Fixed WebkitSessionResourceLog module, still needs testing
This commit is contained in:
parent
fda621672d
commit
fdaf2fc760
|
@ -66,13 +66,6 @@ class MVTModule(object):
|
||||||
sub = re.sub("(.)([A-Z][a-z]+)", r"\1_\2", self.__class__.__name__)
|
sub = re.sub("(.)([A-Z][a-z]+)", r"\1_\2", self.__class__.__name__)
|
||||||
return re.sub("([a-z0-9])([A-Z])", r"\1_\2", sub).lower()
|
return re.sub("([a-z0-9])([A-Z])", r"\1_\2", sub).lower()
|
||||||
|
|
||||||
def _find_paths(self, root_paths):
|
|
||||||
for root_path in root_paths:
|
|
||||||
for found_path in glob.glob(os.path.join(self.base_folder, root_path)):
|
|
||||||
if not os.path.exists(found_path):
|
|
||||||
continue
|
|
||||||
yield found_path
|
|
||||||
|
|
||||||
def load_indicators(self, file_path):
|
def load_indicators(self, file_path):
|
||||||
self.indicators = Indicators(file_path, self.log)
|
self.indicators = Indicators(file_path, self.log)
|
||||||
|
|
||||||
|
|
|
@ -22,7 +22,7 @@ class ConfigurationProfiles(IOSExtraction):
|
||||||
log=log, results=results)
|
log=log, results=results)
|
||||||
|
|
||||||
def run(self):
|
def run(self):
|
||||||
for conf_file in self._get_files_from_manifest(domain=CONF_PROFILES_DOMAIN):
|
for conf_file in self._get_backup_files_from_manifest(domain=CONF_PROFILES_DOMAIN):
|
||||||
conf_file_path = self._get_backup_file_from_id(conf_file["file_id"])
|
conf_file_path = self._get_backup_file_from_id(conf_file["file_id"])
|
||||||
if not conf_file_path:
|
if not conf_file_path:
|
||||||
continue
|
continue
|
||||||
|
|
|
@ -32,7 +32,7 @@ class ProfileEvents(IOSExtraction):
|
||||||
}
|
}
|
||||||
|
|
||||||
def run(self):
|
def run(self):
|
||||||
for events_file in self._get_files_from_manifest(relative_path=CONF_PROFILES_EVENTS_RELPATH):
|
for events_file in self._get_backup_files_from_manifest(relative_path=CONF_PROFILES_EVENTS_RELPATH):
|
||||||
events_file_path = self._get_backup_file_from_id(events_file["file_id"])
|
events_file_path = self._get_backup_file_from_id(events_file["file_id"])
|
||||||
if not events_file_path:
|
if not events_file_path:
|
||||||
continue
|
continue
|
||||||
|
|
|
@ -68,7 +68,7 @@ class IOSExtraction(MVTModule):
|
||||||
|
|
||||||
self.log.info("Database at path %s recovered successfully!", file_path)
|
self.log.info("Database at path %s recovered successfully!", file_path)
|
||||||
|
|
||||||
def _get_files_from_manifest(self, relative_path=None, domain=None):
|
def _get_backup_files_from_manifest(self, relative_path=None, domain=None):
|
||||||
"""Locate files from Manifest.db.
|
"""Locate files from Manifest.db.
|
||||||
:param relative_path: Relative path to use as filter from Manifest.db.
|
:param relative_path: Relative path to use as filter from Manifest.db.
|
||||||
:param domain: Domain to use as filter from Manifest.db.
|
:param domain: Domain to use as filter from Manifest.db.
|
||||||
|
@ -107,6 +107,14 @@ class IOSExtraction(MVTModule):
|
||||||
|
|
||||||
return None
|
return None
|
||||||
|
|
||||||
|
def _find_fs_files_from_pattern(self, root_paths):
|
||||||
|
for root_path in root_paths:
|
||||||
|
for found_path in glob.glob(os.path.join(self.base_folder, root_path)):
|
||||||
|
if not os.path.exists(found_path):
|
||||||
|
continue
|
||||||
|
|
||||||
|
yield found_path
|
||||||
|
|
||||||
def _find_ios_database(self, backup_ids=None, root_paths=[]):
|
def _find_ios_database(self, backup_ids=None, root_paths=[]):
|
||||||
"""Try to locate the module's database file from either an iTunes
|
"""Try to locate the module's database file from either an iTunes
|
||||||
backup or a full filesystem dump.
|
backup or a full filesystem dump.
|
||||||
|
|
|
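Review bot: The new `_find_fs_files_from_pattern` has no docstring, while the neighbouring `_get_backup_files_from_manifest` documents its parameters; add one such as `"""Yield existing paths under base_folder matching the given glob patterns. :param root_paths: Iterable of glob patterns relative to self.base_folder."""`. The `os.path.exists` test after `glob.glob` appears to filter only dangling symlinks (glob already returns entries that exist), so a one-line `# glob matches exist; this only skips dangling symlinks` would save the next reader the question. Because the patterns walk `Application/*/...` inside an untrusted filesystem dump, a symlink planted in the dump could in principle lead the glob outside `base_folder`; it is worth confirming whether a realpath-under-`base_folder` check is wanted here. `_find_ios_database`, which follows the new method, continues outside the hunk.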
@ -32,7 +32,7 @@ class IOSVersionHistory(IOSExtraction):
|
||||||
}
|
}
|
||||||
|
|
||||||
def run(self):
|
def run(self):
|
||||||
for found_path in self._find_paths(IOS_ANALYTICS_JOURNAL_PATHS):
|
for found_path in self._find_fs_files_from_pattern(IOS_ANALYTICS_JOURNAL_PATHS):
|
||||||
with open(found_path, "r") as analytics_log:
|
with open(found_path, "r") as analytics_log:
|
||||||
log_line = json.loads(analytics_log.readline().strip())
|
log_line = json.loads(analytics_log.readline().strip())
|
||||||
|
|
||||||
|
|
|
@ -23,7 +23,7 @@ class WebkitBase(IOSExtraction):
|
||||||
self.detected.append(item)
|
self.detected.append(item)
|
||||||
|
|
||||||
def _process_webkit_folder(self, root_paths):
|
def _process_webkit_folder(self, root_paths):
|
||||||
for found_path in self._find_paths(root_paths):
|
for found_path in self._find_fs_files_from_pattern(root_paths):
|
||||||
key = os.path.relpath(found_path, self.base_folder)
|
key = os.path.relpath(found_path, self.base_folder)
|
||||||
|
|
||||||
for name in os.listdir(found_path):
|
for name in os.listdir(found_path):
|
||||||
|
|
|
@ -76,12 +76,12 @@ class WebkitResourceLoadStatistics(IOSExtraction):
|
||||||
def run(self):
|
def run(self):
|
||||||
if self.is_backup:
|
if self.is_backup:
|
||||||
try:
|
try:
|
||||||
for backup_file in self._get_files_from_manifest(relative_path=WEBKIT_RESOURCELOADSTATICS_BACKUP_RELPATH):
|
for backup_file in self._get_backup_files_from_manifest(relative_path=WEBKIT_RESOURCELOADSTATICS_BACKUP_RELPATH):
|
||||||
db_path = os.path.join(self.base_folder, backup_file["file_id"][0:2], backup_file["file_id"])
|
db_path = os.path.join(self.base_folder, backup_file["file_id"][0:2], backup_file["file_id"])
|
||||||
key = f"{backup_file['domain']}/{WEBKIT_RESOURCELOADSTATICS_BACKUP_RELPATH}"
|
key = f"{backup_file['domain']}/{WEBKIT_RESOURCELOADSTATICS_BACKUP_RELPATH}"
|
||||||
self._process_observations_db(db_path=db_path, key=key)
|
self._process_observations_db(db_path=db_path, key=key)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
self.log.info("Unable to search for WebKit observations.db: %s", e)
|
self.log.info("Unable to search for WebKit observations.db: %s", e)
|
||||||
elif self.is_fs_dump:
|
elif self.is_fs_dump:
|
||||||
for db_path in self._find_paths(WEBKIT_RESOURCELOADSTATICS_ROOT_PATHS):
|
for db_path in self._find_fs_files_from_pattern(WEBKIT_RESOURCELOADSTATICS_ROOT_PATHS):
|
||||||
self._process_observations_db(db_path=db_path, key=os.path.relpath(db_path, self.base_folder))
|
self._process_observations_db(db_path=db_path, key=os.path.relpath(db_path, self.base_folder))
|
||||||
|
|
|
@ -14,7 +14,6 @@ from ..base import IOSExtraction
|
||||||
WEBKIT_SESSION_RESOURCE_LOG_BACKUP_IDS = [
|
WEBKIT_SESSION_RESOURCE_LOG_BACKUP_IDS = [
|
||||||
"a500ee38053454a02e990957be8a251935e28d3f",
|
"a500ee38053454a02e990957be8a251935e28d3f",
|
||||||
]
|
]
|
||||||
|
|
||||||
WEBKIT_SESSION_RESOURCE_LOG_ROOT_PATHS = [
|
WEBKIT_SESSION_RESOURCE_LOG_ROOT_PATHS = [
|
||||||
"private/var/mobile/Containers/Data/Application/*/SystemData/com.apple.SafariViewService/Library/WebKit/WebsiteData/full_browsing_session_resourceLog.plist",
|
"private/var/mobile/Containers/Data/Application/*/SystemData/com.apple.SafariViewService/Library/WebKit/WebsiteData/full_browsing_session_resourceLog.plist",
|
||||||
"private/var/mobile/Containers/Data/Application/*/Library/WebKit/WebsiteData/ResourceLoadStatistics/full_browsing_session_resourceLog.plist",
|
"private/var/mobile/Containers/Data/Application/*/Library/WebKit/WebsiteData/ResourceLoadStatistics/full_browsing_session_resourceLog.plist",
|
||||||
|
@ -32,6 +31,8 @@ class WebkitSessionResourceLog(IOSExtraction):
|
||||||
output_folder=output_folder, fast_mode=fast_mode,
|
output_folder=output_folder, fast_mode=fast_mode,
|
||||||
log=log, results=results)
|
log=log, results=results)
|
||||||
|
|
||||||
|
self.results = {}
|
||||||
|
|
||||||
def _extract_browsing_stats(self, file_path):
|
def _extract_browsing_stats(self, file_path):
|
||||||
items = []
|
items = []
|
||||||
|
|
||||||
|
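Review bot: The added `self.results = {}` runs after the `super().__init__(...)` call that receives `results=results`, so if the base initializer stores that argument on `self.results` (the base class is not visible here) a caller-supplied `results` is silently discarded. If the intent is only to make this module's container a dict, something like `self.results = results or {}` keeps a non-empty caller value while still replacing an empty default; otherwise document that this module always starts empty and ignores the `results` argument. The `__init__` signature and the start of the call begin above the hunk.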
@ -110,32 +111,13 @@ class WebkitSessionResourceLog(IOSExtraction):
|
||||||
|
|
||||||
self.log.warning("Found HTTP redirect between suspicious domains: %s", redirect_path)
|
self.log.warning("Found HTTP redirect between suspicious domains: %s", redirect_path)
|
||||||
|
|
||||||
def _find_paths(self, root_paths):
|
|
||||||
results = {}
|
|
||||||
for root_path in root_paths:
|
|
||||||
for found_path in glob.glob(os.path.join(self.base_folder, root_path)):
|
|
||||||
if not os.path.exists(found_path):
|
|
||||||
continue
|
|
||||||
|
|
||||||
key = os.path.relpath(found_path, self.base_folder)
|
|
||||||
if key not in results:
|
|
||||||
results[key] = []
|
|
||||||
|
|
||||||
return results
|
|
||||||
|
|
||||||
def run(self):
|
def run(self):
|
||||||
self.results = {}
|
if self.is_backup:
|
||||||
|
|
||||||
try:
|
|
||||||
self._find_ios_database(backup_ids=WEBKIT_SESSION_RESOURCE_LOG_BACKUP_IDS)
|
self._find_ios_database(backup_ids=WEBKIT_SESSION_RESOURCE_LOG_BACKUP_IDS)
|
||||||
except FileNotFoundError:
|
self.results[self.file_path] = self._extract_browsing_stats(self.file_path)
|
||||||
pass
|
return
|
||||||
else:
|
|
||||||
if self.file_path:
|
|
||||||
self.results[self.file_path] = self._extract_browsing_stats(self.file_path)
|
|
||||||
return
|
|
||||||
|
|
||||||
self.results = self._find_paths(root_paths=WEBKIT_SESSION_RESOURCE_LOG_ROOT_PATHS)
|
for log_file in self._find_fs_files_from_pattern(WEBKIT_RESOURCELOADSTATICS_ROOT_PATHS):
|
||||||
for log_file in self.results.keys():
|
|
||||||
self.log.info("Found Safari browsing session resource log at path: %s", log_file)
|
self.log.info("Found Safari browsing session resource log at path: %s", log_file)
|
||||||
self.results[log_file] = self._extract_browsing_stats(os.path.join(self.base_folder, log_file))
|
key = os.path.relpath(log_file, self.base_folder)
|
||||||
|
self.results[key] = self._extract_browsing_stats(log_file)
|
||||||
|
|
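Review bot: The filesystem-dump branch now iterates `self._find_fs_files_from_pattern(WEBKIT_RESOURCELOADSTATICS_ROOT_PATHS)`, but the constant this module defines (and the removed line used) is `WEBKIT_SESSION_RESOURCE_LOG_ROOT_PATHS`; `WEBKIT_RESOURCELOADSTATICS_ROOT_PATHS` is the resource-load-statistics module's list, so unless it is imported here this is a NameError, and if it is imported the module scans observations.db locations instead of `full_browsing_session_resourceLog.plist`. The line should read `for log_file in self._find_fs_files_from_pattern(WEBKIT_SESSION_RESOURCE_LOG_ROOT_PATHS):`. The backup branch also drops the `except FileNotFoundError` that previously wrapped `_find_ios_database`, so a backup lacking the file now propagates the exception (assuming the helper still raises it; its body is outside this hunk) instead of logging and returning. Note too that the backup result is keyed by the absolute `self.file_path` while the dump branch keys by a `base_folder`-relative path, which makes the two result shapes inconsistent.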