mirror of
https://github.com/mvt-project/mvt.git
synced 2024-06-22 20:38:55 +00:00
119 lines
3.8 KiB
Python
119 lines
3.8 KiB
Python
# Mobile Verification Toolkit (MVT)
|
|
# Copyright (c) 2021-2023 The MVT Authors.
|
|
# Use of this software is governed by the MVT License 1.1 that can be found at
|
|
# https://license.mvt.re/1.1/
|
|
|
|
import logging
|
|
from typing import Any, Dict, List, Optional, Union
|
|
|
|
from mvt.android.modules.adb.packages import (
|
|
DANGEROUS_PERMISSIONS,
|
|
DANGEROUS_PERMISSIONS_THRESHOLD,
|
|
ROOT_PACKAGES,
|
|
)
|
|
from mvt.android.parsers.dumpsys import parse_dumpsys_packages
|
|
|
|
from .base import AndroidQFModule
|
|
|
|
|
|
class DumpsysPackages(AndroidQFModule):
|
|
"""This module analyse dumpsys packages"""
|
|
|
|
def __init__(
|
|
self,
|
|
file_path: Optional[str] = None,
|
|
target_path: Optional[str] = None,
|
|
results_path: Optional[str] = None,
|
|
module_options: Optional[dict] = None,
|
|
log: logging.Logger = logging.getLogger(__name__),
|
|
results: Optional[List[Dict[str, Any]]] = None,
|
|
) -> None:
|
|
super().__init__(
|
|
file_path=file_path,
|
|
target_path=target_path,
|
|
results_path=results_path,
|
|
module_options=module_options,
|
|
log=log,
|
|
results=results,
|
|
)
|
|
|
|
def serialize(self, record: dict) -> Union[dict, list]:
|
|
entries = []
|
|
for entry in ["timestamp", "first_install_time", "last_update_time"]:
|
|
if entry in record:
|
|
entries.append(
|
|
{
|
|
"timestamp": record[entry],
|
|
"module": self.__class__.__name__,
|
|
"event": entry,
|
|
"data": f"Package {record['package_name']} "
|
|
f"({record['uid']})",
|
|
}
|
|
)
|
|
|
|
return entries
|
|
|
|
def check_indicators(self) -> None:
|
|
for result in self.results:
|
|
if result["package_name"] in ROOT_PACKAGES:
|
|
self.log.warning(
|
|
"Found an installed package related to "
|
|
'rooting/jailbreaking: "%s"',
|
|
result["package_name"],
|
|
)
|
|
self.detected.append(result)
|
|
continue
|
|
|
|
if not self.indicators:
|
|
continue
|
|
|
|
ioc = self.indicators.check_app_id(result.get("package_name", ""))
|
|
if ioc:
|
|
result["matched_indicator"] = ioc
|
|
self.detected.append(result)
|
|
|
|
def run(self) -> None:
|
|
dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
|
|
if len(dumpsys_file) != 1:
|
|
self.log.info("Dumpsys file not found")
|
|
return
|
|
|
|
data = self._get_file_content(dumpsys_file[0])
|
|
|
|
package = []
|
|
in_service = False
|
|
in_package_list = False
|
|
for line in data.decode("utf-8").split("\n"):
|
|
if line.strip().startswith("DUMP OF SERVICE package:"):
|
|
in_service = True
|
|
continue
|
|
|
|
if in_service and line.startswith("Packages:"):
|
|
in_package_list = True
|
|
continue
|
|
|
|
if not in_service or not in_package_list:
|
|
continue
|
|
|
|
if line.strip() == "":
|
|
break
|
|
|
|
package.append(line)
|
|
|
|
self.results = parse_dumpsys_packages("\n".join(package))
|
|
|
|
for result in self.results:
|
|
dangerous_permissions_count = 0
|
|
for perm in result["permissions"]:
|
|
if perm["name"] in DANGEROUS_PERMISSIONS:
|
|
dangerous_permissions_count += 1
|
|
|
|
if dangerous_permissions_count >= DANGEROUS_PERMISSIONS_THRESHOLD:
|
|
self.log.info(
|
|
'Found package "%s" requested %d potentially dangerous permissions',
|
|
result["package_name"],
|
|
dangerous_permissions_count,
|
|
)
|
|
|
|
self.log.info("Extracted details on %d packages", len(self.results))
|