mirror of
https://github.com/mvt-project/mvt
synced 2025-10-21 22:42:15 +02:00
Compare commits
2 Commits
fix_tests
...
makitos666
| Author | SHA1 | Date | |
|---|---|---|---|
|
79d565712c | ||
|
|
ee34bcff92 |
11
.github/dependabot.yml
vendored
11
.github/dependabot.yml
vendored
@@ -1,11 +0,0 @@
|
||||
# To get started with Dependabot version updates, you'll need to specify which
|
||||
# package ecosystems to update and where the package manifests are located.
|
||||
# Please see the documentation for all configuration options:
|
||||
# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
|
||||
|
||||
version: 2
|
||||
updates:
|
||||
- package-ecosystem: "pip" # See documentation for possible values
|
||||
directory: "/" # Location of package manifests
|
||||
schedule:
|
||||
interval: "weekly"
|
||||
@@ -1,5 +1,5 @@
|
||||
mkdocs==1.6.1
|
||||
mkdocs-autorefs==1.4.2
|
||||
mkdocs-material==9.6.16
|
||||
mkdocs-autorefs==1.2.0
|
||||
mkdocs-material==9.5.42
|
||||
mkdocs-material-extensions==1.3.1
|
||||
mkdocstrings==0.30.0
|
||||
mkdocstrings==0.23.0
|
||||
@@ -20,21 +20,21 @@ classifiers = [
|
||||
]
|
||||
dependencies = [
|
||||
"click==8.2.1",
|
||||
"rich==14.1.0",
|
||||
"rich==14.0.0",
|
||||
"tld==0.13.1",
|
||||
"requests==2.32.4",
|
||||
"requests==2.32.2",
|
||||
"simplejson==3.20.1",
|
||||
"packaging==25.0",
|
||||
"appdirs==1.4.4",
|
||||
"iOSbackup==0.9.925",
|
||||
"adb-shell[usb]==0.4.4",
|
||||
"libusb1==3.3.1",
|
||||
"cryptography==45.0.6",
|
||||
"cryptography==45.0.3",
|
||||
"PyYAML>=6.0.2",
|
||||
"pyahocorasick==2.2.0",
|
||||
"pyahocorasick==2.1.0",
|
||||
"betterproto==1.2.5",
|
||||
"pydantic==2.11.7",
|
||||
"pydantic-settings==2.10.1",
|
||||
"pydantic==2.11.5",
|
||||
"pydantic-settings==2.9.1",
|
||||
"NSKeyedUnArchiver==1.5.2",
|
||||
"python-dateutil==2.9.0.post0",
|
||||
]
|
||||
|
||||
@@ -21,22 +21,12 @@ class DumpsysADBArtifact(AndroidArtifact):
|
||||
stack = [res]
|
||||
cur_indent = 0
|
||||
in_multiline = False
|
||||
# Normalize line endings to handle both Unix (\n) and Windows (\r\n)
|
||||
normalized_data = dump_data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
|
||||
for line in normalized_data.strip(b"\n").split(b"\n"):
|
||||
# Skip completely empty lines
|
||||
if not line.strip():
|
||||
continue
|
||||
|
||||
for line in dump_data.strip(b"\n").split(b"\n"):
|
||||
# Track the level of indentation
|
||||
indent = len(line) - len(line.lstrip())
|
||||
if indent < cur_indent:
|
||||
# If the current line is less indented than the previous one, back out
|
||||
while len(stack) > 1 and indent < cur_indent:
|
||||
stack.pop()
|
||||
# Check if we were in multiline mode and need to exit it
|
||||
if in_multiline and not isinstance(stack[-1], list):
|
||||
in_multiline = False
|
||||
cur_indent = indent
|
||||
else:
|
||||
cur_indent = indent
|
||||
@@ -48,30 +38,12 @@ class DumpsysADBArtifact(AndroidArtifact):
|
||||
|
||||
# Annoyingly, some values are multiline and don't have a key on each line
|
||||
if in_multiline:
|
||||
if key == "" and len(vals) < 2:
|
||||
if key == "":
|
||||
# If the line is empty, it's the terminator for the multiline value
|
||||
in_multiline = False
|
||||
stack.pop()
|
||||
current_dict = stack[-1]
|
||||
elif len(vals) >= 2 and (key in self.multiline_fields or key == "}" or vals[1] == b"{"):
|
||||
# If we encounter a new field while in multiline mode, exit multiline mode
|
||||
# and process this line as a new field
|
||||
in_multiline = False
|
||||
stack.pop()
|
||||
current_dict = stack[-1]
|
||||
# Don't continue here - let the line be processed as a new field
|
||||
else:
|
||||
# When in multiline mode, the top of stack should be a list
|
||||
if isinstance(stack[-1], list):
|
||||
stack[-1].append(line.lstrip())
|
||||
else:
|
||||
# Something went wrong with the stack, exit multiline mode
|
||||
in_multiline = False
|
||||
current_dict = stack[-1]
|
||||
continue
|
||||
|
||||
# Skip lines that don't have a value after '='
|
||||
if len(vals) < 2:
|
||||
current_dict.append(line.lstrip())
|
||||
continue
|
||||
|
||||
if key == "}":
|
||||
@@ -161,16 +133,7 @@ class DumpsysADBArtifact(AndroidArtifact):
|
||||
|
||||
# TODO: Parse AdbDebuggingManager line in output.
|
||||
start_of_json = content.find(b"\n{") + 2
|
||||
|
||||
# Handle both Unix (\n) and Windows (\r\n) line endings
|
||||
end_of_json = content.rfind(b"}\n")
|
||||
if end_of_json == -1:
|
||||
end_of_json = content.rfind(b"}\r\n")
|
||||
if end_of_json == -1:
|
||||
self.log.error("Unable to find end of JSON block in dumpsys output")
|
||||
return
|
||||
|
||||
end_of_json -= 2
|
||||
end_of_json = content.rfind(b"}\n") - 2
|
||||
json_content = content[start_of_json:end_of_json].rstrip()
|
||||
|
||||
parsed = self.indented_dump_parser(json_content)
|
||||
|
||||
@@ -51,6 +51,11 @@ ANDROID_DANGEROUS_SETTINGS = [
|
||||
"key": "send_action_app_error",
|
||||
"safe_value": "1",
|
||||
},
|
||||
{
|
||||
"description": "enabled installation of non Google Play apps",
|
||||
"key": "install_non_market_apps",
|
||||
"safe_value": "0",
|
||||
},
|
||||
{
|
||||
"description": "enabled accessibility services",
|
||||
"key": "accessibility_enabled",
|
||||
|
||||
@@ -112,18 +112,10 @@ class Files(AndroidQFModule):
|
||||
|
||||
def run(self) -> None:
|
||||
if timezone := self._get_device_timezone():
|
||||
try:
|
||||
device_timezone = zoneinfo.ZoneInfo(timezone)
|
||||
except zoneinfo.ZoneInfoNotFoundError:
|
||||
self.log.warning("Device timezone '%s' not found, using UTC", timezone)
|
||||
device_timezone = datetime.timezone.utc
|
||||
else:
|
||||
self.log.warning("Unable to determine device timezone, using UTC")
|
||||
try:
|
||||
device_timezone = zoneinfo.ZoneInfo("UTC")
|
||||
except zoneinfo.ZoneInfoNotFoundError:
|
||||
# Fallback for Windows systems where zoneinfo might not have UTC
|
||||
device_timezone = datetime.timezone.utc
|
||||
|
||||
for file in self._get_files_by_pattern("*/files.json"):
|
||||
rawdata = self._get_file_content(file).decode("utf-8", errors="ignore")
|
||||
|
||||
@@ -231,7 +231,6 @@ def parse_sms_file(data):
|
||||
entry.pop("mms_body")
|
||||
|
||||
body = entry.get("body", None)
|
||||
message_links = None
|
||||
if body:
|
||||
message_links = check_for_links(entry["body"])
|
||||
|
||||
|
||||
@@ -654,8 +654,7 @@ class Indicators:
|
||||
return None
|
||||
|
||||
for ioc in self.get_iocs("processes"):
|
||||
# Use os-agnostic path splitting to handle both Windows (\) and Unix (/) separators
|
||||
parts = file_path.replace("\\", "/").split("/")
|
||||
parts = file_path.split("/")
|
||||
if ioc["value"] in parts:
|
||||
self.log.warning(
|
||||
"Found known suspicious process name mentioned in file at "
|
||||
|
||||
@@ -1131,9 +1131,5 @@
|
||||
{
|
||||
"version": "18.5",
|
||||
"build": "22F76"
|
||||
},
|
||||
{
|
||||
"version": "18.6",
|
||||
"build": "22G86"
|
||||
}
|
||||
]
|
||||
@@ -95,7 +95,6 @@ class SafariBrowserState(IOSExtraction):
|
||||
)
|
||||
except sqlite3.OperationalError:
|
||||
# Old version iOS <12 likely
|
||||
try:
|
||||
cur.execute(
|
||||
"""
|
||||
SELECT
|
||||
@@ -104,8 +103,6 @@ class SafariBrowserState(IOSExtraction):
|
||||
ORDER BY last_viewed_time;
|
||||
"""
|
||||
)
|
||||
except sqlite3.OperationalError as e:
|
||||
self.log.error(f"Error executing query: {e}")
|
||||
|
||||
for row in cur:
|
||||
session_entries = []
|
||||
|
||||
@@ -116,7 +116,6 @@ class TCC(IOSExtraction):
|
||||
)
|
||||
db_version = "v2"
|
||||
except sqlite3.OperationalError:
|
||||
try:
|
||||
cur.execute(
|
||||
"""SELECT
|
||||
service, client, client_type, allowed,
|
||||
@@ -124,8 +123,6 @@ class TCC(IOSExtraction):
|
||||
FROM access;"""
|
||||
)
|
||||
db_version = "v1"
|
||||
except sqlite3.OperationalError as e:
|
||||
self.log.error(f"Error parsing TCC database: {e}")
|
||||
|
||||
for row in cur:
|
||||
service = row[0]
|
||||
|
||||
Reference in New Issue
Block a user