Bumps version

.github/workflows/flake8.yml

@@ -1,26 +0,0 @@
-name: Flake8
-
-on:
-  push:
-    paths:
-      - '*.py'
-
-jobs:
-  flake8_py3:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Setup Python
-        uses: actions/setup-python@v1
-        with:
-          python-version: 3.9
-          architecture: x64
-      - name: Checkout
-        uses: actions/checkout@master
-      - name: Install flake8
-        run: pip install flake8
-      - name: Run flake8
-        uses: suo/flake8-github-action@releases/v1
-        with:
-          checkName: 'flake8_py3'   # NOTE: this needs to be the same as the job name
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/python-package.yml

@@ -16,8 +16,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        # python-version: [3.7, 3.8, 3.9]
-        python-version: [3.8, 3.9]
+        python-version: ['3.8', '3.9', '3.10']
 
     steps:
     - uses: actions/checkout@v2

.github/workflows/ruff.yml

@@ -0,0 +1,21 @@
+name: Ruff
+on: [push]
+
+jobs:
+  ruff_py3:
+    name: Ruff syntax check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup Python
+        uses: actions/setup-python@v1
+        with:
+          python-version: 3.9
+          architecture: x64
+      - name: Checkout
+        uses: actions/checkout@master
+      - name: Install Dependencies
+        run: |
+          pip install ruff
+      - name: ruff
+        run: |
+          ruff check .

Makefile

@@ -1,5 +1,10 @@
 PWD = $(shell pwd)
 
+check:
+	flake8
+	pytest -q
+	ruff check -q .
+
 clean:
 	rm -rf $(PWD)/build $(PWD)/dist $(PWD)/mvt.egg-info
 

docs/android/backup.md

@@ -24,7 +24,7 @@ Some recent phones will enforce the utilisation of a password to encrypt the bac
 
 ## Unpack and check the backup
 
-MVT includes a partial implementation of the Android Backup parsing, because of the implementation difference in the compression algorithm between Java and Python. The `-nocompress` option passed to adb in the section above allows to avoid this issue. You can analyse and extract SMSs containing links from the backup directly with MVT:
+MVT includes a partial implementation of the Android Backup parsing, because of the implementation difference in the compression algorithm between Java and Python. The `-nocompress` option passed to adb in the section above allows to avoid this issue. You can analyse and extract SMSs from the backup directly with MVT:
 
 ```bash
 $ mvt-android check-backup --output /path/to/results/ /path/to/backup.ab
@@ -32,7 +32,7 @@ $ mvt-android check-backup --output /path/to/results/ /path/to/backup.ab
          INFO     [mvt.android.modules.backup.sms] Running module SMS...
          INFO     [mvt.android.modules.backup.sms] Processing SMS backup file at
                   apps/com.android.providers.telephony/d_f/000000_sms_backup
-         INFO     [mvt.android.modules.backup.sms] Extracted a total of 64 SMS messages containing links
+         INFO     [mvt.android.modules.backup.sms] Extracted a total of 64 SMS messages
 ```
 
 If the backup is encrypted, MVT will prompt you to enter the password.
@@ -52,4 +52,4 @@ If the backup is encrypted, ABE will prompt you to enter the password.
 
 Alternatively, [ab-decrypt](https://github.com/joernheissler/ab-decrypt) can be used for that purpose.
 
-You can then extract SMSs containing links with MVT by passing the folder path as parameter instead of the `.ab` file: `mvt-android check-backup --output /path/to/results/ /path/to/backup/` (the path to backup given should be the folder containing the `apps` folder).
+You can then extract SMSs with MVT by passing the folder path as parameter instead of the `.ab` file: `mvt-android check-backup --output /path/to/results/ /path/to/backup/` (the path to backup given should be the folder containing the `apps` folder).

docs/install.md

@@ -54,7 +54,7 @@ Then you can install MVT directly from [pypi](https://pypi.org/project/mvt/)
 pip3 install mvt
 ```
 
-Or from the source code:
+If you want to have the latest features in development, you can install MVT directly from the source code. If you installed MVT previously from pypi, you should first uninstall it using `pip3 uninstall mvt` and then install from the source code:
 
 ```bash
 git clone https://github.com/mvt-project/mvt.git

docs/iocs.md

@@ -39,7 +39,9 @@ export MVT_STIX2="/home/user/IOC1.stix2:/home/user/IOC2.stix2"
 - The [Amnesty International investigations repository](https://github.com/AmnestyTech/investigations) contains STIX-formatted IOCs for:
     - [Pegasus](https://en.wikipedia.org/wiki/Pegasus_(spyware)) ([STIX2](https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/pegasus.stix2))
     - [Predator from Cytrox](https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/) ([STIX2](https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-12-16_cytrox/cytrox.stix2))
+    - [An Android Spyware Campaign Linked to a Mercenary Company](https://github.com/AmnestyTech/investigations/tree/master/2023-03-29_android_campaign) ([STIX2](https://github.com/AmnestyTech/investigations/blob/master/2023-03-29_android_campaign/malware.stix2))
 - [This repository](https://github.com/Te-k/stalkerware-indicators) contains IOCs for Android stalkerware including [a STIX MVT-compatible file](https://raw.githubusercontent.com/Te-k/stalkerware-indicators/master/generated/stalkerware.stix2).
+- We are also maintaining [a list of IOCs](https://github.com/mvt-project/mvt-indicators) in STIX format from public spyware campaigns.
 
 You can automaticallly download the latest public indicator files with the command `mvt-ios download-iocs` or `mvt-android download-iocs`. These commands download the list of indicators listed [here](https://github.com/mvt-project/mvt/blob/main/public_indicators.json) and store them in the [appdir](https://pypi.org/project/appdirs/) folder. They are then loaded automatically by MVT.
 

mvt/android/cli.py

@@ -6,15 +6,15 @@
 import logging
 
 import click
-from rich.logging import RichHandler
 
 from mvt.common.cmd_check_iocs import CmdCheckIOCS
-from mvt.common.help import (HELP_MSG_FAST, HELP_MSG_IOC,
+from mvt.common.help import (HELP_MSG_FAST, HELP_MSG_HASHES, HELP_MSG_IOC,
                              HELP_MSG_LIST_MODULES, HELP_MSG_MODULE,
                              HELP_MSG_OUTPUT, HELP_MSG_SERIAL,
-                             HELP_MSG_HASHES)
+                             HELP_MSG_VERBOSE)
 from mvt.common.logo import logo
 from mvt.common.updates import IndicatorsUpdates
+from mvt.common.utils import init_logging, set_verbose_logging
 
 from .cmd_check_adb import CmdAndroidCheckADB
 from .cmd_check_androidqf import CmdAndroidCheckAndroidQF
@@ -26,11 +26,8 @@ from .modules.adb.packages import Packages
 from .modules.backup import BACKUP_MODULES
 from .modules.bugreport import BUGREPORT_MODULES
 
-# Setup logging using Rich.
-LOG_FORMAT = "[%(name)s] %(message)s"
-logging.basicConfig(level="INFO", format=LOG_FORMAT, handlers=[
-    RichHandler(show_path=False, log_time_format="%X")])
-log = logging.getLogger(__name__)
+init_logging()
+log = logging.getLogger("mvt")
 CONTEXT_SETTINGS = dict(help_option_names=['-h', '--help'])
 
 
@@ -64,8 +61,10 @@ def version():
 @click.option("--from-file", "-f", type=click.Path(exists=True),
               help="Instead of acquiring from phone, load an existing packages.json file for "
                    "lookups (mainly for debug purposes)")
+@click.option("--verbose", "-v", is_flag=True, help=HELP_MSG_VERBOSE)
 @click.pass_context
-def download_apks(ctx, all_apks, virustotal, output, from_file, serial):
+def download_apks(ctx, all_apks, virustotal, output, from_file, serial, verbose):
+    set_verbose_logging(verbose)
     try:
         if from_file:
             download = DownloadAPKs.from_json(from_file)
@@ -113,8 +112,10 @@ def download_apks(ctx, all_apks, virustotal, output, from_file, serial):
 @click.option("--fast", "-f", is_flag=True, help=HELP_MSG_FAST)
 @click.option("--list-modules", "-l", is_flag=True, help=HELP_MSG_LIST_MODULES)
 @click.option("--module", "-m", help=HELP_MSG_MODULE)
+@click.option("--verbose", "-v", is_flag=True, help=HELP_MSG_VERBOSE)
 @click.pass_context
-def check_adb(ctx, serial, iocs, output, fast, list_modules, module):
+def check_adb(ctx, serial, iocs, output, fast, list_modules, module, verbose):
+    set_verbose_logging(verbose)
     cmd = CmdAndroidCheckADB(results_path=output, ioc_files=iocs,
                              module_name=module, serial=serial, fast_mode=fast)
 
@@ -142,9 +143,11 @@ def check_adb(ctx, serial, iocs, output, fast, list_modules, module):
               help=HELP_MSG_OUTPUT)
 @click.option("--list-modules", "-l", is_flag=True, help=HELP_MSG_LIST_MODULES)
 @click.option("--module", "-m", help=HELP_MSG_MODULE)
+@click.option("--verbose", "-v", is_flag=True, help=HELP_MSG_VERBOSE)
 @click.argument("BUGREPORT_PATH", type=click.Path(exists=True))
 @click.pass_context
-def check_bugreport(ctx, iocs, output, list_modules, module, bugreport_path):
+def check_bugreport(ctx, iocs, output, list_modules, module, verbose, bugreport_path):
+    set_verbose_logging(verbose)
     # Always generate hashes as bug reports are small.
     cmd = CmdAndroidCheckBugreport(target_path=bugreport_path,
                                    results_path=output, ioc_files=iocs,
@@ -173,9 +176,11 @@ def check_bugreport(ctx, iocs, output, list_modules, module, bugreport_path):
 @click.option("--output", "-o", type=click.Path(exists=False),
               help=HELP_MSG_OUTPUT)
 @click.option("--list-modules", "-l", is_flag=True, help=HELP_MSG_LIST_MODULES)
+@click.option("--verbose", "-v", is_flag=True, help=HELP_MSG_VERBOSE)
 @click.argument("BACKUP_PATH", type=click.Path(exists=True))
 @click.pass_context
-def check_backup(ctx, iocs, output, list_modules, backup_path):
+def check_backup(ctx, iocs, output, list_modules, verbose, backup_path):
+    set_verbose_logging(verbose)
     # Always generate hashes as backups are generally small.
     cmd = CmdAndroidCheckBackup(target_path=backup_path, results_path=output,
                                 ioc_files=iocs, hashes=True)
@@ -205,9 +210,11 @@ def check_backup(ctx, iocs, output, list_modules, backup_path):
 @click.option("--list-modules", "-l", is_flag=True, help=HELP_MSG_LIST_MODULES)
 @click.option("--module", "-m", help=HELP_MSG_MODULE)
 @click.option("--hashes", "-H", is_flag=True, help=HELP_MSG_HASHES)
+@click.option("--verbose", "-v", is_flag=True, help=HELP_MSG_VERBOSE)
 @click.argument("ANDROIDQF_PATH", type=click.Path(exists=True))
 @click.pass_context
-def check_androidqf(ctx, iocs, output, list_modules, module, hashes, androidqf_path):
+def check_androidqf(ctx, iocs, output, list_modules, module, hashes, verbose, androidqf_path):
+    set_verbose_logging(verbose)
     cmd = CmdAndroidCheckAndroidQF(target_path=androidqf_path,
                                    results_path=output, ioc_files=iocs,
                                    module_name=module, hashes=hashes)

mvt/android/cmd_check_backup.py

@@ -9,15 +9,15 @@ import os
 import sys
 import tarfile
 from pathlib import Path
-from typing import Callable, Optional, List
+from typing import List, Optional
 
 from rich.prompt import Prompt
 
+from mvt.android.modules.backup.base import BackupExtraction
 from mvt.android.parsers.backup import (AndroidBackupParsingError,
                                         InvalidBackupPassword, parse_ab_header,
                                         parse_backup_file)
 from mvt.common.command import Command
-from mvt.android.modules.backup.base import BackupExtraction
 
 from .modules.backup import BACKUP_MODULES
 

mvt/android/cmd_check_bugreport.py

@@ -6,11 +6,11 @@
 import logging
 import os
 from pathlib import Path
-from typing import Callable, Optional, List
+from typing import List, Optional
 from zipfile import ZipFile
 
-from mvt.common.command import Command
 from mvt.android.modules.bugreport.base import BugReportModule
+from mvt.common.command import Command
 
 from .modules.bugreport import BUGREPORT_MODULES
 

mvt/android/cmd_download_apks.py

@@ -21,15 +21,13 @@ log = logging.getLogger(__name__)
 class DownloadAPKs(AndroidExtraction):
     """DownloadAPKs is the main class operating the download of APKs
     from the device.
-
-
     """
 
     def __init__(
         self,
         results_path: Optional[str] = None,
         all_apks: Optional[bool] = False,
-        packages: Optional[list] = None
+        packages: Optional[list] = None,
     ) -> None:
         """Initialize module.
         :param results_path: Path to the folder where data should be stored

mvt/android/modules/adb/chrome_history.py

@@ -31,6 +31,7 @@ class ChromeHistory(AndroidExtraction):
         super().__init__(file_path=file_path, target_path=target_path,
                          results_path=results_path, fast_mode=fast_mode,
                          log=log, results=results)
+        self.results = []
 
     def serialize(self, record: dict) -> Union[dict, list]:
         return {
@@ -55,6 +56,7 @@ class ChromeHistory(AndroidExtraction):
         :param db_path: Path to the History database to process.
 
         """
+        assert isinstance(self.results, list)  # assert results type for mypy
         conn = sqlite3.connect(db_path)
         cur = conn.cursor()
         cur.execute("""

mvt/android/modules/adb/files.py

@@ -39,7 +39,7 @@ class Files(AndroidExtraction):
                          log=log, results=results)
         self.full_find = False
 
-    def serialize(self, record: dict) -> Union[dict, list]:
+    def serialize(self, record: dict) -> Union[dict, list, None]:
         if "modified_time" in record:
             return {
                 "timestamp": record["modified_time"],
@@ -62,6 +62,9 @@ class Files(AndroidExtraction):
                 self.detected.append(result)
 
     def backup_file(self, file_path: str) -> None:
+        if not self.results_path:
+            return
+
         local_file_name = file_path.replace("/", "_").replace(" ", "-")
         local_files_folder = os.path.join(self.results_path, "files")
         if not os.path.exists(local_files_folder):
@@ -79,6 +82,7 @@ class Files(AndroidExtraction):
                           file_path, local_file_path)
 
     def find_files(self, folder: str) -> None:
+        assert isinstance(self.results, list)
         if self.full_find:
             cmd = f"find '{folder}' -type f -printf '%T@ %m %s %u %g %p\n' 2> /dev/null"
             output = self._adb_command(cmd)
@@ -121,8 +125,7 @@ class Files(AndroidExtraction):
         for entry in self.results:
             self.log.info("Found file in tmp folder at path %s",
                           entry.get("path"))
-            if self.results_path:
-                self.backup_file(entry.get("path"))
+            self.backup_file(entry.get("path"))
 
         for media_folder in ANDROID_MEDIA_FOLDERS:
             self.find_files(media_folder)

mvt/android/modules/adb/getprop.py

@@ -30,6 +30,16 @@ class Getprop(AndroidExtraction):
 
         self.results = {} if not results else results
 
+    def check_indicators(self) -> None:
+        if not self.indicators:
+            return
+
+        for result in self.results:
+            ioc = self.indicators.check_android_property_name(result.get("name", ""))
+            if ioc:
+                result["matched_indicator"] = ioc
+                self.detected.append(result)
+
     def run(self) -> None:
         self._adb_connect()
         output = self._adb_command("getprop")
@@ -38,13 +48,14 @@ class Getprop(AndroidExtraction):
         self.results = parse_getprop(output)
 
         # Alert if phone is outdated.
-        security_patch = self.results.get("ro.build.version.security_patch", "")
-        if security_patch:
-            patch_date = datetime.strptime(security_patch, "%Y-%m-%d")
+        for entry in self.results:
+            if entry.get("name", "") != "ro.build.version.security_patch":
+                continue
+            patch_date = datetime.strptime(entry["value"], "%Y-%m-%d")
             if (datetime.now() - patch_date) > timedelta(days=6*30):
                 self.log.warning("This phone has not received security updates "
                                  "for more than six months (last update: %s)",
-                                 security_patch)
+                                 entry["value"])
 
         self.log.info("Extracted %d Android system properties",
                       len(self.results))

mvt/android/modules/adb/logcat.py

@@ -30,9 +30,9 @@ class Logcat(AndroidExtraction):
         self._adb_connect()
 
         # Get the current logcat.
-        output = self._adb_command("logcat -d")
+        output = self._adb_command("logcat -d -b all \"*:V\"")
         # Get the locat prior to last reboot.
-        last_output = self._adb_command("logcat -L")
+        last_output = self._adb_command("logcat -L -b all \"*:V\"")
 
         if self.results_path:
             logcat_path = os.path.join(self.results_path,

mvt/android/modules/adb/packages.py

@@ -4,7 +4,7 @@
 #   https://license.mvt.re/1.1/
 
 import logging
-from typing import Optional, Union, List
+from typing import List, Optional, Union
 
 from rich.console import Console
 from rich.progress import track

mvt/android/modules/adb/sms.py

@@ -43,7 +43,7 @@ FROM sms;
 
 
 class SMS(AndroidExtraction):
-    """This module extracts all SMS messages containing links."""
+    """This module extracts all SMS messages."""
 
     def __init__(
         self,
@@ -77,8 +77,10 @@ class SMS(AndroidExtraction):
             if "body" not in message:
                 continue
 
-            # TODO: check links exported from the body previously.
-            message_links = check_for_links(message["body"])
+            message_links = message.get("links", [])
+            if message_links == []:
+                message_links = check_for_links(message["body"])
+
             if self.indicators.check_domains(message_links):
                 self.detected.append(message)
 
@@ -106,15 +108,16 @@ class SMS(AndroidExtraction):
             message["direction"] = ("received" if message["incoming"] == 1 else "sent")
             message["isodate"] = convert_unix_to_iso(message["timestamp"])
 
-            # If we find links in the messages or if they are empty we add
-            # them to the list of results.
-            if check_for_links(message["body"]) or message["body"].strip() == "":
-                self.results.append(message)
+            # Extract links in the message body
+            links = check_for_links(message["body"])
+            message["links"] = links
+
+            self.results.append(message)
 
         cur.close()
         conn.close()
 
-        self.log.info("Extracted a total of %d SMS messages containing links",
+        self.log.info("Extracted a total of %d SMS messages",
                       len(self.results))
 
     def _extract_sms_adb(self) -> None:
@@ -137,7 +140,7 @@ class SMS(AndroidExtraction):
                           "Android Backup Extractor")
             return
 
-        self.log.info("Extracted a total of %d SMS messages containing links",
+        self.log.info("Extracted a total of %d SMS messages",
                       len(self.results))
 
     def run(self) -> None:

mvt/android/modules/androidqf/base.py

@@ -6,7 +6,7 @@
 import fnmatch
 import logging
 import os
-from typing import Union, List, Dict, Any, Optional
+from typing import Any, Dict, List, Optional, Union
 
 from mvt.common.module import MVTModule
 

mvt/android/modules/androidqf/dumpsys_packages.py

@@ -4,14 +4,12 @@
 #   https://license.mvt.re/1.1/
 
 import logging
-from datetime import datetime
-from typing import Optional, Union, List, Any, Dict
+from typing import Any, Dict, List, Optional, Union
 
 from mvt.android.modules.adb.packages import (DANGEROUS_PERMISSIONS,
                                               DANGEROUS_PERMISSIONS_THRESHOLD,
                                               ROOT_PACKAGES)
 from mvt.android.parsers.dumpsys import parse_dumpsys_packages
-from mvt.common.utils import convert_datetime_to_iso
 
 from .base import AndroidQFModule
 

mvt/android/modules/androidqf/dumpsys_receivers.py

@@ -4,7 +4,7 @@
 #   https://license.mvt.re/1.1/
 
 import logging
-from typing import Optional, List, Dict, Union, Any
+from typing import Any, Dict, List, Optional, Union
 
 from mvt.android.modules.adb.dumpsys_receivers import (
     INTENT_DATA_SMS_RECEIVED, INTENT_NEW_OUTGOING_CALL,

mvt/android/modules/androidqf/getprop.py

@@ -7,7 +7,7 @@ import logging
 from datetime import datetime, timedelta
 from typing import Optional
 
-from mvt.android.parsers import getprop
+from mvt.android.parsers.getprop import parse_getprop
 
 from .base import AndroidQFModule
 
@@ -41,7 +41,17 @@ class Getprop(AndroidQFModule):
         super().__init__(file_path=file_path, target_path=target_path,
                          results_path=results_path, fast_mode=fast_mode,
                          log=log, results=results)
-        self.results = {}
+        self.results = []
+
+    def check_indicators(self) -> None:
+        if not self.indicators:
+            return
+
+        for result in self.results:
+            ioc = self.indicators.check_android_property_name(result.get("name", ""))
+            if ioc:
+                result["matched_indicator"] = ioc
+                self.detected.append(result)
 
     def run(self) -> None:
         getprop_files = self._get_files_by_pattern("*/getprop.txt")
@@ -52,15 +62,15 @@ class Getprop(AndroidQFModule):
         with open(getprop_files[0]) as f:
             data = f.read()
 
-        self.results = getprop.parse_getprop(data)
+        self.results = parse_getprop(data)
         for entry in self.results:
-            if entry in INTERESTING_PROPERTIES:
-                self.log.info("%s: %s", entry, self.results[entry])
-            if entry == "ro.build.version.security_patch":
-                last_patch = datetime.strptime(self.results[entry], "%Y-%m-%d")
+            if entry["name"] in INTERESTING_PROPERTIES:
+                self.log.info("%s: %s", entry["name"], entry["value"])
+            if entry["name"] == "ro.build.version.security_patch":
+                last_patch = datetime.strptime(entry["value"], "%Y-%m-%d")
                 if (datetime.now() - last_patch) > timedelta(days=6*31):
                     self.log.warning("This phone has not received security "
                                      "updates for more than six months "
-                                     "(last update: %s)", self.results[entry])
+                                     "(last update: %s)", entry["value"])
 
         self.log.info("Extracted a total of %d properties", len(self.results))

mvt/android/modules/androidqf/sms.py

@@ -1,7 +1,7 @@
-# Mobile Verification Toolkit (MVT) - Private
+# Mobile Verification Toolkit (MVT)
 # Copyright (c) 2021-2023 Claudio Guarnieri.
-# This file is part of MVT Private and its content is confidential.
-# Please refer to the project maintainers before sharing with others.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1
 
 import getpass
 import logging

mvt/android/modules/backup/base.py

@@ -7,7 +7,7 @@ import fnmatch
 import logging
 import os
 from tarfile import TarFile
-from typing import Optional, List
+from typing import List, Optional
 
 from mvt.common.module import MVTModule
 

mvt/android/modules/backup/sms.py

@@ -8,6 +8,7 @@ from typing import Optional
 
 from mvt.android.modules.backup.base import BackupExtraction
 from mvt.android.parsers.backup import parse_sms_file
+from mvt.common.utils import check_for_links
 
 
 class SMS(BackupExtraction):
@@ -34,7 +35,11 @@ class SMS(BackupExtraction):
             if "body" not in message:
                 continue
 
-            if self.indicators.check_domains(message["links"]):
+            message_links = message.get("links", [])
+            if message_links == []:
+                message_links = check_for_links(message.get("text", ""))
+
+            if self.indicators.check_domains(message_links):
                 self.detected.append(message)
 
     def run(self) -> None:
@@ -50,5 +55,5 @@ class SMS(BackupExtraction):
             data = self._get_file_content(file)
             self.results.extend(parse_sms_file(data))
 
-        self.log.info("Extracted a total of %d SMS & MMS messages containing links",
+        self.log.info("Extracted a total of %d SMS & MMS messages",
                       len(self.results))

mvt/android/modules/bugreport/base.py

@@ -6,7 +6,7 @@
 import fnmatch
 import logging
 import os
-from typing import Optional, List
+from typing import List, Optional
 from zipfile import ZipFile
 
 from mvt.common.module import MVTModule

mvt/android/parsers/backup.py

@@ -218,10 +218,9 @@ def parse_sms_file(data):
         entry["isodate"] = convert_unix_to_iso(int(entry["date"]) / 1000)
         entry["direction"] = ("sent" if int(entry["date_sent"]) else "received")
 
-        # If we find links in the messages or if they are empty we add them to
-        # the list.
+        # Extract links from the body
         if message_links or entry["body"].strip() == "":
             entry["links"] = message_links
-            res.append(entry)
+        res.append(entry)
 
     return res

mvt/android/parsers/dumpsys.py

@@ -4,8 +4,8 @@
 #   https://license.mvt.re/1.1/
 
 import re
-from typing import List, Dict, Any
 from datetime import datetime
+from typing import Any, Dict, List
 
 from mvt.common.utils import convert_datetime_to_iso
 

mvt/android/parsers/getprop.py

@@ -4,10 +4,11 @@
 #   https://license.mvt.re/1.1/
 
 import re
+from typing import Dict, List
 
 
-def parse_getprop(output: str) -> dict:
-    results = {}
+def parse_getprop(output: str) -> List[Dict[str, str]]:
+    results = []
     rxp = re.compile(r"\[(.+?)\]: \[(.+?)\]")
 
     for line in output.splitlines():
@@ -19,8 +20,10 @@ def parse_getprop(output: str) -> dict:
         if not matches or len(matches[0]) != 2:
             continue
 
-        key = matches[0][0]
-        value = matches[0][1]
-        results[key] = value
+        entry = {
+            "name": matches[0][0],
+            "value": matches[0][1]
+        }
+        results.append(entry)
 
     return results

mvt/common/cmd_check_iocs.py

@@ -30,6 +30,7 @@ class CmdCheckIOCS(Command):
         self.name = "check-iocs"
 
     def run(self) -> None:
+        assert self.target_path is not None
         all_modules = []
         for entry in self.modules:
             if entry not in all_modules:

mvt/common/command.py

@@ -3,17 +3,18 @@
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
-import hashlib
 import json
 import logging
 import os
 import sys
 from datetime import datetime
-from typing import Callable, Optional
+from typing import Optional
 
 from mvt.common.indicators import Indicators
-from mvt.common.module import run_module, save_timeline, MVTModule
-from mvt.common.utils import convert_datetime_to_iso, generate_hashes_from_path, get_sha256_from_file_path
+from mvt.common.module import MVTModule, run_module, save_timeline
+from mvt.common.utils import (convert_datetime_to_iso,
+                              generate_hashes_from_path,
+                              get_sha256_from_file_path)
 from mvt.common.version import MVT_VERSION
 
 
@@ -41,20 +42,21 @@ class Command:
         self.fast_mode = fast_mode
         self.log = log
 
-        self.iocs = Indicators(log=log)
-        self.iocs.load_indicators_files(self.ioc_files)
-
         # This list will contain all executed modules.
         # We can use this to reference e.g. self.executed[0].results.
         self.executed = []
-
         self.detected_count = 0
-
         self.hashes = hashes
         self.hash_values = []
         self.timeline = []
         self.timeline_detected = []
 
+        # Load IOCs
+        self._create_storage()
+        self._setup_logging()
+        self.iocs = Indicators(log=log)
+        self.iocs.load_indicators_files(self.ioc_files)
+
     def _create_storage(self) -> None:
         if self.results_path and not os.path.exists(self.results_path):
             try:
@@ -64,10 +66,11 @@ class Command:
                                   self.results_path, exc)
                 sys.exit(1)
 
-    def _add_log_file_handler(self, logger: logging.Logger) -> None:
+    def _setup_logging(self):
         if not self.results_path:
             return
 
+        logger = logging.getLogger("mvt")
         file_handler = logging.FileHandler(os.path.join(self.results_path,
                                                         "command.log"))
         formatter = logging.Formatter("%(asctime)s - %(name)s - "
@@ -121,7 +124,7 @@ class Command:
 
         if self.target_path and (os.environ.get("MVT_HASH_FILES") or self.hashes):
             info_hash = get_sha256_from_file_path(info_path)
-            self.log.warning("Reference hash of the info.json file : %s", info_hash)
+            self.log.info("Reference hash of the info.json file: \"%s\"", info_hash)
 
     def generate_hashes(self) -> None:
         """
@@ -149,8 +152,6 @@ class Command:
         raise NotImplementedError
 
     def run(self) -> None:
-        self._create_storage()
-        self._add_log_file_handler(self.log)
 
         try:
             self.init()
@@ -161,8 +162,8 @@ class Command:
             if self.module_name and module.__name__ != self.module_name:
                 continue
 
+            # FIXME: do we need the logger here
             module_logger = logging.getLogger(module.__module__)
-            self._add_log_file_handler(module_logger)
 
             m = module(target_path=self.target_path,
                        results_path=self.results_path,

mvt/common/help.py

@@ -10,6 +10,7 @@ HELP_MSG_FAST = "Avoid running time/resource consuming features"
 HELP_MSG_LIST_MODULES = "Print list of available modules and exit"
 HELP_MSG_MODULE = "Name of a single module you would like to run instead of all"
 HELP_MSG_HASHES = "Generate hashes of all the files analyzed"
+HELP_MSG_VERBOSE = "Verbose mode"
 
 # Android-specific.
 HELP_MSG_SERIAL = "Specify a device serial number or HOST:PORT connection string"