From 3cdc6da4285f61e67470c6e54bd563a0fefb73bd Mon Sep 17 00:00:00 2001 From: Nex Date: Wed, 6 Jul 2022 13:01:55 +0200 Subject: [PATCH] Temporarily removed mvt-ios check-usb command --- mvt/ios/cli.py | 32 -------------------- mvt/ios/cmd_check_usb.py | 46 ----------------------------- mvt/ios/modules/usb/__init__.py | 10 ------- mvt/ios/modules/usb/applications.py | 46 ----------------------------- mvt/ios/modules/usb/base.py | 25 ---------------- mvt/ios/modules/usb/device_info.py | 39 ------------------------ mvt/ios/modules/usb/processes.py | 42 -------------------------- setup.cfg | 1 - tests/ios_usb/__init__.py | 0 tests/ios_usb/test_applications.py | 35 ---------------------- tests/ios_usb/test_device_info.py | 34 --------------------- tests/ios_usb/test_processes.py | 29 ------------------ 12 files changed, 339 deletions(-) delete mode 100644 mvt/ios/cmd_check_usb.py delete mode 100644 mvt/ios/modules/usb/__init__.py delete mode 100644 mvt/ios/modules/usb/applications.py delete mode 100644 mvt/ios/modules/usb/base.py delete mode 100644 mvt/ios/modules/usb/device_info.py delete mode 100644 mvt/ios/modules/usb/processes.py delete mode 100644 tests/ios_usb/__init__.py delete mode 100644 tests/ios_usb/test_applications.py delete mode 100644 tests/ios_usb/test_device_info.py delete mode 100644 tests/ios_usb/test_processes.py diff --git a/mvt/ios/cli.py b/mvt/ios/cli.py index 65eba46..b9bc9e7 100644 --- a/mvt/ios/cli.py +++ b/mvt/ios/cli.py @@ -20,7 +20,6 @@ from mvt.common.updates import IndicatorsUpdates from .cmd_check_backup import CmdIOSCheckBackup from .cmd_check_fs import CmdIOSCheckFS -from .cmd_check_usb import CmdIOSCheckUSB from .decrypt import DecryptBackup from .modules.backup import BACKUP_MODULES from .modules.fs import FS_MODULES 
@@ -216,34 +215,3 @@ def check_iocs(ctx, iocs, list_modules, module, folder):
 def download_iocs():
 ioc_updates = IndicatorsUpdates()
 ioc_updates.update()
-
-
-#==============================================================================
-# Command: check-usb
-#==============================================================================
-@cli.command("check-usb", help="Extract artifacts from a live iPhone through USB / lockdown")
-@click.option("--serial", "-s", type=str, help=HELP_MSG_SERIAL)
-@click.option("--iocs", "-i", type=click.Path(exists=True), multiple=True,
- default=[], help=HELP_MSG_IOC)
-@click.option("--output", "-o", type=click.Path(exists=False), help=HELP_MSG_OUTPUT)
-@click.option("--fast", "-f", is_flag=True, help=HELP_MSG_FAST)
-@click.option("--list-modules", "-l", is_flag=True, help=HELP_MSG_LIST_MODULES)
-@click.option("--module", "-m", help=HELP_MSG_MODULE)
-# TODO: serial
-# @click.argument("BACKUP_PATH", type=click.Path(exists=True))
-@click.pass_context
-def check_usb(ctx, serial, iocs, output, fast, list_modules, module):
- cmd = CmdIOSCheckUSB(results_path=output, ioc_files=iocs,
- module_name=module, fast_mode=fast,
- serial=serial)
-
- if list_modules:
- cmd.list_modules()
- return
-
- log.info("Checking iPhone through USB, this may take a while")
- cmd.run()
-
- if len(cmd.timeline_detected) > 0:
- log.warning("The analysis of the data produced %d detections!",
- len(cmd.timeline_detected))
diff --git a/mvt/ios/cmd_check_usb.py b/mvt/ios/cmd_check_usb.py
deleted file mode 100644
index 0a48f1d..0000000
--- a/mvt/ios/cmd_check_usb.py
+++ /dev/null
@@ -1,46 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-# https://license.mvt.re/1.1/
-
-import logging
-import sys
-
-from pymobiledevice3.exceptions import ConnectionFailedError
-from pymobiledevice3.lockdown import LockdownClient
-
-from mvt.common.command import Command
-
-from .modules.usb import USB_MODULES
-
-log = logging.getLogger(__name__)
-
-
-class CmdIOSCheckUSB(Command):
-
- name = "check-usb"
- modules = USB_MODULES
-
- def __init__(self, target_path: str = None, results_path: str = None,
- ioc_files: list = [], module_name: str = None, serial: str = None,
- fast_mode: bool = False):
- super().__init__(target_path=target_path, results_path=results_path,
- ioc_files=ioc_files, module_name=module_name,
- serial=serial, fast_mode=fast_mode, log=log)
- self.lockdown = None
-
- def init(self):
- try:
- if self.serial:
- self.lockdown = LockdownClient(udid=self.serial)
- else:
- self.lockdown = LockdownClient()
- except ConnectionRefusedError:
- log.error("Unable to connect to the device over USB. Try to unplug, plug the device and start again.")
- sys.exit(-1)
- except ConnectionFailedError:
- log.error("Unable to connect to the device %s", self.serial)
- sys.exit(-1)
-
- def module_init(self, module):
- module.lockdown = self.lockdown
diff --git a/mvt/ios/modules/usb/__init__.py b/mvt/ios/modules/usb/__init__.py
deleted file mode 100644
index b957a4d..0000000
--- a/mvt/ios/modules/usb/__init__.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-# https://license.mvt.re/1.1/
-
-from .applications import Applications
-from .device_info import DeviceInfo
-from .processes import Processes
-
-USB_MODULES = [Applications, DeviceInfo, Processes]
diff --git a/mvt/ios/modules/usb/applications.py b/mvt/ios/modules/usb/applications.py
deleted file mode 100644
index 9cb0dfc..0000000
--- a/mvt/ios/modules/usb/applications.py
+++ /dev/null
@@ -1,46 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-# https://license.mvt.re/1.1/
-
-import logging
-
-from pymobiledevice3.services.installation_proxy import \
- InstallationProxyService
-
-from .base import IOSUSBExtraction
-
-
-class Applications(IOSUSBExtraction):
- """This class extracts all applications installed on the phone"""
-
- def __init__(self, file_path: str = None, target_path: str = None,
- results_path: str = None, fast_mode: bool = False,
- log: logging.Logger = None, results: list = []) -> None:
- super().__init__(file_path=file_path, target_path=target_path,
- results_path=results_path, fast_mode=fast_mode,
- log=log, results=results)
-
- def check_indicators(self) -> None:
- if not self.indicators:
- return
-
- for result in self.results:
- ioc = self.indicators.check_app_id(result["CFBundleIdentifier"])
- if ioc:
- result["matched_indicator"] = ioc
- self.detected.append(result)
-
- def run(self) -> None:
- user_apps = InstallationProxyService(lockdown=self.lockdown).get_apps("User")
- for user_app in user_apps:
- user_app["type"] = "user"
-
- system_apps = InstallationProxyService(lockdown=self.lockdown).get_apps("System")
- for system_app in system_apps:
- system_app["type"] = "system"
-
- self.results = user_apps + system_apps
-
- self.log.info("Identified %d applications installed on the device",
- len(self.results))
diff --git a/mvt/ios/modules/usb/base.py b/mvt/ios/modules/usb/base.py
deleted file mode 100644
index e08e232..0000000
--- a/mvt/ios/modules/usb/base.py
+++ /dev/null
@@ -1,25 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-# https://license.mvt.re/1.1/
-
-import logging
-
-from mvt.common.module import MVTModule
-
-log = logging.getLogger(__name__)
-
-
-class IOSUSBExtraction(MVTModule):
- """This class provides a base for all iOS USB extraction modules."""
-
- def __init__(self, file_path: str = None, target_path: str = None,
- results_path: str = None, fast_mode: bool = False,
- log: logging.Logger = None, results: list = []) -> None:
- super().__init__(file_path=file_path, target_path=target_path,
- results_path=results_path, fast_mode=fast_mode,
- log=log, results=results)
-
- self.device = None
- self.serial = None
- self.lockdown = None
diff --git a/mvt/ios/modules/usb/device_info.py b/mvt/ios/modules/usb/device_info.py
deleted file mode 100644
index 57b1de5..0000000
--- a/mvt/ios/modules/usb/device_info.py
+++ /dev/null
@@ -1,39 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-# https://license.mvt.re/1.1/
-
-import base64
-import logging
-
-from mvt.ios.versions import latest_ios_version
-
-from .base import IOSUSBExtraction
-
-
-class DeviceInfo(IOSUSBExtraction):
- """This class extracts all processes running on the phone."""
-
- def __init__(self, file_path: str = None, target_path: str = None,
- results_path: str = None, fast_mode: bool = False,
- log: logging.Logger = None, results: list = []) -> None:
- super().__init__(file_path=file_path, target_path=target_path,
- results_path=results_path, fast_mode=fast_mode,
- log=log, results=results)
-
- def run(self) -> None:
- self.results = self.lockdown.all_values
-
- for entry in self.results:
- if isinstance(self.results[entry], bytes):
- self.results[entry] = base64.b64encode(self.results[entry])
- elif isinstance(self.results[entry], dict):
- for second_entry in self.results[entry]:
- if isinstance(self.results[entry][second_entry], bytes):
- self.results[entry][second_entry] = base64.b64encode(self.results[entry][second_entry])
-
- if "ProductVersion" in self.results:
- latest = latest_ios_version()
- if self.results["ProductVersion"] != latest["version"]:
- self.log.warning("This phone is running an outdated iOS version: %s (latest is %s)",
- self.results["ProductVersion"], latest['version'])
diff --git a/mvt/ios/modules/usb/processes.py b/mvt/ios/modules/usb/processes.py
deleted file mode 100644
index 786d0a0..0000000
--- a/mvt/ios/modules/usb/processes.py
+++ /dev/null
@@ -1,42 +0,0 @@ -# Mobile Verification Toolkit (MVT) -# Copyright (c) 2021-2022 Claudio Guarnieri. -# Use of this software is governed by the MVT License 1.1 that can be found at -# https://license.mvt.re/1.1/ - -import logging - -from pymobiledevice3.services.os_trace import OsTraceService - -from .base import IOSUSBExtraction - - -class Processes(IOSUSBExtraction): - """This class extracts all processes running on the phone.""" - - def __init__(self, file_path: str = None, target_path: str = None, - results_path: str = None, fast_mode: bool = False, - log: logging.Logger = None, results: list = []) -> None: - super().__init__(file_path=file_path, target_path=target_path, - results_path=results_path, fast_mode=fast_mode, - log=log, results=results) - - def check_indicators(self) -> None: - if not self.indicators: - return - - for result in self.results: - ioc = self.indicators.check_process(result["name"]) - if ioc: - result["matched_indicator"] = ioc - self.detected.append(result) - - def run(self) -> None: - processes = OsTraceService(lockdown=self.lockdown).get_pid_list().get("Payload") - for pid in processes: - self.results.append({ - "pid": pid, - "name": processes[pid]["ProcessName"] - }) - - self.log.info("Identified %d processes running on the device", - len(self.results)) diff --git a/setup.cfg b/setup.cfg index ec0976c..7f89bff 100644 --- a/setup.cfg +++ b/setup.cfg @@ -33,7 +33,6 @@ install_requires = adb-shell >=0.4.2 libusb1 >=2.0.1 cryptography >=36.0.1 - pymobiledevice3 >=1.23.9 pyyaml >=6.0 [options.packages.find] diff --git a/tests/ios_usb/__init__.py b/tests/ios_usb/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/tests/ios_usb/test_applications.py b/tests/ios_usb/test_applications.py deleted file mode 100644 index 90607ea..0000000 --- a/tests/ios_usb/test_applications.py +++ /dev/null 
@@ -1,35 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-# https://license.mvt.re/1.1/
-
-import logging
-
-from pymobiledevice3.lockdown import LockdownClient
-
-from mvt.common.module import run_module
-from mvt.ios.modules.usb.applications import Applications
-
-
-class TestUSBApplication:
- def test_run(self, mocker):
- mocker.patch("pymobiledevice3.lockdown.LockdownClient.start_service")
- mocker.patch("pymobiledevice3.usbmux.select_device")
- mocker.patch("pymobiledevice3.service_connection.ServiceConnection.create")
- mocker.patch(
- "pymobiledevice3.lockdown.LockdownClient.query_type",
- return_value="com.apple.mobile.lockdown")
- mocker.patch(
- "pymobiledevice3.lockdown.LockdownClient.validate_pairing",
- return_value=True)
- mocker.patch(
- "pymobiledevice3.services.installation_proxy.InstallationProxyService.get_apps",
- return_value=[{"CFBundleIdentifier": "com.bad.app"}]
- )
-
- lockdown = LockdownClient()
-
- m = Applications(log=logging)
- m.lockdown = lockdown
- run_module(m)
- assert len(m.results) == 2
diff --git a/tests/ios_usb/test_device_info.py b/tests/ios_usb/test_device_info.py
deleted file mode 100644
index 349623d..0000000
--- a/tests/ios_usb/test_device_info.py
+++ /dev/null
@@ -1,34 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-# https://license.mvt.re/1.1/
-
-import logging
-
-from pymobiledevice3.lockdown import LockdownClient
-
-from mvt.common.module import run_module
-from mvt.ios.modules.usb.device_info import DeviceInfo
-
-
-class TestUSBDeviceInfo:
- def test_run(self, mocker):
- mocker.patch("pymobiledevice3.usbmux.select_device")
- mocker.patch("pymobiledevice3.service_connection.ServiceConnection.create")
- mocker.patch(
- "pymobiledevice3.lockdown.LockdownClient.query_type",
- return_value="com.apple.mobile.lockdown")
- mocker.patch(
- "pymobiledevice3.lockdown.LockdownClient.validate_pairing",
- return_value=True)
- mocker.patch(
- "pymobiledevice3.lockdown.LockdownClient.get_value",
- return_value={'DeviceClass': 'iPhone', 'ProductVersion': '14.3'}
- )
-
- lockdown = LockdownClient()
-
- m = DeviceInfo(log=logging)
- m.lockdown = lockdown
- run_module(m)
- assert len(m.results) == 2
diff --git a/tests/ios_usb/test_processes.py b/tests/ios_usb/test_processes.py
deleted file mode 100644
index 26c446f..0000000
--- a/tests/ios_usb/test_processes.py
+++ /dev/null
@@ -1,29 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-# https://license.mvt.re/1.1/
-
-import logging
-
-from mvt.common.indicators import Indicators
-from mvt.common.module import run_module
-from mvt.ios.modules.usb.processes import Processes
-
-
-class TestUSBProcesses:
- def test_run(self, mocker, indicator_file):
- mocker.patch("pymobiledevice3.services.base_service.BaseService.__init__")
- mocker.patch(
- "pymobiledevice3.services.os_trace.OsTraceService.get_pid_list",
- return_value={"Payload": {"1": {"ProcessName": "storebookkeeperd"}, "1854": {"ProcessName": "cfprefssd"}}}
- )
-
- ind = Indicators(log=logging)
- ind.parse_stix2(indicator_file)
- ind.ioc_collections[0]["processes"].append("cfprefssd")
-
- m = Processes(log=logging)
- m.indicators = ind
- run_module(m)
- assert len(m.results) == 2
- assert len(m.detected) == 1