Refactors DumpsysBatteryHistory and adds related androidqf module

tests/android/test_artifact_dumpsys_battery_history.py

@@ -0,0 +1,44 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+import logging
+
+from mvt.android.artifacts.dumpsys_battery_history import DumpsysBatteryHistoryArtifact
+from mvt.common.indicators import Indicators
+
+from ..utils import get_artifact
+
+
+class TestDumpsysBatteryHistoryArtifact:
+    def test_parsing(self):
+        dba = DumpsysBatteryHistoryArtifact()
+        file = get_artifact("android_data/dumpsys_battery.txt")
+        with open(file) as f:
+            data = f.read()
+
+        assert len(dba.results) == 0
+        dba.parse(data)
+        assert len(dba.results) == 5
+        assert dba.results[0]["package_name"] == "com.samsung.android.app.reminder"
+        assert dba.results[1]["event"] == "end_job"
+        assert dba.results[2]["event"] == "start_top"
+        assert dba.results[2]["uid"] == "u0a280"
+        assert dba.results[2]["package_name"] == "com.whatsapp"
+        assert dba.results[3]["event"] == "end_top"
+        assert dba.results[4]["package_name"] == "com.sec.android.app.launcher"
+
+    def test_ioc_check(self, indicator_file):
+        dba = DumpsysBatteryHistoryArtifact()
+        file = get_artifact("android_data/dumpsys_battery.txt")
+        with open(file) as f:
+            data = f.read()
+        dba.parse(data)
+
+        ind = Indicators(log=logging.getLogger())
+        ind.parse_stix2(indicator_file)
+        ind.ioc_collections[0]["app_ids"].append("com.samsung.android.app.reminder")
+        dba.indicators = ind
+        assert len(dba.detected) == 0
+        dba.check_indicators()
+        assert len(dba.detected) == 2

tests/android/test_dumpsys_parser.py

@@ -3,31 +3,12 @@
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
-from mvt.android.parsers.dumpsys import (
-    parse_dumpsys_battery_history,
-    parse_dumpsys_packages,
-)
+from mvt.android.parsers.dumpsys import parse_dumpsys_packages
 
 from ..utils import get_artifact
 
 
 class TestDumpsysParsing:
-    def test_battery_history_parsing(self):
-        file = get_artifact("android_data/dumpsys_battery.txt")
-        with open(file) as f:
-            data = f.read()
-
-        res = parse_dumpsys_battery_history(data)
-
-        assert len(res) == 5
-        assert res[0]["package_name"] == "com.samsung.android.app.reminder"
-        assert res[1]["event"] == "end_job"
-        assert res[2]["event"] == "start_top"
-        assert res[2]["uid"] == "u0a280"
-        assert res[2]["package_name"] == "com.whatsapp"
-        assert res[3]["event"] == "end_top"
-        assert res[4]["package_name"] == "com.sec.android.app.launcher"
-
     def test_packages_parsing(self):
         file = get_artifact("android_data/dumpsys_packages.txt")
         with open(file) as f:

tests/android_androidqf/test_dumpsys_battery_history.py

@@ -0,0 +1,24 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+from pathlib import Path
+
+from mvt.android.modules.androidqf.dumpsys_battery_history import DumpsysBatteryHistory
+from mvt.common.module import run_module
+
+from ..utils import get_android_androidqf, list_files
+
+
+class TestDumpsysBatteryHistoryModule:
+    def test_parsing(self):
+        data_path = get_android_androidqf()
+        m = DumpsysBatteryHistory(target_path=data_path)
+        files = list_files(data_path)
+        parent_path = Path(data_path).absolute().parent.as_posix()
+        m.from_folder(parent_path, files)
+        run_module(m)
+        assert len(m.results) == 6
+        assert len(m.timeline) == 0
+        assert len(m.detected) == 0

tests/artifacts/androidqf/dumpsys.txt

@@ -304,6 +304,13 @@ Battery History (0% used, 11KB used of 4096KB, 79 strings using 9632):
              +2s042ms (2) 100 c0000020 +wake_lock=u0a12:"Wakeful StateMachine: GeofencerStateMachine"
              +2s044ms (1) 100 80000020 -wake_lock
              +2s050ms (2) 100 c0000020 +wake_lock=u0a12:"NlpWakeLock"
+         +23m32s163ms (2) 100 c0000020 +job=u0a134:"com.google.android.gm/com.google.android.libraries.internal.growth.growthkit.internal.jobs.impl.GrowthKitJobService"
+         +23m33s713ms (2) 100 c0000020 +job=u0a134:"com.google.android.gm/.job.ProviderCreatedJob$ProviderCreatedJobService"
+         +23m33s752ms (2) 100 c0000020 +job=u0a134:"com.google.android.gm/com.android.mail.widget.NotifyDatasetChangedJob$NotifyDatasetChangedJobService"
+         +23m33s786ms (2) 100 c0000020 -job=u0a134:"com.google.android.gm/.job.ProviderCreatedJob$ProviderCreatedJobService"
+         +23m33s867ms (2) 100 c0000020 -job=u0a134:"com.google.android.gm/com.google.android.libraries.internal.growth.growthkit.internal.jobs.impl.GrowthKitJobService"
+         +23m33s910ms (2) 100 c0000020 -job=u0a134:"com.google.android.gm/com.android.mail.widget.NotifyDatasetChangedJob$NotifyDatasetChangedJobService"
+
 
 Daily stats:
   Current start time: 2023-07-27-02-02-56

tests/common/test_utils.py

@@ -62,5 +62,5 @@ class TestHashes:
         assert hashes[1]["file_path"] == os.path.join(path, "dumpsys.txt")
         assert (
             hashes[1]["sha256"]
-            == "009f9eaa04658acdd179b463e05e1ea1fffea132e6e7ee556f0c385ee69a0811"
+            == "cfae0e04ef139b5a2ae1e2b3d400ce67eb98e67ff66f56ba2a580fe41bc120d0"
         )