mvt-project · DonnchaC · Feb 7, 2025 · Feb 10, 2025 · Feb 11, 2025
diff --git a/src/mvt/android/cmd_check_adb.py b/src/mvt/android/cmd_check_adb.py
@@ -7,6 +7,7 @@
 from typing import Optional
 
 from mvt.common.command import Command
+from mvt.common.indicators import Indicators
 
 from .modules.adb import ADB_MODULES
 
@@ -19,17 +20,23 @@ def __init__(
         target_path: Optional[str] = None,
         results_path: Optional[str] = None,
         ioc_files: Optional[list] = None,
+        iocs: Optional[Indicators] = None,
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
+        hashes: Optional[bool] = False,
+        sub_command: Optional[bool] = False,
     ) -> None:
         super().__init__(
             target_path=target_path,
             results_path=results_path,
             ioc_files=ioc_files,
+            iocs=iocs,
             module_name=module_name,
             serial=serial,
             module_options=module_options,
+            hashes=hashes,
+            sub_command=sub_command,
             log=log,
         )
 

diff --git a/src/mvt/android/cmd_check_androidqf.py b/src/mvt/android/cmd_check_androidqf.py
@@ -10,58 +10,182 @@
 from typing import List, Optional
 
 from mvt.common.command import Command
+from mvt.common.indicators import Indicators
+
+from mvt.android.cmd_check_bugreport import CmdAndroidCheckBugreport
+from mvt.android.cmd_check_backup import CmdAndroidCheckBackup
 
 from .modules.androidqf import ANDROIDQF_MODULES
+from .modules.androidqf.base import AndroidQFModule
 
 log = logging.getLogger(__name__)
 
 
+class NoAndroidQFTargetPath(Exception):
+    pass
+
+
+class NoAndroidQFBugReport(Exception):
+    pass
+
+
+class NoAndroidQFBackup(Exception):
+    pass
+
+
 class CmdAndroidCheckAndroidQF(Command):
     def __init__(
         self,
         target_path: Optional[str] = None,
         results_path: Optional[str] = None,
         ioc_files: Optional[list] = None,
+        iocs: Optional[Indicators] = None,
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
-        hashes: bool = False,
+        hashes: Optional[bool] = False,
+        sub_command: Optional[bool] = False,
     ) -> None:
         super().__init__(
             target_path=target_path,
             results_path=results_path,
             ioc_files=ioc_files,
+            iocs=iocs,
             module_name=module_name,
             serial=serial,
             module_options=module_options,
             hashes=hashes,
+            sub_command=sub_command,
             log=log,
         )
 
         self.name = "check-androidqf"
         self.modules = ANDROIDQF_MODULES
 
-        self.format: Optional[str] = None
-        self.archive: Optional[zipfile.ZipFile] = None
-        self.files: List[str] = []
+        self.__format: Optional[str] = None
+        self.__zip: Optional[zipfile.ZipFile] = None
+        self.__files: List[str] = []
 
     def init(self):
         if os.path.isdir(self.target_path):
-            self.format = "dir"
+            self.__format = "dir"
             parent_path = Path(self.target_path).absolute().parent.as_posix()
             target_abs_path = os.path.abspath(self.target_path)
             for root, subdirs, subfiles in os.walk(target_abs_path):
                 for fname in subfiles:
                     file_path = os.path.relpath(os.path.join(root, fname), parent_path)
-                    self.files.append(file_path)
+                    self.__files.append(file_path)
         elif os.path.isfile(self.target_path):
-            self.format = "zip"
-            self.archive = zipfile.ZipFile(self.target_path)
-            self.files = self.archive.namelist()
+            self.__format = "zip"
+            self.__zip = zipfile.ZipFile(self.target_path)
+            self.__files = self.__zip.namelist()
+
+    def module_init(self, module: AndroidQFModule) -> None:  # type: ignore[override]
+        if self.__format == "zip" and self.__zip:
+            module.from_zip(self.__zip, self.__files)
+            return
+
+        if not self.target_path:
+            raise NoAndroidQFTargetPath
+
+        parent_path = Path(self.target_path).absolute().parent.as_posix()
+        module.from_dir(parent_path, self.__files)
+
+    def load_bugreport(self) -> zipfile.ZipFile:
+        bugreport_zip_path = None
+        for file_name in self.__files:
+            if file_name.endswith("bugreport.zip"):
+                bugreport_zip_path = file_name
+                break
+        else:
+            raise NoAndroidQFBugReport
+
+        if self.__format == "zip" and self.__zip:
+            handle = self.__zip.open(bugreport_zip_path)
+            return zipfile.ZipFile(handle)
 
-    def module_init(self, module):
-        if self.format == "zip":
-            module.from_zip_file(self.archive, self.files)
+        if self.__format == "dir" and self.target_path:
+            parent_path = Path(self.target_path).absolute().parent.as_posix()
+            bug_report_path = os.path.join(parent_path, bugreport_zip_path)
+            return zipfile.ZipFile(bug_report_path)
+
+        raise NoAndroidQFBugReport
+
+    def load_backup(self) -> bytes:
+        backup_ab_path = None
+        for file_name in self.__files:
+            if file_name.endswith("backup.ab"):
+                backup_ab_path = file_name
+                break
         else:
+            raise NoAndroidQFBackup
+
+        if self.__format == "zip" and self.__zip:
+            backup_file_handle = self.__zip.open(backup_ab_path)
+            return backup_file_handle.read()
+
+        if self.__format == "dir" and self.target_path:
             parent_path = Path(self.target_path).absolute().parent.as_posix()
-            module.from_folder(parent_path, self.files)
+            backup_path = os.path.join(parent_path, backup_ab_path)
+            with open(backup_path, "rb") as backup_file:
+                backup_ab_data = backup_file.read()
+            return backup_ab_data
+
+        raise NoAndroidQFBackup
+
+    def run_bugreport_cmd(self) -> bool:
+        try:
+            bugreport = self.load_bugreport()
+        except NoAndroidQFBugReport:
+            self.log.warning(
+                "Skipping bugreport modules as no bugreport.zip found in AndroidQF data."
+            )
+            return False
+        else:
+            cmd = CmdAndroidCheckBugreport(
+                target_path=None,
+                results_path=self.results_path,
+                ioc_files=self.ioc_files,
+                iocs=self.iocs,
+                module_options=self.module_options,
+                hashes=self.hashes,
+                sub_command=True,
+            )
+            cmd.from_zip(bugreport)
+            cmd.run()
+
+            self.detected_count += cmd.detected_count
+            self.timeline.extend(cmd.timeline)
+            self.timeline_detected.extend(cmd.timeline_detected)
+
+    def run_backup_cmd(self) -> bool:
+        try:
+            backup = self.load_backup()
+        except NoAndroidQFBackup:
+            self.log.warning(
+                "Skipping backup modules as no backup.ab found in AndroidQF data."
+            )
+            return False
+        else:
+            cmd = CmdAndroidCheckBackup(
+                target_path=None,
+                results_path=self.results_path,
+                ioc_files=self.ioc_files,
+                iocs=self.iocs,
+                module_options=self.module_options,
+                hashes=self.hashes,
+                sub_command=True,
+            )
+            cmd.from_ab(backup)
+            cmd.run()
+
+            self.detected_count += cmd.detected_count
+            self.timeline.extend(cmd.timeline)
+            self.timeline_detected.extend(cmd.timeline_detected)
+
+    def finish(self) -> None:
+        """
+        Run the bugreport and backup modules if the respective files are found in the AndroidQF data.
+        """
+        self.run_bugreport_cmd()
+        self.run_backup_cmd()
diff --git a/src/mvt/android/cmd_check_backup.py b/src/mvt/android/cmd_check_backup.py
@@ -20,6 +20,7 @@
     parse_backup_file,
 )
 from mvt.common.command import Command
+from mvt.common.indicators import Indicators
 
 from .modules.backup import BACKUP_MODULES
 
@@ -32,19 +33,23 @@ def __init__(
         target_path: Optional[str] = None,
         results_path: Optional[str] = None,
         ioc_files: Optional[list] = None,
+        iocs: Optional[Indicators] = None,
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
-        hashes: bool = False,
+        hashes: Optional[bool] = False,
+        sub_command: Optional[bool] = False,
     ) -> None:
         super().__init__(
             target_path=target_path,
             results_path=results_path,
             ioc_files=ioc_files,
+            iocs=iocs,
             module_name=module_name,
             serial=serial,
             module_options=module_options,
             hashes=hashes,
+            sub_command=sub_command,
             log=log,
         )
 
@@ -55,42 +60,43 @@ def __init__(
         self.backup_archive: Optional[tarfile.TarFile] = None
         self.backup_files: List[str] = []
 
+    def from_ab(self, ab_file_bytes: bytes) -> None:
+        self.backup_type = "ab"
+        header = parse_ab_header(ab_file_bytes)
+        if not header["backup"]:
+            log.critical("Invalid backup format, file should be in .ab format")
+            sys.exit(1)
+
+        password = None
+        if header["encryption"] != "none":
+            password = prompt_or_load_android_backup_password(log, self.module_options)
+            if not password:
+                log.critical("No backup password provided.")
+                sys.exit(1)
+        try:
+            tardata = parse_backup_file(ab_file_bytes, password=password)
+        except InvalidBackupPassword:
+            log.critical("Invalid backup password")
+            sys.exit(1)
+        except AndroidBackupParsingError as exc:
+            log.critical("Impossible to parse this backup file: %s", exc)
+            log.critical("Please use Android Backup Extractor (ABE) instead")
+            sys.exit(1)
+
+        dbytes = io.BytesIO(tardata)
+        self.backup_archive = tarfile.open(fileobj=dbytes)
+        for member in self.backup_archive:
+            self.backup_files.append(member.name)
+
     def init(self) -> None:
         if not self.target_path:
             return
 
         if os.path.isfile(self.target_path):
             self.backup_type = "ab"
             with open(self.target_path, "rb") as handle:
-                data = handle.read()
-
-            header = parse_ab_header(data)
-            if not header["backup"]:
-                log.critical("Invalid backup format, file should be in .ab format")
-                sys.exit(1)
-
-            password = None
-            if header["encryption"] != "none":
-                password = prompt_or_load_android_backup_password(
-                    log, self.module_options
-                )
-                if not password:
-                    log.critical("No backup password provided.")
-                    sys.exit(1)
-            try:
-                tardata = parse_backup_file(data, password=password)
-            except InvalidBackupPassword:
-                log.critical("Invalid backup password")
-                sys.exit(1)
-            except AndroidBackupParsingError as exc:
-                log.critical("Impossible to parse this backup file: %s", exc)
-                log.critical("Please use Android Backup Extractor (ABE) instead")
-                sys.exit(1)
-
-            dbytes = io.BytesIO(tardata)
-            self.backup_archive = tarfile.open(fileobj=dbytes)
-            for member in self.backup_archive:
-                self.backup_files.append(member.name)
+                ab_file_bytes = handle.read()
+            self.from_ab(ab_file_bytes)
 
         elif os.path.isdir(self.target_path):
             self.backup_type = "folder"
@@ -109,6 +115,6 @@ def init(self) -> None:
 
     def module_init(self, module: BackupExtraction) -> None:  # type: ignore[override]
         if self.backup_type == "folder":
-            module.from_folder(self.target_path, self.backup_files)
+            module.from_dir(self.target_path, self.backup_files)
         else:
             module.from_ab(self.target_path, self.backup_archive, self.backup_files)