Move Enumerate.py to DBParser.py

Tweak command line options for -i
iSECPartners · Nov 9, 2013 · f6bc8f7 · f6bc8f7
1 parent c6c01c1
commit f6bc8f7
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 37 deletions.
diff --git a/analyzer/DBParser.py b/analyzer/DBParser.py
@@ -57,6 +57,45 @@ def get_traced_calls_as_JSON(self):
         return json.dumps(tracedCalls_dict, default=self._json_serialize)
 
 
+    def get_all_URLs(self):
+        """Returns the list of all URLs accessed within the traced calls."""
+        urlsList = []
+        for call in self.tracedCalls:
+            if 'request' in call.argsAndReturnValue['arguments']:
+                urlsList.append(call.argsAndReturnValue['arguments']['request']['URL']['absoluteString'])
+        # Sort and remove duplicates
+        urlsList = dict(map(None,urlsList,[])).keys()
+        urlsList.sort()
+        return urlsList
+
+
+    def get_all_files(self):
+        """Returns the list of all files accessed within the traced calls."""
+        filesList = []
+        for call in self.tracedCalls:
+            if 'url' in call.argsAndReturnValue['arguments']:
+                filesList.append(call.argsAndReturnValue['arguments']['url']['absoluteString'])
+            if 'path' in call.argsAndReturnValue['arguments']:
+                filesList.append(call.argsAndReturnValue['arguments']['path'])
+        # Sort and remove duplicates
+        filesList = dict(map(None,filesList,[])).keys()
+        filesList.sort()
+        return filesList
+
+
+# TODO: This code crashes with my DB
+#    def get_all_keys(self):
+#        keysList = []
+#        for call in self.traced_calls:
+#            if call.method == "SecItemAdd":
+#                keysList.append("{0} = {1}".format(call.argsAndReturnValue['arguments']['attributes']['acct'],
+#                    call.argsAndReturnValue['arguments']['attributes']['v_Data']))
+#            elif call.method == "SecItemUpdate":
+#                keysList.append("{0} = {1}".format(call.argsAndReturnValue['arguments']['query']['acct'],
+#                    call.argsAndReturnValue['arguments']['attributesToUpdate']['v_Data']))
+#        return keysList
+
+
     def _sanitize_args_dict(self, argsDict):
         """Goes through a dict of arguments or return values and replaces specific values to make them easier to read."""
         for (arg, value) in argsDict.items():

diff --git a/analyzer/Enumerate.py b/analyzer/Enumerate.py
diff --git a/analyzer/introspy.py b/analyzer/introspy.py
@@ -15,7 +15,6 @@
 from DBParser import DBParser
 from HTMLReportGenerator import HTMLReportGenerator
 from APIGroups import APIGroups
-from Enumerate import Enumerate
 
 
 
@@ -42,8 +41,8 @@ def main(argv):
         help="Filter by signature sub-group")
     stats_group = parser.add_argument_group('additional command-line options')
     stats_group.add_argument("-i", "--info",
-        choices=['http', 'fileio', 'keys'],
-	help="Enumerate URLs, files accessed, keychain items, etc.")
+        choices=['urls', 'files'],#, 'keys'],
+	help="Enumerate URLs or files accessed within the traced calls")#' and keychain items, etc.")
     stats_group.add_argument("-d", "--delete",
         action="store_true",
         help="Remove all introspy databases on a given remote device")
@@ -79,9 +78,15 @@ def main(argv):
 
     else: # Print DB info to the console
 
-        if args.info: # Enumerate urls/files
-            # TODO: refactor this and Enumerate
-            Enumerate(analyzedDB.tracedCalls, args.info)
+        if args.info: # Enumerate URLs/files
+            if args.info == "urls":
+                for url in analyzedDB.get_all_URLs():
+                    print url
+            elif args.info == "files":
+                for path in analyzedDB.get_all_files():
+                    print path
+            #elif args.info == "keys":
+            # TODO
 
         elif args.list: # Print all traced calls
             # TODO: Call print() here instead of inside the method