-
Notifications
You must be signed in to change notification settings - Fork 1
/
XPlist.py
executable file
·165 lines (117 loc) · 4.22 KB
/
XPlist.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
#!/usr/bin/python
import os, re, sys, time
from urllib import urlopen
from Foundation import NSArray, NSDictionary, NSString, NSURL
# ---------------------------------------------------------------------------
def init_with_files(fmeta, fdata):
meta = NSDictionary.dictionaryWithContentsOfFile_(fmeta)
data = NSArray.arrayWithContentsOfFile_(fdata)
return meta, data
def init_with_sucatalog(sucatalog, pkg_re = "^.*/XProtectPlistConfigData.*\.pkg$"):
meta = None
data = None
pkg_url = None
u = NSURL.URLWithString_(sucatalog)
d = NSDictionary.dictionaryWithContentsOfURL_(u)
if not d:
raise Exception("Invalid CatalogURL.", sucatalog)
for k, v in d["Products"].items():
for package in v["Packages"]:
r = re.compile(pkg_re)
if r.findall(package["URL"]) != []:
pkg_url = package["URL"]
if not pkg_url:
raise Exception("Package not found.", sucatalog, pkg_name)
tmp_t = "%f" % time.time()
tmp_pkg = "/tmp/xplist_%s.pkg" % tmp_t
tmp_dir = "/tmp/xplist_%s" % tmp_t
tmp_tar = "/tmp/xplist_%s/Payload" % tmp_t
cmds = [ "/usr/bin/curl -s -o '%s' '%s'" %(tmp_pkg, pkg_url),
"/usr/sbin/pkgutil --expand '%s' '%s'" %(tmp_pkg, tmp_dir),
"/usr/bin/tar xf '%s' -C '%s' -s '|.*/||'" %(tmp_tar, tmp_dir) +
"".join(map(lambda s: " --include '*/%s'" % s,
["XProtect.meta.plist", "XProtect.plist", "XProtect.yara"]))
]
for cmd in cmds:
retcode = os.system(cmd)
if retcode != 0:
raise Exception("Error processing package.", pkg_url, retcode, cmd)
fmeta = "%s/XProtect.meta.plist" % tmp_dir
fdata = "%s/XProtect.plist" % tmp_dir
if os.path.exists(fmeta) and os.path.exists(fdata):
meta, data = init_with_files(fmeta, fdata)
return meta, data, pkg_url
def init_with_url(url):
contents = urlopen(url).read()
start = contents.find("<?xml ")
plist = NSString.stringWithString_(contents[start:]).propertyList()
if not isinstance(plist, NSDictionary):
raise Exception("Invalid URL contents.", url, contents)
return plist["meta"], plist["data"]
def parse_description(description):
sp = description.split(".")
if len(sp) > 2:
name = ".".join(sp[:-1])
variant = sp[-1]
return name, variant
return description, ""
def count_matches(matches):
count = 0
for match in matches:
if match["MatchType"] in [ "Match", "MatchAll" ]:
count += 1
elif match["MatchType"] == "MatchAny":
count += len(match["Matches"])
else:
raise Exception("Invalid MatchType.")
return count
# ---------------------------------------------------------------------------
if __name__ == "__main__":
XPROTECTS = NSArray.arrayWithContentsOfFile_(os.path.join(sys.path[0], "XPlist.plist"))
if not XPROTECTS:
raise Exception("Invalid URLs property list file.")
for xprotect in XPROTECTS:
# print target
print xprotect["name"]
# print source
# init meta and data
if xprotect.has_key("url"):
print xprotect["url"]
meta, data = init_with_url(xprotect["url"])
elif xprotect.has_key("surl"):
print xprotect["surl"]
if xprotect.has_key("pkg_re"):
meta, data, pkg_url = init_with_sucatalog(xprotect["surl"], xprotect["pkg_re"])
else:
meta, data, pkg_url = init_with_sucatalog(xprotect["surl"])
print pkg_url
elif xprotect.has_key("data"):
print xprotect["data"]
print xprotect["meta"]
meta, data = init_with_files(xprotect["meta"], xprotect["data"])
if not meta or not data:
raise Exception("Invalid meta or data.")
# parse data
try:
from collections import OrderedDict
d = OrderedDict()
except ImportError: # Snow Leopard fallback
d = {}
for entry in data:
name, variant = parse_description(entry["Description"])
count = count_matches(entry["Matches"])
if d.has_key(name):
if variant not in d[name]["variants"]:
d[name]["variants"].append(variant)
d[name]["count"] += count
else:
d[name] = { "variants": [variant], "count": count }
# print results
total_variants = 0
total_count = 0
for k, v in d.items():
total_variants += len(v["variants"])
total_count += v["count"]
print "{0:<20} {1:>3} {2:<45}".format(k, v["count"], ", ".join(v["variants"]))
print "%d threats, %d variants, %d signatures (version %d)." % (len(d), total_variants, total_count, meta["Version"])
print