def test_scan_file_binary(self):
     vt = PublicApi(API_KEY)
     vt.scan_file()
     try:
         print(
             json.dumps(vt.scan_file('virus_total_apis/test/test.exe'),
                        sort_keys=False,
                        indent=4))
     except Exception as e:
         self.fail(e)
Esempio n. 2
0
    def test_scan_file_stream(self):
        vt = PublicApi(API_KEY)

        try:
            print json.dumps(vt.scan_file(EICAR), sort_keys=False, indent=4)
        except Exception as e:
            self.fail(e)
    def test_scan_file_stringio(self):
        vt = PublicApi(API_KEY)

        try:
            print json.dumps(vt.scan_file(StringIO.StringIO(EICAR)), sort_keys=False, indent=4)
        except Exception as e:
            self.fail(e)
Esempio n. 4
0
def submit2vt(filename):

	"""Submit a new file to VT for scanning"""

	# Check VT score
	vt = VirusTotalPublicApi(config['apiKey'])
	response = vt.scan_file(filename)

	# DEBUG
	fp = open('/tmp/vt.debug', 'a')
	fp.write(json.dumps(response, sort_keys=False, indent=4))
	fp.close()

	if response['response_code'] == 200:
		writeLog("VT Reply: %s" % response['results']['verbose_msg'])
	else:
		writeLog('VT Error: %s' % response['error'])

	if config['esServer']:
		# Save results to Elasticsearch
		try:
			response['@timestamp'] = time.strftime("%Y-%m-%dT%H:%M:%S+01:00")
			res = es.index(index=config['esIndex'], doc_type="VTresult", body=json.dumps(response))
		except:
			writeLog("Cannot index to Elasticsearch")
	return
    def test_scan_file_stream(self):
        vt = PublicApi(API_KEY)

        try:
            print(json.dumps(vt.scan_file(EICAR, from_disk=False), sort_keys=False, indent=4))
        except Exception as e:
            self.fail(e)
    def test_scan_file_binary(self):
        vt = PublicApi(API_KEY)

        try:
            print(json.dumps(vt.scan_file('virus_total_apis/test/test.exe'), sort_keys=False, indent=4))
        except Exception as e:
            self.fail(e)
Esempio n. 7
0
def send_request(file, from_disk, original_path):
    logger.add(" " * 10)
    logger.add("File {0}".format(original_path))
    api_key = str(config['Main']['ApiKey'])
    vt = VirusTotalPublicApi(api_key)

    scanned_file = {'response_code': 000}
    report = {'response_code': 000}

    while scanned_file['response_code'] != 200:

        scanned_file = json.loads(
            json.dumps(vt.scan_file(this_file=file, from_disk=from_disk),
                       sort_keys=True,
                       indent=4))

        try:
            logger.add("Response: scan_file: {0}".format(
                scanned_file['results']['verbose_msg']))
        except KeyError:
            logger.add("Error in scan_file: {0}".format(scanned_file))
            pass

        while report['response_code'] != 200:

            report = vt.get_file_report(scanned_file['results']['resource'])

            if report['response_code'] == 204:
                logger.add("Sleeping for 15 seconds: {0}".format(report))
                sleep(15)
                continue

            try:
                logger.add("Response: get_file_report: {0} & {1}".format(
                    report['response_code'],
                    report['results']['response_code']))
            except KeyError:
                logger.add("Error in get_file_report: {0}".format(report))
                pass
            if report['response_code'] == 200 and report['results'][
                    'response_code'] != 1:
                logger.add("API bad Response. File lost in queue, rescanning")
                check_one_file_on_virustotal([file])
                break
            try:
                ratio = round(
                    report['results']['positives'] /
                    report['results']['total'] * 100, 2)
                logger.add("Positives: {0} , Total {1}".format(
                    report['results']['positives'],
                    report['results']['total']))
                logger.add("Ratio is: {0}".format(ratio))

                if ratio < 85.0:
                    add_to_whitelist(original_path)
            except KeyError:
                pass
    return 0
Esempio n. 8
0
    def test_scan_file_binary(self):
        vt = PublicApi(API_KEY)

        try:
            print json.dumps(vt.scan_file('test.exe'),
                             sort_keys=False,
                             indent=4)
        except Exception as e:
            self.fail(e)
    def test_scan_file_stream_filename(self):
        vt = PublicApi(API_KEY)

        try:
            print(
                json.dumps(vt.scan_file(EICAR,
                                        from_disk=False,
                                        filename='my_eicar_file.txt'),
                           sort_keys=False,
                           indent=4))
        except Exception as e:
            self.fail(e)
Esempio n. 10
0
    def test_scan_file_binary_filename(self):
        vt = PublicApi(API_KEY)

        try:
            print(
                json.dumps(vt.scan_file(
                    'C:\\Users\\YES24\\Desktop\\자료정리\\분류전\\cmd.exe',
                    filename='othertest.exe'),
                           sort_keys=False,
                           indent=4))
        except Exception as e:
            self.fail(e)
Esempio n. 11
0
def scan(path):
    # Fill in your VirusTotal public api key
    api_key = ''
    if api_key != '':
        try:
            vt = PublicApi(api_key)
            res = vt.scan_file(path)

            if res["response_code"] == 200:
                print("Complete Requesting Scan", path)
            else:
                print("Error")
        except Exception as e:
            print("Error:", e)
    else:
        print("Need VirusTotal API Key")
Esempio n. 12
0
def is_dangerous(con, file_to_scan, extract_mail, email_id, file_name):
    try:
        virus_total_scanner = PublicApi(API_KEY)
        response = virus_total_scanner.scan_file(file_to_scan, from_disk=False)
        time.sleep(1)
        f_md5 = hashlib.md5(file_to_scan).hexdigest()
        response = virus_total_scanner.get_file_report(f_md5)
        if response['results']['positives'] > 0:
            delete_email(con, email_id)
            print(
                "\n---> System filtered-out an email from {}. Reason: dangerous attachment detected\n"
                .format(extract_mail))
            return True
    except Exception as e:
        print('Scan file Failed: {}'.format(e))

    download_attachment(file_name, file_to_scan)
    return False
Esempio n. 13
0
class VirusTotalEngine(BaseEngine):
    name = "VirusTotal"
    delay = 60 / 4  # 4 requests of any nature per minute

    def __init__(self):
        self.client = PublicApi(settings.VIRUSTOTAL_API_KEY)

    def send_scan(self, this_file, filename):
        resp = self.client.scan_file(this_file, from_disk=False, filename=filename)
        sleep(self.delay)
        return {
            "engine_id": resp["results"]["scan_id"],
            "engine_link": resp["results"]["permalink"],
            "status": Request.STATUS.queued,
        }

    def receive_result(self, engine_id):
        resp = self.client.get_file_report(engine_id)
        sleep(self.delay)
        results = resp["results"]
        if results["response_code"] not in [1, -2]:
            raise Exception(
                "Unknown response code of VirusTotal: {}".format(resp["response_code"])
            )
        if results["response_code"] == 1 and results["total"] < 10:
            raise Exception(
                "Low level of VirusTotal scanning: {}".format(resp["total"])
            )
        result = {
            "engine_id": results["resource"],
        }
        if results["response_code"] == -2:
            result["status"] = Request.STATUS.queued
        elif results["positives"] == 0:
            result["status"] = Request.STATUS.not_detected
            result["engine_report"] = results
            result["engine_link"] = results["permalink"]
        else:
            result["status"] = Request.STATUS.infected
            result["engine_report"] = results
            result["engine_link"] = results["permalink"]

        return result
Esempio n. 14
0
def submit2vt(filename):

	"""Submit a new file to VT for scanning"""

	# Check VT score
	vt = VirusTotalPublicApi(config['apiKey'])
	response = vt.scan_file(filename)

	# DEBUG
	fp = open('/tmp/vt.debug', 'a')
	fp.write(json.dumps(response, sort_keys=False, indent=4))
	fp.close()

	if config['esServer']:
		# Save results to Elasticsearch
		try:
			response['@timestamp'] = time.strftime("%Y-%m-%dT%H:%M:%S+01:00")
			res = es.index(index=config['esIndex'], doc_type="VTresult", body=json.dumps(response))
		except:
			writeLog("Cannot index to Elasticsearch")
	return
Esempio n. 15
0
            print(colored('[+]', 'green')+ item +': ', colored('Limpio', 'green'))
        else:
            print(colored('[+]', 'red')+ item +': ', colored('detectado', 'red'))

    
def menu():
    cprint('\n   ██    ██ ██ ██████  ██    ██ ███████     ███████  ██████  █████  ███    ██ ', 'green')
    cprint('   ██    ██ ██ ██   ██ ██    ██ ██          ██      ██      ██   ██ ████   ██ ', 'green')
    cprint('   ██    ██ ██ ██████  ██    ██ ███████     ███████ ██      ███████ ██ ██  ██ ', 'green')
    cprint('    ██  ██  ██ ██   ██ ██    ██      ██          ██ ██      ██   ██ ██  ██ ██ ', 'green')
    cprint('     ████   ██ ██   ██  ██████  ███████     ███████  ██████ ██   ██ ██   ████ ', 'green')
    
    cprint('\n                             [+]By devkernnel', 'red')
    cprint('                             [+]github: https://github.com/kenderperez', 'red')
    cprint('                             [+]VirusTotal', 'red')
    
API_KEY = "198bde2e7a2c6675b70a6bf02b1d3504d19d2e4df5ca9df329f10e502ac4ca80"
api = PublicApi(API_KEY)
menu()
nombre_archivo = str(input(colored('\n          [+]Ingrese el nombre del archivo que desea escanear!\n          archivo: ', 'cyan')))
    
responsefile = api.scan_file(nombre_archivo)

md5 = responsefile['results']['md5']

cprint('[+]Nuestros duendecitos estan trabajando en su archivo espere por favor a que obtengan un resultado...', 'magenta')

time.sleep(200)

consultarScan()
Esempio n. 16
0
def detailGET(request):
    if request.POST:
        search_term = request.POST['search']
        print(search_term)
        try:
            obj = File.objects.filter(SHA256=search_term).first()
            obj2 = Hash.objects.filter(SHA256=search_term).first()

            print(obj2.MD5)
            print(obj2.SHA256)
            """ AV Detection """
            vt = VirusTotalPublicApi('38afdb6f1267ae26374823c5e80d84fc977ed7b326b152d21fedd15ca29f36dc')

            """Check if file is in VT's cache"""

            response = vt.get_file_report(obj2.MD5)
            json_dump = json.dumps(response, sort_keys=False, indent=4)
            json_list = json.loads(json_dump)
            verbose_msg = ""
            for item_key, item_values in json_list.items():
                if 'results' in item_key:
                    print("Scanning... ")
                    verbose_msg = json_list['results']['verbose_msg']
            print(verbose_msg)

            if verbose_msg != "Scan finished, information embedded":
                print("Uploading file..")
                path = "/root/Desktop/OmegaVirus/OmegaVirusWeb/core/uploads/" + obj.name
                print(path)

                vt.scan_file(path)
                verbose_msg = ""
            """Scanning file"""

            time_check = 0
            while verbose_msg != "Scan finished, information embedded":
                """if verbose_msg == "Scan finished, information embedded":
                    break"""
                response = vt.get_file_report(obj2.MD5)
                json_dump = json.dumps(response, sort_keys=False, indent=4)
                json_list = json.loads(json_dump)
                for item_key, item_values in json_list.items():
                    if 'results' in item_key:
                        verbose_msg2 = verbose_msg
                        verbose_msg = json_list['results']['verbose_msg']
                        if verbose_msg != verbose_msg2:
                            if verbose_msg != "The requested resource is not among the finished, queued or pending scans":
                                print(verbose_msg)
                # time.sleep(8)
                if time_check >= 120:
                    print("Time limit surpassed")
                    sys.exit(0)
                if verbose_msg == "Your resource is queued for analysis":
                    """time_check += 8
                    print("Scanning... " + str(time_check) + " seconds elapsed..")"""

            print("outside while")
            response_code = json_list['response_code']
            scan_id = json_list['results']['scan_id']
            sha1 = json_list['results']['sha1']
            resource = json_list['results']['resource']
            scan_date = json_list['results']['scan_date']
            permalink = json_list['results']['permalink']
            sha256 = json_list['results']['sha256']
            positives = json_list['results']['positives']
            total = json_list['results']['total']
            md5 = json_list['results']['md5']

            # Liste AV -- Resultat
            liste_AV = [i for i in json_list["results"]["scans"]]
            liste_AV_result_html = [(str(i), str(json_list["results"]["scans"][i]["detected"])) for i in liste_AV]

            html = str()
            cptdetected = 0
            cptnodetected = 0
            for i, j in liste_AV_result_html:
                if j == "True":
                    html += '<tr><th scope="row"><b>' + i + '</b></th><td style="color:red;"><b>' + "Detected" + '</b></td></tr>'
                    cptdetected += 1
                if j == "False":
                    html += '<tr><th scope="row"><b>' + i + '</b></th><td style="color:green;"><b>' + "Not detected" + '</b></td></tr>'
                    cptnodetected += 1

            ###########
            # Liste Hash --- New Version
            liste_hash = [("MD5", obj2.MD5), ("SHA1", obj2.SHA1), ("SHA256", obj2.SHA256), ("SHA512", obj2.SHA512),
                          ("SSDEEP", obj2.SSDEEP), ("TLSH", obj2.TLSH)]
            html_hash = str()
            for i, j in liste_hash:
                html_hash += '<tr><th scope="row" style="color:red;"><b>' + i + '</b></th><td style="color:blue;"><b>' + j + '</b></td></tr>'
            ##############################

            ## Yara ##
            html_yara = str()
            yara_matched = (("yararule1", "posay", "30"), ("yararule2", "posay", "80"), ("yararule2", "posay", "30"),
                            ("yararule3", "posay", "80"))
            for nom_regle, j, k in yara_matched:
                html_yara += '<tr><th scope="row" style="color:red;"><b>' + nom_regle + '</b></th></tr>'

            ################# Json #############
            with open("/root/Desktop/OmegaVirus/scripts/report.json") as json_cuckoo:
                data_cuckoo = json.load(json_cuckoo)
            cuckoo_score = float(data_cuckoo["info"]["score"])
            html_cuckoo = str()
            for i in data_cuckoo["info"]:
                dico = data_cuckoo["info"][i]
                if i != "score":
                    html_cuckoo += '<tr><th scope="row">' + str(i) + '</th><td>' + str(dico) + '</td></tr>'

            ###############################################################
            html_notation = str()
            av_notation = str(cptdetected) + "/" + str(cptdetected + cptnodetected)
            av_notation_pourcent = str(int((int(cptdetected) / int(cptdetected + cptnodetected)) * 100))

            detection = (str(int((positives * 100 / total))))
            obj.detection = str(int((positives * 100 / total)))
            File.objects.filter(name=obj.name).update(detection=detection)
            obj.refresh_from_db()

            if int(float(av_notation_pourcent)) > 80:
                progress_bar_color = "success"
            elif int(float(av_notation_pourcent)) > 40:
                progress_bar_color = "primary"
            else:
                progress_bar_color = "danger"

            cuckoo_note = str(float(cuckoo_score))
            cuckoo_note_pourcent = str(int((float(cuckoo_score) / 10) * 100))

            if int(float(cuckoo_note_pourcent)) > 80:
                progress_bar_color1 = "success"
            elif int(float(cuckoo_note_pourcent)) > 40:
                progress_bar_color1 = "primary"
            else:
                progress_bar_color1 = "danger"

            html_notation += '<tr><th scope="row">Antivirus Detection</th><td>' + av_notation + '</td><td><div class="d-flex align-items-center"><span class="mr-2">' + av_notation_pourcent + '%</span><div><div class="progress"><div class="progress-bar bg-gradient-' + progress_bar_color + '" role="progressbar" aria-valuenow="60" aria-valuemin="0" aria-valuemax="100" style="width: ' + av_notation_pourcent + '%;"></div></div></div></div></td></tr>'
            html_notation += '<tr><th scope="row">Cuckoo Detection</th><td>' + cuckoo_note + '/10</td><td><div class="d-flex align-items-center"><span class="mr-2">' + cuckoo_note_pourcent + '%</span><div><div class="progress"><div class="progress-bar bg-gradient-' + progress_bar_color1 + '" role="progressbar" aria-valuenow="60" aria-valuemin="0" aria-valuemax="100" style="width: ' + cuckoo_note_pourcent + '%;"></div></div></div></div></td></tr>'

            print(response_code)
            print(scan_id)
            print(sha1)
            print(resource)
            print(scan_date)
            print(permalink)
            print(verbose_msg)
            print(sha256)
            print(positives)
            print(total)
            print(md5)
            print("Scan time taken: " + str(time_check) + " seconds.")

            context = {
                "name": obj.name,
                "id": obj.id,
                "SHA256": obj.SHA256,
                "filepath": obj.filepath,
                "size": obj.size,
                "date": obj.date,
                "MD5": obj2.MD5,
                "SHA1": obj2.SHA1,
                "SHA512": obj2.SHA512,
                "SSDEEP": obj2.SSDEEP,
                "TLSH": obj2.TLSH,
                "total": total,
                "positives": positives,
                "html": mark_safe(html),
                "html_hash": mark_safe(html_hash),
                "html_yara": mark_safe(html_yara),
                "cuckoo_score": cuckoo_score,
                "cuckoo_info": mark_safe(html_cuckoo),
                "html_notation": mark_safe(html_notation)
            }
            URLS = []
            URLS = urls()
            print("Found " + str(len(URLS)) + " URLs in this file.")
            signatures = []
            signatures = Signatures()
            cuckoo_info = str()
            cuckoo_info += "<tr><td><b>Found " + str(len(URLS)) + " URLs in this file.</b></td></tr>"
            for x in URLS:
                cuckoo_info += '<tr><td>' + x + '</td></tr>'

            for y in signatures:
                cuckoo_info += '<tr><td>' + y + '</td></tr>'

            context2 = {
                "cuckoo_information": mark_safe(cuckoo_info)
            }
            context.update(context2)

            if positives == 0:
                safety = "OmegaVirus flagged this file as safe"
                context2 = {
                    "safety": safety
                }
                context.update(context2)
            else:
                safety = str(positives) + " OmegaVirus flagged this file as malicious"
                context2 = {
                    "safetyPos": safety
                }
                context.update(context2)
            return render(request, "index.html", context)
        except ObjectDoesNotExist:
            return render(request, "index.html")
Esempio n. 17
0
class VirusTotalAnalyzer(Analyzer):

    def __init__(self):
        Analyzer.__init__(self)
        self.service = self.get_param('config.service', None, 'Service parameter is missing')
        self.virustotal_key = self.get_param('config.key', None, 'Missing VirusTotal API key')
        self.polling_interval = self.get_param('config.polling_interval', 60)
        self.proxies = self.get_param('config.proxy', None)
        self.vt = VirusTotalPublicApi(self.virustotal_key, self.proxies)

    def wait_file_report(self, id):
        results = self.check_response(self.vt.get_file_report(id))
        code = results.get('response_code', None)
        if code == 1:
            self.report(results)
        else:
            time.sleep(self.polling_interval)
            self.wait_file_report(id)

    def wait_url_report(self, id):
        results = self.check_response(self.vt.get_url_report(id))
        code = results.get('response_code', None)
        if code == 1 and (results.get('scan_id') == id):
            self.report(results)
        else:
            time.sleep(self.polling_interval)
            self.wait_url_report(id)

    def check_response(self, response):
        if type(response) is not dict:
            self.error('Bad response : ' + str(response))
        status = response.get('response_code', -1)
        if status == 204:
            self.error('VirusTotal api rate limit exceeded (Status 204).')
        if status != 200:
            self.error('Bad status : ' + str(status))
        results = response.get('results', {})
        if 'Missing IP address' in results.get('verbose_msg', ''):
            results['verbose_msg'] = 'IP address not available in VirusTotal'
        return results

        # 0 => not found
        # -2 => in queue
        # 1 => ready

    def read_scan_response(self, response, func):
        results = self.check_response(response)
        code = results.get('response_code', None)
        scan_id = results.get('scan_id', None)
        if code == 1 and scan_id is not None:
            func(scan_id)
        else:
            self.error('Scan not found')

    def summary(self, raw):
        taxonomies = []
        level = "info"
        namespace = "VT"
        predicate = "GetReport"
        value = "0"

        if self.service == "scan":
            predicate = "Scan"

        result = {
            "has_result": True
        }

        if raw["response_code"] != 1:
            result["has_result"] = False

        result["positives"] = raw.get("positives", 0)
        result["total"] = raw.get("total", 0)

        if "scan_date" in raw:
            result["scan_date"] = raw["scan_date"]

        if self.service == "get":
            if "scans" in raw:
                result["scans"] = len(raw["scans"])
                value = "{}/{}".format(result["positives"], result["total"])
                if result["positives"] == 0:
                    level = "safe"
                elif result["positives"] < 5:
                    level = "suspicious"
                else:
                    level = "malicious"

            if "resolutions" in raw:
                result["resolutions"] = len(raw["resolutions"])
                value = "{} resolution(s)".format(result["resolutions"])
                if result["resolutions"] == 0:
                    level = "safe"
                elif result["resolutions"] < 5:
                    level = "suspicious"
                else:
                    level = "malicious"
            if "detected_urls" in raw:
                result["detected_urls"] = len(raw["detected_urls"])
                value = "{} detected_url(s)".format(result["detected_urls"])
                if result["detected_urls"] == 0:
                    level = "safe"
                elif result["detected_urls"] < 5:
                    level = "suspicious"
                else:
                    level = "malicious"

            if "detected_downloaded_samples" in raw:
                result["detected_downloaded_samples"] = len(
                    raw["detected_downloaded_samples"])

        if self.service == "scan":
            if "scans" in raw:
                result["scans"] = len(raw["scans"])
                value = "{}/{}".format(result["positives"], result["total"])
                if result["positives"] == 0:
                    level = "safe"
                elif result["positives"] < 5:
                    level = "suspicious"
                else:
                    level = "malicious"

        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        return {"taxonomies": taxonomies}

    def run(self):
        if self.service == 'scan':
            if self.data_type == 'file':
                filename = self.get_param('filename', 'noname.ext')
                filepath = self.get_param('file', None, 'File is missing')
                self.read_scan_response(
                    self.vt.scan_file(filepath, from_disk=True, filename=filename),
                    self.wait_file_report
                )
            elif self.data_type == 'url':
                data = self.get_param('data', None, 'Data is missing')
                self.read_scan_response(
                    self.vt.scan_url(data), self.wait_url_report)
            else:
                self.error('Invalid data type')
        elif self.service == 'get':
            if self.data_type == 'domain':
                data = self.get_param('data', None, 'Data is missing')
                self.report(self.check_response(
                    self.vt.get_domain_report(data)))
            elif self.data_type == 'fqdn':
                data = self.get_param('data', None, 'Data is missing')
                self.report(self.check_response(
                    self.vt.get_domain_report(data)))
            elif self.data_type == 'ip':
                data = self.get_param('data', None, 'Data is missing')
                self.report(self.check_response(self.vt.get_ip_report(data)))
            elif self.data_type == 'file':
                hashes = self.get_param('attachment.hashes', None)
                if hashes is None:
                    filepath = self.get_param('file', None, 'File is missing')
                    hash = hashlib.sha256(open(filepath, 'rb').read()).hexdigest()
                else:
                    # find SHA256 hash
                    hash = next(h for h in hashes if len(h) == 64)

                self.report(self.check_response(self.vt.get_file_report(hash)))
            elif self.data_type == 'hash':
                data = self.get_param('data', None, 'Data is missing')
                self.report(self.check_response(self.vt.get_file_report(data)))
            elif self.data_type == 'url':
                data = self.get_param('data', None, 'Data is missing')
                self.report(self.check_response(self.vt.get_url_report(data)))
            else:
                self.error('Invalid data type')
        else:
            self.error('Invalid service')
Esempio n. 18
0
	pass
	
shutil.copy( 'install\\CrossMgrVideo_Setup.exe', 'install\\' + newExeName )
six.print_( 'executable copied to: ' + newExeName )

# Create comprssed executable.
os.chdir( 'install' )
newExeName = os.path.basename( newExeName )
newZipName = newExeName.replace( '.exe', '.zip' )

try:
	os.remove( newZipName )
except:
	pass

z = zipfile.ZipFile(newZipName, "w")
z.write( newExeName )
z.close()
six.print_( 'executable compressed.' )

shutil.copy( newZipName, googleDrive )

from virus_total_apis import PublicApi as VirusTotalPublicApi
API_KEY = '64b7960464d4dbeed26ffa51cb2d3d2588cb95b1ab52fafd82fb8a5820b44779'
vt = VirusTotalPublicApi(API_KEY)
print ( 'VirusTotal Scan' )
vt.scan_file( os.path.abspath(newExeName) )



Esempio n. 19
0
    pass

shutil.copy(os.path.join('install', 'CrossMgrAlien_Setup.exe'),
            os.path.join('install', newExeName))
print('executable copied to: ' + newExeName)

# Create compressed executable.
os.chdir('install')
newExeName = os.path.basename(newExeName)
newZipName = newExeName.replace('.exe', '.zip')

try:
    os.remove(newZipName)
except:
    pass

z = zipfile.ZipFile(newZipName, "w")
z.write(newExeName)
z.close()
print('executable compressed.')

shutil.copy(newZipName, googleDrive)
#shutil.copy( '../CrossMgrAlienReadme.pdf', googleDrive  )

from virus_total_apis import PublicApi as VirusTotalPublicApi

API_KEY = '64b7960464d4dbeed26ffa51cb2d3d2588cb95b1ab52fafd82fb8a5820b44779'
vt = VirusTotalPublicApi(API_KEY)
print('VirusTotal Scan')
vt.scan_file(os.path.abspath(newExeName))
Esempio n. 20
0
class App(Daemon):
    def __init__(self, config, log):
        if not isfile(realpath(expanduser(config))):
            print('Run \'sh configure.sh\' first!')
            exit()
        else:
            with open(realpath(expanduser(config)), 'r') as handler:
                self.host = handler.readline().strip('\n')
                self.port = int(handler.readline().strip('\n'))
                self.username = handler.readline().strip('\n')
                self.password = handler.readline().strip('\n')
                self.from_ = handler.readline().strip('\n')
                self.to = handler.readline().strip('\n')
                self.vt = PublicApi(handler.readline().strip('\n'))
                self.dlfolder = realpath(expanduser(handler.readline().strip('\n')))
                self.stfolder = realpath(expanduser(handler.readline().strip('\n')))
                handler.close()

        Daemon.__init__(self, join(self.stfolder, "pidfile"))
        logging.basicConfig(filename=realpath(expanduser(log)), 
                            format='%(asctime)s %(message)s', 
                            datefmt='%m/%d/%Y %I:%M:%S %p',
                            level=logging.INFO)

    def run(self):
        # Touch known_hashes
        if not isdir(self.stfolder):
            makedirs(self.stfolder)
        open(join(self.stfolder, "known_hashes"), "a").close()
        # Read out known_hashes
        hash_handler = open(join(self.stfolder, "known_hashes"), "r+")
        hashlist = hash_handler.read().split("\n")
        hashlist = {i[:64]:i[67:] for i in hashlist}

        while True:
            dlcontent = listdir(self.dlfolder)

            # Rescan all 60 seconds for new files
            if not dlcontent:
                sleep(60)
                continue

            today = date.today()
            year = today.year
            month = today.month
            day = today.day
            datestring = str(year)+"-"+str(month)+"-"+str(day)

            for i in dlcontent:
                # Check if download of file hash finished
                size = stat(join(self.dlfolder, i)).st_size
                sleep(1)
                if stat(join(self.dlfolder, i)).st_size != size:
                    continue

                with open(join(self.dlfolder, i), "rb") as h:
                    # Hash file in dl folder and look if it's known
                    hashit = sha256()
                    hashit.update(h.read())

                    if hashit.hexdigest() in hashlist.keys():
                        # Just remove already known files
                        logging.info("Found already known file "+hashlist[hashit.hexdigest()])
                        remove(join(self.dlfolder, i))
                    else:
                        # Save and scan unknown files and remember the hash
                        hashdigest = hashit.hexdigest()
                        hashlist[hashdigest] = join(datestring, i)
                        hash_handler.write(hashdigest+" > "+join(datestring, i)+"\n")
                        hash_handler.flush()

                        if not isdir(join(self.stfolder, datestring)):
                            makedirs(join(self.stfolder, datestring))

                        move(join(self.dlfolder, i), join(self.stfolder, datestring, i))

                        response = self.scan(hashdigest, join(self.stfolder, datestring, i), today)

                        if not isdir(join(self.stfolder, "reports", datestring)):
                            makedirs(join(self.stfolder, "reports", datestring))

                        open(join(self.stfolder, "reports", datestring, i), "a").close()
                        with open(join(self.stfolder, "reports", datestring, i), "r+") as report:
                            report.write(dumps(response, sort_keys=False, indent=4))
                            report.flush()
                        
    def scan(self, hashdigest, filepath, today):
        scan_flag = True
        while True:
            # First look if file is known to VirusTotal
            response = self.vt.get_file_report(hashdigest)
            if response["response_code"] == 204:
                logging.info("Submission limit reached. I'll sleep for 60 seconds")
                sleep(60)
            elif response["results"]["response_code"] == 1:
                # Rescan needed?
                #scan_date = datetime.strptime(response["results"]["scan_date"][:10],
                                              #"%Y-%m-%d")
                #if abs((today-scan_date).days) >= 30:
                    #self.vt.rescan_file(hashdigest)
                    #continue

                # Send report for unknown file
                msg = """From: %s
To: %s
Subject: Virustotal report

%s""" % (self.from_, self.to, dumps(response, sort_keys=False, indent=4))

                self.send(msg)
                logging.info("Sent report for "+filepath)
                return response
            else:
                # Submit the unknown file
                if scan_flag:
                    # Workaround for download bug
                    # Another test for unfinished downloads
                    # Sadly as the file is already moved
                    # the file is lost for analysis :(
                    with open(filepath, "rb") as h:
                        hashit = sha256()
                        hashit.update(h.read())
                        if hashit.hexdigest() != hashdigest:
                            logging.info("File for submission has another hash as in download folder!")
                            logging.info("Filepath is %s" % (filepath))
                            break

                    response = self.vt.scan_file(filepath)
                    msg = """From: %s
To: %s
Subject: Virustotal submit

Submitted unknown file %s with hash %s for scan.

%s""" % (self.from_, self.to, filepath, hashdigest, dumps(response, sort_keys=False, indent=4))

                    self.send(msg)
                    logging.info("Submitted unknown file "+filepath+" with hash "+hashdigest+" for scan")
                    logging.info("I will sleep know for 60 seconds and try to receive the result after that")
                    sleep(60)
                    scan_flag = False
                else:
                    logging.info("Scan seems not finished. Will sleep for another 30 seconds")
                    sleep(30)

    def send(self, msg):
        smtp = smtplib.SMTP(self.host, self.port)
        smtp.starttls()
        smtp.login(self.username, self.password)
        smtp.sendmail(self.from_, self.to, msg)
Esempio n. 21
0
        f = open(sample_file, "rb")
        sample_file_content = f.read()
        f.close()
        sample_file_md5 = hashlib.md5(sample_file_content).hexdigest()

        if collection.find({'results.md5':sample_file_md5}).count() == 0:
                vt_response =  vt.get_file_report(sample_file_md5)
                if vt_response['response_code'] == 200 and vt_response['results']['response_code'] == 1:
                        collection.insert(vt_response)
                        print "Sample " + sample_file_md5 + " added to database"
                        print
                elif vt_response['response_code'] == 204:
                		print "Hit API Limit; cooling off for 15 seconds"
                                print "The standard VirusTotal API Key allows 4 requests per minute"
                                file_list.append(sample_file)
                		sleep(15)
                		print
                else:
                        print 'Sample not found; submitting to VirusTotal'
                        vt_response = vt.scan_file(sample_file)
                        if vt_response['response_code'] == 200 and vt_response['results']['response_code'] == 1:
                                print "Sample submiited successfully; checking back later"
                                file_list.insert(0,sample_file)
                                print
                        else:
                                print "Sample submit failed; try again later"
                                print
        else:
                print "Sample " + sample_file_md5 + " already exists in database"
                print
    def _virustotal_function(self, event, *args, **kwargs):
        """Function: perform different scans on the following types:
            ip addresses
            hash - this will attempt to find an existing file report on the hash
            domain
            url - this will attempt to find an existing file report on the url. If none exist, a new scan is queued
            file - this will start a new scan for the file and queue for a report later.
        """
        try:
            validateFields(('incident_id', 'vt_type'), kwargs)  # required

            # Init RequestsCommon with app.config options
            rc = RequestsCommon(opts=self.opts, function_opts=self.options)

            # Create a VirusTotal instance with the API Token and any proxies gathered by RequestsCommon
            vt = VirusTotal(self.options['api_token'], rc.get_proxies())

            # Get the function parameters:
            incident_id = kwargs.get("incident_id")  # number
            artifact_id = kwargs.get("artifact_id")  # number
            attachment_id = kwargs.get("attachment_id")  # number
            vt_type = kwargs.get("vt_type")  # text
            vt_data = kwargs.get("vt_data")  # text

            self.log = logging.getLogger(__name__)
            self.log.info("incident_id: %s", incident_id)
            self.log.info("artifact_id: %s", artifact_id)
            self.log.info("attachment_id: %s", attachment_id)
            self.log.info("vt_type: %s", vt_type)
            self.log.info("vt_data: %s", vt_data)

            yield StatusMessage("starting...")

            # determine next steps based on the API call to make
            if vt_type.lower() == 'file':
                entity = get_input_entity(get_resilient_client(self.resilient),
                                          incident_id, attachment_id,
                                          artifact_id)
                # Create a temporary file to write the binary data to.
                with tempfile.NamedTemporaryFile(
                        'w+b', delete=False) as temp_file_binary:
                    # Write binary data to a temporary file. Make sure to close the file here...this
                    # code must work on Windows and on Windows the file cannot be opened a second time
                    # While open.  Floss will open the file again to read the data, so close before
                    # calling Floss.
                    temp_file_binary.write(entity["data"])
                    temp_file_binary.close()
                    try:
                        response = vt.scan_file(temp_file_binary.name,
                                                filename=entity["name"])
                    except Exception as err:
                        raise err
                    finally:
                        os.unlink(temp_file_binary.name)

                file_result = self.return_response(response,
                                                   vt.get_file_report,
                                                   time.time())

                ## was a sha-256 returned? try an existing report first
                if file_result.get("sha256"):
                    response = vt.get_file_report(file_result.get("sha256"))
                    report_result = self.return_response(
                        response, None, time.time())

                    if report_result.get(
                            "response_code") and report_result.get(
                                "response_code") == 1:
                        result = report_result
                    else:
                        result = file_result

            elif vt_type.lower() == 'url':
                # attempt to see if a report already exists
                response = vt.get_url_report(vt_data)
                result = self.return_response(response, None, time.time())

                # check if result is not found, meaning no report exists
                if result['response_code'] == RC_NOT_FOUND:
                    response = vt.scan_url(vt_data)
                    result = self.return_response(response, vt.get_url_report,
                                                  time.time())

            elif vt_type.lower() == 'ip':
                response = vt.get_ip_report(vt_data)
                result = self.return_response(response, None, time.time())

            elif vt_type.lower() == 'domain':
                response = vt.get_domain_report(vt_data)
                result = self.return_response(response, None, time.time())

            elif vt_type.lower() == 'hash':
                response = vt.get_file_report(vt_data)
                result = self.return_response(response, None, time.time())

            else:
                raise ValueError(
                    "Unknown type field: {}. Check workflow pre-processor script."
                    .format(vt_type))

            results = {"scan": result}

            self.log.debug("scan: {}".format(results))

            # Produce a FunctionResult with the results
            yield FunctionResult(results)
        except Exception:
            yield FunctionError()
Esempio n. 23
0
    def module_run(self, params):
        key = self.get_key("virus_total_api")

        if key == "":
            self.error("No key defined for virus_total_api")
            return

        self.output("Got key: %s" % key)

        api = Api(key)

        for i in params:
            location, product_name, version = i

            self.output("Scanning: %s" % location)
            if not os.path.exists(location):
                self.error("%s does not exist")
                continue

            size = os.path.getsize(location)
            if (size / (1024 * 1024.0)) > 32:
                self.error(
                    "%s is larger than 32Mb..cannot submit to virus total" %
                    location)
                continue

            is_local = not "://" in location

            response = api.scan_file(location, from_disk=is_local)
            result_code = response["response_code"]
            scan_id = response["results"]["scan_id"]

            self.output("Got response code: %s, scan_id: %s" %
                        (result_code, scan_id))

            if result_code == 200:
                tries = self.options['retries']

                while tries > 1:
                    self.output("Sleeping %ss to wait for response" %
                                self.options['sleep_time'])
                    time.sleep(self.options['sleep_time'])

                    response = api.get_file_report(scan_id)

                    if response["response_code"] == 204:
                        self.output(
                            "Exeeded api request limit sleeping an extra %ss" %
                            self.options['extra_sleep_time'])
                        time.sleep(self.options['extra_sleep_time'])
                        continue

                    if not "scans" in response["results"]:
                        tries -= 1
                        continue

                    detected = [
                        s for s in response["results"]["scans"]
                        if response["results"]["scans"][s]["detected"] == True
                    ]
                    total_scans = response["results"]["total"]
                    found = response["results"]["positives"]
                    scans = response["results"]["scans"]

                    for d in detected:
                        self.add_virus(product_name, version, d,
                                       scans[d]["version"], scans[d]["update"],
                                       scans[d]["result"])

                    self.output("%s/%s scanners detected viruses" %
                                (found, total_scans))
                    break
Esempio n. 24
0
    '38afdb6f1267ae26374823c5e80d84fc977ed7b326b152d21fedd15ca29f36dc')
"""Check if file is in VT's cache"""

response = vt.get_file_report(file_md5)
json_dump = json.dumps(response, sort_keys=False, indent=4)
json_list = json.loads(json_dump)
verbose_msg = ""
for item_key, item_values in json_list.items():
    if 'results' in item_key:
        print("Scanning... ")
        verbose_msg = json_list['results']['verbose_msg']
print(verbose_msg)

if verbose_msg != "Scan finished, information embedded":
    print("Uploading file..")
    vt.scan_file(filename)
    """while verbose_msg == "The requested resource is not among the finished, queued or pending scans":
        vt.scan_file(filename)
        response = vt.get_file_report(file_md5)
        json_dump = json.dumps(response, sort_keys=False, indent=4)
        json_list = json.loads(json_dump)
        verbose_msg = ""
        for item_key, item_values in json_list.items():
            if 'results' in item_key:
                verbose_msg = json_list['results']['verbose_msg']
                print(verbose_msg)"""
if verbose_msg != "Scan finished, information embedded":
    verbose_msg = ""
"""Scanning file"""

time_check = 0
Esempio n. 25
0
class VirusTotalAnalyzer(Analyzer):
    def __init__(self):
        Analyzer.__init__(self)
        self.service = self.get_param("config.service", None,
                                      "Service parameter is missing")
        self.virustotal_key = self.get_param("config.key", None,
                                             "Missing VirusTotal API key")
        self.polling_interval = self.get_param("config.polling_interval", 60)
        self.rescan_hash_older_than_days = self.get_param(
            "config.rescan_hash_older_than_days", None)
        self.highlighted_antivirus = self.get_param(
            "config.highlighted_antivirus", None)
        self.download_sample = self.get_param("config.download_sample", False)
        self.download_sample_if_highlighted = self.get_param(
            "config.download_sample_if_highlighted", False)
        self.obs_path = None
        self.proxies = self.get_param("config.proxy", None)
        if (self.download_sample or self.download_sample_if_highlighted
                or self.service == "download"):
            self.vt_pay = PrivateApi(self.virustotal_key, self.proxies)
        self.vt = PublicApi(self.virustotal_key, self.proxies)

    def get_file(self, hash):
        self.obs_path = "{}/{}".format(tempfile.gettempdir(), hash)
        response = self.vt_pay.get_file(hash)
        if response.get("response_code", None) == 200:
            with open(self.obs_path, "wb") as f:
                f.write(response["results"])
            kind = filetype.guess(self.obs_path)
            if kind and kind.extension != None:
                os.rename(self.obs_path,
                          "{}.{}".format(self.obs_path, kind.extension))
                self.obs_path = "{}.{}".format(self.obs_path, kind.extension)

    def wait_file_report(self, id):
        results = self.check_response(self.vt.get_file_report(id))
        code = results.get("response_code", None)
        if code == 1:
            if self.data_type == "hash" and (
                    self.download_sample or
                (self.download_sample_if_highlighted
                 and self.highlighted_antivirus and any([
                     results.get("scans", {}).get(av, {}).get(
                         "detected", None) == False
                     for av in self.highlighted_antivirus
                 ]))):
                self.get_file(self.get_param("data", None, "Data is missing"))
            self.report(results)
        else:
            time.sleep(self.polling_interval)
            self.wait_file_report(id)

    def wait_url_report(self, id):
        results = self.check_response(self.vt.get_url_report(id))
        code = results.get("response_code", None)
        if code == 1 and (results.get("scan_id") == id):
            self.report(results)
        else:
            time.sleep(self.polling_interval)
            self.wait_url_report(id)

    def check_response(self, response):
        if type(response) is not dict:
            self.error("Bad response : " + str(response))
        status = response.get("response_code", -1)
        if status == 204:
            self.error("VirusTotal api rate limit exceeded (Status 204).")
        if status != 200:
            self.error("Bad status : " + str(status))
        results = response.get("results", {})
        if "Missing IP address" in results.get("verbose_msg", ""):
            results["verbose_msg"] = "IP address not available in VirusTotal"
        return results

        # 0 => not found
        # -2 => in queue
        # 1 => ready

    def read_scan_response(self, response, func):
        results = self.check_response(response)
        code = results.get("response_code", None)
        scan_id = results.get("scan_id", None)
        if code == 1 and scan_id is not None:
            func(scan_id)
        else:
            self.error("Scan not found")

    def artifacts(self, raw):
        artifacts = []
        if self.obs_path:
            tags = []
            # This will work only in scan/rescan workflow, not in download only
            if self.highlighted_antivirus:
                for av in self.highlighted_antivirus:
                    detected = raw.get("scans",
                                       {}).get(av, {}).get("detected", None)
                    if detected == False:
                        tags.append("to_{}".format(av))
            artifacts.append(
                self.build_artifact("file", self.obs_path, tags=tags))
        return artifacts

    def summary(self, raw):
        taxonomies = []
        level = "info"
        namespace = "VT"
        predicate = "GetReport"
        value = "0"

        if self.service == "scan":
            predicate = "Scan"
        elif self.service == "rescan":
            predicate = "Rescan"
        elif self.service == "download":
            return {"taxonomies": taxonomies}

        result = {"has_result": True}

        if raw["response_code"] != 1:
            result["has_result"] = False

        result["positives"] = raw.get("positives", 0)
        result["total"] = raw.get("total", 0)

        if "scan_date" in raw:
            result["scan_date"] = raw["scan_date"]

        if self.service == "get":
            if "scans" in raw:
                result["scans"] = len(raw["scans"])
                value = "{}/{}".format(result["positives"], result["total"])
                if result["positives"] == 0:
                    level = "safe"
                elif result["positives"] < 5:
                    level = "suspicious"
                else:
                    level = "malicious"

            if "resolutions" in raw:
                result["resolutions"] = len(raw["resolutions"])
                value = "{} resolution(s)".format(result["resolutions"])
                if result["resolutions"] == 0:
                    level = "safe"
                elif result["resolutions"] < 5:
                    level = "suspicious"
                else:
                    level = "malicious"

            if "detected_urls" in raw:
                result["detected_urls"] = len(raw["detected_urls"])
                value = "{} detected_url(s)".format(result["detected_urls"])
                if result["detected_urls"] == 0:
                    level = "safe"
                elif result["detected_urls"] < 5:
                    level = "suspicious"
                else:
                    level = "malicious"

            if "detected_downloaded_samples" in raw:
                result["detected_downloaded_samples"] = len(
                    raw["detected_downloaded_samples"])

        if self.service in ["scan", "rescan"]:
            if "scans" in raw:
                result["scans"] = len(raw["scans"])
                value = "{}/{}".format(result["positives"], result["total"])
                if result["positives"] == 0:
                    level = "safe"
                elif result["positives"] < 5:
                    level = "suspicious"
                else:
                    level = "malicious"

        taxonomies.append(
            self.build_taxonomy(level, namespace, predicate, value))

        if self.highlighted_antivirus:
            for av in self.highlighted_antivirus:
                detected = raw.get("scans", {}).get(av,
                                                    {}).get("detected", None)
                if detected == False:
                    taxonomies.append(
                        self.build_taxonomy("info", namespace, av,
                                            "Not detected!"))

        return {"taxonomies": taxonomies}

    def run(self):
        if self.service == "scan":
            if self.data_type == "file":
                filename = self.get_param("filename", "noname.ext")
                filepath = self.get_param("file", None, "File is missing")
                self.read_scan_response(
                    self.vt.scan_file(filepath,
                                      from_disk=True,
                                      filename=filename),
                    self.wait_file_report,
                )
            elif self.data_type == "url":
                data = self.get_param("data", None, "Data is missing")
                self.read_scan_response(self.vt.scan_url(data),
                                        self.wait_url_report)
            else:
                self.error("Invalid data type")

        elif self.service == "rescan":
            if self.data_type == "hash":
                data = self.get_param("data", None, "Data is missing")
                self.read_scan_response(self.vt.rescan_file(data),
                                        self.wait_file_report)
            else:
                self.error("Invalid data type")

        elif self.service == "download":
            if self.data_type == "hash":
                data = self.get_param("data", None, "Data is missing")
                self.get_file(data)
                self.report({"message": "file downloaded"})

        elif self.service == "get":
            if self.data_type == "domain":
                data = self.get_param("data", None, "Data is missing")
                results = self.check_response(self.vt.get_domain_report(data))

            elif self.data_type == "fqdn":
                data = self.get_param("data", None, "Data is missing")
                results = self.check_response(self.vt.get_domain_report(data))

            elif self.data_type == "ip":
                data = self.get_param("data", None, "Data is missing")
                results = self.check_response(self.vt.get_ip_report(data))

            elif self.data_type == "file":
                hashes = self.get_param("attachment.hashes", None)
                if hashes is None:
                    filepath = self.get_param("file", None, "File is missing")
                    hash = hashlib.sha256(open(filepath,
                                               "rb").read()).hexdigest()
                else:
                    hash = next(h for h in hashes if len(h) == 64)
                results = self.check_response(self.vt.get_file_report(hash))

            elif self.data_type == "hash":
                data = self.get_param("data", None, "Data is missing")
                results = self.check_response(self.vt.get_file_report(data))

            elif self.data_type == "url":
                data = self.get_param("data", None, "Data is missing")
                results = self.check_response(self.vt.get_url_report(data))
            else:
                self.error("Invalid data type")

            # if aged and enabled rescan
            if self.data_type == "hash" and self.rescan_hash_older_than_days:
                if (datetime.strptime(results["scan_date"],
                                      "%Y-%m-%d %H:%M:%S") - datetime.now()
                    ).days > self.rescan_hash_older_than_days:
                    self.read_scan_response(self.vt.rescan_file(data),
                                            self.wait_file_report)

            # download if hash, dangerous and not seen by av
            if (self.data_type == "hash"
                    and (results.get("response_code", None) == 1)
                    and (results.get("positives", 0) >= 5)
                    and (self.download_sample or
                         (self.download_sample_if_highlighted
                          and self.highlighted_antivirus and any([
                              results.get("scans", {}).get(av, {}).get(
                                  "detected", None) == False
                              for av in self.highlighted_antivirus
                          ])))):
                self.get_file(data)
            self.report(results)

        else:
            self.error("Invalid service")
Esempio n. 26
0
    from virus_total_apis import PublicApi as VirusTotalPublicApi
except:
    print(
        '**** virus_total_apis module not found.  Do "pip install virustotal-api"'
    )
    raise

API_KEY = '64b7960464d4dbeed26ffa51cb2d3d2588cb95b1ab52fafd82fb8a5820b44779'
vt = VirusTotalPublicApi(API_KEY)

parser = argparse.ArgumentParser(
    description='Submit executabes to virustotal.')
parser.add_argument('executables',
                    type=str,
                    nargs='+',
                    help='executable files')
parser.add_argument("-v",
                    "--verbose",
                    action="store_true",
                    help="verbose output")

args = parser.parse_args()
for exe in args.executables:
    if args.verbose:
        print('submitting "{}" to virustotal...'.format(exe))
    if not os.path.exists(exe):
        raise ValueError('File not found: "{}"'.format(exe))
    vt.scan_file(exe)

sys.exit(0)
Esempio n. 27
0
    def run(self):
        db = Database()

        if 'file_id' in self.request.POST:
            # Get file object from DB
            file_id = self.request.POST['file_id']
            file_object = db.get_filebyid(file_id)
            sha256 = file_object.sha256


            print self.config['virustotal']['api_key'], type(self.config['virustotal']['api_key'])
            if self.config['virustotal']['api_key'] == 'None':
                state = 'error'
                vt_results = 'No API Key set in volutility.conf'
            else:
                # Init the API with key from config
                vt = PublicApi(self.config['virustotal']['api_key'])

                # If we upload
                if 'upload' in self.request.POST:
                    response = vt.scan_file(file_object.read(), filename=file_object.filename, from_disk=False)
                    if response['results']['response_code'] == 1 and 'Scan request successfully queued' in response['results']['verbose_msg']:
                        print "File Uploaded and pending"
                        state = 'pending'
                    else:
                        print response
                        state = 'error'
                    vt_results = None

                # Else just get the results
                else:

                    # get results from VT
                    response = vt.get_file_report(sha256)

                    vt_results = {}

                    # Valid response
                    if response['response_code'] == 200:
                        print "Valid Response from server"

                    #  Not present in data set prompt to uploads
                    if response['results']['response_code'] == 0:
                        state = 'missing'


                    # Still Pending
                    elif response['results']['response_code'] == -2:
                        # Still Pending
                        state = 'pending'

                    # Results availiable
                    elif response['results']['response_code'] == 1:
                        vt_results['permalink'] = response['results']['permalink']
                        vt_results['total'] = response['results']['total']
                        vt_results['positives'] = response['results']['positives']
                        vt_results['scandate'] = response['results']['scan_date']
                        vt_results['scans'] = response['results']['scans']
                        # Store the results in datastore
                        state = 'complete'


                store_data = {'file_id': file_id, 'vt': vt_results}
                db.create_datastore(store_data)

            self.render_type = 'file'
            self.render_data = {'VirusTotalSearch': {'state': state, 'vt_results': vt_results, 'file_id': file_id}}
Esempio n. 28
0
original = open(sys.argv[2], 'w')

API_KEY = ''
with open('API_KEY2', 'r') as f:
    API_KEY = f.read().strip()

executables = [
    exe for exe in os.listdir(sys.argv[1])
    if os.path.isfile(os.path.join(sys.argv[1], exe))
]

vt = PublicApi(API_KEY)
for exe in executables:
    print('Uploading {}'.format(exe))
    vtreport = vt.scan_file(os.path.join(sys.argv[1], exe))

    while vtreport['response_code'] != 200:
        print('Reached maximum requests/minute, waiting 30 seconds')
        time.sleep(30)
        vtreport = vt.scan_file(os.path.join(sys.argv[1], exe))

    r = vtreport['results']
    if r['response_code'] != 1:
        print('Error rescaning file {}'.format(exe))
        original.write('{:<50s}{}\n'.format(exe, 'An error occurred'))
    else:
        original.write('{:<50s}{}\n'.format(exe, r['permalink']))

    original.flush()
    os.fsync(original.fileno())
    f.close()
    sample_file_md5 = hashlib.md5(sample_file_content).hexdigest()

    if collection.find({'results.md5': sample_file_md5}).count() == 0:
        vt_response = vt.get_file_report(sample_file_md5)
        if vt_response['response_code'] == 200 and vt_response['results'][
                'response_code'] == 1:
            collection.insert(vt_response)
            print "Sample " + sample_file_md5 + " added to database"
            print
        elif vt_response['response_code'] == 204:
            print "Hit API Limit; cooling off for 15 seconds"
            print "The standard VirusTotal API Key allows 4 requests per minute"
            file_list.append(sample_file)
            sleep(15)
            print
        else:
            print 'Sample not found; submitting to VirusTotal'
            vt_response = vt.scan_file(sample_file)
            if vt_response['response_code'] == 200 and vt_response['results'][
                    'response_code'] == 1:
                print "Sample submiited successfully; checking back later"
                file_list.insert(0, sample_file)
                print
            else:
                print "Sample submit failed; try again later"
                print
    else:
        print "Sample " + sample_file_md5 + " already exists in database"
        print
Esempio n. 30
0
def scan_virus_total(target_file_list):
    '''
    if there is no hash result, then do file upload
    :param filename: absolute file path, no exceptions
    :return: there is no return
    '''
    conn = MongoClient(MONGODB_URI_SCHEME)
    db = conn[MONGODB_DATABASE]
    collections = db[MONGODB_COLLECTIONS]
    history = db[MONGODB_SCAN_HISTORY]
    time_elapsed = [10, 15, 20, 30]
    time_elapsed_pool = cycle(time_elapsed)
    init_time_pool = cycle(time_elapsed)
    valid_account_list = list(
        filter(lambda x: x['valid'] == True, VIRUSTOTAL_ACCOUNT))
    account_number = len(valid_account_list)
    valid_account_pool = cycle(valid_account_list)
    counter = 0
    init = valid_account_list[-1]['apikey']
    for dir_path in target_file_list:
        for filename in target_file_list[dir_path]:
            sha1 = binary_sha1(filename)
            while True:
                apikey = next(valid_account_pool)['apikey']
                if init == apikey:
                    elapsed = next(init_time_pool)
                    messageBold("    wait for time elapsed (%d)" % elapsed)
                    time.sleep(elapsed)
                vt = PublicApi(apikey)
                resp = vt.get_file_report(sha1)
                resp_code = resp.get('response_code', -1)
                normalBold("# %s -> scan (%d)" % (filename, resp_code))
                if resp_code == 204:
                    # exceeded request rate limit (4 request / min)
                    epoch = next(time_elapsed_pool)
                    if epoch == 30:
                        criticalBold("there is no virustotal response")
                        break
                    messageBold("    Wait for time elapsed (%d)" % epoch)
                    time.sleep(epoch)
                    break
                elif resp_code == 200:
                    scan_report = resp.get('results')
                    scan_resp_code = scan_report.get('response_code')
                    if scan_resp_code == 1:
                        # pymongo code is here
                        resp['filename'] = filename
                        collections.insert(resp)
                        break
                    elif scan_resp_code == 0:
                        # pending, or has no data in virustotal, so that upload file
                        tmp = vt.scan_file(filename)
                        tmp['filename'] = filename
                        history.insert(tmp)
                        continue
                    elif scan_resp_code == -2:
                        warningBold("    Resource is pending for check")
                        pprint(resp)
                        break
                    else:
                        warningBold(
                            "    No Normal Response Code From VirusTotal ")
                        warningBold(json.dump(resp, sort_keys=True, indent=4))
                        break
                elif resp_code == -1:
                    # connection error
                    criticalBold('VirusTotal Response >>>>>>')
                    pprint(resp)
                    criticalBold('<<<<<<')
                    continue

                # add for trace
                resp['filepath'] = filename
Esempio n. 31
0
from pymongo import MongoClient
from virus_total_apis import ApiError, PublicApi
import json
import pprint
# MongoDB URI Format
#client = MongoClient('mongodb://*****:*****@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*".encode('utf-8')
vt = PublicApi(API_KEY)
data = vt.get_file_report('44cda81782dc2a346abd7b2285530c5f')
data2 = vt.scan_file('C:\\Users\\YES24\\Desktop\\자료정리\\분류전\\cmd.exe')
#pprint.pprint(data)
print(type(data))
data['chuka'] = "c:\\users\\fuckyou.exe"
print(db.scan_result.insert(data))
print(db.scan_result.insert(data2))
Esempio n. 32
0
    def run(self):
        db = Database()
        #self.render_javascript = "function test(){  alert(1); }; test();"
        self.render_javascript = ""
        if not self.config['virustotal']['api_key'] or not VT_LIB:
            self.render_type = 'error'
            self.render_data = "Unable to use Virus Total. No Key or Library Missing. Check the Console for details"

        if 'file_id' in self.request.POST:
            # Get file object from DB
            file_id = self.request.POST['file_id']
            file_object = db.get_filebyid(file_id)
            sha256 = file_object.sha256

            # Init the API with key from config
            vt = PublicApi(self.config.api_key)

            # If we upload
            if 'upload' in self.request.POST:
                response = vt.scan_file(file_object.read(),
                                        filename=file_object.filename,
                                        from_disk=False)
                if response['results'][
                        'response_code'] == 1 and 'Scan request successfully queued' in response[
                            'results']['verbose_msg']:
                    print "File Uploaded and pending"
                    state = 'pending'
                else:
                    print response
                    state = 'error'
                vt_results = None

            # Else just get the results
            else:

                # get results from VT
                response = vt.get_file_report(sha256)

                vt_results = {}

                # Valid response
                if response['response_code'] == 200:
                    print "Valid Response from server"

                #  Not present in data set prompt to uploads
                if response['results']['response_code'] == 0:
                    state = 'missing'

                # Still Pending
                elif response['results']['response_code'] == -2:
                    # Still Pending
                    state = 'pending'

                # Results availiable
                elif response['results']['response_code'] == 1:
                    vt_results['permalink'] = response['results']['permalink']
                    vt_results['total'] = response['results']['total']
                    vt_results['positives'] = response['results']['positives']
                    vt_results['scandate'] = response['results']['scan_date']
                    vt_results['scans'] = response['results']['scans']
                    # Store the results in datastore
                    state = 'complete'

            store_data = {'file_id': file_id, 'vt': vt_results, 'state': state}
            db.create_datastore(store_data)

            self.render_type = 'file'
            self.render_data = {
                'VirusTotalSearch': {
                    'state': state,
                    'vt_results': vt_results,
                    'file_id': file_id
                }
            }
Esempio n. 33
0
def ajax_handler(request, command):
    """
    return data requested by the ajax handler in volutility.js
    :param request:
    :param command:
    :return:
    """

    if command == 'pollplugins':
        if 'session_id' in request.POST:
            # Get Current Session
            session_id = request.POST['session_id']

            session = db.get_session(ObjectId(session_id))

            plugin_rows = db.get_pluginbysession(ObjectId(session_id))

            # Check for new registered plugins

            # Get compatible plugins


            profile = session['session_profile']

            session_path = session['session_path']

            vol_int = RunVol(profile, session_path)

            plugin_list = vol_int.list_plugins()


            # Plugin Options
            plugin_filters = vol_interface.plugin_filters
            refresh_rows = False
            existing_plugins = []
            for row in plugin_rows:
                existing_plugins.append(row['plugin_name'])

            # For each plugin create the entry
            for plugin in plugin_list:

                # Ignore plugins we cant handle
                if plugin[0] in plugin_filters['drop']:
                    continue

                if plugin[0] in existing_plugins:
                    continue

                else:
                    db_results = {}
                    db_results['session_id'] = ObjectId(session_id)
                    db_results['plugin_name'] = plugin[0]
                    db_results['help_string'] = plugin[1]
                    db_results['created'] = None
                    db_results['plugin_output'] = None
                    db_results['status'] = None
                    # Write to DB
                    db.create_plugin(db_results)
                    refresh_rows = True

            if refresh_rows:
                plugin_rows = db.get_pluginbysession(ObjectId(session_id))

            return render(request, 'plugin_poll.html', {'plugin_output': plugin_rows})
        else:
            return HttpResponseServerError

    if command == 'dropplugin':
        if 'plugin_id' in request.POST:
            plugin_id = request.POST['plugin_id']
            # update the plugin
            new_values = {'created': None,'plugin_output': None, 'status': None}
            db.update_plugin(ObjectId(plugin_id), new_values)
            return HttpResponse('OK')

    if command == 'runplugin':
        if 'plugin_id' in request.POST and 'session_id' in request.POST:
            plugin_name = run_plugin(request.POST['session_id'], request.POST['plugin_id'])
            return HttpResponse(plugin_name)

    if command == 'plugin_dir':

        # Platform PATH seperator
        seperator = ':'
        if sys.platform.startswith('win'):
            seperator = ';'

        # Set Plugins
        if 'plugin_dir' in request.POST:
            plugin_dir = request.POST['plugin_dir']

            if os.path.exists(volrc_file):
                with open(volrc_file, 'a') as out:
                    output = '{0}{1}'.format(seperator, plugin_dir)
                    out.write(output)
                return HttpResponse(' No Plugin Path Provided')
            else:
                # Create new file.
                with open(volrc_file, 'w') as out:
                    output = '[DEFAULT]\nPLUGINS = {0}'.format(plugin_dir)
                    out.write(output)
                return HttpResponse(' No Plugin Path Provided')
        else:
            return HttpResponse(' No Plugin Path Provided')

    if command == 'filedetails':
        if 'file_id' in request.POST:
            file_id = request.POST['file_id']
            file_object = db.get_filebyid(ObjectId(file_id))
            file_datastore = db.search_datastore({'file_id': ObjectId(file_id)})

            vt_results = None
            yara_match = None
            string_list = None
            state = 'notchecked'

            for row in file_datastore:

                if 'vt' in row:
                    vt_results = row['vt']
                    state = 'complete'
                if 'yara' in row:
                    yara_match = row['yara']

            # New String Store
            new_strings = db.get_strings(file_id)
            if new_strings:
                string_list = new_strings._id

            yara_list = sorted(os.listdir('yararules'))
            return render(request, 'file_details.html', {'file_details': file_object,
                                                         'file_id': file_id,
                                                         'yara_list': yara_list,
                                                         'yara': yara_match,
                                                         'vt_results': vt_results,
                                                         'string_list': string_list,
                                                         'state': state,
                                                         'error': None
                                                         })

    if command == 'hivedetails':
        if 'plugin_id' and 'rowid' in request.POST:
            pluginid = request.POST['plugin_id']
            rowid = request.POST['rowid']

            plugin_details = db.get_pluginbyid(ObjectId(pluginid))

            key_name = 'hive_keys_{0}'.format(rowid)

            if key_name in plugin_details:
                hive_details = plugin_details[key_name]
            else:
                session_id = plugin_details['session_id']

                session = db.get_session(session_id)

                plugin_data = plugin_details['plugin_output']

                for row in plugin_data['rows']:
                    if str(row[0]) == rowid:
                        hive_offset = str(row[1])

                # Run the plugin
                vol_int = RunVol(session['session_profile'], session['session_path'])
                hive_details = vol_int.run_plugin('hivedump', hive_offset=hive_offset)

                # update the plugin / session
                new_values = {key_name: hive_details}
                db.update_plugin(ObjectId(ObjectId(pluginid)), new_values)
                # Update the session
                new_sess = {}
                new_sess['modified'] = datetime.now()
                db.update_session(session_id, new_sess)


            return render(request, 'hive_details.html', {'hive_details': hive_details})

    if command == 'dottree':
        session_id = request.POST['session_id']
        session = db.get_session(ObjectId(session_id))
        vol_int = RunVol(session['session_profile'], session['session_path'])
        results = vol_int.run_plugin('pstree', output_style='dot')
        return HttpResponse(results)

    if command == 'timeline':
        logger.debug('Running Timeline')
        session_id = request.POST['session_id']
        session = db.get_session(ObjectId(session_id))
        vol_int = RunVol(session['session_profile'], session['session_path'])
        results = vol_int.run_plugin('timeliner', output_style='dot')
        return HttpResponse(results)

    if command == 'virustotal':
        if not config.api_key or not VT_LIB:
            logger.error('No Virustotal key provided in volutitliy.conf')
            return HttpResponse("Unable to use Virus Total. No Key or Library Missing. Check the Console for details")

        if 'file_id' in request.POST:
            file_id = request.POST['file_id']

            file_object = db.get_filebyid(ObjectId(file_id))
            sha256 = file_object.sha256
            vt = PublicApi(config.api_key)

            if 'upload' in request.POST:
                response = vt.scan_file(file_object.read(), filename=file_object.filename, from_disk=False)
                if response['results']['response_code'] == 1:
                    return render(request, 'file_details_vt.html', {'state': 'pending',
                                                                    'vt_results': '',
                                                                    'file_id': file_id})
                else:
                    return render(request, 'file_details_vt.html', {'state': 'error',
                                                                    'vt_results': '',
                                                                    'file_id': file_id})
            else:

                response = vt.get_file_report(sha256)

                vt_fields = {}

                if response['results']['response_code'] == 1:
                    vt_fields['permalink'] = response['results']['permalink']
                    vt_fields['total'] = response['results']['total']
                    vt_fields['positives'] = response['results']['positives']
                    vt_fields['scandate'] = response['results']['scan_date']
                    vt_fields['scans'] = response['results']['scans']

                    # Store the results in datastore
                    store_data = {}
                    store_data['file_id'] = ObjectId(file_id)
                    store_data['vt'] = vt_fields

                    update = db.create_datastore(store_data)
                    return render(request, 'file_details_vt.html', {'state': 'complete',
                                                                    'vt_results': vt_fields,
                                                                    'file_id': file_id})

                elif response['results']['response_code'] == -2:
                    # Still Pending Analysis
                    return render(request, 'file_details_vt.html', {'state': 'pending',
                                                                    'vt_results': vt_fields,
                                                                    'file_id': file_id})

                elif response['results']['response_code'] == 0:
                    # Not present in data set prompt to uploads
                    return render(request, 'file_details_vt.html', {'state': 'missing',
                                                                    'vt_results': vt_fields,
                                                                    'file_id': file_id})

    if command == 'yara-string':

        session_id = request.POST['session_id']

        if request.POST['yara-string'] != '':
            yara_string = request.POST['yara-string']
        else:
            yara_string = False

        if request.POST['yara-pid'] != '':
            yara_pid = request.POST['yara-pid']
        else:
            yara_pid = None

        if request.POST['yara-file'] != '':
            yara_file = os.path.join('yararules', request.POST['yara-file'])

        yara_hex = request.POST['yara-hex']
        if yara_hex != '':
            yara_hex = int(yara_hex)
        else:
            yara_hex = 256

        yara_reverse = request.POST['yara-reverse']
        if yara_reverse != '':
            yara_reverse = int(yara_reverse)
        else:
            yara_reverse = 0

        yara_case = request.POST['yara-case']
        if yara_case == 'true':
            yara_case = True
        else:
            yara_case = None

        yara_kernel = request.POST['yara-kernel']
        if yara_kernel == 'true':
            yara_kernel = True
        else:
            yara_kernel = None

        yara_wide = request.POST['yara-wide']
        if yara_wide == 'true':
            yara_wide = True
        else:
            yara_wide = None

        logger.debug('Yara String Scanner')

        try:
            session = db.get_session(ObjectId(session_id))
            vol_int = RunVol(session['session_profile'], session['session_path'])

            if yara_string:
                results = vol_int.run_plugin('yarascan', output_style='json', pid=yara_pid, plugin_options={'YARA_RULES': yara_string,
                                                                                          'CASE': yara_case,
                                                                                          'ALL': yara_kernel,
                                                                                          'WIDE': yara_wide,
                                                                                          'SIZE': yara_hex,
                                                                                          'REVERSE': yara_reverse})

            elif yara_file:
                results = vol_int.run_plugin('yarascan', output_style='json', pid=yara_pid, plugin_options={'YARA_FILE': yara_file,
                                                                                          'CASE': yara_case,
                                                                                          'ALL': yara_kernel,
                                                                                          'WIDE': yara_wide,
                                                                                          'SIZE': yara_hex,
                                                                                          'REVERSE': yara_reverse})

            else:
                return



            if 'Data' in results['columns']:
                row_loc = results['columns'].index('Data')

                for row in results['rows']:
                    try:
                        row[row_loc] = string_clean_hex(row[row_loc].decode('hex'))
                    except Exception as e:
                        logger.warning('Error converting hex to str: {0}'.format(e))

            return render(request, 'file_details_yara.html', {'yara': results, 'error': None})
            #return render(request, 'plugin_output_nohtml.html', {'plugin_results': results,
                                                          #'plugin_id': None,
                                                          #'bookmarks': []})
            #return HttpResponse(results)
        except Exception as error:
            logger.error(error)

    if command == 'yara':
        file_id = rule_file = False
        if 'file_id' in request.POST:
            file_id = request.POST['file_id']

        if 'rule_file' in request.POST:
            rule_file = request.POST['rule_file']

        if rule_file and file_id and YARA:
            file_object = db.get_filebyid(ObjectId(file_id))
            file_data = file_object.read()

            rule_file = os.path.join('yararules', rule_file)

            if os.path.exists(rule_file):
                rules = yara.compile(rule_file)
                matches = rules.match(data=file_data)
                results = {'rows': [], 'columns': ['Rule', 'process', 'Offset', 'Data']}
                for match in matches:
                    for item in match.strings:
                        results['rows'].append([match.rule, file_object.filename, item[0], string_clean_hex(item[2])])

            else:
                return render(request, 'file_details_yara.html', {'yara': None, 'error': 'Could not find Rule File'})

            if len(results) > 0:

                # Store the results in datastore
                store_data = {}
                store_data['file_id'] = ObjectId(file_id)
                store_data['yara'] = results

                update = db.create_datastore(store_data)

            return render(request, 'file_details_yara.html', {'yara': results, 'error': None})

        else:
            return HttpResponse('Either No file ID or No Yara Rule was provided')

    if command == 'strings':
        if 'file_id' in request.POST:
            file_id = request.POST['file_id']
            file_object = db.get_filebyid(ObjectId(file_id))
            file_data = file_object.read()
            chars = r"A-Za-z0-9/\-:.,_$%'()[\]<>@=+ "
            shortest_run = 4
            regexp = '[%s]{%d,}' % (chars, shortest_run)
            pattern = re.compile(regexp)
            string_list = pattern.findall(file_data)
            logger.debug('Joining Strings')
            string_list = '\n'.join(string_list)

            '''
            String lists can get larger than the 16Mb bson limit
            Need to store in GridFS
            '''
            # Store the list in datastore
            store_data = {}
            store_data['file_id'] = ObjectId(file_id)
            store_data['string_list'] = string_list
            logger.debug('Store Strings in DB')

            string_id = db.create_file(string_list, 'session_id', 'sha256', '{0}_strings.txt'.format(file_id))
            # Write to DB
            #db.create_datastore(store_data)

            return HttpResponse('<td><a class="btn btn-success" role="button" href="/download/file/{0}">Download</a></td>'.format(string_id))

    if command == 'dropsession':
        if 'session_id' in request.POST:
            session_id = ObjectId(request.POST['session_id'])
            db.drop_session(session_id)
            return HttpResponse('OK')

    if command == 'memhex':
        if 'session_id' in request.POST:
            session_id = ObjectId(request.POST['session_id'])
            session = db.get_session(session_id)
            mem_path = session['session_path']
            if 'start_offset' and 'end_offset' in request.POST:
                try:
                    start_offset = int(request.POST['start_offset'], 0)
                    end_offset = int(request.POST['end_offset'], 0)
                    hex_cmd = 'hexdump -C -s {0} -n {1} {2}'.format(start_offset, end_offset - start_offset, mem_path)
                    hex_output = hex_dump(hex_cmd)
                    return HttpResponse(hex_output)
                except Exception as e:
                    return HttpResponse(e)

    if command == 'memhexdump':
        if 'session_id' in request.POST:
            session_id = ObjectId(request.POST['session_id'])
            session = db.get_session(session_id)
            mem_path = session['session_path']
            if 'start_offset' and 'end_offset' in request.POST:
                try:
                    start_offset = int(request.POST['start_offset'], 0)
                    end_offset = int(request.POST['end_offset'], 0)
                    mem_file = open(mem_path, 'rb')
                    # Get to start
                    mem_file.seek(start_offset)
                    file_data = mem_file.read(end_offset - start_offset)
                    response = HttpResponse(file_data, content_type='application/octet-stream')
                    response['Content-Disposition'] = 'attachment; filename="{0}-{1}.bin"'.format(start_offset, end_offset)
                    return response
                except Exception as e:
                    logger.error('Error Getting hex dump: {0}'.format(e))

    if command == 'addcomment':
        html_resp = ''
        if 'session_id' and 'comment_text' in request.POST:
            session_id = request.POST['session_id']
            comment_text = request.POST['comment_text']
            comment_data = {'session_id': ObjectId(session_id), 'comment_text': comment_text, 'date_added': datetime.now()}
            db.create_comment(comment_data)

            # now return all the comments for the ajax update

            for comment in db.get_commentbysession(ObjectId(session_id)):
                html_resp += '<pre>{0}</pre>'.format(comment['comment_text'])

        return HttpResponse(html_resp)

    if command == 'searchbar':
        if 'search_type' and 'search_text' and 'session_id' in request.POST:
            search_type = request.POST['search_type']
            search_text = request.POST['search_text']
            session_id = request.POST['session_id']

            logger.debug('{0} search for {1}'.format(search_type, search_text))

            if search_type == 'plugin':
                results = {'rows':[]}
                results['columns'] = ['Plugin Name', 'View Results']
                rows = db.search_plugins(search_text, session_id=ObjectId(session_id))
                for row in rows:
                    results['rows'].append([row['plugin_name'], '<a href="#" onclick="ajaxHandler(\'pluginresults\', {{\'plugin_id\':\'{0}\'}}, false ); return false">View Output</a>'.format(row['_id'])])
                return render(request, 'plugin_output.html', {'plugin_results': results})

            if search_type == 'hash':
                pass
            if search_type == 'string':
                logger.debug('yarascan for string')
                # If search string ends with .yar assume a yara rule
                if any(ext in search_text for ext in ['.yar', '.yara']):
                    if os.path.exists(search_text):
                        try:
                            session = db.get_session(ObjectId(session_id))
                            vol_int = RunVol(session['session_profile'], session['session_path'])
                            results = vol_int.run_plugin('yarascan', output_style='json', plugin_options={'YARA_FILE': search_text})
                            return render(request, 'plugin_output_nohtml.html', {'plugin_results': results})
                        except Exception as error:
                            logger.error(error)
                    else:
                        logger.error('No Yara Rule Found')
                else:
                    try:
                        session = db.get_session(ObjectId(session_id))
                        vol_int = RunVol(session['session_profile'], session['session_path'])
                        results = vol_int.run_plugin('yarascan', output_style='json', plugin_options={'YARA_RULES': search_text})
                        return render(request, 'plugin_output_nohtml.html', {'plugin_results': results})
                    except Exception as error:
                        logger.error(error)

            if search_type == 'registry':

                logger.debug('Registry Search')
                try:
                    session = db.get_session(ObjectId(session_id))
                    vol_int = RunVol(session['session_profile'], session['session_path'])
                    results = vol_int.run_plugin('printkey', output_style='json', plugin_options={'KEY': search_text})
                    return render(request, 'plugin_output.html', {'plugin_results': results})
                except Exception as error:
                    logger.error(error)

            if search_type == 'vol':
                # Run a vol command and get the output
                session = db.get_session(ObjectId(session_id))
                search_text = search_text.replace('%profile%', '--profile={0}'.format(session['session_profile']))
                search_text = search_text.replace('%path%', '-f {0}'.format(session['session_path']))

                vol_output = getoutput('vol.py {0}'.format(search_text))

                results = {'rows': [['<pre>{0}</pre>'.format(vol_output)]], 'columns': ['Volatility Raw Output']}

                # Consider storing the output here as well.

                return render(request, 'plugin_output.html', {'plugin_results': results,
                                                              'bookmarks': []})

            return HttpResponse('No valid search query found.')

    if command == 'pluginresults':
        if 'plugin_id' in request.POST:
            plugin_id = ObjectId(request.POST['plugin_id'])
            plugin_id = ObjectId(plugin_id)
            plugin_results = db.get_pluginbyid(plugin_id)

            try:
                bookmarks = db.get_pluginbyid(plugin_id)['bookmarks']
            except:
                bookmarks = []

            return render(request, 'plugin_output.html', {'plugin_results': plugin_results['plugin_output'],
                                                          'plugin_id': plugin_id,
                                                          'bookmarks': bookmarks,
                                                          'plugin_name': plugin_results['plugin_name']})

    if command == 'bookmark':
        if 'row_id' in request.POST:
            plugin_id, row_id = request.POST['row_id'].split('_')
            plugin_id = ObjectId(plugin_id)
            row_id = int(row_id)
            # Get Bookmarks for plugin
            try:
                bookmarks = db.get_pluginbyid(plugin_id)['bookmarks']
            except:
                bookmarks = []
            # Update bookmarks
            if row_id in bookmarks:
                bookmarks.remove(row_id)
                bookmarked = 'remove'
            else:
                bookmarks.append(row_id)
                bookmarked = 'add'

            # Update Plugins
            new_values = {'bookmarks': bookmarks}
            db.update_plugin(ObjectId(plugin_id), new_values)
            return HttpResponse(bookmarked)

    if command == 'procmem':
        if 'row_id' in request.POST and 'session_id' in request.POST:
            plugin_id, row_id = request.POST['row_id'].split('_')
            session_id = request.POST['session_id']
            plugin_id = ObjectId(plugin_id)
            row_id = int(row_id)
            plugin_data = db.get_pluginbyid(ObjectId(plugin_id))['plugin_output']
            row = plugin_data['rows'][row_id - 1]
            pid = row[2]

            plugin_row = db.get_plugin_byname('memdump', ObjectId(session_id))

            logger.debug('Running Plugin: memdump with pid {0}'.format(pid))

            res = run_plugin(session_id, plugin_row['_id'], pid=pid)
            return HttpResponse(res)

    if command == 'filedump':
        if 'row_id' in request.POST and 'session_id' in request.POST:
            plugin_id, row_id = request.POST['row_id'].split('_')
            session_id = request.POST['session_id']
            plugin_id = ObjectId(plugin_id)
            row_id = int(row_id)
            plugin_data = db.get_pluginbyid(ObjectId(plugin_id))['plugin_output']
            row = plugin_data['rows'][row_id - 1]
            offset = row[0]

            plugin_row = db.get_plugin_byname('dumpfiles', ObjectId(session_id))

            logger.debug('Running Plugin: dumpfiles with offset {0}'.format(offset))

            res = run_plugin(session_id, plugin_row['_id'], plugin_options={'PHYSOFFSET':str(offset), 'NAME':True, 'REGEX':None})
            return HttpResponse(res)

    return HttpResponse('No valid search query found.')