def judge(self, filepath):
'''
virustotal에 특정 파일 검사
:param filepath: 검사 대상 path
:param api_key: virustotal API_KEY
:return: 결과 boolean True : Non-malware, False : malware
'''
# Normal Initialisation.
vtotal = Virustotal(self.api_key)
result = vtotal.file_scan(filepath)
print('>> Virustotal Search report. <<')
json_resp = result['json_resp']
md5 = json_resp['md5'].strip()
print('result link : ', json_resp['permalink'])
url = 'https://www.virustotal.com/vtapi/v2/file/report'
params = {'apikey': self.api_key, 'resource': md5}
response = requests.get(url, params=params)
total = response.json()['total']
positives = response.json()['positives']
print('Result : (' + str(total) + ' / ' + str(positives) + ')')
if positives == 0:
vtotal_judge = True
else:
vtotal_judge = False
# 최종 검사 결과, 탐지 횟 수
return vtotal_judge, positives, total, json_resp['permalink']
def virustotal(host):
# VT接口,主要用来查询PDNS,绕过CDN
pdns = []
history_ip = []
# sys.stdout.write(bcolors.RED + "\nPDNS:\n" + bcolors.ENDC)
if VIRUSTOTAL_API:
try:
vtotal = Virustotal(VIRUSTOTAL_API)
if re.search(r'\d+\.\d+\.\d+\.\d+', host):
return None
resp = vtotal.domain_report(host)
if resp.get('status_code') != 403:
for i in resp.get('json_resp').get('resolutions'):
address = i.get('ip_address')
timeout = i.get('last_resolved')
if iscdn(address):
history_ip.append(address + ' : ' + timeout)
pdns = history_ip[10:]
except:
pass
pdns.extend(ipinfo(host))
if pdns:
for i in pdns[:10]:
console('PDNS', host, i + '\n')
else:
console('PDNS', host, 'None\n')
return pdns
def isBadFileHash(self, fileHash, virustotal_api=None, session_id=None):
try:
if not virustotal_api:
virustotal_api = ht.Config.getAPIKey('virustotal_api',
session_id)
self.vtotal = Virustotal(virustotal_api)
resp = self.vtotal.file_report([fileHash])
if resp["status_code"] in (200, 204):
if resp["status_code"] == 204:
Logger.printMessage(
message="isBadFileHash",
description="Testing - {hash} - Waiting 2 seconds...".
format(hash=fileHash),
debug_module=True)
time.sleep(2)
return self.isBadFileHash(fileHash, virustotal_api)
while resp["json_resp"]["response_code"] == -2:
Logger.printMessage(
message="isBadFileHash",
description="Testing - {hash} - Waiting 2 seconds...".
format(hash=fileHash),
debug_module=True)
time.sleep(2)
return self.isBadFileHash(fileHash, virustotal_api)
no_detected_list = []
detected_list = []
detected_types = []
for antivirus in resp["json_resp"]["scans"]:
if resp["json_resp"]["scans"][antivirus]["detected"]:
detected_list.append(
(antivirus,
resp["json_resp"]["scans"][antivirus]["version"]))
if not resp["json_resp"]["scans"][antivirus][
"result"] in detected_types:
detected_types.append(resp["json_resp"]["scans"]
[antivirus]["result"])
else:
no_detected_list.append(
(antivirus,
resp["json_resp"]["scans"][antivirus]["version"]))
if detected_list:
data = {}
data["detected_list"] = detected_list
data["detected_types"] = detected_types
data["no_detected_list"] = no_detected_list
return json.dumps({"Detected": data},
indent=4,
sort_keys=True)
return json.dumps({"No detected": no_detected_list},
indent=4,
sort_keys=True)
return resp
except Exception as e:
Logger.printMessage(message="isBadFileHash",
description=str(e),
is_error=True)
return str(e)
def check_api(key):
try:
urllib.request.urlopen('https://www.duckduckgo.com') # opens url to check internet connection
scanner = Virustotal(key)
scanner.url_scan(['www.vulnweb.com'])
report = scanner.url_report(['www.vulnweb.com'])
if report['status_code'] == 403: # checks if status code is 403
return True
else:
return False
except urllib.error.URLError:
input('Connect to internet...')
exit()
def virustotal(host):
# VT接口,主要用来查询PDNS,绕过CDN
vtotal = Virustotal(virustotal_api)
if re.search(r'\d+\.\d+\.\d+\.\d+', host):
return ['None']
resp = vtotal.domain_report(host)
history_ip = []
if resp.get('status_code') != 403:
for i in resp.get('json_resp').get('resolutions'):
address = i.get('ip_address')
timeout = i.get('last_resolved')
if iscdn(address):
history_ip.append(address + ' : ' + timeout)
return history_ip[-10:]
else:
return ['None']
def check_file(key, file):
msg() # prints scanning message
scanner = Virustotal(key) # passing api key to Virustotal class
scanner.file_scan(file) # scans the file for virus
with open(file, 'rb') as f: # opens file in read binary mode
read = f.read() # reads opened file
file_hash = hashlib.sha256(read).hexdigest() # Get sha256 hash of file
report = scanner.file_report([file_hash]) # passing hash value of file to file_report function and returns report
try:
print('\n\nREPORT:\nStatus code:', report['status_code']) # Prints all the reports
print('Scan date:', report['json_resp']['scan_date'])
print('Verbose msg:', report['json_resp']['verbose_msg'])
print('Antivirus Scanned:', report['json_resp']['total'])
print('Positives:', report['json_resp']['positives'])
print('sha256:', report['json_resp']['sha256'])
print('md5:', report['json_resp']['md5'])
except KeyError:
print('\n""Maximum four scans per minute""')
def check_url(key):
url = input('\nEnter URL: ') # Get url from the user
try:
urllib.request.urlopen('http://' + url) # Checks the given url is valid
msg() # prints scanning message
scanner = Virustotal(key) # passing api key to Virustotal class
scanner.url_scan([url]) # passing url to url_scan function
report = scanner.url_report([url]) # returns report of the url
try:
print('\n\nREPORT:\nStatus_code:', report['status_code']) # Prints all the reports
print('Scan date:', report['json_resp']['scan_date'])
print('URL:', report['json_resp']['url'])
print('Verbose msg:', report['json_resp']['verbose_msg'])
print('Total Scanned:', report['json_resp']['total'])
print('Positives:', report['json_resp']['positives'])
except KeyError:
print('\n""Maximum four scans per minute""') # prints if you reach maximum attempts
except:
print('Invalid URL')
def isBadFile(self, filename, virustotal_api=None):
try:
if not virustotal_api:
virustotal_api = ht.Config.config['API']['virustotal']
Logger.printMessage(message="isBadFile",
description=filename,
debug_module=True)
self.vtotal = Virustotal(virustotal_api)
response = self.vtotal.file_scan(filename)
if response["status_code"] == 200:
scan_id = str(response["json_resp"]["scan_id"])
time.sleep(2)
resp = self.isBadFileHash(scan_id, virustotal_api)
return resp
except Exception as e:
Logger.printMessage(message="isBadFile",
description=str(e),
is_error=True)
return str(e)
class VirusTotalExtractor(FeatureExtractor):
def __init__(self, file, pefile_parsed=None, lief_parsed=None):
super().__init__(file, pefile_parsed, lief_parsed)
self.endpoint = Virustotal(API_KEY=VIRUSTOTAL_API_KEY)
def extract(self, **kwargs):
features = {}
# First hash the file so we don't re-request analysis on previously analyzed files
md5_hash = hashlib.md5(open(self.file, 'rb').read()).hexdigest()
# Should there be a delay before analysis_response?
analysis_response = self.endpoint.request("file/report", {
"resource": md5_hash
}).json()
# Send over the file if we don't have a response
if analysis_response["response_code"] == 0:
encoding = {
"file": (os.path.basename(self.file),
open(os.path.abspath(self.file), "rb"))
}
queue_response = self.endpoint.request("file/scan",
files=encoding,
method="POST").json()
analysis_response = self.endpoint.request(
"file/report", {
"resource": queue_response["resource"]
}).json()
# Features for each scanner
for scan in analysis_response['scans']:
features['virustotal_' +
scan] = analysis_response['scans'][scan]['detected']
# Total # of positives
features['virustotal_total_positives'] = analysis_response['positives']
for key, value in features.items():
features[key] = int(value)
return features
def virustotal_object(request):
API_KEY = "Insert API Key Here."
yield Virustotal(API_KEY)
def fin():
"""
Sleep for 30 seconds after each test; to avoid Virustotal 403 rate quota limit.
"""
print("Sleeping for 30 seconds...")
sleep(30)
request.addfinalizer(fin)
class StartModule():
def __init__(self):
self._main_gui_func_ = 'isBadFile'
self.__gui_label__ = 'Virustotal Search'
def help(self):
Logger.printMessage(
message=ht.getFunctionsNamesFromModule('ht_virustotal'),
debug_module=True)
def isBadFileHash(self, fileHash, virustotal_api=None, session_id=None):
try:
if not virustotal_api:
virustotal_api = ht.Config.getAPIKey('virustotal_api',
session_id)
self.vtotal = Virustotal(virustotal_api)
resp = self.vtotal.file_report([fileHash])
if resp["status_code"] in (200, 204):
if resp["status_code"] == 204:
Logger.printMessage(
message="isBadFileHash",
description="Testing - {hash} - Waiting 2 seconds...".
format(hash=fileHash),
debug_module=True)
time.sleep(2)
return self.isBadFileHash(fileHash, virustotal_api)
while resp["json_resp"]["response_code"] == -2:
Logger.printMessage(
message="isBadFileHash",
description="Testing - {hash} - Waiting 2 seconds...".
format(hash=fileHash),
debug_module=True)
time.sleep(2)
return self.isBadFileHash(fileHash, virustotal_api)
no_detected_list = []
detected_list = []
detected_types = []
for antivirus in resp["json_resp"]["scans"]:
if resp["json_resp"]["scans"][antivirus]["detected"]:
detected_list.append(
(antivirus,
resp["json_resp"]["scans"][antivirus]["version"]))
if not resp["json_resp"]["scans"][antivirus][
"result"] in detected_types:
detected_types.append(resp["json_resp"]["scans"]
[antivirus]["result"])
else:
no_detected_list.append(
(antivirus,
resp["json_resp"]["scans"][antivirus]["version"]))
if detected_list:
data = {}
data["detected_list"] = detected_list
data["detected_types"] = detected_types
data["no_detected_list"] = no_detected_list
return json.dumps({"Detected": data},
indent=4,
sort_keys=True)
return json.dumps({"No detected": no_detected_list},
indent=4,
sort_keys=True)
return resp
except Exception as e:
Logger.printMessage(message="isBadFileHash",
description=str(e),
is_error=True)
return str(e)
def isBadFile(self, filename, virustotal_api=None):
try:
if not virustotal_api:
virustotal_api = ht.Config.config['API']['virustotal']
Logger.printMessage(message="isBadFile",
description=filename,
debug_module=True)
self.vtotal = Virustotal(virustotal_api)
response = self.vtotal.file_scan(filename)
if response["status_code"] == 200:
scan_id = str(response["json_resp"]["scan_id"])
time.sleep(2)
resp = self.isBadFileHash(scan_id, virustotal_api)
return resp
except Exception as e:
Logger.printMessage(message="isBadFile",
description=str(e),
is_error=True)
return str(e)
class ExternalTesting:
# This requires a virustotal API key
VIRUSTOTAL = 4
# This requires the installation of the Malice multiscanner along with installed scanner plugins
MALICE = 2
NONE = 0
MALICE_SCANNERS = [
'malice/avast', 'malice/avg', 'malice/clamav', 'malice/comodo',
'malice/escan', 'malice/fprot', 'malice/fsecure', 'malice/mcafee',
'malice/sophos', 'malice/zoner'
]
# Initialize module logfile and tool output file to STDOUT, initialize output headers
def __init__(self):
self.logfile = stdout
self.output = False
self.virus_total = None
self.virus_total_output_path = ''
self.malice_output_path = ''
self.scanners = ExternalTesting.NONE
@staticmethod
def check_or_make_path(target_path):
if not path.isdir(target_path):
mkdir(target_path)
def get_scanners(self):
return self.MALICE_SCANNERS
# Specify module logfile manually
def set_logfile(self, logfile_path):
self.logfile = open(logfile_path, 'w')
# Specify module logfile directory, but use default name for logfile
def set_logfile_by_directory(self, logfile_directory):
self.logfile = open(
path.join(logfile_directory, 'external_scanner.log'), 'w')
# Flush module logfile
def flush_logfile(self):
self.logfile.flush()
# Close module logfile
def close_logfile(self):
if self.logfile != stdout:
self.logfile.close()
# Specify tool output file
def set_output_directory(self, output_path):
self.check_or_make_path(output_path)
if self.scanners and self.VIRUSTOTAL:
self.virus_total_output_path = path.join(output_path, 'VirusTotal')
ExternalTesting.check_or_make_path(self.virus_total_output_path)
if self.scanners and self.MALICE:
self.malice_output_path = path.join(output_path, 'Malice')
ExternalTesting.check_or_make_path(self.malice_output_path)
self.output = True
# Flush tool output file
def flush_output(self):
self.output.flush()
# Close tool output file
def close_output(self):
if self.output != stdout:
self.output.close()
# Close all logfiles (tool output, module logs)
def close(self):
self.close_logfile()
self.close_output()
def set_virus_total_key(self, key):
self.virus_total = Virustotal(key)
def set_external_scanners(self, setting):
if setting in [
ExternalTesting.NONE, ExternalTesting.MALICE,
ExternalTesting.VIRUSTOTAL,
ExternalTesting.MALICE | ExternalTesting.VIRUSTOTAL
]:
self.scanners = setting
return True
else:
return False
def check_virus_total(self):
if self.virus_total:
return True
else:
return False
# This function expects input in the form of destination filename, md5 sum, and path to file to scan. The output is
# a .json file (if the VirusTotal api is enabled) and an .md file (if the Malice command is enabled).
def process_file_list_multiscanner(self, md5_list):
if (self.scanners == self.NONE):
return False
if (self.scanners
and self.VIRUSTOTAL) and not (self.check_virus_total()):
raise AttributeError(
'VirusTotal API invoked without providing a key using the virus_total_key(key) method'
)
for entry in md5_list:
if self.scanners and self.VIRUSTOTAL:
self.logfile.write('Invoking VirusTotal on {}.'.format(
entry[2]))
destination_file_path = path.join(self.virus_total_output_path,
'{}.json'.format(entry[0]))
print(destination_file_path)
virus_total_report = self.virus_total.file_report([entry[1]])
if self.output:
with open(destination_file_path, 'w') as write_file:
pprint(virus_total_report, write_file)
self.logfile.write(
"Wrote VirusTotal report for {} to {}".format(
entry[2], destination_file_path))
else:
pprint(virus_total_report)
if self.scanners and self.MALICE:
self.logfile.write('Invoking Malice Scanner on {}.'.format(
entry[2]))
destination_file_path = path.join(self.malice_output_path,
'{}.md'.format(entry[0]))
malice_output = ""
for scanner in self.MALICE_SCANNERS:
print(entry[2], scanner)
command = "docker run --rm -v {}:/malware:ro {} -t " \
"/malware/{}".format(path.dirname(entry[2]), scanner, path.basename(entry[2]))
malice = run(command,
shell=True,
encoding=getfilesystemencoding(),
stdout=PIPE)
malice_output += malice.stdout
if self.output:
with open(destination_file_path, 'w') as write_file:
write_file.write(malice_output)
self.logfile.write(
"Wrote Malice output {} to {}".format(
entry[2], destination_file_path))
else:
print(malice_output)
return True
CONFIG = json.load(f)
except FileNotFoundError:
with open("Config.json", "w") as f:
json.dump(
{
'Discord_Bot_Token': 'YOURTOKEN',
'VirusTotalToken': 'YOURTOKEN',
'YourDiscordId': '0',
'Prefix': '&'
}, f)
raise Exception(
"Missing Config.json. I added it, please fill it out yourself! (Intended at first excecution)"
)
print("url tester unit loaded with key " + CONFIG['VirusTotalToken'])
vtotal = Virustotal(API_KEY=CONFIG['VirusTotalToken'], API_VERSION="v3")
async def get_url_embed(url: str, ctx):
embed = discord.Embed(title="VirusTotalBot URL Check",
description="Information about " + url,
color=discord.Colour.green())
embed.set_author(name=str(ctx.author))
try:
# See https://github.com/dbrennand/virustotal-python
resp = vtotal.request("urls", data={"url": url}, method="POST")
await sleep(
12
) # This is supoptimal but seems to be necessary in order of ensuring that the url gets testet
url_id = urlsafe_b64encode(url.encode()).decode().strip("=")
analysis_resp = vtotal.request(f"urls/{url_id}")
#!/usr/bin/python3
#Author: Nicholas Roddy
#The goal of this program is to take a malicious URL and defang it inorder to allow it to be shared safely, or for it to be refanged for further analysis.
#Additionally, this program takes the refanged URL and runs scans against it using the Virus Total API and returns the results for initial analysis.
#Imports modules for menu and defanging process
import argparse
from pprint import pprint
from defang import defang, refang
from pyfiglet import Figlet
from colorama import init, Fore, Style
from virustotal_python import Virustotal
from virustotal_python.virustotal import VirustotalError
init(convert=True) #Allows colorama to be initialized
vtotal = Virustotal(API_KEY="ENTER API KEY") #imports Virus Total API
#Takes a Malcious URL and defangs them
def defang_func():
#Determines fonts
custom_fig = Figlet(font='doom')
subtext_fig = Figlet(font='digital')
sub = "With all the stuff you care about & none of the stuff you don\'t!" #Subtext for menu
#Main Menu
print(Fore.CYAN + custom_fig.renderText('URL Pacifier v4.1'))
print(Style.DIM + Fore.YELLOW + subtext_fig.renderText(sub.center(40)))
print(
Fore.CYAN +
def set_virus_total_key(self, key):
self.virus_total = Virustotal(key)
# Obtain the URL ID
URL_ID = urlsafe_b64encode(DOMAIN.encode()).decode().strip("=")
# Example IP address (Google DNS)
IP = "8.8.8.8"
# Example ID of a graph
## NOTE: There are no comments on this graph so an empty list is returned
GRAPH_ID = "g70fae134aefc4e2f90f069aba47d15a92e0073564310443aa0b6ca3384f5240d"
# Example comment ID
COMMENT_ID = "f-9f101483662fc071b7c10f81c64bb34491ca4a877191d464ff46fd94c7247115-07457619"
# v2 examples
vtotal = Virustotal(API_KEY=API_KEY)
# Retrieve comments for a given file ID
resp = vtotal.request("comments/get", params={"resource": FILE_ID})
pprint(resp.json())
# Create a comment for a given file ID
resp = vtotal.request("comments/put", params={"resource": FILE_ID, "comment": "Wow, this looks like a #malicious file!"}, method="POST")
pprint(resp.json())
# v3 examples
vtotal = Virustotal(API_KEY=API_KEY, API_VERSION="v3")
## Retriving comments for resources
import olefile
import os
import sys
import shutil
import hashlib
from virustotal_python import Virustotal
import json
from pprint import pprint
BUFFER_SIZE=8899
file_l=[]
virus_total = Virustotal("#virus_total api key")
def hash_to_vtotal():
global ole_win
file_hash_SHA256= hashlib.sha256()
file_hash_MD5=hashlib.md5()
for file in file_l:
with open(file,'rb') as f:
file_bs=f.read(BUFFER_SIZE)
while len(file_bs)>0:
file_bs=f.read(BUFFER_SIZE)
file_hash_SHA256.update(file_bs)
file_hash_MD5.update(file_bs)
print(file)
print(file+":macro/vba detected")
print(os.path.abspath(file))
print('SHA-256:',file_hash_SHA256.hexdigest())
print('MD5:',file_hash_MD5.hexdigest())
meta=ole_win.get_metadata()
shutil.copy(file,sys.argv[2])
print('Macro copied to',sys.argv[2])
from virustotal_python import Virustotal
import time
import json
from pprint import pprint
import re
# api_key = <YOUR VIRUSTOTAL API KEY> get one here: https://developers.virustotal.com/reference
# save your api key in a text file named "vt_api.txt". This snippet of code will read the api key instead of hardcoding it, for security.
# or delete this and hard code it above
with open("vt_api.txt", "r") as f:
api_key = f.readline()
vtotal = Virustotal(api_key) # virustotal API key
# the urls flagged malicious are saved here
LIKELY_PHISHES = []
API_LIMIT_SECONDS = 15
GET_SCAN_REPORT_SECONDS = 5
def main():
print(
"Welcome. Enter 1 or more URLS. Press ENTER again after last entry:")
urls = get_urls()
decoded_urls = decode_url(urls)
scan_all_urls(decoded_urls)
print(
str(len(LIKELY_PHISHES)) + " out of " + str(len(decoded_urls)) +
" are phishes.\nHere they are:")
display_phishes()
Retrieve information about a file from the VirusTotal API.
Documentation:
* v2 documentation - https://developers.virustotal.com/reference#file-report
* v3 documentation - https://developers.virustotal.com/v3.0/reference#file-info
"""
from virustotal_python import Virustotal
from pprint import pprint
API_KEY = "Insert API key here."
# The ID (either SHA-256, SHA-1 or MD5) identifying the file
FILE_ID = "9f101483662fc071b7c10f81c64bb34491ca4a877191d464ff46fd94c7247115"
# v2 example
vtotal = Virustotal(API_KEY=API_KEY)
resp = vtotal.request("file/report", {"resource": FILE_ID})
print(resp.response_code)
pprint(resp.json())
# v3 example
vtotal = Virustotal(API_KEY=API_KEY, API_VERSION="v3")
resp = vtotal.request(f"files/{FILE_ID}")
pprint(resp.data)
Documentation:
* v2 documentation - https://developers.virustotal.com/reference#ip-address-report
* v3 documentation - https://developers.virustotal.com/v3.0/reference#ip-addresses
"""
from virustotal_python import Virustotal
from pprint import pprint
API_KEY = "Insert API key here."
# Example IP address (Google DNS)
IP = "8.8.8.8"
# v2 examples
vtotal = Virustotal(API_KEY=API_KEY)
## Retrieve information about an IP address
resp = vtotal.request("ip-address/report", params={"ip": IP})
pprint(resp.json())
# v3 examples
vtotal = Virustotal(API_KEY=API_KEY, API_VERSION="v3")
# Retrieve information about an IP address
resp = vtotal.request(f"ip_addresses/{IP}")
# Retrieve objects (relationships) related to an IP address
# Retrieve historical_whois relationship to the IP address
# For other relationships, see the table at: https://developers.virustotal.com/v3.0/reference#ip-relationships
resp = vtotal.request(f"ip_addresses/{IP}/historical_whois")
def virustotal(host):
# VT接口,主要用来查询PDNS,绕过CDN
vtotal = Virustotal(virustotal_api)
if re.search(r'\d+\.\d+\.\d+\.\d+', host):
return ['None']
resp = vtotal.domain_report(host)
history_ip = []
# 通过VT查询pdns,然后排除国内外常见的cdn段,如果出现极有可能是真实ip
cdns = [
'173.245.48.0/20', '103.21.244.0/22', '103.22.200.0/22',
'103.31.4.0/22', '141.101.64.0/18', '108.162.192.0/18',
'190.93.240.0/20', '188.114.96.0/20', '197.234.240.0/22',
'198.41.128.0/17', '162.158.0.0/15', '104.16.0.0/12', '172.64.0.0/13',
'131.0.72.0/22', '13.124.199.0/24', '144.220.0.0/16', '34.226.14.0/24',
'52.124.128.0/17', '54.230.0.0/16', '54.239.128.0/18',
'52.82.128.0/19', '99.84.0.0/16', '52.15.127.128/26',
'35.158.136.0/24', '52.57.254.0/24', '18.216.170.128/25',
'13.54.63.128/26', '13.59.250.0/26', '13.210.67.128/26',
'35.167.191.128/26', '52.47.139.0/24', '52.199.127.192/26',
'52.212.248.0/26', '205.251.192.0/19', '52.66.194.128/26',
'54.239.192.0/19', '70.132.0.0/18', '13.32.0.0/15', '13.224.0.0/14',
'13.113.203.0/24', '34.195.252.0/24', '35.162.63.192/26',
'34.223.12.224/27', '13.35.0.0/16', '204.246.172.0/23',
'204.246.164.0/22', '52.56.127.0/25', '204.246.168.0/22',
'13.228.69.0/24', '34.216.51.0/25', '71.152.0.0/17', '216.137.32.0/19',
'205.251.249.0/24', '99.86.0.0/16', '52.46.0.0/18', '52.84.0.0/15',
'54.233.255.128/26', '130.176.0.0/16', '64.252.64.0/18',
'52.52.191.128/26', '204.246.174.0/23', '64.252.128.0/18',
'205.251.254.0/24', '143.204.0.0/16', '205.251.252.0/23',
'52.78.247.128/26', '204.246.176.0/20', '52.220.191.0/26',
'13.249.0.0/16', '54.240.128.0/18', '205.251.250.0/23',
'52.222.128.0/17', '54.182.0.0/16', '54.192.0.0/16',
'34.232.163.208/29', '58.250.143.0/24', '58.251.121.0/24',
'59.36.120.0/24', '61.151.163.0/24', '101.227.163.0/24',
'111.161.109.0/24', '116.128.128.0/24', '123.151.76.0/24',
'125.39.46.0/24', '140.207.120.0/24', '180.163.22.0/24',
'183.3.254.0/24', '223.166.151.0/24', '113.107.238.0/24',
'106.42.25.0/24', '183.222.96.0/24', '117.21.219.0/24',
'116.55.250.0/24', '111.202.98.0/24', '111.13.147.0/24',
'122.228.238.0/24', '58.58.81.0/24', '1.31.128.0/24',
'123.155.158.0/24', '106.119.182.0/24', '180.97.158.0/24',
'113.207.76.0/24', '117.23.61.0/24', '118.212.233.0/24',
'111.47.226.0/24', '219.153.73.0/24', '113.200.91.0/24',
'1.32.240.0/24', '203.90.247.0/24', '183.110.242.0/24',
'202.162.109.0/24', '182.23.211.0/24', '1.32.242.0/24',
'1.32.241.0/24', '202.162.108.0/24', '185.254.242.0/24',
'109.94.168.0/24', '109.94.169.0/24', '1.32.243.0/24',
'61.120.154.0/24', '1.255.41.0/24', '112.90.216.0/24',
'61.213.176.0/24', '1.32.238.0/24', '1.32.239.0/24', '1.32.244.0/24',
'111.32.135.0/24', '111.32.136.0/24', '125.39.174.0/24',
'125.39.239.0/24', '112.65.73.0/24', '112.65.74.0/24',
'112.65.75.0/24', '119.84.92.0/24', '119.84.93.0/24',
'113.207.100.0/24', '113.207.101.0/24', '113.207.102.0/24',
'180.163.188.0/24', '180.163.189.0/24', '163.53.89.0/24',
'101.227.206.0/24', '101.227.207.0/24', '119.188.97.0/24',
'119.188.9.0/24', '61.155.149.0/24', '61.156.149.0/24',
'61.155.165.0/24', '61.182.137.0/24', '61.182.136.0/24',
'120.52.29.0/24', '120.52.113.0/24', '222.216.190.0/24',
'219.159.84.0/24', '183.60.235.0/24', '116.31.126.0/24',
'116.31.127.0/24', '117.34.13.0/24', '117.34.14.0/24',
'42.236.93.0/24', '42.236.94.0/24', '119.167.246.0/24',
'150.138.149.0/24', '150.138.150.0/24', '150.138.151.0/24',
'117.27.149.0/24', '59.51.81.0/24', '220.170.185.0/24',
'220.170.186.0/24', '183.61.236.0/24', '14.17.71.0/24',
'119.147.134.0/24', '124.95.168.0/24', '124.95.188.0/24',
'61.54.46.0/24', '61.54.47.0/24', '101.71.55.0/24', '101.71.56.0/24',
'183.232.51.0/24', '183.232.53.0/24', '157.255.25.0/24',
'157.255.26.0/24', '112.25.90.0/24', '112.25.91.0/24', '58.211.2.0/24',
'58.211.137.0/24', '122.190.2.0/24', '122.190.3.0/24',
'183.61.177.0/24', '183.61.190.0/24', '117.148.160.0/24',
'117.148.161.0/24', '115.231.186.0/24', '115.231.187.0/24',
'113.31.27.0/24', '222.186.19.0/24', '122.226.182.0/24',
'36.99.18.0/24', '123.133.84.0/24', '221.204.202.0/24',
'42.236.6.0/24', '61.130.28.0/24', '61.174.9.0/24', '223.94.66.0/24',
'222.88.94.0/24', '61.163.30.0/24', '223.94.95.0/24',
'223.112.227.0/24', '183.250.179.0/24', '120.241.102.0/24',
'125.39.5.0/24', '124.193.166.0/24', '122.70.134.0/24',
'111.6.191.0/24', '122.228.198.0/24', '121.12.98.0/24',
'60.12.166.0/24', '118.180.50.0/24', '183.203.7.0/24',
'61.133.127.0/24', '113.7.183.0/24', '210.22.63.0/24',
'60.221.236.0/24', '122.227.237.0/24', '123.6.13.0/24',
'202.102.85.0/24', '61.160.224.0/24', '182.140.227.0/24',
'221.204.14.0/24', '222.73.144.0/24', '61.240.144.0/24',
'36.27.212.0/24', '125.88.189.0/24', '120.52.18.0/24',
'119.84.15.0/24', '180.163.224.0/24'
]
if resp.get('status_code') != 403:
for i in resp.get('json_resp').get('resolutions'):
address = i.get('ip_address')
timeout = i.get('last_resolved')
result = True
for cdn in cdns:
if (ipaddress.ip_address(address)
in ipaddress.ip_network(cdn)):
result = False
if result:
history_ip.append(address + ' : ' + timeout)
return history_ip[-10:]
else:
return ['None']
def main():
parser = argparse.ArgumentParser(
description=
"Scan a single file in VirusTotal and waits until report is complete")
parser.add_argument('file', help='File to be scanned')
args = parser.parse_args()
if 'VT_API_KEY' not in os.environ:
LOGGER.error('VT_API_KEY environment variable not set.')
sys.exit(SCAN_ERROR)
LOGGER.debug('Initialzing VirusTotal API')
vt_api_key = os.environ['VT_API_KEY']
vt = Virustotal(vt_api_key)
# Hash file
LOGGER.info('Checking if report already exists via file hash.')
file_hash = sha256sum(args.file)
try:
response = vt.file_report([file_hash])
except ConnectionError as e:
err_str = str(e)
LOGGER.error(f"Connection error to VT: {err_str}.")
sys.exit(SCAN_ERROR)
ret = parse_response(response)
# If report is available, just exit with the appropriate RC
if ret != SCAN_NOT_FOUND:
ret_str = RET_STR_INFECTED if ret else RET_STR_CLEAN
LOGGER.info(f"Report found. Status: {ret_str}.")
sys.exit(ret)
# Send file to VT for scanning
try:
LOGGER.info(
'Report not found. Sending file to VirusTotal for scanning.')
vt.file_scan(args.file)
except ConnectionError as e:
err_str = str(e)
LOGGER.error(f"Connection error to VT: {err_str}")
sys.exit(SCAN_ERROR)
while ret == SCAN_NOT_FOUND:
LOGGER.info(f"Scan still running, sleeping for {WAIT_TIME} seconds.")
sleep(WAIT_TIME)
# Try again
try:
response = vt.file_report([file_hash])
except ConnectionError as e:
err_str = str(e)
LOGGER.error(
f"Temporary connection error to VT: {err_str}... Retrying in {WAIT_TIME} seconds."
)
continue
ret = parse_response(response)
ret_str = RET_STR_INFECTED if ret else RET_STR_CLEAN
LOGGER.info(f"Scan finished. Status: {ret_str}.")
sys.exit(ret)
import requests
from virustotal_python import Virustotal
import os.path
import time
import 文件操作
# 初始化对象,填入API_Key
# vtotal = Virustotal("51f9194a2d0e7d60cb7952f8bed2849a65617614e9edaa615c1e7d3ea45cb954")
vtotal = Virustotal(
"5af41c462b8cb6b9b02f1641ab3ebbbe6bc289b723de142c9765beb691f704b6")
# 上传文件,参数为文件路径,返回值为查询结果
def scanFile(filePath):
file_hash_list = [文件操作.getFileMD5(filePath)]
try:
resp = vtotal.file_report(file_hash_list)
except Exception as e:
print(e)
time.sleep(5)
try:
resp = vtotal.file_report(file_hash_list)
except Exception as err:
print("重试失败")
print(err)
return None
file_report_num = 0
while resp["status_code"] == 204:
print("超过请求速率", filePath, "将在60S后重试")
time.sleep(60)
try:
Documentation:
* v3 documentation - https://developers.virustotal.com/v3.0/reference#search-1
* https://developers.virustotal.com/v3.0/reference#metadata
"""
from virustotal_python import Virustotal
from pprint import pprint
API_KEY = "Insert API key here."
# The ID (either SHA-256, SHA-1 or MD5) identifying the file
FILE_ID = "9f101483662fc071b7c10f81c64bb34491ca4a877191d464ff46fd94c7247115"
# v3 examples
vtotal = Virustotal(API_KEY=API_KEY, API_VERSION="v3")
## Search the VirusTotal API for google.com
resp = vtotal.request("search", params={"query": "google.com"})
## Search the VirusTotal API for information related to Google's DNS (8.8.8.8)
resp = vtotal.request("search", params={"query": "8.8.8.8"})
## Search the VirusTotal API for a file ID
resp = vtotal.request("search", params={"query": FILE_ID})
## Search the VirusTotal API for the tag comment '#malicious'
resp = vtotal.request("search", params={"query": "#malicious"})
## Retrieve VirusTotal metadata
resp = vtotal.request("metadata")
## Print out a list of VirusTotal's supported engines
resp = vtotal.request("metadata")
engines_dict = resp.data["engines"]
from virustotal_python import Virustotal
from pprint import pprint
import json
import streamlit as st
url = st.text_input('Enter the url')
vtotal = Virustotal(
"939b160778c93a24ed0985dbc90a98d2def25cf82ed92046a95cfe553f63ade1")
url_scan = vtotal.url_report([url])
a = url_scan['json_resp']['positives']
if (a > 0):
print('malicious website')
else:
print('Clean Website')
from virustotal_python import Virustotal
import os
# from dotenv import load_dotenv
import random
# load_dotenv(dotenv_path='./secret.env')
# Normal Initialisation.
vtotal = Virustotal(os.environ.get('VIRUS_TOTAL_API_KEY'))
observations = [
"This is disgusting. I hate my life.",
"This URL may contain harmful code. . . Let's let Marvin look at it first :unamused:",
"I hope this kills me.",
"This could be my last web request. . .",
"This is @ihuman 's fault, and I will never forget."
]
def get_scan(url):
# mock_report =
# report = json.loads(mock_report)
# Query url(s) to VirusTotal.
# A list containing a url to be scanned by VirusTotal.
# resp = vtotal.url_scan(["ihaveaproblem.info"]) # Query a single url.
# A list of url(s) to be scanned by VirusTotal (MAX 4 per standard request rate).
scan = vtotal.url_scan(
[url]
)
# Retrieve scan report(s) for given file(s) from Virustotal.
# A list containing the resource (SHA256) HASH of a known malicious file.
report = vtotal.url_report(
import os
import sqlite3
import json
import shutil
import hashlib
from virustotal_python import Virustotal
vtotal = Virustotal("Insert API key here")
cwd = "/home/pixelweaver/.cuckoo"
init_db = False
if not os.path.isfile('samples.db'):
init_db = True
else:
if os.path.isfile('samples.bak'):
os.remove('samples.bak')
shutil.copyfile('samples.db', 'samples.bak')
conn = sqlite3.connect('samples.db')
c = conn.cursor()
if init_db:
c.execute('''CREATE TABLE samples
(rowid INTEGER PRIMARY KEY, sha256 TEXT, mark_count INTEGER)''')
c.execute('''CREATE TABLE snapshots
(sample_id INTEGER,
cpu_user REAL, cpu_system REAL, cpu_idle REAL, cpu_interrupt REAL, cpu_dpc REAL,
v_mem_total INTEGER, v_mem_available INTEGER, v_mem_used INTEGER, v_mem_free INTEGER,
s_mem_total INTEGER, s_mem_used INTEGER, s_mem_free INTEGER, s_mem_per REAL, s_mem_sin INTEGER, s_mem_sout INTEGER,
d_io_read_count INTEGER, d_io_write_count INTEGER, d_io_read_bytes INTEGER, d_io_write_bytes REAL, d_io_read_time INTEGER, d_io_write_time INTEGER,
n_io_bytes_sent INTEGER, m_io_bytes_recv INTEGER, n_io_packets_sent INTEGER, n_io_packets_recv INTEGER,
async def vt(event):
await event.edit(f"Analyzing Datas......")
input_str = event.pattern_match.group(1)
if not os.path.isdir(TEMP_DOWNLOAD_DIRECTORY):
os.makedirs(TEMP_DOWNLOAD_DIRECTORY)
if "|" in input_str:
url, file_name = input_str.split("|")
url = url.strip()
file_name = file_name.strip()
head, tail = os.path.split(file_name)
if head:
if not os.path.isdir(os.path.join(TEMP_DOWNLOAD_DIRECTORY, head)):
os.makedirs(os.path.join(TEMP_DOWNLOAD_DIRECTORY, head))
file_name = os.path.join(head, tail)
downloaded_file_name = TEMP_DOWNLOAD_DIRECTORY + "" + file_name
downloader = SmartDL(url, downloaded_file_name, progress_bar=False)
downloader.start(blocking=False)
c_time = time.time()
display_message = None
while not downloader.isFinished():
status = downloader.get_status().capitalize()
total_length = downloader.filesize if downloader.filesize else None
downloaded = downloader.get_dl_size()
now = time.time()
diff = now - c_time
percentage = downloader.get_progress() * 100
speed = downloader.get_speed()
elapsed_time = round(diff) * 1000
progress_str = "[{0}{1}] {2}%".format(
''.join(["█" for i in range(math.floor(percentage / 10))]),
''.join(["░"
for i in range(10 - math.floor(percentage / 10))]),
round(percentage, 2))
estimated_total_time = downloader.get_eta(human=True)
try:
current_message = f"{status}..\
\nURL: {url}\
\nFile Name: {file_name}\
\n{progress_str}\
\n{humanbytes(downloaded)} of {humanbytes(total_length)}\
\nETA: {estimated_total_time}"
if round(diff %
10.00) == 0 and current_message != display_message:
await event.edit(current_message)
display_message = current_message
except Exception as e:
LOGS.info(str(e))
if downloader.isSuccessful():
await event.edit(f"{text} \n\nDownloaded successfully !!")
else:
await event.edit("Incorrect URL\n{}".format(url))
elif event.reply_to_msg_id:
try:
c_time = time.time()
downloaded_file_name = await event.client.download_media(
await event.get_reply_message(),
TEMP_DOWNLOAD_DIRECTORY,
progress_callback=lambda d, t: asyncio.get_event_loop(
).create_task(
progress(d, t, event, c_time, f"{text} \n\nDownloading...")))
except Exception as e: # pylint:disable=C0103,W0703
await event.edit(str(e))
else:
await event.edit(f"{text} \n\nDownloaded successfully !!")
else:
return await event.edit(f"Error\n`Reply to a file to scan.`")
await event.edit(" `Scanning......`")
vscan = downloaded_file_name
if a ==2:
return await event.edit("`You need to Update wolfs to use this command.......`")
if not vscan:
return await event.edit("`Unknown command type !help virus_scan for more info`")
try:
vtotal = Virustotal(Vapi)
except:
return await event.edit("Failed to connect virus total , is api key added? type `!help virus_scan` for more info")
try:
vr = vtotal.file_scan(vscan)
except:
return await event.edit("`Unknown command type !help virus_scan for more info")
test = vr['json_resp'] ; link = test['permalink'] ; scan_id = test['scan_id'] ; response_code = test['response_code']
return await event.edit(""
f"• **Virus Total Response Code:** `{response_code}`\n"
f"• **Scan Results:** [ClickHere]({link}) ")
from virustotal_python import Virustotal
from pprint import pprint
from json2html import *
import json
vtotal = Virustotal(
"50473a41f47913496c613e67dee646f6a36ebf434ce4e99fec30198f5014d29c")
resp = vtotal.file_report(
["09de776902ca7d32abdab8a7ccd177fb917addf502bd4bd5aa25a93ab41cc869"])
data = json.dumps(resp)
data = data.replace("'", '"')
html_parser = json2html.convert(json=data)
with open("./templates/program/data_tep.html", "w") as f:
f.write(html_parser)
Auth = 'Bearer ' + Access_Token
headers2 = {'Authorization': Auth, 'Content-Type': 'text/plain'}
response2 = requests.post(Url2, headers=headers2, data=payload2).json()
print("[+] Incident Details were received Successfully")
#Entities loading
Entities = response2["Tables"][0]["Rows"][0][21]
Parsed_Entities = json.loads(Entities)
print("[+] Entities were received Successfully")
for i in range(len(Parsed_Entities)):
if "Value" in Parsed_Entities[i]:
hash = Parsed_Entities[i]["Value"]
vtotal = Virustotal(API_KEY=VT_API_KEY, API_VERSION="v3")
"""
Public API constraints and restrictions
The Public API is limited to 500 requests per day and a rate of 4 requests per minute.
The Public API must not be used in commercial products or services.
The Public API must not be used in business workflows that do not contribute new files.
"""
VT_resp = vtotal.request(f"files/{hash}").json()
results = VT_resp["data"]["attributes"]["last_analysis_results"]
magic = VT_resp["data"]["attributes"]["magic"]
print("[+] The File Magic is: " + magic)
for key, value in results.items():
print("[+] " + value["engine_name"] + " - The scan result is: " +
