-
Notifications
You must be signed in to change notification settings - Fork 24
/
virustotal.py
executable file
·188 lines (165 loc) · 5.67 KB
/
virustotal.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
#!/usr/bin/python
import httplib, mimetypes, simplejson, urllib, urllib2
import hashlib, time
import sys, getopt
apikey = ""
class bcolors:
GREEN = '\033[92m'
RED = '\033[91m'
ENDC = '\033[0m'
def disable(self):
self.GREEN = ''
self.RED = ''
self.ENDC = ''
# From VirusTotal API example https://www.virustotal.com/documentation/public-api/
# Upload file support
def post_multipart(host, selector, fields, files):
"""
Post fields and files to an http host as multipart/form-data.
fields is a sequence of (name, value) elements for regular form fields.
files is a sequence of (name, filename, value) elements for data to be uploaded as files
Return the server's response page.
"""
content_type, body = encode_multipart_formdata(fields, files)
h = httplib.HTTP(host)
h.putrequest('POST', selector)
h.putheader('content-type', content_type)
h.putheader('content-length', str(len(body)))
h.endheaders()
h.send(body)
errcode, errmsg, headers = h.getreply()
return h.file.read()
def encode_multipart_formdata(fields, files):
"""
fields is a sequence of (name, value) elements for regular form fields.
files is a sequence of (name, filename, value) elements for data to be uploaded as files
Return (content_type, body) ready for httplib.HTTP instance
"""
BOUNDARY = '----------ThIs_Is_tHe_bouNdaRY_$'
CRLF = '\r\n'
L = []
for (key, value) in fields:
L.append('--' + BOUNDARY)
L.append('Content-Disposition: form-data; name="%s"' % key)
L.append('')
L.append(value)
for (key, filename, value) in files:
L.append('--' + BOUNDARY)
L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % (key, filename))
L.append('Content-Type: %s' % get_content_type(filename))
L.append('')
L.append(value)
L.append('--' + BOUNDARY + '--')
L.append('')
body = CRLF.join(L)
content_type = 'multipart/form-data; boundary=%s' % BOUNDARY
return content_type, body
def get_content_type(filename):
return mimetypes.guess_type(filename)[0] or 'application/octet-stream'
# Return sha256 of a file
def filetohash(filename):
file_content = open(filename, "rb").read()
sha = hashlib.sha256(file_content).hexdigest()
return sha
# Upload on VirusTotal
def upload(filename):
host = "www.virustotal.com"
selector = "https://www.virustotal.com/vtapi/v2/file/scan"
fields = [("apikey", apikey)]
file_to_send = open(filename, "rb").read()
files = [("file", filename, file_to_send)]
json = post_multipart(host, selector, fields, files)
result = simplejson.loads(json)
return result
# Get report from a hash (md5, sha1, sha256, sha256+timestamp)
def report(resource):
url = "https://www.virustotal.com/vtapi/v2/file/report"
parameters = {"resource": resource,
"apikey": apikey}
data = urllib.urlencode(parameters)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
json = response.read()
#print json
result = simplejson.loads(json)
return result
# Print a VirusTotal report
def format_report(result):
scans = result.get("scans")
for k, v in scans.items():
if v['detected'] == True:
print ("%s: %s%s%s") % (k, bcolors.RED, v['result'], bcolors.ENDC)
else:
print ("%s: %s-%s") % (k, bcolors.GREEN, bcolors.ENDC )
print "-"*72
print "SHA256: %s" % result['sha256']
print "MD5: %s" % result['md5']
print ("Detection ratio: %s%s/%s%s") % \
(bcolors.RED, result['positives'], result['total'], bcolors.ENDC)
print ("Analysis date: %s%s%s") % (bcolors.GREEN, result['scan_date'],
bcolors.ENDC)
print "-"*72
print "URL: %s" % result['permalink']
def usage():
print "%s <file>" % sys.argv[0]
print "%s --no-upload <file>" % sys.argv[0]
print "%s -n <file>" % sys.argv[0]
print "%s --hash <hash>" % sys.argv[0]
print "%s -h <hash>" % sys.argv[0]
print "%s --force <file>" % sys.argv[0]
print "%s -f <file>" % sys.argv[0]
print " -n don't upload the file if report not available"
print " -h check if report exist for a hash"
print " -f force a new scan for the file"
def main():
if len(apikey) != 64:
print "Please set your VirusTotal API key"
sys.exit(2)
try:
opts, args = getopt.getopt(sys.argv[1:],
"fhn", ["force", "hash", "no-upload"])
except getopt.GetoptError, err:
print str(err)
usage()
sys.exit(2)
if len(args) == 0:
usage()
sys.exit(2)
file_hash = None
file_upload = True
force = False
check_hash = False
for o, a in opts:
if o in ("-n", "--no-upload"):
file_upload = False
elif o in ("-h", "--hash"):
check_hash = True
elif o in ("-f", "--force"):
force = True
else:
assert False, "unhandled option"
if check_hash == False:
file_hash = filetohash(args[0])
else:
file_hash = args[0]
if force == False:
r = report(file_hash)
if r['response_code'] == 1:
format_report(r)
sys.exit(0)
else:
print "File %s not in VirusTotal or in queue" % file_hash
if file_upload == False or check_hash == True:
sys.exit(0)
print "Upload in progress..."
ru = upload(args[0])
print ru['permalink']
print ru['verbose_msg']
print "Wait for report..."
r = report(ru['resource'])
while r['response_code'] == 0:
time.sleep(15)
r = report(ru['resource'])
format_report(r)
if __name__ == '__main__':
main()