
Virus Total Hash Submitter

Sometimes you just need to check whether certain files are already known to AV vendors, but you do not want to hand the suspect file(s) to anyone. Uploading a sample to VirusTotal shares it with the AV vendors. To avoid that, VT lets you check a file you have locally against its database indirectly, by submitting only a hash of the file: the hash reveals nothing about the content, and if VT has never seen that hash you simply get no match.

This Python script computes the MD5 hash of every file with one of the configured extensions under a directory and its subdirectories, and fetches the AV alert names from VirusTotal for each hash that has a report. Only the hashes are sent; the files themselves never leave your machine.

############################################
#
# Script will recurse 'searchPath' for files matching 'extensions',
#  calculate MD5, and check if VirusTotal has a report matching the MD5.
#  If VT has a report, a list of AV alert names will be written to
#  'outFile' in the same directory as the suspect file.
#
# 'VTApiKey' should be the path to a file whose first line is your API Key
#  from VirusTotal. http://www.virustotal.com/advanced.html#publicapi
#  Keep that file readable only by you; the key is read from it at each
#  lookup, so it never needs to be pasted into this script.
#
# Use at your own risk.
#
# Submit bugs to msmith --at-- blackfortressindustries.com
#
############################################

import os
import sys
import hashlib
import urllib
import urllib2
import simplejson
import time

# Root of the directory tree to scan (walked recursively).
searchPath='/your/path/here/'
# Name of the report file. One is appended to in each directory that
# contains a looked-up file, next to the file itself.
outFile='VTData'
# Path to a file whose first line is your VirusTotal API key. Keep the key
# out of this script and make that file readable only by you (chmod 600):
# anyone who can read it can use your quota and see what you look up.
VTApiKey = 'VTApiKey'
# Name suffixes that select files for lookup. Matched with str.endswith,
# so the test is case-sensitive and does not require a leading dot
# ("foo.exe" and "fooexe" both match "exe").
extensions = ("exe", "EXE", "_exe_", "_EXE_", "dll", "DLL", "_dll_", "_DLL_", "sys", "SYS", "_sys_", "_SYS_", "zip", "ZIP")

def main():
  """Entry point: scan the configured 'searchPath' tree and look up
  every matching file on VirusTotal."""
  root = searchPath
  getDirs(root)

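def getDirs(path):
  """Walk *path* recursively and look up every file whose name ends with
  one of 'extensions' on VirusTotal by its MD5.

  Fixes relative to the first version: the *path* argument is honoured
  (it used to be ignored in favour of the module-level 'searchPath'),
  a file is hashed only after it passes the extension check (previously
  every file in the tree was read), and the file handle is closed even
  if reading raises.

  Args:
    path: directory to walk.

  Returns:
    None. Side effects happen in doVT(), which is retried for the same
    file as long as it returns 0 (its "rate limit hit, already slept"
    signal).
  """
  for dirname, _subdirs, filenames in os.walk(path):
    for filename in filenames:
      # Cheap name check first; only candidates get read and hashed.
      if not filename.endswith(extensions):
        continue
      digest = _md5_of_file(os.path.join(dirname, filename))
      # doVT returns 0 only after sleeping through a rate-limit
      # response, so loop until the lookup actually completes.
      while doVT(digest, dirname, filename) == 0:
        pass


def _md5_of_file(filepath):
  """Return the hex MD5 of *filepath*, read in 8 KiB chunks.

  The file is opened read-only in binary mode and closed on every path.
  MD5 is used because that is the key this VT endpoint is queried with;
  it is fine as a lookup key but has no collision resistance, so a hash
  match is a database lookup, not proof that two files are identical.

  Args:
    filepath: path to the file to hash.

  Returns:
    The 32-character lowercase hex digest.

  Raises:
    IOError/OSError if the file cannot be opened or read.
  """
  md5 = hashlib.md5()
  with open(filepath, 'rb') as fh:
    while True:
      block = fh.read(8192)
      if not block:
        break
      md5.update(block)
  return md5.hexdigest()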

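def doVT(hash, targetDir, targetFile):
  """Look up one MD5 on VirusTotal and append the verdict to 'outFile'.

  Only the hash is sent (as the 'resource' form field) together with the
  API key; the file itself never leaves this machine.

  Args:
    hash: hex MD5 of the file.
    targetDir: directory holding the file. The record is appended to
      os.path.join(targetDir, outFile).
    targetFile: file name, used only for the log record.

  Returns:
    0 if the API answered with its rate-limit code (-2). This function
      has then already slept ~5 minutes and the caller should call again
      with the same arguments; nothing was written.
    1 otherwise: a record was written (match, no match, or a lookup
      failure written in place of a verdict).

  Raises:
    IOError/OSError if the API-key file or the output file cannot be
    opened; these are configuration errors and are left to surface.

  Notes:
    The key is POSTed over https, but Python 2's urllib2 before 2.7.9
    does not validate the server certificate, so on an untrusted network
    an on-path attacker could observe the key. Use a current Python (or
    a dedicated VT client) if that matters to you.
  """
  print(hash + ':' + targetDir + ':' + targetFile)

  # Read the key from its file on every call so it never has to live in
  # this script. The file should be readable only by you.
  with open(VTApiKey, 'r') as apiF:
    vtApiKeyVal = apiF.readline().strip()

  url = "https://www.virustotal.com/api/get_file_report.json"
  data = urllib.urlencode({"resource": hash, "key": vtApiKeyVal})
  req = urllib2.Request(url, data)

  # One timestamp per record so every branch below agrees.
  stamp = time.strftime("%a, %d %b %Y %H:%M:%S +0000", time.gmtime())
  # File names come from the scanned tree (i.e. from the samples). Keep
  # the log one record per line even if a name contains a line break.
  safeName = targetFile.replace('\r', ' ').replace('\n', ' ')
  recordPath = os.path.join(targetDir, outFile)

  try:
    response = urllib2.urlopen(req)
    response_dict = simplejson.loads(response.read())
  except (urllib2.URLError, ValueError) as err:
    # Network/HTTP failure (URLError covers HTTPError) or a non-JSON
    # body: record it and move on instead of aborting the whole scan.
    failed = 'Lookup failed: ' + str(err) + ' ' + stamp
    print(failed)
    with open(recordPath, 'a') as of:
      of.write(safeName + '::' + hash + '::' + failed + "\n")
    return 1

  result = response_dict.get("result")
  if result == -2:
    # Public-API quota (20 requests / 5 min) reached: wait it out and
    # ask the caller to retry this hash.
    print('VT API Limit Reached, sleeping for 5m10s...')
    time.sleep((60 * 5) + 10)
    return 0

  with open(recordPath, 'a') as of:
    if result == 0:
      nmf = 'No Match Found: ' + stamp
      print(nmf)
      of.write(safeName + '::' + hash + '::' + nmf + "\n")
    elif result == 1:
      report = response_dict.get("report")
      # Expected shape: [scan_date, {vendor: alert_name_or_empty, ...}].
      # Anything else used to raise TypeError/IndexError mid-scan.
      if (not isinstance(report, (list, tuple)) or len(report) < 2
          or not isinstance(report[1], dict)):
        bad = 'Unexpected report format: ' + stamp
        print(bad)
        of.write(safeName + '::' + hash + '::' + bad + "\n")
      else:
        # Keep only the vendors that actually flagged the file.
        avHits = ','.join(alert for alert in report[1].values() if alert)
        of.write(safeName + '::' + hash + '::' + stamp + '::'
                 + report[0] + '::' + avHits.rstrip(',').strip() + "\n")
    # Any other 'result' value: nothing is recorded (as before).
  return 1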

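# Guard the entry point so the module can be imported (e.g. to reuse
# doVT or getDirs from another script) without starting a scan.
if __name__ == "__main__":
  main()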

