Just a quick post for a quick fix. I added a few lines to the Perl script originally made by cfrenz to make it more useful for my needs and hopefully for a few others as well. Looping through a JSON file can be tricky and the original script lacked the more verbose output which is now included.
/Micke
# vtupload.pl
#!/usr/bin/perl
# This script is heavily based (to say the least) on the work done by cfrenz (http://perlgems.blogspot.se/2012/05/using-virustotal-api-v20.html). My aim was to add some functionality to the original script.
# Usage: vtupload.pl <sample>, or loop over your sample repository and pipe the results to one or more files for later
# analysis, which makes it easy to push loads of samples to VT.
# /Micke @nsmfoo
# Org comments:
# Copyright 2012- Christopher M. Frenz
# This script is free software - it may be used, copied, redistributed, and/or modified
# under the terms laid forth in the Perl Artistic License
use LWP::UserAgent;
use JSON;
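# Submit one file to VirusTotal (API v2), then fetch and print the report
# that belongs to the SHA256 returned by the upload.
#
# Usage: vtupload.pl <sample>
#
# Operational note: file/scan transfers the sample itself to VirusTotal,
# where submissions are shared with its partners and subscribers, so the
# repository you loop over should hold only files that may leave your hands.
use strict;
use warnings;

# Turn a value into something safe to print: undef (JSON null) becomes
# 'n/a', and control characters are replaced so that strings taken from the
# API response or from the command line cannot carry terminal escape
# sequences into the console or into a saved report that is viewed later.
sub _printable {
    my ($value) = @_;
    return 'n/a' unless defined $value;
    (my $clean = "$value") =~ s/[\x00-\x1f\x7f]/?/g;
    return $clean;
}

# Check an HTTP response from $endpoint and return its body decoded into a
# hash reference. Dies with a readable message on an HTTP error, on an
# exceeded request quota, or on a body that is not a JSON object.
sub _decode_reply {
    my ($endpoint, $reply) = @_;
    die "$endpoint error: ", $reply->status_line
        unless $reply->is_success;

    # The v2 public API answers an exceeded request rate with 204 and an
    # empty body; is_success accepts that, the JSON decoder would not.
    die "$endpoint error: request rate limit exceeded (HTTP 204)\n"
        if $reply->code == 204;

    my $decoded = eval { JSON->new->allow_nonref->decode($reply->content) };
    die "$endpoint error: response body is not a JSON object\n"
        unless ref $decoded eq 'HASH';
    return $decoded;
}

my $sample = $ARGV[0];
die "Usage: $0 <sample>\n"
    unless defined $sample && length $sample;
die "$sample: not a readable regular file\n"
    unless -f $sample && -r _;

# The API key is a credential. Reading it from the environment keeps it out
# of the script and out of any copy that gets shared or committed.
# VT_API_KEY is a variable name chosen by this script; the literal remains
# as the fallback so an edited copy of the original keeps working.
my $key = (defined $ENV{VT_API_KEY} && length $ENV{VT_API_KEY})
    ? $ENV{VT_API_KEY}
    : 'VT-API KEY';

# verify_hostname stays on: the key and the sample travel over this channel.
my $ua  = LWP::UserAgent->new(ssl_opts => { verify_hostname => 1 });
my $url = 'https://www.virustotal.com/vtapi/v2/file/scan';
my $response = $ua->post(
    $url,
    Content_Type => 'multipart/form-data',
    Content      => [ 'apikey' => $key, 'file' => [$sample] ],
);
my $decjson = _decode_reply($url, $response);

# Pull the sha256 value out of the JSON response and make sure it really is
# a SHA256 before sending it back as the lookup key.
my $sha256 = $decjson->{"sha256"};
die "$url error: no usable sha256 in response (",
    _printable($decjson->{"verbose_msg"}), ")\n"
    unless defined $sha256 && $sha256 =~ /\A[0-9a-fA-F]{64}\z/;

# Retrieve the results that pertain to the submitted file by hash value.
$url      = 'https://www.virustotal.com/vtapi/v2/file/report';
$response = $ua->post( $url, [ 'apikey' => $key, 'resource' => $sha256 ] );
$decjson  = _decode_reply($url, $response);

# Print selected values from the JSON report.
print "-----------------------------------------------------------------------\n";
print "Sample name: ". _printable($sample)."\n";
print "Scan ID: "._printable($decjson->{"scan_id"})."\n";
print "Scan Date: "._printable($decjson->{"scan_date"})."\n";
print "SHA256: "._printable($decjson->{"sha256"})."\n";
print "MD5: "._printable($decjson->{"md5"})."\n";
print "Detection rate: "._printable($decjson->{"positives"}). "/"._printable($decjson->{"total"})."\n";
print "Verbose Message: "._printable($decjson->{"verbose_msg"})."\n";
print "-----------------------------------------------------------------------\n";

# A report requested right after the upload is often not finished yet;
# response_code 1 is the value that marks a retrievable report. Say so on
# stderr, which keeps a piped result file in the same shape as before.
my $code = $decjson->{"response_code"};
warn "No finished report yet (response_code ", _printable($code),
    "); look the SHA256 up again later.\n"
    unless defined $code && $code == 1;

# Print AV engine status per vendor. Only the "scans" member is walked, and
# only where it really is a hash: dereferencing every top-level value as a
# hash, as the earlier loop did, makes plain strings from the response act
# as symbolic references to package variables when strict refs is off.
print "Scan results: \n";
my $scans = $decjson->{"scans"};
if (ref $scans eq 'HASH') {
    for my $engine ( sort keys %$scans ) {
        print "\t", _printable($engine), "\n";
        my $verdict = $scans->{$engine};
        next unless ref $verdict eq 'HASH';
        for my $field ( sort keys %$verdict ) {
            print "\t\t", _printable($field), " => ",
                _printable($verdict->{$field}), "\n";
        }
    }
}
print "\nURL: "._printable($decjson->{"permalink"})."\n";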