提取VirusTotal的扫描结果
2017-07-14 00:00
下午IDA了一下VirusTotalUploader2.2.exe，发现有几个函数比较有意思，分享一下吧。
这就是从文件路径计算文件SHA1并向VirusTotal查询SHA1对应的信息的基本代码。
/* author : iopfnx date : 2017-07-14 web : https://my.oschina.net/ejoyc msvc compile cmdline: @cl /c /MT /Ox /D_WIN32 aaa.c @link aaa.obj Wininet.lib advapi32.lib /machine:x86 /subsystem:console /OPT:REF /RELEASE /out:aaa.exe */ #include <windows.h> #include <strsafe.h> #include <Wininet.h> #ifndef PAGE_SIZE #define PAGE_SIZE 0x00001000 #endif void* FwAlloc(int size) { void* p = malloc(size); if (p!= NULL) { memset(p, 0, size); } return p; } void FwFree(void* p) { free(p); } BOOL __cdecl OpenConnection( OUT HINTERNET* hInternetOpen, OUT HINTERNET* hInternetConnect, OUT HINTERNET* hOpenRequest, IN LPCWSTR ObjectName ) { BOOL bRet = FALSE; HINTERNET hOpen; HINTERNET hConnect; HINTERNET hRequest; hOpen = InternetOpenW(L"VirusTotal Uploader 2.2-beta", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0); if (hOpen != NULL) { hConnect = InternetConnectW(hOpen, L"www.virustotal.com", INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0); if (hConnect != NULL) { hRequest = HttpOpenRequestW(hConnect, L"GET", ObjectName, NULL, NULL, NULL, INTERNET_FLAG_DONT_CACHE|INTERNET_FLAG_NO_AUTO_REDIRECT| INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, 0); if (hRequest != NULL) { *hInternetOpen = hOpen; *hInternetConnect = hConnect; *hOpenRequest = hRequest; bRet = TRUE; } if (bRet == FALSE) { InternetCloseHandle(hConnect); } } if (bRet == FALSE) { InternetCloseHandle(hOpen); } } return bRet; } void __cdecl CloseConnection( HINTERNET hInternetOpen, HINTERNET hInternetConnect, HINTERNET hOpenRequest ) { if (hOpenRequest) { InternetCloseHandle(hOpenRequest); } if (hInternetConnect) { InternetCloseHandle(hInternetConnect); } if (hInternetOpen) { InternetCloseHandle(hInternetOpen); } } BOOL __cdecl GetFileSHA1(IN PCWSTR FilePath, OUT WCHAR SHA1[]) { BOOL bRet = FALSE; PUCHAR Buffer = NULL; ULONG BufLen = 0; HANDLE hFile; hFile = CreateFileW(FilePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (hFile != INVALID_HANDLE_VALUE) { LARGE_INTEGER FileSize 
= {0}; if (GetFileSizeEx(hFile, &FileSize) == TRUE && FileSize.QuadPart <= 0x100 * 0x100000 && FileSize.QuadPart > 0) { Buffer = (PUCHAR)FwAlloc(FileSize.LowPart); if (Buffer != NULL) { ULONG Length = 0; BufLen = FileSize.LowPart; if (ReadFile(hFile, Buffer, BufLen, &Length, NULL) == FALSE || BufLen != Length) { FwFree(Buffer); Buffer = NULL; BufLen = 0; } } } CloseHandle(hFile); } if (Buffer != NULL && BufLen > 0) { HCRYPTHASH phHash; HCRYPTPROV phProv; DWORD dwDataLen = (DWORD)BufLen; PBYTE pbData = (PBYTE)Buffer; BYTE byteSHA1[20] = {0}; UINT Index = 0; ULONG Length = 20; if (CryptAcquireContextW(&phProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT) == TRUE) { if (CryptCreateHash(phProv, CALG_SHA1, 0, 0, &phHash) == TRUE) { if (CryptHashData(phHash, pbData, dwDataLen, 0) == TRUE) { if (CryptGetHashParam(phHash, HP_HASHVAL, byteSHA1, &Length, 0) == TRUE) { for (Index = 0; Index < 20; Index++) { StringCchPrintfW(SHA1+ Index * 2, 3, L"%02X", byteSHA1[Index]); } bRet = TRUE; } } CryptDestroyHash(phHash); } CryptReleaseContext(phProv, 0); } } return bRet; } BOOL __cdecl NetQueryVirusTotal( IN PCWSTR FilePath, OUT PVOID* Info ) { HINTERNET hInternetOpen; HINTERNET hInternetConnect; HINTERNET hOpenRequest; BOOL bRet = FALSE; PVOID Buffer = NULL; ULONG dwBytesRead = 0; WCHAR szObjectName[0x100] = {0}; WCHAR SHA1[48] = {0}; if (GetFileSHA1(FilePath, SHA1) == TRUE) { StringCchPrintfW(szObjectName, 0x100, L"/vtapi/v2/file/report?apikey=%ws&resource=%ws", L"f25133d9068704c23335fc39a7351828fa80c5dde894d731d5450cf8ab8569e8", SHA1); bRet = OpenConnection(&hInternetOpen, &hInternetConnect, &hOpenRequest, szObjectName); if (bRet == TRUE) { bRet = HttpSendRequestExW(hOpenRequest, NULL, NULL, 0, 0); if (bRet == TRUE) { bRet = HttpEndRequestW(hOpenRequest, NULL, 0, 0); if (bRet == TRUE) { Buffer = FwAlloc(PAGE_SIZE * 4); if (Buffer != NULL) { bRet = InternetReadFile(hOpenRequest, Buffer, PAGE_SIZE * 4 - 1, &dwBytesRead); if (bRet == TRUE) { *Info = Buffer; } else { 
FwFree(Buffer); } } else { bRet = FALSE; } } } CloseConnection(hInternetOpen, hInternetConnect, hOpenRequest); } } return bRet; } void __cdecl Format(char* data, char** ext) { char* ptr = data; while (*ptr != 0) { if (*(PULONG)ptr == 0x22202c7d) { *(ptr+2) = '\n'; ptr += 3; } else if (*(PULONG)ptr == 0x202c7d7d) { *(ptr+3) = 0; *ext = (ptr + 4); ptr += 3; } ptr++; } } int __cdecl wmain(int argc, WCHAR* argv[]) { CHAR* data = NULL; CHAR* ext = NULL; if (NetQueryVirusTotal(argc == 1 ? argv[0] : argv[1], &data) == TRUE) { if (strstr((char*)data, "\"scans\":")) { Format((char*)data, &ext); } puts(data); if (ext != NULL) { printf("[!] %s\n", ext); } FwFree(data); } return 0; }
这就是从文件路径计算文件SHA1并向VirusTotal查询SHA1对应信息的基本代码。实际使用时注意两点：不要把 API key 硬编码在源码或二进制里（应在运行时从环境变量读取），并且务必通过 HTTPS 而不是明文 HTTP 调用接口，否则 key 和文件哈希都会在网络上明文传输。