virustotal 2.0.0

data/LICENSE

@@ -0,0 +1,25 @@
+Copyright (c) 2010-2011 Jacob Hammack, Hammackj LLC
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the Jacob Hammack or Hammackj LLC nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL JACOB HAMMACK or HAMMACKJ LLC BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/NEWS.markdown

@@ -0,0 +1,30 @@
+# News
+
+# 2.0.0 (February 20, 2011)
+- Converted the entire thing into a rubygem
+- Cleaned up the code significantly
+- Added a config file to store the api-key in
+- fixed up the command line options some
+- Optimized execution some
+
+# 1.0.0 (September 27, 2010)
+- Cleaned up some dead code
+- Added URL for the report for easier web viewing.
+
+# 0.0.5 (September 11, 2010)
+- Added a url scan option -w, so that urls can be scanned using the new api
+- Added file upload option -u, so that files can be uploaded and waits for results
+
+# 0.0.4 (September 10, 2010)
+- Modified to use the new virustotal.com API, the code has been simplified.
+
+# 0.0.3 (June 10, 2010)
+- Added a timer between hash lookups from files
+- Added a check for the invalid hash error that seems to happen on some MD5 hashes
+- Added debug output
+
+# 0.0.2 (January  31, 2010)
+- Updated a output bug on the usage statement. Thanks to smithj for finding it.
+
+# 0.0.1 (July 11, 2009)
+- Initial public release (BlackHat)

data/README.markdown

@@ -0,0 +1,42 @@
+# ruby-virustotal
+
+ruby-virustotal is [virustotal](http://www.virustotal.com) automation and convenience tool for hash, file and URL submission.
+
+The current version is 2.0.
+
+## Requirements
+
+* ruby
+* rubygems
+* json
+* rest-client
+
+* public api key from [virustotal.com](http://www.virustotal.com)
+
+## Installation
+
+	% gem install virustotal
+	% virustotal [options]
+
+## Usage
+
+### Searching a file of hashes
+
+	% ./virustotal.rb -f <file_with_hashes_one_per_line>
+
+### Searching a single hash
+
+	% ./virustotal.rb -h FD287794107630FA3116800E617466A9
+ 
+### Searching a file of hashes and outputting to XML
+	% ./virustotal.rb -f <file_with_hashes_one_per_line> -x
+
+### Upload a file to Virustotal and wait for analysis
+	% ./virustotal.rb -u </path/to/file>
+
+### Search for a single URL 
+	% ./virustotal.rb -s "http://www.google.com"
+
+## Contact
+
+You can reach me at Jacob[dot]Hammack[at]hammackj[dot]com or http://www.hammackj.com

data/Rakefile

@@ -0,0 +1,15 @@
+$LOAD_PATH.unshift File.expand_path("../lib", __FILE__)
+
+require "virustotal"
+ 
+task :build do
+  system "gem build #{VirusTotal::APP_NAME}.gemspec"
+end
+ 
+task :release => :build do
+  system "gem push #{VirusTotal::APP_NAME}-#{VirusTotal::VERSION}.gem"
+end
+
+task :clean do
+	system "rm *.gem"
+end

data/TODO.markdown

@@ -0,0 +1,8 @@
+# TODO
+
+**Release dates are estimates, and features can be changed at any time.**
+
+## 2.0 (5/4/2011)
+- Turn into a GEM
+- clean up code
+- add the ability to read from file for key

data/bin/virustotal

@@ -0,0 +1,17 @@
+#!/usr/bin/env ruby
+# encoding: utf-8
+
+# virustotal - a command line tool for working with virustotal.com
+# Jacob Hammack <jacob.hammack@hammackj.com>
+# http://www.hammackj.com
+# 
+# hammackj - 01-05-2011 - Version 2.0.0
+#
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '/../lib'))
+
+require 'rubygems'
+require 'virustotal'
+
+app = VirusTotal::Application.new
+app.run(ARGV)

data/lib/virustotal.rb

@@ -0,0 +1,16 @@
+# encoding: utf-8
+
+module VirusTotal
+	APP_NAME = "virustotal"
+	VERSION = "2.0.0"
+	CONFIG_FILE = "~/.virustotal"
+end
+
+require 'json'
+require 'rest_client'
+require 'optparse'
+require 'yaml'
+
+require 'virustotal/application'
+require 'virustotal/virustotal'
+require 'virustotal/virustotalresult'

data/lib/virustotal/application.rb

@@ -0,0 +1,184 @@
+# encoding: utf-8
+
+module VirusTotal
+	class Application
+		
+		# Creates a new instance of the [Application] class
+		#
+		def initialize
+			@options = {}
+			@config = {}
+			@hashes = Array.new
+			@files_of_hashes = Array.new
+			@sites = Array.new
+			@uploads = Array.new
+		end
+		
+		# Parses the command the line options and returns the parsed options hash
+		#
+		# @return [Hash] of the parsed options
+		def parse_options(args)
+			begin
+				@options['output'] = :stdout
+				@options['debug'] = false
+				
+				opt = OptionParser.new do |opt|
+					opt.banner =	"#{APP_NAME} v#{VERSION}\nJacob Hammack\nhttp://www.hammackj.com\n\n"
+					opt.banner << "Usage: #{APP_NAME} <options>"
+					opt.separator('')
+					opt.separator("Search Options")
+				
+					opt.on('-h HASH', '--search-hash HASH', 'Searches a single hash on virustotal.com') { |hash| 
+						@hashes.push(hash)
+					}
+
+					opt.on('-f FILE', '--search-file FILE', 'Searches a each hash in a file of hashes on virustotal.com') { |file|
+						if File.exists?(file)
+							puts "[+] Adding file #{file}" if @options["debug"]
+							@files_of_hashes.push(file)
+						else
+							puts "[!] #{file} does not exist, please check your input!\n"
+						end
+					}
+					
+					opt.on('-u FILE', '--upload-file FILE', 'Uploads a file to virustotal.com for analysis') do |file|
+						if File.exists?(file)
+							puts "[+] Adding file #{file}" if @options["debug"]
+							@uploads.push(file)
+						else
+							puts "[!] #{file} does not exist, please check your input!\n"
+						end
+					end
+
+					opt.on('-s SITE', '--search-site SITE', 'Searches for a single url on virustotal.com') { |site| 
+						@sites.push(site)
+					}			
+						
+					opt.separator('')
+					opt.separator('Output Options')
+
+					opt.on('-x', '--xml-output', 'Print results as xml to stdout') {	
+						@options["output"] = :xml
+					}
+			
+					opt.on('-y', '--yaml-output', 'Print results as yaml to stdout') {
+						@options['output'] = :yaml
+					}
+					
+					opt.on('--stdout-output', 'Print results as normal text line to stdout, this is default') {
+						@options['output'] = :stdout
+					}
+
+					opt.separator ''
+					opt.separator 'Advanced Options'
+
+					opt.on('-c', '--create-config', 'Creates a skeleton config file to use') do					
+						if File.exists?(File.expand_path(CONFIG_FILE)) == false
+							File.open(File.expand_path(CONFIG_FILE), 'w+') do |f| 
+								f.write("virustotal: \n  api-key: \n  timeout: 10\n\n") 
+							end
+
+							puts "[*] An empty #{File.expand_path(CONFIG_FILE)} has been created. Please edit and fill in the correct values."
+							exit
+						else
+							puts "[!]  #{File.expand_path(CONFIG_FILE)} already exists. Please delete it if you wish to re-create it."
+							exit
+						end
+					end
+
+					opt.on('-d', '--debug', 'Print verbose debug information') do |d|
+						@options["debug"] = d
+					end
+				
+					opt.separator ''
+					opt.separator 'Other Options'
+				
+					opt.on('-v', '--version', "Shows application version information") do
+						puts "#{APP_NAME} - #{VERSION}"
+						exit
+					end
+
+					opt.on_tail("-?", "--help", "Show this message") { |help|
+						puts opt.to_s + "\n"
+						exit
+					} 
+				end
+							
+			  if ARGV.length != 0 
+			    opt.parse!
+			  else
+			    puts opt.to_s + "\n"
+				  exit
+				end		
+			rescue OptionParser::MissingArgument => m
+				puts opt.to_s + "\n"
+				exit
+			end
+		end
+		
+		# Loads the .virustotal config file for the api key
+		#
+		def load_config
+			if File.exists?(File.expand_path(CONFIG_FILE))
+				@config = YAML.load_file File.expand_path(CONFIG_FILE)
+			else
+				puts "[!] #{CONFIG_FILE} does not exist. Please run virustotal --create-config, to create it."
+				exit
+			end
+		end
+		
+		# Processes all of the command line arguments and displays the results
+		#
+		def run(args)
+			parse_options(args)		
+			load_config
+			
+			vt = VirusTotal.new(@config["virustotal"]["api-key"], @config["virustotal"]["timeout"], @options["debug"])
+			
+			if @options['output'] == :stdout
+				output_method = :to_stdout
+			elsif @options['output'] == :yaml
+				output_method = :to_yaml
+			elsif @options['output'] == :xml
+				output_method = :to_xml
+				print "<results>\n"
+			end
+						
+			if @files_of_hashes != nil
+				@files_of_hashes.each do |file|
+					f = File.open(file, 'r')
+
+				  f.each do |hash|
+				  	hash.chomp!
+				    @hashes.push hash
+				  end
+				end
+			end		
+						
+			if @hashes != nil
+				@hashes.each do |hash|
+					result = vt.query_hash hash					
+					print result.send output_method
+				end
+			end
+			
+			if @sites != nil
+				@sites.each do |site|
+					result = vt.query_site site
+					print result.send output_method
+				end
+			end
+			
+			if @uploads != nil
+				@uploads.each do |upload|
+					result = vt.query_upload upload
+					print result.send output_method
+				end
+			end
+			
+			if @options['output'] == :xml
+				print "</results>\n"
+			end
+		end		
+	end
+end

data/lib/virustotal/virustotal.rb

@@ -0,0 +1,104 @@
+# encoding: utf-8
+
+module VirusTotal
+	class VirusTotal
+		
+		# Creates a new instance of the [VirusTotal] class
+		#
+		# @return [VirusTotal] 
+		def initialize(api_key, timeout = 7, debug = false)
+			@api_key = api_key
+			@timeout = timeout.to_i
+			@debug = debug
+		end
+		
+		# Queries a single hash on virustotal.com
+		#
+		# @return [VirusTotalResult] of the results from the query
+		def query_hash hash
+			begin
+				puts "[*] Querying hash #{hash}" if @debug
+				hash.chomp!
+				if hash.include?('-')
+						hash = hash.split('-')[0]
+					end
+
+				response = RestClient.post 'https://www.virustotal.com/api/get_file_report.json', { :resource => hash, :key => @api_key }
+				results = VirusTotalResult.new hash, :hash, JSON.parse(response)
+				
+				return results
+			rescue Exception => e		
+				puts e.message
+				puts e.backtrace.join("\n")
+				STDERR.puts "[!] An error has occured. Retrying #{hash} in #{@timeout} seconds.\n"
+				sleep @timeout #So we do not DOS virustotal.com we wait at least 5 seconds between each query
+				retry
+			end
+		end
+		
+		# Queries a single url on virustotal.com
+		#
+		# @return [VirusTotalResult] of the results from the query
+		def query_site url
+			begin
+				puts "[*] Querying url #{url}" if @debug
+
+				response = RestClient.post 'https://www.virustotal.com/api/get_url_report.json', { :resource => url, :key => @api_key }
+				results = VirusTotalResult.new url, :site, JSON.parse(response)
+				
+				return results
+			rescue Exception => e		
+				puts e.message
+				puts e.backtrace.join("\n")
+				STDERR.puts "[!] An error has occured. Retrying #{url} in #{@timeout} seconds\n"
+				sleep @timeout #So we do not DOS virustotal.com we wait at least 5 seconds between each query
+				retry
+			end
+		end		
+		
+		# Fetch results from virustotal using a specific hash
+		#
+		def query_upload file
+			results = Array.new
+			file = file.chomp
+
+			begin
+				puts "[*] Attempting to upload file #{file}" if @debug
+
+				response = RestClient.post 'https://www.virustotal.com/api/scan_file.json', { :key => @api_key, :file => File.new(file, 'rb') }
+				result = JSON.parse(response)
+
+				puts "[*] File #{file} uploaded, waiting for results this could take several minutes..." if @debug
+
+				if result['result']	== 1
+					results = query_hash result['scan_id']
+					
+					while results.results[0]['result'] == "Hash Not Found"
+						puts "[*] File has not been analyized yet, waiting 60 seconds to try again" if @debug
+						sleep 60				
+						results = query_hash result['scan_id']
+					end
+				elsif result['result'] == -2
+					puts "[!] Virustotal limits exceeded, ***do not edit the time out values.***"
+				else
+					fres = Hash.new
+					fres['hash'] = file
+					fres['scanner'] = '-'
+					fres['version'] = '-'
+					fres['date'] = '-'
+					fres['result'] = "File failed to upload"
+
+					results.push fres
+				end
+			rescue Exception => e		
+				puts e.message
+				puts e.backtrace.join("\n")
+				STDERR.puts "[!] An error has occured. Retrying #{file} in #{@timeout} seconds\n"
+				sleep @timeout #So we do not DOS virustotal.com we wait at least 5 seconds between each query
+				retry
+			end
+
+			return results
+		end	
+	end
+end

data/lib/virustotal/virustotalresult.rb

@@ -0,0 +1,110 @@
+# encoding: utf-8
+
+module VirusTotal
+	
+	# A Wrapper class for the results from a virustotal.com
+	# 
+	# @author Jacob Hammack <jacob.hammack@hammackj.com>
+	class VirusTotalResult		
+		attr_accessor :results
+		
+		# Creates a new instance of the [VirusTotalResult] class
+		#
+		def initialize hash, type, result
+			@type = type
+			@results = Array.new
+			fres = Hash.new		
+			
+			if result["result"] == 0
+					
+				fres = Hash.new
+				fres['hash'] = hash
+				fres['scanner'] = '-'
+				fres['date'] = '-'
+				fres['permalink'] = '-'
+				
+				if @type == :hash
+					fres['result'] = "Hash Not Found"
+				elsif @type == :site
+					fres['result'] = "Site Not Found"
+				end
+
+				@results.push fres
+			elsif result["result"] == -1
+				puts "[!] Invalid API KEY! Please correct this!"
+				exit
+			else				
+				permalink = result["permalink"]
+				date = result["report"][0]
+				result["report"][1].each do |scanner, res|
+					if res != ''
+						fres = Hash.new
+						fres['hash'] = hash
+						fres['scanner'] = scanner
+						fres['date'] = date
+						fres['permalink'] = permalink unless permalink == nil
+						fres['result'] = res
+
+						@results.push fres
+					end
+				end
+			end
+			
+			#if we didn't have any results let create a fake not found
+			if @results.size == 0
+				fres = Hash.new
+				fres['hash'] = hash
+				fres['scanner'] = '-'
+				fres['date'] = '-'
+				fres['permalink'] = '-'
+				if @type == :hash
+					fres['result'] = "No Results for Hash"
+				elsif @type == :site
+					fres['result'] = "No Results for Site"
+				end
+				@results.push fres				
+			end			
+		end
+		
+		# Prints the [VirusTotalResult] object to screen
+		#
+		def to_stdout
+			result_string = String.new
+			@results.each do |result|
+				result_string << "#{result['hash']}: Scanner: #{result['scanner']} Result: #{result['result']}\n"
+			end
+			print result_string
+		end
+				
+		# Prints the [VirusTotalResult] object as a xml string to the screen
+		#
+		def to_xml
+			result_string = String.new
+			@results.each do |result|
+				result_string << "\t<vtresult>\n"
+				result_string << "\t\t<hash>#{result['hash']}</hash>\n"
+				result_string << "\t\t<scanner>#{result['scanner']}</scanner>\n"
+				result_string << "\t\t<date>#{result['date']}</date>\n"
+				result_string << "\t\t<permalink>#{result['permalink']}</permalink>\n" unless result['permalink'] == nil
+				result_string << "\t\t<result>#{result['result']}</result>\n"
+				result_string << "\t</vtresult>\n"
+			end
+			print result_string			
+		end
+		
+		# Prints the [VirusTotalResult] object as a yaml string to the screen
+		#
+		def to_yaml
+			result_string = String.new
+			@results.each do |result|
+				result_string << "vt-result:\n"
+				result_string << "  hash: #{result['hash']}\n"
+				result_string << "  scanner: #{result['scanner']}\n"
+				result_string << "  date: #{result['date']}\n"
+				result_string << "  permalink: #{result['permalink']}\n" unless result['permalink'] == nil
+				result_string << "  result: #{result['result']}\n\n"
+			end
+			print result_string
+		end
+	end
+end

data/virustotal.gemspec

@@ -0,0 +1,36 @@
+# encoding: utf-8
+
+base = __FILE__
+$:.unshift(File.join(File.dirname(base), 'lib'))
+
+require 'virustotal'
+
+Gem::Specification.new do |s|
+	s.name 									= 'virustotal'
+	s.version 							= VirusTotal::VERSION
+	s.homepage 							= "http://github.com/hammackj/ruby-virustotal/"
+	s.summary 							= "virustotal"
+	s.description 					= "virustotal is a script for automating virustotal.com queries"
+	s.license								= "BSD"
+	
+	s.author 								= "Jacob Hammack"
+	s.email 								= "jacob.hammack@hammackj.com"
+	
+	s.files 								= Dir['[A-Z]*'] + Dir['lib/**/*'] + ['virustotal.gemspec']
+	s.default_executable 		= 'virustotal'
+	s.executables 					= ['virustotal']
+	s.require_paths 				= ["lib"]
+	
+	s.required_rubygems_version = ">= 1.3.6"
+	s.rubyforge_project         = "virustotal"
+	
+	s.add_development_dependency("rspec", ">= 2.4.0")
+	s.add_development_dependency("yard", ">= 0.6.4")
+	
+	s.has_rdoc 							= 'yard'
+	s.extra_rdoc_files 			= ["README.markdown", "LICENSE", "NEWS.markdown", "TODO.markdown"]
+	
+	s.add_dependency('json', '>= 1.5.1')
+	s.add_dependency('rest-client', '>= 1.6.1')
+	
+end

metadata

@@ -0,0 +1,112 @@
+--- !ruby/object:Gem::Specification 
+name: virustotal
+version: !ruby/object:Gem::Version 
+  prerelease: 
+  version: 2.0.0
+platform: ruby
+authors: 
+- Jacob Hammack
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-02-18 00:00:00 -06:00
+default_executable: virustotal
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 2.4.0
+  type: :development
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: yard
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 0.6.4
+  type: :development
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: json
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 1.5.1
+  type: :runtime
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: rest-client
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 1.6.1
+  type: :runtime
+  version_requirements: *id004
+description: virustotal is a script for automating virustotal.com queries
+email: jacob.hammack@hammackj.com
+executables: 
+- virustotal
+extensions: []
+
+extra_rdoc_files: 
+- README.markdown
+- LICENSE
+- NEWS.markdown
+- TODO.markdown
+files: 
+- LICENSE
+- NEWS.markdown
+- Rakefile
+- README.markdown
+- TODO.markdown
+- lib/virustotal/application.rb
+- lib/virustotal/virustotal.rb
+- lib/virustotal/virustotalresult.rb
+- lib/virustotal.rb
+- virustotal.gemspec
+- bin/virustotal
+has_rdoc: yard
+homepage: http://github.com/hammackj/ruby-virustotal/
+licenses: 
+- BSD
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: 1.3.6
+requirements: []
+
+rubyforge_project: virustotal
+rubygems_version: 1.5.2
+signing_key: 
+specification_version: 3
+summary: virustotal
+test_files: []
+