-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathvt-process.sh
executable file
·78 lines (66 loc) · 2.04 KB
/
vt-process.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
#!/bin/bash
#set -x #DEBUG
if [ $# -ne 1 ]; then
echo "usage: $0 /path/to/suspicious/file"
echo "you provided $# parameters
E: missing input file"
exit 1
elif [ ! -f $1 ]; then
echo "E: $1 is not a file"
exit 1
fi
if [ -z "${VT_API_KEY}" ]; then
echo "no VT_API_KEY variable for accessing VT was defined"
exit 2
fi
#TODO: replace it with some other dependency management
check_deps()
{
local DEP=$1
if ! which ${DEP} > /dev/null; then
echo "E: missing ${DEP}, sudo sh -c 'apt-get update && apt install ${DEP}'"
exit 1
fi
}
check_deps curl
check_deps jq
INPUT_FILE=$1
INPUT_FILE_CHECKSUM=$(sha256sum ${INPUT_FILE}| awk '{print $1}')
search_checksum()
{
local CHECKSUM=$1
set -e
RESULT=$(curl -s --request POST \
--url 'https://www.virustotal.com/vtapi/v2/file/report' \
-d apikey=${VT_API_KEY} \
-d "resource=${CHECKSUM}")
set +e
echo ${RESULT}
}
upload_file()
{
local FILEPATH=$(readlink -f ${INPUT_FILE})
set -e
RESULT=$(curl -s -F "file=@${FILEPATH}" -F \
apikey=${VT_API_KEY} --url 'https://www.virustotal.com/vtapi/v2/file/scan')
set +e
echo ${RESULT}
}
OUTPUT=$(search_checksum ${INPUT_FILE_CHECKSUM} | python -m json.tool)
RETURN_CODE=$(echo ${OUTPUT} | jq '.response_code')
# if return code is 0 it means the checksum was not found on the vt backend
# if the return code is 1 it means it was found and we can check the positive field
#echo $RETURN_CODE #DEBUG
if [ "1" = "${RETURN_CODE}" ]; then
POSITIVE=$(echo ${OUTPUT} | jq -r '.positives, .total, .scan_id' | tr '\n' '/' | cut -d "/" -f1-2)
echo "${INPUT_FILE} (${INPUT_FILE_CHECKSUM})
positive match(s): ${POSITIVE}"
elif [ "0" = "${RETURN_CODE}" ]; then
echo "the file hash (${INPUT_FILE_CHECKSUM}) is unknown to VT database"
OUTPUT=$(upload_file ${INPUT_FILE} | python -m json.tool)
RETURN_CODE=$(echo ${OUTPUT} | jq '.response_code')
SCANID=$(echo ${OUTPUT} | jq -r '.scan_id')
echo "uploaded ${INPUT_FILE} (${INPUT_FILE_CHECKSUM})
scan_id: $SCANID"
fi
exit 0