import datetime
import re

import dns.name
import dns.resolver
import requests
from errbot import BotPlugin, botcmd, cmdfilter
# Team Cymru Malware Hash Registry zone. Lookups are DNS TXT queries for
# "<hash>.<zone>", so each lookup leaves the host as plain DNS traffic.
_MHR_API: str = 'malware.hash.cymru.com'
# VirusTotal API v2 base URL; endpoint paths are appended directly to it.
_VTAPI: str = 'https://www.virustotal.com/vtapi/v2/'
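def mhr(ahash):
    '''Look up a file hash in the Team Cymru Malware Hash Registry (MHR).

    The registry is queried over DNS: a TXT record for ``<hash>.<_MHR_API>``
    exists only for known-malicious hashes and carries two fields,
    ``"<unix-timestamp> <detection-rate>"``.

    Args:
        ahash: hex digest (MD5 or SHA1). A SHA256 digest is 64 characters,
            which exceeds the 63-octet DNS label limit, so it is reported as
            unsupported instead of being queried.

    Returns:
        A human-readable status string. The expected failure cases
        (not found, label too long, malformed input/reply) are reported in
        the string rather than raised.
    '''
    # Only a hex digest may become a DNS label; anything else is rejected
    # before it reaches the resolver.
    digest = ahash.strip().lower()
    if not re.fullmatch(r'[0-9a-f]+', digest):
        return 'Invalid hash: %s' % (ahash)
    try:
        # NOTE(review): dnspython >= 2.0 prefers resolver.resolve(); query()
        # is kept here because the installed version is unknown.
        answers = dns.resolver.query('%s.%s' % (digest, _MHR_API), 'TXT')
    except dns.resolver.NXDOMAIN:
        return 'File not found in MHR.'
    except dns.name.LabelTooLong:
        return 'Cannot process SHA256 hashes for the MHR at this time.'
    # dnspython renders TXT data quoted; strip the quotes before splitting.
    fields = answers[0].to_text().strip('"').split()
    if len(fields) < 2:
        return 'Unexpected MHR reply: %s' % (' '.join(fields))
    ts_raw, detection_rate = fields[0], fields[1]
    try:
        # The first field is a Unix epoch timestamp; render it in UTC so the
        # chat output does not depend on the bot host's local timezone.
        ts = datetime.datetime.fromtimestamp(int(ts_raw), tz=datetime.timezone.utc)
    except (ValueError, OverflowError, OSError):
        return 'Unexpected MHR timestamp: %s' % (ts_raw)
    return 'Malicious file %s last seen %s with a detection rate of %s' % (
        ahash,
        ts,
        detection_rate
    )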
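def file_report(ahash, api_key, timeout=30):
    '''Fetch the VirusTotal (API v2) scan report for a file hash.

    Args:
        ahash: MD5, SHA1 or SHA256 hex digest to look up.
        api_key: VirusTotal API key. It is sent in the POST body rather than
            the URL, so it does not land in proxy or web-server access logs.
        timeout: seconds to wait for connect/read before giving up. Without
            a timeout a stalled endpoint would block the bot's message
            callback indefinitely.

    Returns:
        The decoded JSON report. VirusTotal signals "not found" or "queued"
        through the ``response_code`` field inside the JSON, not through
        the HTTP status.

    Raises:
        requests.RequestException: on connection failure, timeout, or a
            non-2xx HTTP status (``raise_for_status``).
        ValueError: when the response body is not JSON; VirusTotal is
            believed to answer with an empty 204 once the public-API quota
            is exhausted (TODO confirm against current API docs).
    '''
    parameters = {
        'resource': ahash,
        'apikey': api_key,
    }
    r = requests.post('%sfile/report' % (_VTAPI),
                      data=parameters,
                      timeout=timeout)
    r.raise_for_status()
    return r.json()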
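class HashMatch(BotPlugin):
    '''Plugin that finds file hashes inside of messages and then performs
    lookups and actions based on the presence of a file hash.

    Every hash found in a message is sent to two external services (the MHR
    over DNS and VirusTotal over HTTPS), so the plugin discloses to those
    services which hashes are being discussed in the channel.
    '''

    def __init__(self, bot):
        super().__init__(bot)
        # Compile the pattern on the bot load and reuse it over and over again
        # for better performance. The alternation is ordered longest-first so
        # a 64-character SHA256 run is matched whole rather than as a
        # shorter digest.
        self.pattern = re.compile('([a-fA-F0-9]{64}|[a-fA-F0-9]{40}|[a-fA-F0-9]{32})')

    def get_configuration_template(self):
        '''Describe the admin-supplied configuration: the VirusTotal API key.'''
        return {
            'vt_apikey' : 'virustotal api key'
        }

    def callback_message(self, msg):
        '''Check the messages if they contain a hash.'''
        # Prevent a message loop by ignoring all messages sent by the bot
        user = "@%s" % (msg.frm.username)
        if user == str(self.bot_identifier):
            return
        # Commands are dispatched elsewhere; do not scan them for hashes.
        if msg.body.startswith("!"):
            return
        # NOTE(review): self.config is presumably None until an admin has
        # configured the plugin; without a key the VirusTotal lookup is
        # skipped instead of raising inside the callback.
        api_key = (self.config or {}).get('vt_apikey')
        # Match for hash patterns inside of the message to determine if
        # lookups should be performed. A hash repeated within one message
        # is looked up only once.
        seen = set()
        for match in self.pattern.finditer(msg.body):
            found = match.group(0)
            key = found.lower()
            if key in seen:
                continue
            seen.add(key)
            self.send(msg.to, 'Found a file hash: %s' % (found))
            self.send(msg.to, mhr(found))
            if not api_key:
                self.send(msg.to, 'VirusTotal lookup skipped: no API key configured.')
                continue
            self._report_virustotal(msg, found, api_key)
        return

    def _report_virustotal(self, msg, ahash, api_key):
        '''Query VirusTotal for *ahash* and post a short summary to msg.to.'''
        try:
            vtresult = file_report(ahash, api_key)
        except (requests.RequestException, ValueError):
            # Network/HTTP/JSON failures are logged, not echoed to the chat,
            # so request details never leak into the channel.
            self.log.exception('VirusTotal lookup failed for %s', ahash)
            self.send(msg.to, 'VirusTotal lookup failed; see the bot log.')
            return
        # response_code 1 means a report exists; other values (including a
        # missing field) are reported as not found.
        if vtresult.get('response_code') == 1:
            self.send(msg.to, '''
```
VirusTotal
%s
%s/%s
```
For more information see: %s
''' % (vtresult['scan_date'], vtresult['positives'], vtresult['total'], vtresult['permalink']))
        else:
            self.send(msg.to, "File not found in VirusTotal.")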