Skitty

Virus, Trojan, Spyware and Adware hash definitions?

6 posts in this topic

#1 ·  Posted (edited)

Does anyone know where I can acquire a hash database for malicious applications?

Similar to how an antivirus works, it would be great to be able to use the definition files antivirus software uses in AutoIt. I'm pretty sure there should be a huge global hash list somewhere out there that can be used for comparing hashes.

I was just wondering after reading an old topic I responded to, where I found this script I made back in April:

#include <Crypt.au3>
#include <SQLite.au3>
#include <SQLite.dll.au3>

;Global $Exclusions = "Svchost.exe,explorer.exe"    ; Exclude files by name...
;Global $ExclusionsByExt = "ini,exe,scr,bat,msi,dll" ; Only scan files with these extensions...
Global $DB, $Size = 20                              ; Files larger than 20 MB are not scanned...

_Crypt_Startup()
_SQLite_Startup()
If Not FileExists(@ScriptDir & "\DataBase.db") Then
    ; First run: create the baseline table and hash every file on the drive
    $DB = _SQLite_Open(@ScriptDir & "\DataBase.db")
    _SQLite_Exec($DB, "CREATE TABLE DataBase (Adress,Val1,Val2,Val3,Val4,Val5);")
    _Process()
Else
    ; Later runs: rehash the recorded files and report anything that changed
    $DB = _SQLite_Open(@ScriptDir & "\DataBase.db")
    _Process(True)
EndIf
_SQLite_Close($DB)
_SQLite_Shutdown()
_Crypt_Shutdown()

Func _Process($State = False)

    If $State = False Then
        _Scan(@HomeDrive)
    ElseIf $State = True Then
        _Analyze()
    Else
        MsgBox(16, "", "Error")
    EndIf

EndFunc   ;==>_Process

; Walk $SourceFolder recursively and hand every regular file to _Xzamin
Func _Scan($SourceFolder)

    Local $File
    Local $Search

    $Search = FileFindFirstFile($SourceFolder & "\*.*")
    If $Search = -1 Then Return

    While 1
        $File = FileFindNextFile($Search)
        If @error = 1 Then ExitLoop
        If @extended = 1 Then ; @extended = 1 means the entry is a directory
            _Scan($SourceFolder & "\" & $File)
        Else
            ;ToolTip("PROCESSING: " & $SourceFolder & "\" & $File)
            _Xzamin($SourceFolder & "\" & $File)
        EndIf
    WEnd

    FileClose($Search)

EndFunc   ;==>_Scan

; Hash one file and store its hash, timestamp, size and attributes as the baseline
Func _Xzamin($File)

    Local $S = StringSplit($File, "\", 2)
    Local $i = UBound($S) - 1
    Local $S2 = StringSplit($S[$i], ".", 2)
    Local $I2 = UBound($S2) - 1

    ;If StringInStr($Exclusions, $S[$i]) Then Return 1 ; exclusions ~
    ;If Not StringInStr($ExclusionsByExt, $S2[$I2]) Then Return 1 ; exclusions ~
    If Round(FileGetSize($File) / 1048576, 2) > $Size Then Return 1

    ; Hash the file directly in binary mode. Reading it with FileOpen/FileRead in
    ; text mode mangles binaries, so the digest would never match an external hash list.
    Local $Hash = _Crypt_HashFile($File, $CALG_MD5)
    If @error Then
        _DataAddEx("DataBase", FileGetShortName($File), "Error opening file")
        Return 1
    EndIf

    _DataAddEx("DataBase", _
        FileGetShortName($File), _
        String($Hash), _ ; stored as the "0x..." hex string so it compares cleanly later
        FileGetTime($File, 0, 1), _
        FileGetSize($File), _
        FileGetAttrib($File), _
        @YEAR & "/" & @MON & "/" & @MDAY)

    Return 1

EndFunc   ;==>_Xzamin

; Rehash every recorded file and show the details of any file whose hash changed
Func _Analyze()
    Local $hQuery, $aRow, $Ar, $Hash
    _SQLite_Query(-1, "SELECT * FROM DataBase;", $hQuery) ; the query
    While _SQLite_FetchData($hQuery, $aRow) = $SQLITE_OK
        ToolTip("PROCESSING: " & $aRow[0])
        $Ar = _DataQueryEx("DataBase", $aRow[0], True)
        If IsArray($Ar) Then
            $Hash = _Crypt_HashFile($Ar[0], $CALG_MD5)
            If @error Then ContinueLoop ; file removed or unreadable since the baseline
            $Hash = String($Hash)
            If $Hash <> $Ar[1] Then
                MsgBox(0, "Statistics", "===File Change Information===" & @CRLF & _
                        "File.......................... " & FileGetLongName($Ar[0]) & @CRLF & _
                        "Previous Hash................. " & $Ar[1] & @CRLF & _
                        "Current Hash.................. " & $Hash & @CRLF & _
                        "Previous Time................. " & $Ar[2] & @CRLF & _
                        "Current Time.................. " & FileGetTime($Ar[0], 0, 1) & @CRLF & _
                        "Previous File size............ " & $Ar[3] & " bytes" & @CRLF & _
                        "Current File size............. " & FileGetSize($Ar[0]) & " bytes" & @CRLF & _
                        "Current File size............. " & Round(FileGetSize($Ar[0]) / 1048576, 2) & " MB" & @CRLF & _
                        "Previous File Attrib.......... " & $Ar[4] & @CRLF & _
                        "Current File Attrib........... " & FileGetAttrib($Ar[0]) & @CRLF & _
                        "Scan generated on date........ " & $Ar[5])
            EndIf
        EndIf
    WEnd
    _SQLite_QueryFinalize($hQuery)
    ToolTip("")
    Return 1
EndFunc   ;==>_Analyze

; Insert or update one row keyed by the file path
Func _DataAddEx($Table, $Adress, $Val1, $Val2 = "", $Val3 = "", $Val4 = "", $Val5 = "")
    Local $Data, $Found = False
    ; The path is the only value that comes from outside the script; _SQLite_Escape quotes
    ; it, so a file name containing an apostrophe cannot break (or alter) the statement
    If _SQLite_QuerySingleRow($DB, "SELECT Adress FROM " & $Table & " WHERE Adress=" & _SQLite_Escape($Adress), $Data) = $SQLITE_OK Then
        If IsArray($Data) Then $Found = ($Data[0] <> "")
    EndIf
    If $Found Then
        _SQLite_Exec($DB, "UPDATE " & $Table & " SET Val1='" & $Val1 & "', Val2='" & $Val2 & "', Val3='" & $Val3 & "', Val4='" & $Val4 & "', Val5='" & $Val5 & "' WHERE Adress=" & _SQLite_Escape($Adress))
    Else
        _SQLite_Exec($DB, "INSERT INTO " & $Table & " (Adress,Val1,Val2,Val3,Val4,Val5) VALUES (" & _SQLite_Escape($Adress) & ",'" & $Val1 & "','" & $Val2 & "','" & $Val3 & "','" & $Val4 & "','" & $Val5 & "');")
    EndIf
EndFunc   ;==>_DataAddEx

; Fetch the row for a path: the whole row when $Ar is True, otherwise just the stored hash
Func _DataQueryEx($Table, $Adress, $Ar = False)
    Local $Ret
    If _SQLite_QuerySingleRow($DB, "SELECT * FROM " & $Table & " WHERE Adress=" & _SQLite_Escape($Adress), $Ret) = $SQLITE_OK Then ; =>"*"<= means all...
        If Not IsArray($Ret) Or $Ret[0] == "" Then
            Return SetError(1, 0, 0)
        Else
            If $Ar Then Return $Ret
            Return $Ret[1]
        EndIf
    EndIf
    Return SetError(2, 0, 0)
EndFunc   ;==>_DataQueryEx

I would imagine that creating a simple and super fast virus scanner would be very easy if I had hashes to compare against. It would be cool to save all malicious hashes to an SQLite database and just check for their presence by submitting a query for the hash in the database, eliminating the need to compare a hash to a multitude of other hashes.

Now I know that some AVs, like AVG, don't use hashes, but a lot of others actually do check for files you don't want by comparing hashes.

Edited by THAT1ANONYMOUSEDUDE

Things that I've done..

Icon Resource Editor: icon resource editor 

AutoIt Piano: a piano

AutoIt Unlocker: unlocks files when you want to delete them

Colorful tooltips: a wrapper for the tool tips UDF

Rouge GoogleBot: a full screen animation

ASciTE text editor: a text editor written in autoit

Warning: Posts by this user are subject to change or may disappear without notice.
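The lookup the post describes (a table of known-bad hashes queried by hash, so a scan is one index probe per file rather than a comparison against every entry), as an added example that is not part of the original post or of the AutoIt UDFs; it is written in Python with the standard library, and the sample bytes, file names and the "Constructed.Test" label are constructed for this example. It also fixes two things the AutoIt script above does not: files are hashed in binary mode and in chunks, and the path and hash go into the query as parameters, never into the SQL text.

```python
import hashlib
import os
import sqlite3
import tempfile

# Constructed sample bytes and label, made up for this example (a real set comes from a feed).
BAD_SAMPLE = b"constructed test sample for this example only\n"
DEFINITIONS = [(hashlib.sha256(BAD_SAMPLE).hexdigest(), "Constructed.Test")]

def file_sha256(path, chunk=1 << 20):
    """Hash in binary mode and in chunks so large files are not read whole into
    memory (the post's script read each file as text and hashed the string)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_definitions(db_path, entries):
    """PRIMARY KEY on the hash makes each lookup an index probe rather than a
    comparison against every known hash, which is the post's point."""
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE IF NOT EXISTS bad (sha256 TEXT PRIMARY KEY, label TEXT)")
    con.executemany("INSERT OR REPLACE INTO bad VALUES (?, ?)", entries)
    con.commit()
    return con

def scan_dir(con, root, max_bytes=20 * 1024 * 1024):
    """Return [(path, label)] for files whose hash is in the definition table."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > max_bytes:  # same 20 MB cut-off as the script
                continue
            # Parameterised query: path and hash never become part of the SQL text.
            row = con.execute("SELECT label FROM bad WHERE sha256 = ?",
                              (file_sha256(path),)).fetchone()
            if row:
                hits.append((path, row[0]))
    return hits

def demo():
    root = tempfile.mkdtemp()  # one flagged and one clean file, then scan the directory
    with open(os.path.join(root, "dropper.exe"), "wb") as f:
        f.write(BAD_SAMPLE)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"harmless\n")
    return scan_dir(build_definitions(":memory:", DEFINITIONS), root)
```

`demo()` returns a single hit for the constructed "dropper.exe" and nothing for the clean file; swapping `DEFINITIONS` for a loaded feed and `root` for a real directory is all that changes for an actual scan.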




#2 ·  Posted (edited)

I don't exactly want to use a website scanning service.

But thanks nonetheless.

Edit: wow, where'd you go?

Edited by THAT1ANONYMOUSEDUDE


#3 ·  Posted (edited)

I don't exactly want to use a website scanning service.

But thanks nonetheless.

Edit: wow, where'd you go?

That's why I deleted my question. I didn't read their API enough.

Anyway, I was poking around their search page where they allow you to look up viruses based on your hash input.

Although it's not part of their official API, you could try sending in POST/GET requests and cleaning the HTML tags to check your hash against their database.

I'll keep poking around and see what I can find.

Edited by Foxhound


That's why I deleted my question. I didn't read their API enough.

Anyway, I was poking around their search page where they allow you to look up viruses based on your hash input.

Although it's not part of their official API, you could try sending in POST/GET requests and cleaning the HTML tags to check your hash against their database.

I'll keep poking around and see what I can find.

Where did it say that on their site? I seem to have missed that.

I was thinking about looking for a site with just that feature.



#5 ·  Posted (edited)

EDIT:

Lol...I already found the answer but ignored it. Oh well it's past midnight, can't blame me.

They have an API as I said before here: http://www.virustotal.com/advanced.html

Their API URL is: https://www.virustotal.com/api/get_file_report

You just supply your API key and the file hash to get a JSON report for the hash if it's in their database.

They even have a Python wrapper for it:

http://code.google.com/p/virustotalapi/

Hope this helps...I'm going to sleep now :mellow:

Edited by Foxhound


EDIT:

Lol...I already found the answer but ignored it. Oh well it's past midnight, can't blame me.

They have an API as I said before here: http://www.virustotal.com/advanced.html

Their API URL is: https://www.virustotal.com/api/get_file_report

You just supply your API key and the file hash to get a JSON report for the hash if it's in their database.

They even have a Python wrapper for it:

http://code.google.com/p/virustotalapi/

Hope this helps...I'm going to sleep now :mellow:

I thought I read that they needed you to upload the file. Even so, it would be nicer if there was some kind of accessible hash list on the matter.


