Skitty Posted August 22, 2011 (edited)

Does anyone know where I can acquire a hash database for malicious applications? Similar to how an antivirus works, it would be great to be able to use the definition files antivirus software uses in AutoIt. I'm pretty sure there should be a huge global hash list somewhere out there that can be used for comparing hashes.

I was just wondering after reading an old topic I responded to, and found this script I made back in April:

```autoit
#include <Crypt.au3>
#include <SQLite.au3>
#include <SQLite.dll.au3>

;Global $Exclusions = "Svchost.exe,explorer.exe" ; Exclude files by name...
;Global $ExclusionsByExt = "ini,exe,scr,bat,msi,dll" ; Only scan by these file extensions...
Global $DB, $Size = 20 ; files larger than 20 MB are not scanned...

_Crypt_Startup()
_SQLite_Startup()
If Not FileExists(@ScriptDir & "\DataBase.db") Then
    $DB = _SQLite_Open(@ScriptDir & "\DataBase.db")
    _SQLite_Exec($DB, "CREATE TABLE DataBase (Adress,Val1,Val2,Val3,Val4,Val5);")
    _Process()          ; first run: build the baseline
Else
    $DB = _SQLite_Open(@ScriptDir & "\DataBase.db")
    _Process(True)      ; later runs: compare against the baseline
EndIf
_SQLite_Close($DB)      ; release the handle before shutting the library down
_SQLite_Shutdown()
_Crypt_Shutdown()

Func _Process($State = False)
    If $State = False Then
        _Scan(@HomeDrive)
    ElseIf $State = True Then
        _Anulyze()
    Else
        MsgBox(16, "", "Error")
    EndIf
EndFunc   ;==>_Process

; Walk a folder tree recursively; FileFindNextFile sets @extended = 1 for directories
Func _Scan($SourceFolder)
    Local $File
    Local $Search = FileFindFirstFile($SourceFolder & "\*.*")
    If $Search = -1 Then Return
    While 1
        $File = FileFindNextFile($Search)
        If @error = 1 Then ExitLoop
        If @extended = 1 Then
            _Scan($SourceFolder & "\" & $File)
        Else
            ;ToolTip("PROCESSING: " & $SourceFolder & "\" & $File)
            _Xzamin($SourceFolder & "\" & $File)
        EndIf
    WEnd
    FileClose($Search)
EndFunc   ;==>_Scan

; Hash one file and store path, MD5, timestamp, size, attributes and scan date
Func _Xzamin($File)
    Local $S = StringSplit($File, "\", 2)
    Local $i = UBound($S) - 1
    Local $S2 = StringSplit($S[$i], ".", 2)
    Local $I2 = UBound($S2) - 1
    ;If StringInStr($Exclusions, $S[$i]) Then Return 1 ; exclusions ~
    ;If Not StringInStr($ExclusionsByExt, $S2[$I2]) Then Return 1 ; exclusions ~
    If Round(FileGetSize($File) / 1048576, 2) > $Size Then Return 1
    Local $FO = FileOpen($File, 16) ; 16 = binary mode, so the hash covers the raw bytes
    If $FO = -1 Then                ; FileOpen signals failure with -1, not @error
        _DataAddEx("DataBase", FileGetShortName($File), "Error opening file")
        Return 1
    EndIf
    Local $FR = FileRead($FO)
    FileClose($FO)
    _DataAddEx("DataBase", _
            FileGetShortName($File), _
            String(_Crypt_HashData($FR, $CALG_MD5)), _ ; stored as the "0x..." hex string
            FileGetTime($File, 0, 1), _
            FileGetSize($File), _
            FileGetAttrib($File), _
            @YEAR & "/" & @MON & "/" & @MDAY)
    Return 1
EndFunc   ;==>_Xzamin

; Re-hash every file in the baseline and report the ones whose hash changed
Func _Anulyze()
    Local $hQuery, $aRow, $Ar, $FO, $FR, $Hash
    _SQLite_Query(-1, "SELECT * FROM DataBase;", $hQuery) ; -1 = last opened database
    While _SQLite_FetchData($hQuery, $aRow) = $SQLITE_OK
        ToolTip("PROCESSING: " & $aRow[0])
        $Ar = _DataQueryEx("DataBase", $aRow[0], True)
        If IsArray($Ar) Then
            $FO = FileOpen($Ar[0], 16)
            If $FO = -1 Then ContinueLoop ; file gone or locked since the baseline scan
            $FR = FileRead($FO)
            FileClose($FO)
            $Hash = String(_Crypt_HashData($FR, $CALG_MD5))
            ; $Ar[] holds the stored (previous) values; the freshly computed ones are current
            If $Hash <> $Ar[1] Then
                MsgBox(0, "Statistics", "===File Change Information===" & @CRLF & _
                        "File.......................... " & FileGetLongName($Ar[0]) & @CRLF & _
                        "Previous Hash................. " & $Ar[1] & @CRLF & _
                        "Current Hash.................. " & $Hash & @CRLF & _
                        "Previous Time................. " & $Ar[2] & @CRLF & _
                        "Current Time.................. " & FileGetTime($Ar[0], 0, 1) & @CRLF & _
                        "Previous File size............ " & $Ar[3] & " bytes" & @CRLF & _
                        "Current File size............. " & FileGetSize($Ar[0]) & " bytes (" & _
                        Round(FileGetSize($Ar[0]) / 1048576, 2) & " MB)" & @CRLF & _
                        "Previous File Attrib.......... " & $Ar[4] & @CRLF & _
                        "Current File Attrib........... " & FileGetAttrib($Ar[0]) & @CRLF & _
                        "Scan generated on date........ " & $Ar[5])
            EndIf
        EndIf
    WEnd
    _SQLite_QueryFinalize($hQuery)
    Return 1
EndFunc   ;==>_Anulyze

; Insert or update one row. _SQLite_FastEscape() quotes each value and doubles embedded
; apostrophes; without it any path containing ' breaks the statement, and a crafted file
; name can inject SQL into the scanner's own database.
Func _DataAddEx($Table, $Adress, $Val1, $Val2 = "", $Val3 = "", $Val4 = "", $Val5 = "")
    Local $Data
    Local $sAdress = _SQLite_FastEscape($Adress)
    If _SQLite_QuerySingleRow($DB, "SELECT Adress FROM " & $Table & " WHERE Adress=" & $sAdress, $Data) = $SQLITE_OK _
            And IsArray($Data) Then
        _SQLite_Exec($DB, "UPDATE " & $Table & " SET Val1=" & _SQLite_FastEscape($Val1) & _
                ", Val2=" & _SQLite_FastEscape($Val2) & ", Val3=" & _SQLite_FastEscape($Val3) & _
                ", Val4=" & _SQLite_FastEscape($Val4) & ", Val5=" & _SQLite_FastEscape($Val5) & _
                " WHERE Adress=" & $sAdress)
    Else
        _SQLite_Exec($DB, "INSERT INTO " & $Table & " (Adress,Val1,Val2,Val3,Val4,Val5) VALUES (" & _
                $sAdress & "," & _SQLite_FastEscape($Val1) & "," & _SQLite_FastEscape($Val2) & "," & _
                _SQLite_FastEscape($Val3) & "," & _SQLite_FastEscape($Val4) & "," & _SQLite_FastEscape($Val5) & ");")
    EndIf
EndFunc   ;==>_DataAddEx

; Look one row up by path; returns the whole row ($Ar = True) or just the stored hash
Func _DataQueryEx($Table, $Adress, $Ar = False)
    Local $Ret
    ; "*" means all columns; the result array is ordered Adress, Val1 .. Val5
    If _SQLite_QuerySingleRow($DB, "SELECT * FROM " & $Table & " WHERE Adress=" & _SQLite_FastEscape($Adress), $Ret) = $SQLITE_OK _
            And IsArray($Ret) Then
        If $Ret[0] == "" Then Return SetError(1, 0, "")
        If $Ar Then Return $Ret
        Return $Ret[1]
    EndIf
    Return SetError(1, 0, "")
EndFunc   ;==>_DataQueryEx
```

I would imagine that creating a simple and super fast virus scanner would be very easy if I had hashes to compare against. It would be cool to save all malicious hashes to an SQLite database and just check for their presence by submitting a query for the hash address in the database, eliminating the need to compare a hash to a multitude of other hashes.

Now I know that some AVs don't use hashes, like AVG, but a lot of others actually do check for files you don't want by comparing hashes.

Edited August 22, 2011 by THAT1ANONYMOUSEDUDE
Skitty Posted August 22, 2011 (edited)

Take a look at this: http://www.virustotal.com/advanced.html#api-other-languages and their API URL: https://www.virustotal.com/api/get_file_report.json

I don't exactly want to use a web site scanning service, but thanks nonetheless.

Edit: wow, where'd you go?

Edited August 22, 2011 by THAT1ANONYMOUSEDUDE
Foxhound Posted August 22, 2011 (edited)

That's why I deleted my question. I didn't read their API enough.

Anyway, I was poking around their search page, where they allow you to look up viruses based on your hash input. Although it's not part of their official API, you could try sending in POST/GET requests and cleaning the HTML tags to check your hash against their database.

I'll keep poking around and see what I can find.

Edited August 22, 2011 by Foxhound
Skitty Posted August 22, 2011

Where did it say that on their site? I seem to have missed that. I was thinking about looking for a site with just that feature.
Foxhound Posted August 22, 2011 (edited)

EDIT: Lol... I already found the answer but ignored it. Oh well, it's past midnight, can't blame me.

They have an API, as I said before, here: http://www.virustotal.com/advanced.html

Their API URL is: https://www.virustotal.com/api/get_file_report

You just supply your API key and the file hash to get a JSON report of the hash if it's in their database.

They even have a Python wrapper for it: http://code.google.com/p/virustotalapi/

Hope this helps... I'm going to sleep now.

Edited August 22, 2011 by Foxhound
Skitty Posted August 22, 2011

I thought I read they needed you to upload the file. Even so, it would be nicer if there was some kind of accessible hash list on the matter.
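The two ideas in this thread, a local SQLite table that answers "is this hash known bad?" with a single indexed query (the original post) and a hash-report service queried by API key and file hash (Foxhound's VirusTotal posts), fit together as one small tool. The block below is an added example, not code from the thread, and it is in Python rather than AutoIt so that it can be run as-is. It streams files through SHA-256 instead of reading them whole, keeps a baseline for change detection like the AutoIt script above, uses parameterised statements (the AutoIt script concatenates file paths into SQL, so a path containing an apostrophe breaks it or injects SQL), and caches remote verdicts so a rate-limited service is asked at most once per hash. The remote service is modelled as a plain callable; its real request and response format is not part of this example. The file names and contents in `demo()` are constructed.

```python
import hashlib
import os
import sqlite3
import tempfile
from typing import Callable, Optional

CHUNK_SIZE = 1 << 20  # hash in 1 MiB pieces; no file-size cap is needed


def hash_file(path: str) -> str:
    """SHA-256 of a file, streamed rather than read into memory.

    SHA-256 rather than MD5: MD5 collisions are cheap to construct, so a
    malicious file could be made to match a benign entry's MD5.
    """
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


SCHEMA = """
CREATE TABLE IF NOT EXISTS baseline (
    path TEXT PRIMARY KEY, sha256 TEXT NOT NULL, size INTEGER NOT NULL, mtime REAL NOT NULL);
-- PRIMARY KEY on the hash gives a B-tree index: a presence check is one probe,
-- not a comparison against every stored hash.
CREATE TABLE IF NOT EXISTS known_bad (sha256 TEXT PRIMARY KEY, source TEXT NOT NULL);
CREATE TABLE IF NOT EXISTS verdict_cache (sha256 TEXT PRIMARY KEY, malicious INTEGER NOT NULL);
"""


class HashDB:
    """File baseline plus known-bad list in SQLite; every statement uses ? placeholders."""

    def __init__(self, db_path: str = ":memory:") -> None:
        self.con = sqlite3.connect(db_path)
        self.con.executescript(SCHEMA)

    def add_known_bad(self, sha256: str, source: str) -> None:
        with self.con:
            self.con.execute("INSERT OR IGNORE INTO known_bad VALUES (?, ?)",
                             (sha256.lower(), source))

    def is_known_bad(self, sha256: str) -> bool:
        row = self.con.execute("SELECT 1 FROM known_bad WHERE sha256 = ?",
                               (sha256.lower(),)).fetchone()
        return row is not None

    def record(self, path: str) -> Optional[dict]:
        """Hash `path`; return what changed against the baseline (None if nothing), then update it."""
        st = os.stat(path)
        digest = hash_file(path)
        old = self.con.execute("SELECT sha256, size, mtime FROM baseline WHERE path = ?",
                               (path,)).fetchone()
        change = None
        if old is not None and old[0] != digest:
            change = {"path": path,
                      "previous_sha256": old[0], "current_sha256": digest,
                      "previous_size": old[1], "current_size": st.st_size,
                      "previous_mtime": old[2], "current_mtime": st.st_mtime}
        with self.con:
            self.con.execute("INSERT OR REPLACE INTO baseline VALUES (?, ?, ?, ?)",
                             (path, digest, st.st_size, st.st_mtime))
        return change

    def verdict(self, sha256: str,
                remote: Optional[Callable[[str], Optional[bool]]] = None) -> Optional[bool]:
        """Local list first, then the cache, then at most one remote query whose answer is cached.

        `remote` stands in for a hash-report service (assumption: it returns True/False,
        or None when it has never seen the hash); its wire format is not modelled here.
        """
        sha256 = sha256.lower()
        if self.is_known_bad(sha256):
            return True
        cached = self.con.execute("SELECT malicious FROM verdict_cache WHERE sha256 = ?",
                                  (sha256,)).fetchone()
        if cached is not None:
            return bool(cached[0])
        if remote is None:
            return None
        answer = remote(sha256)
        if answer is not None:
            with self.con:
                self.con.execute("INSERT OR REPLACE INTO verdict_cache VALUES (?, ?)",
                                 (sha256, int(answer)))
        return answer


def demo() -> dict:
    """Constructed walk-through: one file that gets tampered with, one on the local bad list."""
    db = HashDB()
    remote_calls = []

    def fake_remote(sha256: str) -> Optional[bool]:
        remote_calls.append(sha256)   # constructed service: it reports nothing as malicious
        return False

    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "it's fine.txt")   # the apostrophe would break concatenated SQL
        evil = os.path.join(d, "dropper.bin")
        with open(good, "wb") as f:
            f.write(b"hello world\n")               # 12 bytes
        with open(evil, "wb") as f:
            f.write(b"MZ constructed sample, not a real binary\n")
        first = db.record(good)                    # first sighting: nothing to compare against
        with open(good, "ab") as f:
            f.write(b"tampered\n")                  # now 21 bytes
        change = db.record(good)                   # second pass: hash and size differ
        evil_hash = hash_file(evil)
        db.add_known_bad(evil_hash, "constructed local list")
        good_hash = hash_file(good)
        return {
            "first_seen": first,
            "size_before": change["previous_size"], "size_after": change["current_size"],
            "hash_changed": change["previous_sha256"] != change["current_sha256"],
            "evil": db.verdict(evil_hash, fake_remote),        # local hit, remote never asked
            "good_first": db.verdict(good_hash, fake_remote),  # one remote call
            "good_again": db.verdict(good_hash, fake_remote),  # answered from verdict_cache
            "remote_calls": len(remote_calls),
            "unknown": db.verdict("00" * 32),                  # nothing local, no remote given
        }
```

To use a real service, pass a function that performs the HTTP request with your API key and maps the returned report to True, False or None; everything on the local side stays the same. Keeping the known-bad list local is what the original poster asked for, and the cache means the web lookup only fills the gaps.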