Virus, Trojan, Spyware and Adware hash definitions?

[Skitty]

Does any one know where I can acquire a hash database for malicious applications?

Similar to how an anti virus works, it would be great to be able to use the definition files antivirus software use in autoit, I'm pretty sure there should be a huge global hash list somewhere out there that can be used for comparing hashes.

I was just wondering after reading an old topic I responded to and found this script I made back in April

expandcollapse popup

#include<Crypt.au3>
#include<SQLite.au3>
#include<SQLite.dll.au3>

;Global $Exclusions = "Svchost.exe,explorer.exe"    ; Exclude files by name...
;Global $ExclusionsByExt = "ini,exe,scr,bat,msi,dll" ; Only scan by these file extensions...
Global $DB, $Size = 20                              ; file larger than 20mb are not scanned...



_Crypt_Startup()
_SQLite_Startup()
If Not FileExists(@ScriptDir&"\DataBase.db") Then
    $DB=_SQLite_Open(@ScriptDir&"\DataBase.db")
    _SQLite_Exec($DB,"CREATE TABLE DataBase (Adress,Val1,Val2,Val3,Val4,Val5);")
    _Process()
Else
    $DB=_SQLite_Open(@ScriptDir&"\DataBase.db")
    _Process(True)
EndIf
_SQLite_Shutdown()
_Crypt_Shutdown()

Func _Process($State = False)

    If  $State = False  Then
        _Scan(@HomeDrive)
    ElseIf $State = True Then
        _Anulyze()
    Else
        MsgBox(16,"","Error")
    EndIf

EndFunc

Func _Scan($SourceFolder)

    Local $File
    Local $Search

    $Search = FileFindFirstFile($SourceFolder & "\*.*")
    If $Search = -1 Then Return

    While 1
        $File = FileFindNextFile($Search)
        If @error = 1 Then ExitLoop
        If @extended = 1 Then
            _Scan($SourceFolder & "\" & $File)
        Else
            ;ToolTip("PROCESSING: "&$SourceFolder & "\" & $File)
            _Xzamin($SourceFolder & "\" & $File)
        EndIf
    WEnd

    FileClose($Search)

EndFunc   ;==>_SCANSYSTEM

Func _Xzamin($File)

    Local $S=StringSplit($File,"\",2)
    Local $i=UBound($S) - 1
    Local $S2=StringSplit($S[$i],".",2)
    Local $I2=UBound($S2) - 1

    ;If StringInStr($Exclusions,$S[$i]) Then Return 1; exclusions ~
    ;If Not StringInStr($ExclusionsByExt,$S2[$I2]) Then Return 1; exclusions ~
    If Round(FileGetSize($File)/1048576,2) > $Size Then Return 1

    Local $FO=FileOpen($File)
    If @error Then
        _DataAddEx("DataBase",FileGetShortName($File),"Error opening file")
        Return 1
    EndIf

    Local $FR=FileRead($FO)
    _DataAddEx("DataBase", _
        FileGetShortName($File), _
        _Crypt_HashData($FR,$CALG_MD5), _
        FileGetTime($File,0,1), _
        FileGetSize($File), _
        FileGetAttrib($File), _
        @YEAR&"/"&@Mon&"/"&@MDAY)

    FileClose($FO)

    Return 1

EndFunc

Func _Anulyze()
    Local $hQuery, $aRow, $sMsg
    _SQlite_Query (-1, "SELECT * FROM DataBase;", $hQuery) ; the query
    While _SQLite_FetchData ($hQuery, $aRow) = $SQLITE_OK
        ToolTip("PROCESSING: "&$aRow[0])
        $Ar=_DataQueryEx("DataBase",$aRow[0],True)
        If IsArray($Ar) Then
            Local $FO=FileOpen($Ar[0])
            Local $FR=FileRead($FO)
            If _Crypt_HashData($FR,$CALG_MD5) <> $Ar[1] Then
                MsgBox(0,"Statistics","===File Change Information==="& @CRLF & _
                "File..........................  "& FileGetLongName($Ar[0]) & @CRLF & _
                "Previouse Hash................ "& _Crypt_HashData($FR,$CALG_MD5) & @CRLF & _
                "Current Hash..................  "& $Ar[1] & @CRLF & _
                "Previouse Time................ "& $Ar[2] & @CRLF & _
                "Current Time.................. "& FileGetTime($ar[0],0,1) & @CRLF & _
                "Previouse File size......... "& $Ar[3]& "Kb" & @CRLF & _
                "Previouse File size............... "& FileGetSize($Ar[0]) & "Kb" & @CRLF & _
                "Current File size........... "& Round(FileGetSize($Ar[0])/1048576,2)& "Mb" & @CRLF & _
                "Previouse file Attrib......... "& $Ar[4] & @CRLF & _
                "Current File Attrib........... "& FileGetAttrib($Ar[0]) & @CRLF & _
                "Scane generated on date....... "& $Ar[5])
            EndIf
        FileClose($FO)
        EndIf
    WEnd
    Return 1
EndFunc

Func _DataAddEx($Table,$Adress,$Val1,$Val2 = "",$Val3 = "", $Val4 = "",$Val5 = "")
    Local $Data
    _SQLite_QuerySingleRow($DB,"SELECT Adress FROM "&$Table&" WHERE Adress='"&$Adress&"'",$Data)
    If $Data[0] <> "" Then
        _SQLite_Exec($DB,"UPDATE "&$Table&" SET Val1='"&$Val1&"', Val2='"&$Val2&"', Val3='"&$Val3&"', Val4='"&$Val4&"', Val5='"&$Val5&"' WHERE Adress='"&$Adress&"'")
    Else
        _SQLite_Exec($DB,"INSERT INTO "&$Table&" (Adress,Val1,Val2,Val3,Val4,Val5) VALUES ('"&$Adress&"','"&$Val1&"','"&$Val2&"','"&$Val3&"','"&$Val4&"','"&$Val5&"');")
    EndIf
EndFunc

Func _DataQueryEx($Table,$Adress,$Ar = False)
    Local $Ret
    If _SQLite_QuerySingleRow($DB,"SELECT * FROM "&$Table&" WHERE Adress='"&$Adress&"'",$Ret) == $SQLITE_OK Then ; =>"*"<= means all...
        If $Ret[0] == "" Then
            Return @error
        Else
            If $Ar Then Return $Ret
            Return $Ret[1]
        EndIf
    EndIf
EndFunc

I would imagine that creating a simple and super fast virus scanner would be very easy if I had hashes to even compare against, It would be cool to save all malicious hashes to an sqlite data base and just checking for their presence by submitting a query for the hash address in the database, eliminating the need to compare a hash to a multitude of other hashes.

Now I know that some AV's don't use hashes like AVG but a lot of others actually do check for files you don't want by comparing hashes.

Edited August 22, 2011 by THAT1ANONYMOUSEDUDE

[Skitty]

Take a look at this: http://www.virustotal.com/advanced.html#api-other-languages and their API URL: https://www.virustotal.com/api/get_file_report.json

I don't exactly wan't to use a web site scanning service.

but thanks nun the less.

Edit: wow, where'd you go?

Edited August 22, 2011 by THAT1ANONYMOUSEDUDE

[Foxhound]

I don't exactly wan't to use a web site scanning service.<br /><br />but thanks nun the less.<br /><br />Edit: wow, where'd you go?

That's why I deleted my question. I didn't read their API enough.

Anyway, I was poking around their search page where they allow you to look up viruses based on your hash input.

Although it's not part of their official API, you could try sending in POST/GET requests and cleaning the HTML tags to check your hash against their database.

I'll keep poking around and see what I can find.

Edited August 22, 2011 by Foxhound

[Skitty]

That's why I deleted my question. I didn't read their API enough.

Anyway, I was poking around their search page where they allow you to look up viruses based on your hash input.

Although it's not part of their official API, you could try sending in POST/GET requests and cleaning the HTML tags to check your hash against their database.

I'll keep poking around and see what I can find.

Where did it say that on their site? I seem to have missed that.

I was thinking about looking for a site with just that feature.

[Foxhound]

EDIT:

Lol...I already found the answer but ignored it. Oh well it's past midnight, can't blame me.

They have an API as I said before here: http://www.virustotal.com/advanced.html

their api url is: https://www.virustotal.com/api/get_file_report

You just supply your API key and the file hash to get a json report of the hash if it's in their database.

they even have a python wrapper for it:

http://code.google.com/p/virustotalapi/

Hope this helps...I'm going to sleep now

Edited August 22, 2011 by Foxhound

[Skitty]

EDIT:

Lol...I already found the answer but ignored it. Oh well it's past midnight, can't blame me.

They have an API as I said before here: http://www.virustotal.com/advanced.html

their api url is: https://www.virustotal.com/api/get_file_report

You just supply your API key and the file hash to get a json report of the hash if it's in their database.

they even have a python wrapper for it:

http://code.google.com/p/virustotalapi/

Hope this helps...I'm going to sleep now

I thought I read they needed you to upload the file, even though, it would be nicer if there was some kind of accessible hash list on the matter.