예제 #1
0
        public static VirusTotalUrlResponse ConvertUrlResponse(byte[] response_bytes)
        {
            string response_string     = Encoding.ASCII.GetString(response_bytes);
            VirusTotalUrlResponse vtru = JsonConvert.DeserializeObject <VirusTotalUrlResponse>(response_string);

            return(vtru);
        }
예제 #2
0
        // ┌────────────────────────────────────────────────────────────┐
        // │	Main Method												│
        // └────────────────────────────────────────────────────────────┘

        // Upon execution, main function reads/checks the first CLI arg to see if it is a valid action string; if so, it verifies the other CLI args are present for the relevant action then calls the VirusTotal API
        // TO DO: There may be some redundancy in the various switch branches below with checking args; we can probably simplify this.

        static void Main(string[] args)
        {
            if (args.Length == 0)
            {
                Console.WriteLine("LogRhythm VirusTotal Query\r\n\r\nAvailable queries:\r\n\r\nScan File\r\nScan URL\r\n\r\nSyntax:\r\n\r\nlrvt.exe --scan-file [FILE_NAME] [VIRUSTOTAL_API_KEY]\r\nlrvt.exe --scan-url [URL] [VIRUSTOTAL_API_KEY]");
            }
            else
            {
                switch (args[0])
                {
                case "--scan-url":
                    if (args.Length == 1)
                    {
                        Console.WriteLine("No URL specified and no VirusTotal API key specified!\r\n\r\nSyntax:\r\n\r\nlrvt.exe --scan-url [URL] [VIRUSTOTAL_API_KEY]\r\n");
                        break;
                    }
                    else
                    {
                        if (args.Length != 3)
                        {
                            Console.WriteLine("No VirusTotal API key specified!\r\n\r\nSyntax:\r\n\r\nlrvt.exe --scan-url [URL] [VIRUSTOTAL_API_KEY]\r\n");
                            break;
                        }
                        else
                        {
                            try
                            {
                                byte[] url_resp_bytes = VtScanUrl(args[1], "application/x-www-form-urlencoded", vt_scanurl_uri, args[2]);
                                VirusTotalUrlResponse vt_urlsub_resp = ConvertUrlResponse(url_resp_bytes);
                                if (vt_urlsub_resp.response_code != 1)
                                {
                                    Console.WriteLine("Error submitting URL to VirusTotal!\r\n\r\nError Information:\r\n{0}", vt_urlsub_resp.verbose_msg);
                                    break;
                                }
                                else
                                {
                                    bool has_ret_resp = false;
                                    int  retry_count  = 0;
                                    bool resp_check   = false;
                                    System.Threading.Thread.Sleep(15000);
                                    while (has_ret_resp == false && retry_count < 8)
                                    {
                                        byte[] url_report_bytes = VtGetReport(vt_urlsub_resp.resource, vt_reporturl_uri, args[2]);
                                        if (url_report_bytes != null && url_report_bytes.Length != 0)
                                        {
                                            // ***API TROUBLESHOOTING/DEBUG HELPER OPTION*** Output each response check to stdout. (Uncomment the following 2 lines)
                                            //Console.WriteLine(Encoding.ASCII.GetString(url_report_bytes));
                                            //Console.WriteLine();

                                            resp_check = CheckResponseStatus(url_report_bytes);
                                        }
                                        if (resp_check == true)
                                        {
                                            has_ret_resp = true;
                                            OutputUrlReport(url_report_bytes);
                                            return;
                                        }
                                        else
                                        {
                                            System.Threading.Thread.Sleep(30000);
                                            retry_count++;
                                        }
                                    }

                                    Console.WriteLine("Query took longer than 120 seconds to respond! Please check the scan's permalink, available at:\r\n{0}", vt_urlsub_resp.permalink);
                                    break;
                                }
                            }

                            catch (Exception u)
                            {
                                Console.WriteLine("Error submitting URL to VirusTotal!\r\n\r\nError Information:\r\n{0}", u.Message);
                                break;
                            }
                        }
                    }

                case "--scan-file":
                    if (args.Length == 1)
                    {
                        Console.WriteLine("No file name specified and no VirusTotal API key specified!\r\n\r\nSyntax:\r\n\r\nlrvt.exe --scan-file [FILE_NAME] [VIRUSTOTAL_API_KEY]\r\n");
                        break;
                    }
                    else
                    {
                        if (args.Length != 3)
                        {
                            Console.WriteLine("No VirusTotal API key specified!\r\n\r\nSyntax:\r\n\r\nlrvt.exe --scan-file [FILE_NAME] [VIRUSTOTAL_API_KEY]\r\n");
                            break;
                        }
                        else
                        {
                            if (File.Exists(args[1]) == false)
                            {
                                Console.WriteLine("File \"{0}\" not found!\r\nPlease verify file name is valid; if file name contains spaces, try wrapping the name in double-quotes.", args[1]);
                                break;
                            }
                            else
                            {
                                try
                                {
                                    byte[]             file_bytes      = File.ReadAllBytes(args[1]);
                                    byte[]             file_resp_bytes = VtUploadFile(file_bytes, Path.GetFileName(args[1]), "application/octet-stream", vt_filescan_uri, args[2]);
                                    VirusTotalResponse vt_filesub_resp = ConvertResponse(file_resp_bytes);
                                    if (vt_filesub_resp.response_code != 1)
                                    {
                                        Console.WriteLine("Error submitting file to VirusTotal!\r\n\r\nError Information:\r\n{0}", vt_filesub_resp.verbose_msg);
                                        break;
                                    }
                                    else
                                    {
                                        bool has_ret_resp = false;
                                        int  retry_count  = 0;
                                        System.Threading.Thread.Sleep(20000);
                                        while (has_ret_resp == false && retry_count < 8)
                                        {
                                            //System.Threading.Thread.Sleep(30000);
                                            bool   resp_check     = false;
                                            byte[] file_chk_bytes = VtGetReport(vt_filesub_resp.resource, vt_report_uri, args[2]);
                                            if (file_chk_bytes != null && file_chk_bytes.Length != 0)
                                            {
                                                // ***API TROUBLESHOOTING/DEBUG HELPER OPTION*** Output each response check to stdout. (Uncomment the following 2 lines)
                                                //Console.WriteLine(Encoding.ASCII.GetString(file_chk_bytes));
                                                //Console.WriteLine();

                                                resp_check = CheckResponseStatus(file_chk_bytes);
                                            }
                                            if (resp_check == true)
                                            {
                                                has_ret_resp = true;
                                                OutputFileReport(file_chk_bytes, Path.GetFileName(args[1]));
                                                return;
                                            }
                                            else
                                            {
                                                System.Threading.Thread.Sleep(30000);
                                                retry_count++;
                                            }
                                        }

                                        Console.WriteLine("Query took longer than 240 seconds to respond! Please check the scan's permalink, available at:\r\n{0}", vt_filesub_resp.permalink);
                                        break;
                                    }
                                }
                                catch (Exception f)
                                {
                                    Console.WriteLine("Error submitting file to VirusTotal!\r\n\r\nError Information:\r\n{0}", f.Message);
                                    break;
                                }
                            }
                        }
                    }

                default:
                    if (args[0] == "--scan-file" || args[0] == "--scan-url")
                    {
                        Console.WriteLine("Missing argument(s) in command! Available actions: Scan File or Scan URL\r\n\r\nSyntax:\r\n\r\nlrvt.exe --scan-file [FILE_NAME] [VIRUSTOTAL_API_KEY]\r\nlrvt.exe --scan-url [URL] [VIRUSTOTAL_API_KEY]");
                    }
                    else
                    {
                        Console.WriteLine("Invalid (or no) action specified! Available actions: Scan File or Scan URL\r\n\r\nSyntax:\r\n\r\nlrvt.exe --scan-file [FILE_NAME] [VIRUSTOTAL_API_KEY]\r\nlrvt.exe --scan-url [URL] [VIRUSTOTAL_API_KEY]");
                    }
                    break;
                }

                return;
            }
        }