Virustotal api Python简单使用

programing
,

0x01 准备

首先是注册获得apikey

这是api的使用规则:
Parameter Setting
Privileges public key
Request rate 4 requests/minute
Daily quota 5760 requests/day
Monthly quota 178560 requests/month
Status Key enabled

VirusTotal Public API v2.0
api接口:

1
2
3
4
5
6
7
https://www.virustotal.com/vtapi/v2/file/scan : 上传文件扫描
https://www.virustotal.com/vtapi/v2/file/rescan: 重新扫描文件
https://www.virustotal.com/vtapi/v2/file/report: 获取上传結果
https://www.virustotal.com/vtapi/v2/url/scan: 扫描 url
https://www.virustotal.com/vtapi/v2/url/report:  取得 url结果
http://www.virustotal.com/vtapi/v2/ip-address/report: ip记录
http://www.virustotal.com/vtapi/v2/domain/report: 域名记录

几个简单使用例子

0x02 扫描文件test.txt

file.py

1
2
3
4
5
6
7
8
9
10
##!/usr/bin/env python
## coding=utf-8
import postfile
host = "www.virustotal.com"
selector = "https://www.virustotal.com/vtapi/v2/file/scan"
fields = [("apikey", "-- YOUR API KEY --")]
file_to_send = open("test.txt", "rb").read()
files = [("file", "test.txt", file_to_send)]
json = postfile.post_multipart(host, selector, fields, files)
print json

postfile.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
##!/usr/bin/env python
## coding=utf-8

import httplib, mimetypes

def post_multipart(host, selector, fields, files):
    """
    Post fields and files to an http host as multipart/form-data.
    fields is a sequence of (name, value) elements for regular form fields.
    files is a sequence of (name, filename, value) elements for data to be uploaded as files
    Return the server's response page.
    """
    content_type, body = encode_multipart_formdata(fields, files)
    h = httplib.HTTPS(host)
    h.putrequest('POST', selector)
    h.putheader('content-type', content_type)
    h.putheader('content-length', str(len(body)))
    h.endheaders()
    h.send(body)
    errcode, errmsg, headers = h.getreply()
    return h.file.read()

def encode_multipart_formdata(fields, files):
    """
    fields is a sequence of (name, value) elements for regular form fields.
    files is a sequence of (name, filename, value) elements for data to be uploaded as files
    Return (content_type, body) ready for httplib.HTTPS instance
    """
    BOUNDARY = '----------ThIs_Is_tHe_bouNdaRY_$'
    CRLF = '\r\n'
    L = []
    for (key, value) in fields:
        L.append('--' + BOUNDARY)
        L.append('Content-Disposition: form-data; name="%s"' % key)
        L.append('')
        L.append(value)
    for (key, filename, value) in files:
        L.append('--' + BOUNDARY)
        L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % (key, filename))
        L.append('Content-Type: %s' % get_content_type(filename))
        L.append('')
        L.append(value)
    L.append('--' + BOUNDARY + '--')
    L.append('')
    body = CRLF.join(L)
    content_type = 'multipart/form-data; boundary=%s' % BOUNDARY
    return content_type, body

def get_content_type(filename):
    return mimetypes.guess_type(filename)[0] or 'application/octet-stream'

注意, 原始的 code 是使用 httplib.HTTP,要改成 httplib.HTTPS

不然 json 結果会是 Error 400 (Bad Request)!!
这里已经修改
结果:

1
{"scan_id": "935b6e11c464377ee7a064f53a90593b90233e99fc22dde3efd11056cfb33a64-1460642993", "sha1": "7b1354079b00cf16f2b7405b636c0a6a452e33a5", "resource": "935b6e11c464377ee7a064f53a90593b90233e99fc22dde3efd11056cfb33a64", "response_code": 1, "sha256": "935b6e11c464377ee7a064f53a90593b90233e99fc22dde3efd11056cfb33a64", "permalink": "https://www.virustotal.com/file/935b6e11c464377ee7a064f53a90593b90233e99fc22dde3efd11056cfb33a64/analysis/1460642993/", "md5": "03036c4fd6b2e13c364aa5687827256b", "verbose_msg": "Scan request successfully queued, come back later for the report"}

0x03 通过hash值查询virustotal上已经扫描过的的结果

1
2
3
4
5
6
7
8
9
10
11
12
13
14
##!/usr/bin/env python
## coding=utf-8
import simplejson
import urllib
import urllib2

url = "https://www.virustotal.com/vtapi/v2/file/report"
parameters = {"resource": "99017f6eebbac24f351415dd410d522d",
              "apikey": "-- YOUR API KEY --"}
data = urllib.urlencode(parameters)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
json = response.read()
print json

扫描结果:

1
{"scans": {"Bkav": {"detected": false, "version": "1.3.0.7744", "result": null, "update": "20160413"}, "TotalDefense": {"detected": true, "version": "37.1.62.1", "result": "Win32/ASuspect.HDBBD", "update": "20160414"}, "MicroWorld-eScan": {"detected": true, "version": "12.0.250.0", "result": "Generic.Malware.V!w.7232B058", "update": "20160414"}, "nProtect": {"detected": true, "version": "2016-04-14.01", "result": "Trojan/W32.Small.28672.BJA", "update": "20160414"}, "CMC": {"detected": true, "version": "1.1.0.977", "result": "Trojan.Win32.VB!O", "update": "20160412"}, "CAT-QuickHeal": {"detected": true, "version": "14.00", "result": "Trojan.Comame.r3", "update": "20160414"}, "ALYac": {"detected": true, "version": "1.0.1.9", "result": "Generic.Malware.V!w.7232B058", "update": "20160414"}, "Malwarebytes": {"detected": true, "version": "2.1.1.1115", "result": "Trojan.Qhost", "update": "20160414"}, "Zillya": {"detected": true, "version": "2.0.0.2783", "result": "Trojan.VB.Win32.33493", "update": "20160414"}, "SUPERAntiSpyware": {"detected": false, "version": "5.6.0.1032", "result": null, "update": "20160414"}, "TheHacker": {"detected": true, "version": "6.8.0.5.892", "result": "Trojan/VB.acgy", "update": "20160412"}, "Alibaba": {"detected": false, "version": "1.0", "result": null, "update": "20160414"},....}

0x04 扫描url

1
2
3
4
5
6
7
8
9
10
11
12
13
 #!/usr/bin/env python
## coding=utf-8
import simplejson
import urllib
import urllib2
url = "https://www.virustotal.com/vtapi/v2/url/report"
parameters = {"resource": "http://www.google.com",
              "apikey": "-- YOUR API KEY --"}
data = urllib.urlencode(parameters)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
json = response.read()
print json
1
{"scan_id": "dd014af5ed6b38d9130e3f466f850e46d21b951199d53a18ef29ee9341614eaf-1460643911", "resource": "http://www.google.com", "url": "http://www.google.com/", "response_code": 1, "scan_date": "2016-04-14 14:25:11", "permalink": "https://www.virustotal.com/url/dd014af5ed6b38d9130e3f466f850e46d21b951199d53a18ef29ee9341614eaf/analysis/1460643911/", "verbose_msg": "Scan finished, scan information embedded in this object", "filescan_id": null, "positives": 0, "total": 67, "scans": {"CLEAN MX": {"detected": false, "result": "clean site"}, "Rising": {"detected": false, "result": "clean site"}, "OpenPhish": {"detected": false, "result": "clean site"}, "VX Vault": {"detected": false, "result": "clean site"}, "ZDB Zeus": {"detected": false, "result": "clean site"}, "AutoShun": {"detected": false, "result": "unrated site"}, "ZCloudsec": {"detected": false, "result": "clean site"}, "PhishLabs": {"detected": false, "result": "unrated site"}, "Zerofox": {"detected": false, "result": "clean site"}, "K7AntiVirus": {"detected": false, "result": "clean site"}, "SecureBrain": {"detected": false, "result": "clean site"}, "Quttera": {"detected": false,........}