Documentation ¶
Overview ¶
Package govt is a VirusTotal API v2 client written for the Go programming language.
Written by Willi Ballenthin while at Mandiant. June, 2013.
File upload capabilities by Florian 'scusi' Walther June, 2014.
File distribution support by Christopher 'tankbusta' Schmitt while at Mandiant October, 2014.
Index ¶
- Constants
- func SetErrorLog(logger *log.Logger) func(*Client) error
- func SetTraceLog(logger *log.Logger) func(*Client) error
- type APICall
- type AdditionnalInfoResult
- type Argument
- type AutoStartEntry
- type Behaviour
- type BehaviourSummary
- type Client
- func (client *Client) GetComments(resource string) (r *CommentReport, err error)
- func (client *Client) GetDetailedFileReport(md5 string) (r *DetailedFileReport, err error)
- func (client *Client) GetDomainReport(domain string) (r *DomainReport, err error)
- func (client *Client) GetFile(hash string) (r *FileDownloadResult, err error)
- func (client *Client) GetFileBehaviour(hash string) (r *FileBehaviourResult, err error)
- func (client *Client) GetFileDistribution(params *Parameters) (r *FileDistributionResults, err error)
- func (client *Client) GetFileFeed(packageRange string) ([]FileFeed, error)
- func (client *Client) GetFileNetworkTraffic(hash string) (r *FileDownloadResult, err error)
- func (client *Client) GetFileReport(md5 string) (r *FileReport, err error)
- func (client *Client) GetFileReports(md5s []string) (r *FileReportResults, err error)
- func (client *Client) GetIpReport(ip string) (r *IpReport, err error)
- func (client *Client) GetUrlReport(url string) (r *UrlReport, err error)
- func (client *Client) GetUrlReports(urls []string) (r *UrlReports, err error)
- func (client *Client) MakeAPIGetRequest(fullurl string, parameters Parameters) (resp *http.Response, err error)
- func (client *Client) MakeComment(resource string, comment string) (r *Status, err error)
- func (client *Client) RescanFile(md5 string) (r *RescanFileResult, err error)
- func (client *Client) RescanFiles(md5s []string) (r *RescanFileResults, err error)
- func (client *Client) ScanFile(file string) (r *ScanFileResult, err error)
- func (client *Client) ScanUrl(url string) (r *ScanUrlResult, err error)
- func (client *Client) ScanUrls(urls []string) (r *ScanUrlResults, err error)
- func (client *Client) SearchFile(query, offset string) (r *FileSearchResult, err error)
- type ClientError
- type Comment
- type CommentReport
- type DNSEvent
- type DetailedFileReport
- type DetectedUrl
- type DomainReport
- type DomainResolution
- type FileBehaviourResult
- type FileDistributionResults
- type FileDownloadResult
- type FileFeed
- type FileReport
- type FileReportDistrib
- type FileReportResults
- type FileScan
- type FileSearchResult
- type HTTPEvent
- type IpReport
- type IpResolution
- type NetworkInfo
- type OptionFunc
- type PEResource
- type Parameters
- type Process
- type ProcessTreeEntry
- type ReportInfo
- type RescanFileResult
- type RescanFileResults
- type ScanFileResult
- type ScanUrlResult
- type ScanUrlResults
- type SigCheck
- type SignerDetail
- type Status
- type Syscall
- type TCPEvent
- type TrustedVerdictResult
- type UDPEvent
- type UrlReport
- type UrlReports
- type UrlScan
Constants ¶
const (
	DefaultURL = "https://www.virustotal.com/vtapi/v2/"
)
Variables ¶
This section is empty.
Functions ¶
func SetErrorLog ¶
SetErrorLog sets the logger for critical messages. It is nil by default.
Types ¶
type AdditionnalInfoResult ¶
type AdditionnalInfoResult struct {
	Magic string `json:"magic"`
	Signature SigCheck `json:"sigcheck"`
	PEImpHash string `json:"pe-imphash"`
	PETimeStamp int `json:"pe-timestamp"`
	PEResourceList map[string]string `json:"pe-resource-list"`
	PEResourceLangs map[string]int `json:"pe-resource-langs"`
	PEResourceTypes map[string]int `json:"pe-resource-types"`
	PEResourceDetail []PEResource `json:"pe-resource-detail"`
	PEMachineType int `json:"pe-machine-type"`
	PEEntryPoint int `json:"pe-entry-point"`
	AutoStart []AutoStartEntry `json:"autostart"`
	Imports map[string][]string `json:"imports"`
	TrustedVerdict TrustedVerdictResult `json:"trusted_verdict"`
}
type AutoStartEntry ¶
type Behaviour ¶
type Behaviour struct {
	Processes []Process `json:"processes"`
	ProcessTree []ProcessTreeEntry `json:"processtree"`
	Summary BehaviourSummary `json:"Summary"`
}
type BehaviourSummary ¶
type Client ¶
type Client struct {
// contains filtered or unexported fields
}
Client interacts with the services provided by VirusTotal.
func New ¶
func New(options ...OptionFunc) (*Client, error)
New creates a new virustotal client.
The caller can configure the new client by passing configuration options to the func.
Example:
client, err := govt.New(
	govt.SetUrl("http://some.url.com:port"),
	govt.SetErrorLog(log.New(os.Stderr, "VT: ", log.Lshortfile)),
)
If no URL is configured, Client uses DefaultURL by default.
If no HttpClient is configured, then http.DefaultClient is used. You can use your own http.Client with some http.Transport for advanced scenarios.
An error is also returned when some configuration option is invalid.
func (*Client) GetComments ¶
func (client *Client) GetComments(resource string) (r *CommentReport, err error)
GetComments gets comments for file/URL/IP/domain.
func (*Client) GetDetailedFileReport ¶
func (client *Client) GetDetailedFileReport(md5 string) (r *DetailedFileReport, err error)
GetDetailedFileReport fetches the AV scan reports tracked by VT given an MD5 hash value. This API is part of the VTI Private API, which requires a licensed API key.
func (*Client) GetDomainReport ¶
func (client *Client) GetDomainReport(domain string) (r *DomainReport, err error)
GetDomainReport fetches the passive DNS information about a DNS address.
func (*Client) GetFile ¶
func (client *Client) GetFile(hash string) (r *FileDownloadResult, err error)
GetFile fetches a file from VT that matches a given md5/sha1/sha256 sum
func (*Client) GetFileBehaviour ¶
func (client *Client) GetFileBehaviour(hash string) (r *FileBehaviourResult, err error)
func (*Client) GetFileDistribution ¶
func (client *Client) GetFileDistribution(params *Parameters) (r *FileDistributionResults, err error)
GetFileDistribution fetches files from the VT distribution API
func (*Client) GetFileFeed ¶
GetFileFeed fetches files from the VT feed API
func (*Client) GetFileNetworkTraffic ¶
func (client *Client) GetFileNetworkTraffic(hash string) (r *FileDownloadResult, err error)
func (*Client) GetFileReport ¶
func (client *Client) GetFileReport(md5 string) (r *FileReport, err error)
GetFileReport fetches the AV scan reports tracked by VT given an MD5 hash value.
func (*Client) GetFileReports ¶
func (client *Client) GetFileReports(md5s []string) (r *FileReportResults, err error)
GetFileReports fetches the AV scan reports tracked by VT given a set of MD5 hash values.
func (*Client) GetIpReport ¶
GetIpReport fetches the passive DNS information about an IP address.
func (*Client) GetUrlReport ¶
GetUrlReport fetches the AV scan reports tracked by VT given a URL. Does not support the optional `scan` parameter.
func (*Client) GetUrlReports ¶
func (client *Client) GetUrlReports(urls []string) (r *UrlReports, err error)
GetUrlReports fetches AV scan reports tracked by VT given URLs. Does not support the optional `scan` parameter.
func (*Client) MakeAPIGetRequest ¶
func (client *Client) MakeAPIGetRequest(fullurl string, parameters Parameters) (resp *http.Response, err error)
MakeAPIGetRequest fetches a URL with querystring via HTTP GET and returns the response if the status code is HTTP 200.
`parameters` should not include the apikey. The caller must call `resp.Body.Close()`.
func (*Client) MakeComment ¶
MakeComment adds a comment to a file/URL/IP/domain.
func (*Client) RescanFile ¶
func (client *Client) RescanFile(md5 string) (r *RescanFileResult, err error)
RescanFile asks VT to redo analysis on the specified file.
func (*Client) RescanFiles ¶
func (client *Client) RescanFiles(md5s []string) (r *RescanFileResults, err error)
RescanFiles asks VT to redo analysis on the specified files.
func (*Client) ScanFile ¶
func (client *Client) ScanFile(file string) (r *ScanFileResult, err error)
ScanFile uploads the specified file and asks VT to analyze it.
func (*Client) ScanUrl ¶
func (client *Client) ScanUrl(url string) (r *ScanUrlResult, err error)
ScanUrl asks VT to redo analysis on the specified url.
func (*Client) ScanUrls ¶
func (client *Client) ScanUrls(urls []string) (r *ScanUrlResults, err error)
ScanUrls asks VT to redo analysis on the specified urls. Up to 25 urls.
func (*Client) SearchFile ¶
func (client *Client) SearchFile(query, offset string) (r *FileSearchResult, err error)
SearchFile(query, offset) searches VT Intelligence for files that meet the given search criteria. It returns a list of hashes of files that matched the search criteria. See the following URL for possible search operators: https://www.virustotal.com/intelligence/help/file-search/#search-operators. This functionality is part of the VT Private API.
type ClientError ¶
type ClientError struct {
// contains filtered or unexported fields
}
ClientError is a generic error specific to the `govt` package.
func (ClientError) Error ¶
func (client ClientError) Error() string
Error returns a string representation of the error condition.
type CommentReport ¶
type CommentReport struct {
	Status
	Resource string `json:"resource"`
	Comments []Comment `json:"comments"`
}
CommentReport is defined by VT.
type DetailedFileReport ¶
type DetailedFileReport struct {
	FileReportDistrib
	Tags []string `json:"tags"`
	UniqueSources uint16 `json:"unique_sources"`
	TimesSubmitted uint16 `json:"times_submitted"`
	HarmlessVotes uint16 `json:"harmless_votes"`
	MaliciousVotes uint16 `json:"malicious_votes"`
	CommunityReputation int `json:"community_reputation"`
	AdditionnalInfo AdditionnalInfoResult `json:"additional_info"`
	IntoTheWildURLs []string `json:"ITW_urls"`
	SubmissionNames []string `json:"submission_names"`
	Ssdeep string `json:"ssdeep"`
}
type DetectedUrl ¶
type DetectedUrl struct {
	Url string `json:"url"`
	Total uint16 `json:"total"`
	Positives uint16 `json:"positives"`
	ScanDate string `json:"scan_date"`
}
DetectedUrl is defined by VT.
type DomainReport ¶
type DomainReport struct {
	Status
	Resolutions []DomainResolution
	DetectedUrls []DetectedUrl `json:"detected_urls"`
}
DomainReport is defined by VT.
type DomainResolution ¶
type DomainResolution struct {
	LastResolved string `json:"last_resolved"`
	IpAddress string `json:"ip_address"`
}
DomainResolution is defined by VT.
type FileBehaviourResult ¶
type FileBehaviourResult struct {
	Status
	Info ReportInfo `json:"info"`
	Behaviour Behaviour `json:"behavior"`
	NetworkInfo NetworkInfo `json:"network"`
	Syscalls []Syscall `json:"syscalls"`
}
type FileDistributionResults ¶
type FileDistributionResults []FileReportDistrib
type FileFeed ¶
type FileFeed struct {
	Vhash string `json:"vhash"`
	SubmissionNames []string `json:"submission_names"`
	ScanDate string `json:"scan_date"`
	FirstSeen string `json:"first_seen"`
	TimesSubmitted int `json:"times_submitted"`
	Size int `json:"size"`
	ScanID string `json:"scan_id"`
	Total int `json:"total"`
	HarmlessVotes int `json:"harmless_votes"`
	VerboseMsg string `json:"verbose_msg"`
	Sha256 string `json:"sha256"`
	Type string `json:"type"`
	Link string `json:"link"`
	Positives int `json:"positives"`
	Ssdeep string `json:"ssdeep"`
	Md5 string `json:"md5"`
	Permalink string `json:"permalink"`
	Sha1 string `json:"sha1"`
	ResponseCode int `json:"response_code"`
	CommunityReputation int `json:"community_reputation"`
	MaliciousVotes int `json:"malicious_votes"`
	ITWUrls []interface{} `json:"ITW_urls"`
	LastSeen string `json:"last_seen"`
}
FileFeed contains the high-level elements of the file feed API. It has much more data, but is kept simple for brevity.
type FileReport ¶
type FileReport struct {
	Status
	Resource string `json:"resource"`
	ScanId string `json:"scan_id"`
	Md5 string `json:"md5"`
	Sha1 string `json:"sha1"`
	Sha256 string `json:"sha256"`
	ScanDate string `json:"scan_date"`
	Positives uint16 `json:"positives"`
	Total uint16 `json:"total"`
	Scans map[string]FileScan `json:"scans"`
	Permalink string `json:"permalink"`
}
FileReport is defined by VT.
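An added example (not part of the govt package or its documentation) showing how a FileReport-shaped response decodes through the embedded Status and the JSON tags listed on this page, and how to triage it. The types are trimmed local copies of Status, FileScan and FileReport so it runs offline; the sample JSON, the `triage` helper and its `minPositives` threshold are constructed for illustration, and the response_code meanings (1 found, 0 unknown, -2 queued) are the VirusTotal v2 API convention.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Trimmed local copies of the govt types on this page, so the example runs offline.
type Status struct {
	ResponseCode int `json:"response_code"`
}
type FileScan struct {
	Detected bool   `json:"detected"`
	Result   string `json:"result"` // a JSON null leaves this as ""
}
type FileReport struct {
	Status
	Positives uint16              `json:"positives"`
	Scans     map[string]FileScan `json:"scans"`
}

// Constructed sample response; engine names and detection labels are made up.
const sampleReport = `{"response_code":1,"verbose_msg":"Scan finished","positives":2,"total":3,"scans":{
 "EngineA":{"detected":true,"result":"Trojan.Sample"},
 "EngineB":{"detected":false,"result":null},
 "EngineC":{"detected":true,"result":"Generic.Mal"}}}`

// triage returns a verdict and the sorted engines that flagged the file (hypothetical helper).
func triage(raw string, minPositives uint16) (string, []string, error) {
	var r FileReport
	if err := json.Unmarshal([]byte(raw), &r); err != nil {
		return "", nil, err
	}
	// VT v2 response_code convention; "unknown" and "queued" are not clean verdicts.
	verdict, ok := map[int]string{1: "below-threshold", 0: "unknown", -2: "queued"}[r.ResponseCode]
	if !ok {
		return "", nil, fmt.Errorf("unexpected response_code %d", r.ResponseCode)
	}
	var hits []string
	for name, s := range r.Scans {
		if s.Detected {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits) // map iteration order is random; sort for stable output
	if r.ResponseCode == 1 && r.Positives >= minPositives {
		verdict = "malicious"
	}
	return verdict, hits, nil
}

func main() {
	fmt.Println(triage(sampleReport, 2))
}
```

With the real client, the same checks apply to the `*FileReport` returned by `GetFileReport`, since `ResponseCode` is promoted from the embedded `Status`.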
type FileReportDistrib ¶
type FileReportDistrib struct {
	Status
	Md5 string `json:"md5"`
	Sha1 string `json:"sha1"`
	Sha256 string `json:"sha256"`
	Type string `json:"type"`
	FirstSeen string `json:"first_seen"`
	LastSeen string `json:"last_seen"`
	Link string `json:"link"`
	Name string `json:"name"`
	Size int `json:"size"`
	SourceCountry string `json:"source_country"`
	SourceId string `json:"source_id"`
	Timestamp int `json:"timestamp"`
	VHash string `json:"vhash"`
	// Ugh. VT inconsistency. Data is an array rather than k/v like other APIs
	Scans map[string][]string `json:"report"`
}
type FileScan ¶
type FileScan struct {
	Detected bool `json:"detected"`
	Version string `json:"version"`
	Result string `json:"result"`
	Update string `json:"update"`
}
FileScan is defined by VT.
type FileSearchResult ¶
type FileSearchResult struct {
	ResponseCode int `json:"response_code"`
	Offset string `json:"offset"`
	Hashes []string `json:"hashes"`
}
File Search Result
type IpReport ¶
type IpReport struct {
	Status
	Resolutions []IpResolution
	DetectedUrls []DetectedUrl `json:"detected_urls"`
}
IpReport is defined by VT.
type IpResolution ¶
type IpResolution struct {
	LastResolved string `json:"last_resolved"`
	Hostname string `json:"hostname"`
}
IpResolution is defined by VT.
type NetworkInfo ¶
type OptionFunc ¶
OptionFunc is a function that configures a Client. It is used in New.
func SetBasicAuth ¶
func SetBasicAuth(username, password string) OptionFunc
SetBasicAuth sets proxy credentials.
func SetHttpClient ¶
func SetHttpClient(httpClient *http.Client) OptionFunc
SetHttpClient can be used to specify the http.Client to use when making HTTP requests to VT.
type PEResource ¶
type ProcessTreeEntry ¶
type ProcessTreeEntry struct {
	ID int `json:"pid"`
	Name string `json:"name"`
	Children []ProcessTreeEntry `json:"children"`
}
type ReportInfo ¶
type RescanFileResult ¶
type RescanFileResult struct {
	Status
	Resource string `json:"resource"`
	ScanId string `json:"scan_id"`
	Permalink string `json:"permalink"`
	Sha256 string `json:"sha256"`
}
RescanFileResult is defined by VT.
type RescanFileResults ¶
type RescanFileResults []RescanFileResult
RescanFileResults is defined by VT.
type ScanFileResult ¶
type ScanFileResult struct {
	Status
	Resource string `json:"resource"`
	ScanId string `json:"scan_id"`
	Permalink string `json:"permalink"`
	Sha256 string `json:"sha256"`
	Sha1 string `json:"sha1"`
	Md5 string `json:"md5"`
}
ScanFileResult is defined by VT.
type ScanUrlResult ¶
type ScanUrlResult struct {
	Status
	ScanId string `json:"scan_id"`
	ScanDate string `json:"scan_date"`
	Permalink string `json:"permalink"`
	Url string `json:"url"`
}
ScanUrlResult is defined by VT.
type SignerDetail ¶
type Status ¶
type Status struct {
	ResponseCode int `json:"response_code"`
	VerboseMsg string `json:"verbose_msg"`
}
Status is the set of fields shared among all VT responses.
type TrustedVerdictResult ¶
type UrlReport ¶
type UrlReport struct {
	Status
	Url string `json:"url"`
	Resource string `json:"resource"`
	ScanId string `json:"scan_id"`
	ScanDate string `json:"scan_date"`
	Permalink string `json:"permalink"`
	Positives uint16 `json:"positives"`
	Total uint16 `json:"total"`
	Scans map[string]UrlScan `json:"scans"`
	FileScanId string `json:"filescan_id"`
}
UrlReport is defined by VT.
Directories ¶
Path | Synopsis |
---|---|
SampleClients | |
domainreport | vtDomainReport.go - fetches and shows a VirusTotal Domain Report. |
filebehaviour | vtFileBehaviour - fetches a Cuckoo behaviour report from VirusTotal for the given resource. |
filecheck | vtFileCheck.go - checks if VirusTotal knows a given file. |
filedownload | vtFileDownload - fetches a sample from VirusTotal for the given resource. |
fileknownbysymantec | vtFileKnownBySymantec.go - checks via VirusTotal if a given file is detected by Symantec AV. |
filenetworktraffic | vtFileNetworkTraffic - fetches a pcap file from VirusTotal for the given resource. |
filereport | vtFileReport - fetches a report from VirusTotal for the given resource. |
filerescan | vtFileRescan - asks VirusTotal to rescan a given resource. |
filescan | vtFileScan - request VirusTotal to scan a given file. |
filesearch | vtFileSearch - shows how to use VT Intelligence to search for files that match certain criteria. |
ipreport | vtIpReport - fetches information about a given IP from VirusTotal. |
urlreport | vtUrlReport - fetches a report for a given URL from VirusTotal vtUrlReport -url=http://www.heise.de/ |
urlscan | vtUrlScan - Requests VirusTotal to scan a given URL vtUrlScan -url=http://www.virustotal.com/ |