Commit f72f7c9

Update README.md
1 parent c9a42cb commit f72f7c9

1 file changed

+42
-56
lines changed

README.md

+42-56
@@ -1,56 +1,42 @@
1-
## Search VirusTotal for a file hash
2-
## Chris Shearer
3-
## 26-Aug-2020
4-
## VirusTotal Public API: https://developers.virustotal.com/reference#file-report
5-
6-
7-
Function get-VTFileReport
8-
{
9-
## Accept CLI parameters
10-
param ([Parameter(Mandatory=$true)] [array]$h)
11-
12-
## Get your own VT API key here: https://www.virustotal.com/gui/join-us
13-
$VTApiKey = "xxxxxxxxxxx"
14-
15-
## Set TLS 1.2
16-
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
17-
18-
## Samples
19-
if ($h) {$samples = $h}
20-
else {write-host -f magenta "No hash found, exiting."}
21-
22-
## Loop through hashes
23-
foreach ($hash in $samples)
24-
{
25-
## Set sleep value to respect API limits (4/min) - https://developers.virustotal.com/v3.0/reference#public-vs-premium-api
26-
if ($samples.count -ge 4) {$sleepTime = 15}
27-
else {$sleepTime = 1 }
28-
29-
## Submit the hash!
30-
$VTbody = @{resource = $hash; apikey = $VTApiKey}
31-
$VTresult = Invoke-RestMethod -Method GET -Uri 'https://www.virustotal.com/vtapi/v2/file/report' -Body $VTbody
32-
33-
## Calculate percentage if there is a result
34-
if ($VTresult.positives -ge 1) {
35-
$VTpct = (($VTresult.positives) / ($VTresult.total)) * 100
36-
$VTpct = [math]::Round($VTpct,2)
37-
}
38-
else {
39-
$VTpct = 0
40-
}
41-
## Custom Object for data output
42-
[PSCustomObject]@{
43-
resource = $VTresult.resource
44-
scan_date = $VTresult.scan_date
45-
positives = $VTresult.positives
46-
total = $VTresult.total
47-
permalink = $VTresult.permalink
48-
percent = $VTpct
49-
}
50-
51-
Start-Sleep -seconds $sleepTime
52-
53-
}
54-
}
55-
56-
Export-ModuleMember -Function get-VTFileReport
1+
# get-VTFileReport
2+
3+
- Use PowerShell to get VirusTotal report for an array of hashes.
4+
- This API is rate limited to 4 submissions per minute.
5+
- VirusTotal [API documentation](https://developers.virustotal.com/reference#file-report)
6+
7+
## To use the module
8+
9+
- Import the module.
10+
11+
```PowerShell
12+
PS C:\temp> Import-Module .\get-VTFileReport.psm1
13+
```
14+
15+
- If you want to install the module for long-term use
16+
- See [Microsoft documentation](https://docs.microsoft.com/en-us/powershell/scripting/developer/module/installing-a-powershell-module?view=powershell-7).
17+
- Shortcut - just copy to its own folder in this location: $Env:ProgramFiles\WindowsPowerShell\Modules
18+
19+
```PowerShell
20+
PS C:\temp> copy .\get-VTFileReport.psm1 $Env:ProgramFiles\WindowsPowerShell\Modules\get-VTFileReport\get-VTFileReport.psm1
21+
```
22+
23+
- Line 14: Enter your API key
24+
- Sign up for your own [VirusTotal API key](https://www.virustotal.com/gui/join-us).
25+
- Mandatory parameter:
26+
- -h is for hash.
27+
- Comma separated for multiples.
28+
- Examples:
29+
30+
```PowerShell
31+
get-VTFileReport -h ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436
32+
get-VTFileReport -h 100F6AB2737F1AF0746D6650D9DDD0E4B56A9A8583DD087DF64DECA62E77F65B,614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f
33+
```
34+
35+
## The following information is returned on the screen
36+
37+
- Resource: the sha256 of what was submitted.
38+
- Scan date: last date the resource was scanned.
39+
- Positives: Number of positive results.
40+
- Total: Number of engines that have scanned the file.
41+
- Permalink: Link to VT to see more information.
42+
- Percent: Percent of positive results.
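
Review bot: The "Line 14: Enter your API key" step (new line 23) tells users to write their VirusTotal key into the .psm1 itself, and the install shortcut a few lines earlier copies that same file into $Env:ProgramFiles\WindowsPowerShell\Modules, so the key ends up in plain text in a machine-wide module directory that other local accounts can normally read. Consider documenting a way to supply the key at run time instead (for example an environment variable or an additional parameter), and note that a module edited to contain a key should not be committed or shared. Pointing at a line number is also fragile: in the script text this commit removes from README.md the `$VTApiKey = "xxxxxxxxxxx"` assignment sits on line 13, so referring to the `$VTApiKey` variable by name would stay correct as the file changes. Separately, the "Resource" bullet says the value is "the sha256 of what was submitted" while `-h` is described only as "hash"; state which hash types the function is expected to accept so the two descriptions agree.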
