4个版本
| 0.1.3 | 2019年11月13日 |
|---|---|
| 0.1.2 | 2019年11月9日 |
| 0.1.1 | 2019年11月8日 |
| 0.1.0 | 2019年11月8日 |
#1011 in 密码学
75KB
1.5K SLoC
iocutil.rs
为恶意软件研究人员提供的IoC实用工具
用法
将配置追加到您的 [dependencies] Cargo.toml
iocutil="0.1"
并在您的Rust代码中导入
use iocutil::prelude::*;
它能帮您做什么?
哈希
操作
// use SampleHash to manage a hash.
// it validate hash (sha256 / sha1 / md5).
let a1 = SampleHash::new("d41d8cd98f00b204e9800998ecf8427e").unwrap();
// you can use sample! macro for literals (it will panic if you specify invalid input)
let a1 = sample!("d41d8cd98f00b204e9800998ecf8427e");
let a2 = sample!("D41D8CD98F00B204E9800998ECF8427E");
// ignore case
assert_eq!(a1, a2);
// find hashes in text
let text = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, D41D8CD98F00B204E9800998ECF8427E";
let found: HashSet<_> = SampleHash::find(text);
assert_eq!(found.len(), 2);
assert!(found.contains(&sample!(
"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
)));
assert!(found.contains(&sample!("d41d8cd98f00b204e9800998ecf8427e")));
// uniquify hashes
let targets = vec![
"d41d8cd98f00b204e9800998ecf8427e",
"D41D8CD98F00B204E9800998ECF8427E",
"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"DA39A3EE5E6B4B0D3255BFEF95601890AFD80709",
"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
];
let unique: Vec<_> = SampleHash::uniquify(targets);
assert_eq!(unique.len(), 3);
// SampleHash is compatible with &str (it implements AsRef<str>)
fn test(x: impl AsRef<str>) {
println!("{}", x.as_ref());
}
test(sample!(
"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
));
计算哈希
// use ContentHash to bundle of hashes(sha256 / sha1 / md5)
// calculate hashes of file content
let c = ContentHash::of_file(r"C:\Windows\notepad.exe").unwrap();
println!("notepad.exe => {:?}", c);
// calculate hashes of arbitrary content which implements std::io::Read with Hasher
let mut hasher = Hasher::new();
let mut res = reqwest::get("https://example.com/").unwrap();
std::io::copy(&mut res, &mut hasher).unwrap();
let c: ContentHash = hasher.digests();
println!("example.com => {:?}", c);
从URL抓取
// get content from url and extract hashes.
// this targets only text in article elements (or body if not found)
let hashes: Vec<_> = SampleHash::scrape(
"https://www.malware-traffic-analysis.net/2019/05/20/index.html"
).unwrap();
hashes
.into_iter()
.for_each(|x| println!("{}", x));
API客户端
VirusTotal
// read apikey from environment variable `$VTAPIKEY`
let client = VirusTotalClient::default();
// search new samples for recent one week(limit 300 samples)
// this requires private API. It consume a request per 300 hashes.
let samples: Vec<_> = client.search(
fs!(at!(1, days ago) =>),
Some(300)
).unwrap();
samples.into_iter().for_each(|x| println!("{}", x));
// retrieve a file report
let report = client
.query_filereport(sample!("d41d8cd98f00b204e9800998ecf8427e"))
.unwrap();
其他功能
- 下载文件
- 所有信息报告
- 等等。
AlienVault OTX
// read apikey from environment variable `$OTX_APIKEY`
let client = AlienVaultOTXClient::default();
// get pulses modified in recent one week
let pulses: Vec<Pulse> = client.pulses_from(at!(1, weeks ago)).unwrap();
// extract hashes from each pulse
pulses
.into_iter()
.inspect(|x| println!("\n# {}\n", x.name))
.map(|x| x.into())
.flat_map(|x: Vec<SampleHash>| x)
.for_each(|x: SampleHash| println!("* {}", x))
其他功能
- 查询哈希指示器
未来工作
-
添加api客户端以支持反向.it等。
-
支持其他IoC(如IP、URL)
-
文档
作者
- 0x75960 [email protected]
依赖关系
~28MB
~566K SLoC