Last active August 4, 2016 22:17
operator-DD3/652c3d3f3857cf9aa36702b6ae6c316e
A simple antivirus script that computes the MD5 hash of a file and looks the hash up in the Malware Hash Registry at hash.cymru.com (Team Cymru). It depends on 'openssl' for hashing and 'whois' for the lookup.
```lua
-- Run a shell command and return its stdout. With raw=true the output is
-- returned as-is; otherwise it is trimmed and newlines are collapsed to spaces.
function os.capture(cmd, raw)
  local f = assert(io.popen(cmd, 'r'))
  local s = assert(f:read('*a'))
  f:close()
  if raw then return s end
  s = string.gsub(s, '^%s+', '')
  s = string.gsub(s, '%s+$', '')
  s = string.gsub(s, '[\n\r]+', ' ')
  return s
end

-- Quote one argument for the POSIX shell, so a file name such as
-- "x; rm -rf ~" is hashed literally instead of being executed by io.popen.
local function shell_quote(s)
  return "'" .. string.gsub(s, "'", "'\\''") .. "'"
end

--get hash
local file = arg[1]
if file == nil then io.stderr:write("usage: lua " .. arg[0] .. " <file>\n") os.exit(1) end
-- `openssl md5 <file>` prints "MD5(<file>)= <hex digest>"; keep the trailing digest.
local out = os.capture("openssl md5 " .. shell_quote(file))
local hash = string.match(out, "(%x+)$")
if hash == nil then io.stderr:write("could not hash " .. file .. ": " .. out .. "\n") os.exit(1) end

--send hash to hash.cymru.com
-- The registry answers "<hash> <epoch> <detection%>", with NO_DATA in the last
-- column for an unknown hash; anchor on our own hash to skip the "#" header line.
local result = os.capture("whois -h hash.cymru.com " .. hash)
local rtime, rresult = string.match(result, hash .. "%s+(%d+)%s+(%S+)")
if rtime == nil then
  io.stderr:write("unexpected reply from hash.cymru.com: " .. result .. "\n")
  os.exit(1)
end
print("Last Seen: " .. os.date("%c", tonumber(rtime)))
if rresult == "NO_DATA" then
  print("Malware: Negative")
else
  print("Malware found in: " .. file .. " (detection rate " .. rresult .. "%)")
end
```
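The same lookup in Python, added here as an example and not part of the gist: hashing is done in-process with hashlib (so no file name is ever handed to a shell, the weakness of building a `popen` command line from `arg[1]`), MD5, SHA-1 and SHA-256 are all computed in one pass, and the MHR reply is parsed with the header line and malformed lines skipped instead of matched by a loose pattern. Assumptions: the bulk `begin`/`end` request form on TCP/43 (the single-hash form is what `whois -h hash.cymru.com <hash>` sends), and `SAMPLE_RESPONSE` is a constructed reply, not real registry output; the detection percentage in it is made up.

```python
"""Hash a file and check it against Team Cymru's Malware Hash Registry (MHR)."""
import hashlib
import socket
from typing import Dict, Iterable, Optional, Tuple

MHR_HOST = "hash.cymru.com"  # the whois host the Lua script queries
MHR_PORT = 43
ALGOS = ("md5", "sha1", "sha256")

# (last_seen_epoch, detection_percent); detection is None when the registry says NO_DATA
MhrResult = Tuple[Optional[int], Optional[int]]


def digests_of_bytes(data: bytes) -> Dict[str, str]:
    """Lowercase hex digests of an in-memory buffer for every algorithm in ALGOS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def file_digests(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file once and feed every chunk to all three hashers."""
    hashes = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def build_bulk_query(digests: Iterable[str]) -> bytes:
    """Bulk request body: one hash per line between 'begin' and 'end' (assumed MHR bulk form)."""
    lines = ["begin", *(d.strip().lower() for d in digests), "end"]
    return ("\n".join(lines) + "\n").encode("ascii")


def parse_mhr_response(text: str) -> Dict[str, MhrResult]:
    """Parse reply lines of the form '<hash> <epoch> <detection%|NO_DATA>'.

    Lines beginning with '#' are the server's column header; anything that is not
    exactly three fields is ignored rather than guessed at.
    """
    results: Dict[str, MhrResult] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split()
        if len(parts) != 3:
            continue
        h, epoch, detection = parts
        seen = int(epoch) if epoch.isdigit() else None
        hits = int(detection) if detection.isdigit() else None  # NO_DATA -> None
        results[h.lower()] = (seen, hits)
    return results


def query_mhr(digests: Iterable[str], timeout: float = 10.0) -> Dict[str, MhrResult]:
    """Send the bulk query over TCP/43 and parse the reply (needs network access)."""
    with socket.create_connection((MHR_HOST, MHR_PORT), timeout=timeout) as sock:
        sock.sendall(build_bulk_query(digests))
        reply = bytearray()
        while True:
            data = sock.recv(4096)
            if not data:
                break
            reply += data
    return parse_mhr_response(reply.decode("ascii", errors="replace"))


def verdict(digests: Dict[str, str], results: Dict[str, MhrResult]) -> str:
    """One-line verdict like the Lua script's: a hit on any algorithm's digest is positive."""
    for name, d in digests.items():
        seen, pct = results.get(d, (None, None))
        if pct is not None:
            return f"Malware: Positive ({name} {d}, {pct}% detection, last seen epoch {seen})"
    return "Malware: Negative"


# Constructed reply (not real MHR output) covering both outcomes the script branches on:
# the MD5 of an empty file as unknown, and a second hash with a made-up detection rate.
SAMPLE_RESPONSE = """\
# Hash               Time(epoch)  Detection%
d41d8cd98f00b204e9800998ecf8427e 1470346620 NO_DATA
44d88612fea8a8f36de82e1278abb02f 1470346620 87
"""

if __name__ == "__main__":
    import sys
    d = file_digests(sys.argv[1])
    print(verdict(d, query_mhr(d.values())))
```

Run it as `python3 mhr.py <file>`; `parse_mhr_response(SAMPLE_RESPONSE)` exercises the parser offline. A whole-file digest still only matches a sample the registry has already seen byte-for-byte, which is the limitation the signed comment below is about.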
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Need to update the 'scanning' mechanism. Very rarely is malware found by itself, rather it is usually attached to some other legitimate program. So each file needs multiple hashes of different portions of the file.
-----BEGIN PGP SIGNATURE-----
iIUEARMKAC0mHE9wZXJhdG9yLUREMyA8b3BlcmF0b3IuZGQzQGdtYWlsLmNvbT4F
AlejvtsACgkQfjLOjTbRwZpl2wEA+0mUoc8lO0RLMhMU18R0IaKju2vLNC3jgndX
oeWZ1qMA/2rF6V6/DZpfKWmahhZVeK9li20YOwzB5WM77tfqGcFF
=VvpS
-----END PGP SIGNATURE-----