@deeso
Last active September 20, 2017 18:51
Using pyhashdd to perform malware checks when a sandbox is not available
# Hunting for MD5s on a Disk Image Using pyhashdd and Linux
0) Figure out how to mount the image (YMMV) depending on image type. Here we mount a raw disk image.
```fdisk msedge_disk.img```
output:
```
Welcome to fdisk (util-linux 2.27.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): p <----- p to print the partition table
Disk disk.img: 40 GiB, 42949672960 bytes, 83886080 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xe3546e58
Device Boot Start End Sectors Size Id Type
disk.img1 * 2048 83884031 83881984 40G 7 HPFS/NTFS/exFAT
```
1) Mount the partition read-only. Note the offset is calculated as 2048 (start sector of the partition) * 512 (sector size) = 1048576 bytes:
```sudo mount -o ro,loop,offset=1048576 disk.img clean_disk```
2) Create a clean set of hashes with pyhashdd:
```/usr/local/bin/hashdd -s -r clean_disk/ -q -a md5 > clean_hashdd_results.txt```
Unmount the clean disk once the hashing finishes:
```sudo umount clean_disk```
3) Now create a VM (if you have not already), copy the binary over, and run it however you want.
4) Shut down the VM, mount its disk image read-only, and run pyhashdd again:
```
sudo mount -o ro,loop,offset=1048576 disk-mod.img tainted_disk
/usr/local/bin/hashdd -s -r tainted_disk/ -q -a md5 > tainted_hashdd_results.txt
```
5) Find the unknown hashes with Python:
```
import json

# hashdd writes one JSON object per line; collect the md5 of every file on the clean image
with open("clean_hashdd_results.txt") as fh:
    clean_entries = [json.loads(line) for line in fh if line.strip()]
clean_md5s = {e['hashdd_md5'] for e in clean_entries if 'hashdd_md5' in e}

with open("tainted_hashdd_results.txt") as fh:
    tainted_entries = [json.loads(line) for line in fh if line.strip()]

# anything on the tainted image whose md5 never appeared on the clean image is "unknown"
unknown_entries = [e for e in tainted_entries if e.get('hashdd_md5', '') not in clean_md5s]
# deduplicate so the same payload dropped in several places is only looked up once
unknown_md5s = sorted({e['hashdd_md5'] for e in unknown_entries if 'hashdd_md5' in e})

with open("unknown_md5s.txt", 'w') as fh:
    fh.write("\n".join(unknown_md5s) + "\n")
```
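The diff in step 5 is the whole point of the exercise, so here is a more robust version of it as an added example (not code from the gist): it tolerates blank or corrupted lines in the hashdd output, skips records that carry no md5, and keeps the path(s) at which each unknown hash was seen so the analyst can tell a dropped copy from the original. The sample records are constructed; the `hashdd_md5` key is the one the gist relies on, while the `path` key is an assumption used only to make the output readable.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample output in the JSON-lines shape the gist's script expects
# (one object per line with a 'hashdd_md5' key). 'path' is an assumed key for
# readability; real pyhashdd records may use a different name for it.
CLEAN_LINES = [
    '{"hashdd_md5": "d41d8cd98f00b204e9800998ecf8427e", "path": "C:/Windows/empty.txt"}',
    '{"hashdd_md5": "9e107d9d372bb6826bd81d3542a419d6", "path": "C:/Windows/notepad.exe"}',
    '{"path": "C:/pagefile.sys"}',  # file could not be hashed: no md5 key
    '',                             # blank line
]
TAINTED_LINES = [
    '{"hashdd_md5": "d41d8cd98f00b204e9800998ecf8427e", "path": "C:/Windows/empty.txt"}',
    '{"hashdd_md5": "9e107d9d372bb6826bd81d3542a419d6", "path": "C:/Windows/notepad.exe"}',
    '{"hashdd_md5": "e4d909c290d0fb1ca068ffaddf22cbd0", "path": "C:/Users/lab/sample.exe"}',
    '{"hashdd_md5": "E4D909C290D0FB1CA068FFADDF22CBD0", "path": "C:/Windows/Temp/copy.exe"}',  # same payload, second location, upper-case hex
    'not json at all',              # corrupted line
    '{"hashdd_md5": "098f6bcd4621d373cade4e832627b4f6", "path": "C:/Users/lab/notes.txt"}',
]


def parse_hashdd_lines(lines: Iterable[str]) -> List[dict]:
    """Parse JSON-lines output, skipping blank and malformed lines instead of aborting the run."""
    records = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            print("skipping malformed line %d: %r" % (n, line[:40]))
    return records


def find_unknown(clean_lines: Iterable[str], tainted_lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return {md5: [paths]} for every hash on the tainted image that never appeared on the clean one."""
    clean_md5s = {r['hashdd_md5'].lower() for r in parse_hashdd_lines(clean_lines) if 'hashdd_md5' in r}
    unknown: Dict[str, List[str]] = {}
    for r in parse_hashdd_lines(tainted_lines):
        md5 = r.get('hashdd_md5')
        if not md5 or md5.lower() in clean_md5s:
            continue
        # normalise case so the same payload is not reported (and queried) twice
        unknown.setdefault(md5.lower(), []).append(r.get('path', '<no path>'))
    return unknown


def write_md5_list(unknown: Dict[str, List[str]], out_path: str) -> int:
    """Write the unique unknown hashes, one per line, ready for a hash checker; return the count."""
    with open(out_path, 'w') as fh:
        fh.write("\n".join(sorted(unknown)) + "\n")
    return len(unknown)


if __name__ == "__main__":
    result = find_unknown(CLEAN_LINES, TAINTED_LINES)
    for md5, paths in sorted(result.items()):
        print(md5, "->", ", ".join(paths))
    print("%d unknown hashes written" % write_md5_list(result, "unknown_md5s.txt"))
```

To use it on real output, replace the constructed lists with `open("clean_hashdd_results.txt")` and `open("tainted_hashdd_results.txt")`; the file objects iterate line by line, so nothing else changes. Keeping the paths matters: a known-good binary appearing under a new name in a temp directory is as interesting as a brand-new hash.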
6) Now run the hashes through your favorite checker (e.g. Team Cymru's MHR or VirusTotal):
```
# sudo pip install git+https://github.com/z-sean-huang/VirustotalAPI.git
import os
import time
import vtapi

# ~/.config/SECRETS holds a line of the form "vt = <api key>"; Python does not expand "~" on its own
with open(os.path.expanduser("~/.config/SECRETS")) as fh:
    config = fh.readlines()
_vt_key = [line for line in config if line.startswith('vt = ')]
vt_key = _vt_key[0].split('vt = ', 1)[1].strip()

with open("unknown_md5s.txt") as fh:
    hashes = [line.strip() for line in fh if line.strip()]

# make sure the requests are throttled according to your account's allowance
REQUEST_DELAY = 15  # seconds; the free public API allows 4 lookups per minute, adjust to your quota
vt = vtapi.VtApi(vt_key)
file_reports = {}
for h in hashes:
    fr = vt.file_report(h)
    time.sleep(REQUEST_DELAY)
    if 'positives' not in fr or fr['positives'] == 0:
        continue
    print("Hash: %s has a hit" % h)
    file_reports[h] = fr  # reuse the report already fetched instead of querying twice
```