Created
July 11, 2020 15:42
-
-
Save m417z/446bf0532c201cfda53ccbac16bc9f66 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import requests | |
import base64 | |
import sys | |
# Generates a Microsoft Symbol Server link from a filename and a file hash using VirusTotal. | |
# Example: | |
# microsoft-symbol-server-link-gen.py srv2.sys pD5a0dKSCg7Kc0g1yDyWEX8n8ogPj/niCIy4yUR7WvQ= | |
# Details: | |
# https://m417z.com/Introducing-Winbindex-the-Windows-Binaries-Index/ | |
if len(sys.argv) != 3: | |
exit(f'Usage: {sys.argv[0]} file_name file_hash_base64') | |
file_name, file_hash_base64 = sys.argv[1:3] | |
file_hash = base64.b64decode(file_hash_base64).hex() | |
url = 'https://www.virustotal.com/ui/files/' + file_hash | |
data = requests.get(url, headers={'User-Agent': 'Mozilla/1.0'}).json() | |
timestamp = data['data']['attributes']['pe_info']['timestamp'] | |
timestamp = format(timestamp, '08X') | |
last_section = data['data']['attributes']['pe_info']['sections'][-1] | |
size = last_section['virtual_address'] + last_section['virtual_size'] | |
unaligned = size & 0xFFF | |
if unaligned: | |
size -= unaligned | |
size += 0x1000 | |
size = format(size, 'x') | |
url = f'https://msdl.microsoft.com/download/symbols/{file_name}/{timestamp}{size}/{file_name}' | |
print(url) |
It doesn't work anymore since VirusTotal added anti-automation measures to their website. You can either bypass them, or use the browser and sniff the timestamp manually with e.g. Fiddler.
ok is it possible to remove the part that has the connect to virustotal so i can get only the sha256? @m417z
how do you bypass that?
get only the sha256
Just add a line with print(file_hash)
after the line:
file_hash = base64.b64decode(file_hash_base64).hex()
how do you bypass that?
They send specific headers that they check on the server. You can sniff the traffic and then send exactly the same headers as they send.
well how? i tried and python did not work connecting
using API is a good choice
https://developers.virustotal.com/v3.0/reference
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
how to get this to work? what version of python do you need?
@m417z