microsoft-symbol-server-link-gen.py

import requests
import base64
import sys

# Generates a Microsoft Symbol Server link from a filename and a file hash using VirusTotal.
# Example:
# microsoft-symbol-server-link-gen.py srv2.sys pD5a0dKSCg7Kc0g1yDyWEX8n8ogPj/niCIy4yUR7WvQ=
# Details:
# https://m417z.com/Introducing-Winbindex-the-Windows-Binaries-Index/

if len(sys.argv) != 3:
    exit(f'Usage: {sys.argv[0]} file_name file_hash_base64')

file_name, file_hash_base64 = sys.argv[1:3]

file_hash = base64.b64decode(file_hash_base64).hex()
url = 'https://www.virustotal.com/ui/files/' + file_hash
data = requests.get(url, headers={'User-Agent': 'Mozilla/1.0'}).json()

timestamp = data['data']['attributes']['pe_info']['timestamp']
timestamp = format(timestamp, '08X')

last_section = data['data']['attributes']['pe_info']['sections'][-1]
size = last_section['virtual_address'] + last_section['virtual_size']
unaligned = size & 0xFFF
if unaligned:
    size -= unaligned
    size += 0x1000
size = format(size, 'x')

url = f'https://msdl.microsoft.com/download/symbols/{file_name}/{timestamp}{size}/{file_name}'
print(url)

how to get this to work? what version of python do you need?

@m417z

It doesn't work anymore since VirusTotal added anti-automation measures to their website. You can either bypass them, or use the browser and sniff the timestamp manually with e.g. Fiddler.

ok is it possible to remove the part that has the connect to virustotal so i can get only the sha256? @m417z

how do you bypass that?

get only the sha256

Just add a line with print(file_hash) after the line:
file_hash = base64.b64decode(file_hash_base64).hex()

how do you bypass that?

They send specific headers that they check on the server. You can sniff the traffic and then send exactly the same headers as they send.

well how? i tried and python did not work connecting