iocutil.rs
IoC utilities for malware researchers
Usage
Add the following line to the `[dependencies]` section of your Cargo.toml:
="0.1"
and import in your Rust code
use *;
How does it help you?
Hash manipulation
// use SampleHash to manage a hash.
// it validates that the input is a well-formed sha256 / sha1 / md5 hex digest (format check only — it says nothing about whether the hash is known to any service).
let a1 = new.unwrap;
// you can use the sample! macro for literals. It panics on invalid input, so use it only for hard-coded constants; for hashes coming from files, network or user input use the fallible constructor above and handle the error.
let a1 = sample!;
let a2 = sample!;
// comparison ignores case (upper- and lower-case hex digests are equal)
assert_eq!;
// find all hash-like tokens in a text (only the format is checked, so matches are candidates, not confirmed indicators)
let text = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, D41D8CD98F00B204E9800998ECF8427E";
let found: = find;
assert_eq!;
assert!;
assert!;
// deduplicate a list of hashes
let targets = vec!;
let unique: = uniquify;
assert_eq!;
// SampleHash is compatible with &str (it implements AsRef<str>)
test;
Calculate hashes
// use ContentHash to bundle the hashes (sha256 / sha1 / md5) of one piece of content
// calculate the hashes of a file's content
let c = of_file.unwrap;
println!;
// calculate the hashes of any reader (anything implementing std::io::Read) by copying it through a Hasher
let mut hasher = new;
let mut res = get.unwrap;
copy.unwrap;
let c: ContentHash = hasher.digests;
println!;
Scrape from a URL
// fetch the content at a URL and extract hash-like tokens from it.
// only the text of <article> elements is scanned (falling back to <body> if none is found).
// the fetched page is untrusted remote content: treat the result as candidate indicators to be verified, not as vetted IoCs.
let hashes: = scrape.unwrap;
hashes
.into_iter
.for_each;
API Clients
VirusTotal
// read the API key from the environment variable `VTAPIKEY` (keep keys out of source control and command-line history)
let client = default;
// search for samples first seen within the last week (limited to 300 samples).
// this requires a private API key and consumes one request per 300 hashes.
let samples: = client.search.unwrap;
samples.into_iter.for_each;
// retrieve the file report for a hash
let report = client
.query_filereport
.unwrap;
Other features:
- download a file (this retrieves the sample itself, which may be live malware — only do this in an isolated analysis environment)
- allinfo report
- etc.
AlienVault OTX
// read the API key from the environment variable `OTX_APIKEY`
let client = default;
// get pulses modified within the last week
let pulses: = client.pulses_from.unwrap;
// extract the hash indicators from each pulse
pulses
.into_iter
.inspect
.map
.flat_map
.for_each
Other features:
- query a hash indicator
Future work
- add API clients for reverse.it and other services
- support other IoC types (such as IPs and URLs)
- documentation
Author
- 0x75960 0x75960@strelka.cc