iocutil 0.1.3

IoC utilities for malware researchers
Documentation

iocutil.rs

IoC utilities for malware researchers

usage

add trailing config into [dependencies] your Cargo.toml

iocutil="0.1"

and import in your Rust code

use iocutil::prelude::*;

how it helps you?

hash

manipulation

// use SampleHash to manage a hash.
// it validate hash (sha256 / sha1 / md5).
let a1 = SampleHash::new("d41d8cd98f00b204e9800998ecf8427e").unwrap();

// you can use sample! macro for literals (it will panic if you specify invalid input)
let a1 = sample!("d41d8cd98f00b204e9800998ecf8427e");

let a2 = sample!("D41D8CD98F00B204E9800998ECF8427E");

// ignore case
assert_eq!(a1, a2);

// find hashes in text
let text = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, D41D8CD98F00B204E9800998ECF8427E";
let found: HashSet<_> = SampleHash::find(text);

assert_eq!(found.len(), 2);
assert!(found.contains(&sample!(
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
)));
assert!(found.contains(&sample!("d41d8cd98f00b204e9800998ecf8427e")));

// uniquify hashes
let targets = vec![
    "d41d8cd98f00b204e9800998ecf8427e",
    "D41D8CD98F00B204E9800998ECF8427E",
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
];

let unique: Vec<_> = SampleHash::uniquify(targets);
assert_eq!(unique.len(), 3);

// SampleHash is compatible with &str (it implements AsRef<str>)
fn test(x: impl AsRef<str>) {
    println!("{}", x.as_ref());
}

test(sample!(
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
));

calculate hash

// use ContentHash to bundle of hashes(sha256 / sha1 / md5)

// calculate hashes of file content
let c = ContentHash::of_file(r"C:\Windows\notepad.exe").unwrap();
println!("notepad.exe => {:?}", c);

// calculate hashes of arbitrary content which implements std::io::Read with Hasher
let mut hasher = Hasher::new();
let mut res = reqwest::get("https://example.com/").unwrap();
std::io::copy(&mut res, &mut hasher).unwrap();

let c: ContentHash = hasher.digests();
println!("example.com => {:?}", c);

scrape from url

// get content from url and extract hashes.
// this targets only text in article elements (or body if not found)
let hashes: Vec<_> = SampleHash::scrape(
    "https://www.malware-traffic-analysis.net/2019/05/20/index.html"
    ).unwrap();

hashes
    .into_iter()
    .for_each(|x| println!("{}", x));

API Clients

VirusTotal

// read apikey from environment variable `$VTAPIKEY`
let client = VirusTotalClient::default();

// search new samples for recent one week(limit 300 samples)
// this requires private API. It consume a request per 300 hashes.
let samples: Vec<_> = client.search(
        fs!(at!(1, days ago) =>),
        Some(300)
    ).unwrap();

samples.into_iter().for_each(|x| println!("{}", x));

// retrieve a file report
let report = client
    .query_filereport(sample!("d41d8cd98f00b204e9800998ecf8427e"))
    .unwrap();

other features:

  • download file
  • allinfo report
  • etc.

AlienVault OTX

// read apikey from environment variable `$OTX_APIKEY`
let client = AlienVaultOTXClient::default();

// get pulses modified in recent one week
let pulses: Vec<Pulse> = client.pulses_from(at!(1, weeks ago)).unwrap();

// extract hashes from each pulse
pulses
    .into_iter()
    .inspect(|x| println!("\n# {}\n", x.name))
    .map(|x| x.into())
    .flat_map(|x: Vec<SampleHash>| x)
    .for_each(|x: SampleHash| println!("* {}", x))

other features:

  • query a hash indicator

future work

  • add api clients for reverse.it and so on

  • support other IoCs (like IPs, URLs)

  • documentation

Author