malwaredb-virustotal 0.2.3

Logic and datatypes for interacting with VirusTotal
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210

use chrono::serde::ts_seconds_option;
use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};
use std::collections::HashMap;

/// Fields and information unique to PE32 files
/// [https://virustotal.readme.io/reference/pe_info]
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct PEInfo {
    /// Rich Header, which may reveal compiler information
    #[serde(default)]
    pub rich_pe_header_hash: Option<String>,

    /// When the program was compiled, can be spoofed
    #[serde(default, with = "ts_seconds_option")]
    pub timestamp: Option<DateTime<Utc>>,

    /// Compiler information, if available
    #[serde(default)]
    pub compiler_product_versions: Vec<String>,

    /// Starting point for execution
    pub entry_point: u64,

    /// CPU target for this program
    pub machine_type: u32,

    /// Import hash
    /// [https://www.mandiant.com/resources/blog/tracking-malware-import-hashing]
    pub imphash: String,

    /// Section information
    #[serde(default)]
    pub sections: Vec<PESection>,

    /// Imports by .dll
    #[serde(default)]
    pub import_list: Vec<PEImports>,

    /// Anything else not capture by this struct
    #[serde(flatten)]
    pub extra: HashMap<String, serde_json::Value>,
}

/// PE section information
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct PESection {
    /// Section name
    pub name: String,

    /// Chi-Square metric
    pub chi2: f32,

    /// Address when loaded
    pub virtual_address: u64,

    /// Entropy
    pub entropy: f32,

    /// Size on disk
    pub raw_size: u64,

    /// Flags: executable, readable, writable
    pub flags: String,

    /// Size in memory
    pub virtual_size: u64,

    /// MD5 hash of the section
    pub md5: String,
}

/// Functions imported from a given .dll
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct PEImports {
    /// .dll name
    pub library_name: String,

    /// Function names
    #[serde(default)]
    pub imported_functions: Vec<String>,
}

/// PE data related for .Net (CLR) binaries
/// [https://virustotal.readme.io/reference/dot_net_assembly]
pub mod dotnet {
    use super::*;

    /// .Net specific information for a PE32 file
    #[derive(Clone, Debug, Serialize, Deserialize)]
    pub struct DotNetAssembly {
        /// Entry point relative virtual address
        pub entry_point_rva: u64,

        /// Metadata header relative virtual address
        pub metadata_header_rva: u64,

        /// Assembly name
        pub assembly_name: String,

        /// Assembly flags
        pub assembly_flags: u32,

        /// Relative Virtual Address of the strong name signature hash
        pub strongname_va: u32,

        /// Simplified representation of tables_rows_map
        pub tables_rows_map_log: String,

        /// Other assemblies used by this sample
        pub external_assemblies: HashMap<String, ExternalAssembly>,

        /// Type definition list
        #[serde(default)]
        pub type_definition_list: Vec<TypeDefinition>,

        /// Entry point of the program
        pub entry_point_token: u64,

        /// Hex presentation of the tables_rows_map
        pub tables_rows_map: String,

        /// Human-readable version of assembly flags
        pub assembly_flags_txt: String,

        /// Information about assembly streams
        pub streams: HashMap<String, Stream>,

        /// Number of tables present
        pub tables_present: u32,

        /// Hex value of present tables bitmap
        pub tables_present_map: String,

        /// Version of the Common Language Runtime
        pub clr_version: String,

        /// Version of the Common Language Runtime metadata
        pub clr_meta_version: String,

        /// basic data about the assembly manifest
        pub assembly_data: AssemblyData,

        /// Resources Virtual Address
        pub resources_va: u64,
    }

    /// Assembly version
    #[derive(Clone, Debug, Serialize, Deserialize)]
    pub struct ExternalAssembly {
        /// Assembly version
        pub version: String,
    }

    /// Type definition and namespace
    #[derive(Clone, Debug, Serialize, Deserialize)]
    pub struct TypeDefinition {
        /// type definitions
        #[serde(default)]
        pub type_definitions: Vec<String>,

        /// Type namespace
        pub namespace: String,
    }

    /// Stats about the stream
    #[derive(Clone, Debug, Serialize, Deserialize)]
    pub struct Stream {
        /// Stream chi2
        pub chi2: f32,

        /// Stream size
        pub size: u64,

        /// Stream entropy
        pub entropy: f32,

        /// MD-5 hash of the stream
        pub md5: String,
    }

    /// Assembly information
    #[derive(Clone, Debug, Serialize, Deserialize)]
    pub struct AssemblyData {
        /// Assembly major version
        pub majorversion: u64,

        /// Assembly minor version
        pub minorversion: u64,

        /// Id of hash used when signed
        pub hashalgid: u64,

        /// Specific characteristics of the assembly, such as x86, AMD64; human-readable
        #[serde(default)]
        pub flags_text: Option<String>,

        /// Build number
        pub buildnumber: u64,

        /// Specific characteristics of the assembly, such as x86, AMD64
        pub flags: u64,

        /// Revision number
        pub revisionnumber: u64,

        /// Assembly name
        pub name: String,
    }
}