From 3c8fa15e28f44065b0b4d5b6420a969d8a01e537 Mon Sep 17 00:00:00 2001
From: Eric Conrad
Date: Wed, 28 Jun 2023 13:23:02 -0400
Subject: [PATCH] Update DeepBlueHash-checker.ps1 Updated for Virustotal API key v3
---
 DeepBlueHash-checker.ps1 | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/DeepBlueHash-checker.ps1 b/DeepBlueHash-checker.ps1
index 090e684..002eef8 100644
--- a/DeepBlueHash-checker.ps1
+++ b/DeepBlueHash-checker.ps1
@@ -1,9 +1,14 @@
-# Requires Posh-VirusTotal: https://github.com/darkoperator/Posh-VirusTotal
+# Requires VirusTotalAnalyzer: https://github.com/darkoperator/Posh-VirusTotal
 #
 # Plus a (free) VirusTotal API Key: https://www.virustotal.com/en/documentation/public-api/
 #
+Import-Module VirusTotalAnalyzer -Force
+
+# API KEY can be found once you register to Virus Total service (it's free)
+$VTApi = ''
+
 $hashdirectory = ".\hashes"
-$safelistfile=".\file-safelist.csv"
+$safelistfile=".\safelists\win10-x64.csv"
 # Load the safelist into a hash table
 if (Test-Path $safelistfile){
 $safelist = Get-Content $safelistfile | Select-String '^[^#]' | ConvertFrom-Csv
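Review bot: The empty `$VTApi = ''` added near the top invites each analyst to paste a live VirusTotal key into a script that is tracked in the repository, where it is easy to commit or pass along by accident. Reading the key from the environment and failing early keeps the secret out of the file, for example `$VTApi = $env:VT_API_KEY` followed by `if (-not $VTApi) { throw 'VT_API_KEY is not set' }` (the variable name is a constructed example). The rewritten header comment also names VirusTotalAnalyzer while still linking to the Posh-VirusTotal repository, which presumably does not ship the `Get-VirusReport` cmdlet used later. The link should point at the source of the module that `Import-Module` actually loads, and the same stale link remains in the catch block of the second hunk.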
@@ -21,32 +26,30 @@ Get-ChildItem $hashdirectory | Foreach-Object{ } Else{ try{ - $VTreport = Get-VTFileReport $SHA256 + $VTreport = Get-VirusReport -ApiKey $VTApi -Hash "$SHA256" } catch { - Write-Host "`r`nAttempted to run: Get-VTFileReport $SHA256`r`r" + Write-Host "`r`nAttempted to run: Get-Virusreport $SHA256`r`r" Write-Host "Error: " $_.Exception.Message "`n" - Write-Host "Have you installed Posh-VirusTotal and set the VirusTotal API key?" + Write-Host "Have you installed VirusTotalAnalyzer and set the VirusTotal API key?" Write-Host " - See: https://github.com/darkoperator/Posh-VirusTotal`r`n" - Write-Host "Once you have installed Posh-VirusTotal and have a VirusTotal API key, run the following command:`r`n" - Write-Host "Set-VTAPIKey -APIKey `r`n" Write-Host "Exiting...`n" exit } - if ($VTreport.positives -eq 0){ + $positives=$VTreport.Data.attributes.last_analysis_stats.malicious + if ($positives -eq 0){ # File is clean Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.clean" } - ElseIf ($VTreport.positives -gt 0){ + ElseIf ($positives -gt 0){ # File is flagged by Virustotal - $positives=$VTreport.positives Write-Host " - Hash was detected by $positives Virustotal scanners" if ($positives -eq 1){ Write-Host " - Don't Panic (yet)! There is only one positive, which may be a sign of a false positive." Write-Host " - Check the VirusTotal report for more information." } Write-Host " - See $hashdirectory\$SHA256.Virustotal for the full report`r`n" - $VTreport | Set-Content "$hashdirectory\$SHA256.Virustotal" + $VTreport.Data.attributes | Set-Content "$hashdirectory\$SHA256.Virustotal" # Rename original hash file, add the Virustotal positive count as a numbered extension # $SHA256.$positives Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.$positives"
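Review bot: The new `$positives` is read only from `last_analysis_stats.malicious`, so a hash that engines rate as suspicious but not malicious is renamed to `.clean`. A hash with no report data would presumably leave `$positives` as `$null`, which matches neither the `-eq 0` nor the `-gt 0` branch and is skipped without any message. For triage, an unknown hash is a finding in its own right and should be reported. I would bind `$stats=$VTreport.Data.attributes.last_analysis_stats`, add `if ($null -eq $stats){ Write-Host " - $SHA256 has no VirusTotal report"; return }`, and decide whether `$stats.suspicious` should count toward `$positives`. Whether `Get-VirusReport` throws on an unknown hash, which would send the run into the catch block and `exit` on the first miss, is not visible here and is worth confirming; the enclosing `Foreach-Object` and `Else` blocks start and end outside this hunk.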