# virusbattle-sdk / Downloading Files
ACTION: DOWNLOAD FILE
To download a file from VirusBattle, vbclient.py provides the following command:

```
vbclient.py -a download [--norecursive] [-o outdir] [--enable_malware_download] [--downloadall] [--zipbinary] arg ...
```
The command may be used to download VirusBattle analysis output and/or uploaded binaries. The download command first queries the VirusBattle server for file information and downloads a file only if it is not an executable or an archive containing an executable. It saves the downloaded files in the directory outdir (which defaults to Results). A downloaded file is named using its file identifier (sha1) along with a file extension that may identify the type of analysis that created it.
By default, vbclient.py prevents the download of any executable files, including unpacker output and archives that may contain executable files. Use --enable_malware_download to explicitly allow unpacker output to be downloaded.
Though vbclient.py by default downloads only analysis results, it can also download all other files. The option --downloadall instructs vbclient.py to download all files, including archive files and binary.pe32 files. Note: executables and archives containing executables will still be blocked unless --enable_malware_download is also used.
The --norecursive option, as before, disables recursive traversal. When it is NOT specified, --downloadall and --enable_malware_download download every file in the entire tree starting from the parent: the top archive, then each file in that archive, and, if any of those files is itself an archive, its contents as well, recursively. Such recursive downloading, if done without thought, may pull a very large amount of data onto your machine and exhaust your disk space, so it should be used with care.
If you want unpacked files and other executable files delivered in compressed archive format, use --zipbinary. This tells the VirusBattle server to compress each binary file into its own .zip file before sending it to the client.
In general, the files created by download are given extensions, such as .zip, .7z, .exe, etc., consistent with their object_class.
### COMMON USAGE
- Recursively download analysis files of an executable with hash filehash (into the default Results directory). Unpacked files are not downloaded.
  `vbclient.py -a download filehash`
- Recursively download analysis files of an executable with hash filehash, including the unpacked files (into the default Results directory). Unpacked files are also downloaded.
  `vbclient.py -a download --enable_malware_download filehash`
- Recursively download all analysis output for all executables in an archive with hash ziphash, excluding unpacked files.
  `vbclient.py -a download ziphash`
- Recursively download all analysis output for all executables in an archive with hash ziphash, including unpacked files.
  `vbclient.py -a download --enable_malware_download ziphash`
- Download unpacked files in compressed archive format.
  `vbclient.py -a download --enable_malware_download --zipbinary <sha1>`
- Download analysis files into the directory myoutdir.
  `vbclient.py -a download --enable_malware_download --outdir=myoutdir <sha1>` or `vbclient.py -a download -o myoutdir <sha1>`
- Download analysis files along with the original files.
  `vbclient.py -a download --enable_malware_download --downloadall [--zipbinary] <sha1>`
### Generate Mappings for downloaded files
While one can parse the json output of the query results to identify each file's connection to the top-level uploaded file, an easier way is to use the map option to generate mappings:

```
vbclient.py -a map [-o Output-directory] arg1 arg2 ...
```

The arguments are the filehashes for which you need the mappings. If no argument is provided, input is taken from the listfile. By default, this creates map files in the Results directory, unless you specify an alternative output path using the -o (or --outdir) option.

The mappings are csv files named service-name.csv, where the service name is the name of the service that produced the output file. Each csv file is in the format Input-filehash,Output-filehash.
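As an added example (not part of the virusbattle-sdk), the following Python reads the service-name.csv map files described above, recovers every file derived from a top-level hash (with a depth limit that mirrors --norecursive), and traces any output file back to the file it was uploaded from. It assumes each csv holds Input-filehash,Output-filehash rows and tolerates an optional header row of the same text; the map contents and hashes are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample map files; the hashes are placeholders, not real sha1 values.
SAMPLE_MAPS = {
    "unzip.csv": "Input-filehash,Output-filehash\n"
                 "archive1,exe1\narchive1,exe2\narchive1,inner_zip\ninner_zip,exe3\n",
    "unpacker.csv": "Input-filehash,Output-filehash\nexe1,unpacked1\n",
    "peinfo.csv": "Input-filehash,Output-filehash\nexe1,peinfo1\nexe3,peinfo3\n",
}


def parse_maps(maps):
    """Return {input_hash: [(output_hash, service)]}; a header row is skipped."""
    edges = defaultdict(list)
    for name, text in maps.items():
        service = name[:-4] if name.endswith(".csv") else name
        for row in csv.reader(io.StringIO(text)):
            if len(row) == 2 and row[0] != "Input-filehash":
                edges[row[0].strip()].append((row[1].strip(), service))
    return edges


def lineage(edges, root, max_depth=None):
    """Map each file derived from root to (depth, services along the path).
    max_depth=1 mirrors --norecursive (direct outputs only); the check
    against `found` also stops the walk if the map data contains a cycle.
    """
    found, stack = {}, [(root, 0, [])]
    while stack:
        parent, depth, path = stack.pop()
        if max_depth is not None and depth >= max_depth:
            continue
        for child, service in edges.get(parent, []):
            if child != root and child not in found:
                found[child] = (depth + 1, path + [service])
                stack.append((child, depth + 1, path + [service]))
    return found


def top_level_parent(edges, filehash):
    """Follow Output -> Input links back to the originally uploaded file."""
    parents = {c: p for p, outs in edges.items() for c, _ in outs}
    seen = set()
    while filehash in parents and filehash not in seen:
        seen.add(filehash)
        filehash = parents[filehash]
    return filehash
```

To use it on a real Results directory, read each *.csv there into the dictionary in place of SAMPLE_MAPS; the same functions then tell you, for any downloaded <sha1>.<ext>, which uploaded file it descends from and through which services.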