Clone wiki

virusbattle-sdk / Downloading Files

ACTION: DOWNLOAD FILE

To download a file from VirusBattle, vbclient.py provides the following command:

  vbclient.py -a download [--norecursive] [-o outdir] [--enable_malware_download] [--downloadall] [--zipbinary] arg ...

The command may be used to download VirusBattle analyses output and/or uploaded binaries. The download command first queries VirusBattle server for file information, and downloads a file only if it is not an executable or an archive containing executable. It saves the downloaded files in the directory outdir (which defaults to Results). A downloaded file is named using it's file identifier (sha1) along with the file extension that may identify the type of analyses that created it.

By default, vbclient.py prevents download of any executable files, including unpacker output and archives that may contain executable files. To enable downloading of unpacker output, use --enable_malware_download to explicitly allow unpacker output to be downloaded.

Though vbclient.py by default supports downloading only analyses results, it also has the capability to download all other files. The option --downloadall instructs vbclient.py to download all the files, including archive files and binary.pe32 files.

Note: executables and archives with executable will still be stopped unless --enable_malware_download is used.

The --norecursive option, as before, disables recursive traversal. When this is NOT specified, --downloadall and --enable_malware_download will download all of files in the entire tree, starting from a parent. That means, it will download the top archive, and then each file in the archive as well. If any of the file is an archive, it will recursively download its content as well. Such recursive downloading, if done without thought, may download tons of data on your machine and exhaust your disk space. So it ought to be used with care.

If you want to download unpacked files and other executable files in compressed archive format, use --zipbinary. This will tell virusbattle server to compress all binary files into respective .zip files before sending them out client side.

In general, the files created from download are given extensions, such as, .zip, .7z, .exe, etc., consistent with their object_class.

COMMON USAGE

  1. Recursively download analyses files of an executable with hash filehash (into default Results directory).

    vbclient.py -a download filehash
    

    Unpacked files are not downloaded.

  2. Recursively download analyses files of an executable with hash filehash including the unpacked files (into default Results directory).

    vbclient.py -a download --enable_malware_download filehash
    

    Unpacked files are also downloaded.

  3. Recursively download all analyses output for all executables in an archive with hash ziphash excluding unpacked files.

    vbclient.py -a download ziphash
    
  4. Recursively download all analyses output for all executables in an archive with hash ziphash excluding unpacked files.

    vbclient.py -a download --enable_malware_download ziphash
    
  5. Download unpacked files in compressed archive format.

    vbclient.py -a download --enable_malware_download --zipbinary <sha1>
    
  6. Download analyses files in the directory myoutdir.

    vbclient.py -a download --enable_malware_download --outdir=myoutdir <sha1>
                or
    vbclient.py -a download -o myoutdir <sha1>
    
  7. Download analyses files along with original files.

    vbclient.py -a download --enable_malware_download --downloadall [--zipbinary] <sha1>
    

Generate Mappings for downloaded files

While one can easily parse the json output of the query results to identify each files' connection to the top level uploaded file, an easier way is to use the map option to generate mappings.

    vbclient.py -a map [-o Output-directory] arg1 arg2 ...

The arguments here are the filehashes for which you need the mappings. If no argument is provided, we take input from the listfile. By default, this will create map files in the Results directory, unless you specify an alternative output-path using the -o (or --outdir) option.

The mappings are csv files named by as service-name.csv where the service name is the name of the service which produced the output file. The csv files are in the format Input-filehash,Output-filehash.

Updated