virusbattle-sdk / Querying Information

ACTION: QUERY INFORMATION

To query information about a filehash use the following command:

  vbclient.py -a query [--norecursive]  arg ...

An arg in this command is a filehash. The --norecursive option tells vbclient.py not to recursively query information about all of the children. The meaning of the children of a file is described below.

Archive Files: The children of an archive file (such as zip) are the set of all files contained in that archive. VirusBattle does not maintain the directory structure of the uncompressed zip file, though it does maintain the relative path within the archive from which a file is extracted. The relative path may be used, in addition to the sha1 filehash identifiers, to match a file on VirusBattle to a specific file in the archive.

Binary files: Though a binary file is not an archive, in VirusBattle it may also have children. The children of a binary file are other binaries generated from unpacking it. A binary may have multiple children resulting from unpacking it multiple times. In most cases the children may have insignificant differences, yet they yield different hashes and hence are considered different.

The result of the query for a hash consists of a variety of information including its list of parents and children.
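To match the children reported for an archive against a local copy of that archive, you can index its members by sha1 and relative path without extracting anything. This is an added example, not part of the VirusBattle SDK: the function names are hypothetical, the sample zip is constructed, and the child hashes are assumed to have been copied by hand from a query result (no output format is assumed).

```python
import hashlib
import io
import zipfile
from collections import defaultdict

CHUNK = 1 << 16  # stream members so large files are never fully held in memory


def index_archive(zip_source):
    """Map sha1 -> sorted list of relative paths for every file in a zip.

    Members are hashed straight from the archive stream; nothing is written
    to disk, so a suspicious archive is never unpacked on the analysis host.
    """
    index = defaultdict(list)
    with zipfile.ZipFile(zip_source) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue  # directory entries are not files and have no hash
            digest = hashlib.sha1()
            with zf.open(info) as member:
                for chunk in iter(lambda: member.read(CHUNK), b""):
                    digest.update(chunk)
            index[digest.hexdigest()].append(info.filename)
    return {h: sorted(paths) for h, paths in index.items()}


def match_children(index, child_hashes):
    """Split child hashes into (matched hash -> paths, hashes not in archive)."""
    matched = {h: index[h] for h in child_hashes if h in index}
    unknown = [h for h in child_hashes if h not in index]
    return matched, unknown


def build_sample_zip():
    """Constructed sample: identical content at two paths, plus one unique file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bin/a.exe", b"constructed sample payload")
        zf.writestr("copy/a.exe", b"constructed sample payload")
        zf.writestr("docs/readme.txt", b"constructed readme")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for sha1, paths in sorted(index_archive(build_sample_zip()).items()):
        print(sha1, paths)
```

Identical content stored at two paths produces a single sha1 with two entries, which is the case where the relative path is needed to tell the members apart.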

COMMON USAGE

  1. Query info for filehash only

    vbclient.py -a query --norecursive filehash
    
  2. Recursively query info, use filehashes stored in UploadedHashes.txt

    vbclient.py -a query
    
  3. Check if a file is already on virusbattle.

    filehash=$(sha1sum filename | cut -f 1 -d ' ')
    vbclient.py -a query --norecursive "$filehash"
    
  4. Recursively query all information for a file.

    vbclient.py -a query <sha1>
    
