mlget
What is it?
Use mlget to query multiple sources for a given malware hash and download the sample. The purpose is to save the time of querying each source individually.
Currently queried:
- tg (Triage)
- mb (MalwareBazaar)
- ms (Malshare)
- ha (HybridAnalysis)
- vt (VirusTotal)
- cp (Cape Sandbox)
- mw (Malware Database)
- ps (PolySwarm)
- iq (InquestLabs)
Only Malware Bazaar needs no key; all the others require an API key. The config file must be placed in the user's home directory (essentially wherever os.UserHomeDir() resolves to).
Building
Assuming golang is installed and this repo is checked out, just run:
go get -u
go mod tidy
go build
This compiles the application from the cloned directory; run it as ./mlget.
Setting up the config
Run mlget on the command line with no flags and let it generate the yaml config template.
> ./mlget
Config does not exist. Create config? [Y|n]
Press Enter and it will create the config, .mlget.yml, in the user's home directory.
Created /home/dir/.mlget.yml. Make sure to fill out the API keys for the services you want to use.
No hashes found
mlget - A command line tool to download malware from a variety of sources
Usage: ./mlget [OPTIONS] hash_arguments...
--comment strings Add comment to the sample when uploading to your own instance of MWDB.
--config Parse and print the config file
--from string The service to download the malware from.
Must be one of:
- tg (Triage)
- mb (Malware Bazaar)
- ms (Malshare)
- ha (HybirdAnlysis)
- vt (VirusTotal)
- cp (Cape Sandbox)
- mw (Malware Database)
- ps (PolySwarm)
- iq (InquestLabs)
If omitted, all services will be tried.
--help Print the help message
--noextraction Do not extract malware from archive file.
Currently this only effects MalwareBazaar and HybridAnalysis
--output Write to a file the hashes not found (for later use with the --read flag)
--read string Read in a file of hashes (one per line)
--readupdate string Read hashes from file to download. Replace entries in the file with just the hashes that were not found (for next time).
--tag strings Tag the sample when uploading to your own instance of MWDB.
--upload Upload downloaded files to the MWDB instance specified in the mlget.yml file.
--uploaddelete Upload downloaded files to the MWDB instance specified in the mlget.yml file.
Delete the files after successful upload
Example Usage: mlget <sha256>
Example Usage: mlget --from mb <sha256>
Example Usage: mlget --tag tag_one --tag tag_two --uploaddelete <sha256> <sha1> <md5>
Fill in the API keys where needed. If a service has no API key, it will be skipped.
malshare:
  api: ""
  host: https://malshare.com
malwarebazar:
  host: https://mb-api.abuse.ch/api/v1
mwdb:
  api: ""
  host: https://mwdb.cert.pl/api
virustotal:
  api: ""
  host: https://www.virustotal.com/api/v3
triage:
  api: ""
  host: https://api.tria.ge/v0
hybridanalysis:
  api: ""
  host: https://www.hybrid-analysis.com/api/v2
polyswarm:
  api: ""
  host: https://api.polyswarm.network/v2
capesandbox:
  api: ""
  host: https://www.capesandbox.com/apiv2
inquestlabs:
  api: ""
  host: https://labs.inquest.net/api
uploadtomwdb:
  api: ""
  host: ""
If you want to use a private MWDB instance to upload files, fill in the last entry, uploadtomwdb. All the other entries are used only for downloading.
Recommended setup
When uploadtomwdb is configured
Add an alias mapping mlget to mlget --uploaddelete --readupdate /path/to/malware_download_tracker.txt
When uploadtomwdb is not configured
Add an alias mapping mlget to mlget --readupdate /path/to/malware_download_tracker.txt
Usage examples
Download from all sources
mlget e6ba5de3a9b0287291def0317789b871fa1984a11021d55d3a0371c6d65a872b 1c7897a902b35570a9620c64a2926cd5d594d4ff5a033e28a400981d14516600
Multiple hashes can be passed.
Download from a specific source
mlget --from tg e6ba5de3a9b0287291def0317789b871fa1984a11021d55d3a0371c6d65a872b 1c7897a902b35570a9620c64a2926cd5d594d4ff5a033e28a400981d14516600
Hashes from a file
Hashes can be read from the command line and from a file (one hash per line) at the same time.
mlget --read hashes.txt e6ba5de3a9b0287291def0317789b871fa1984a11021d55d3a0371c6d65a872b 1c7897a902b35570a9620c64a2926cd5d594d4ff5a033e28a400981d14516600
Record the hashes not found for next time
This writes the hashes that were not found to a new file.
mlget --read hashes.txt --output e6ba5de3a9b0287291def0317789b871fa1984a11021d55d3a0371c6d65a872b 1c7897a902b35570a9620c64a2926cd5d594d4ff5a033e28a400981d14516600
This updates the current file so that it contains only the hashes that were not found.
mlget --readupdate download.txt e6ba5de3a9b0287291def0317789b871fa1984a11021d55d3a0371c6d65a872b 1c7897a902b35570a9620c64a2926cd5d594d4ff5a033e28a400981d14516600
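The --read, --output and --readupdate workflow above, as an added Go example that is not mlget's own code: it parses a one-hash-per-line tracker file, rejects any line that is not a hex digest of MD5, SHA1 or SHA256 length, deduplicates, and computes the not-found remainder that --readupdate would write back. The found set is constructed for illustration; no service is queried.

```go
package main

import (
	"bufio"
	"encoding/hex"
	"strings"
)

// hashLen maps hex digest length to algorithm (the three kinds the README shows mlget accepting).
var hashLen = map[int]string{32: "md5", 40: "sha1", 64: "sha256"}

// hashKind classifies a candidate before any service is queried; "" means reject the line.
func hashKind(s string) string {
	if _, err := hex.DecodeString(s); err != nil {
		return ""
	}
	return hashLen[len(s)]
}

// parseHashList reads a one-hash-per-line body (the --read file format),
// lowercasing entries and dropping blanks, duplicates and malformed lines.
func parseHashList(body string) (hashes, rejected []string) {
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		line := strings.ToLower(strings.TrimSpace(sc.Text()))
		if line == "" {
			continue
		}
		if hashKind(line) == "" {
			rejected = append(rejected, line)
		} else if !seen[line] {
			seen[line] = true
			hashes = append(hashes, line)
		}
	}
	return hashes, rejected
}

// remaining mirrors --readupdate: keep only the hashes no service returned,
// so the tracker file is rewritten with the work still outstanding.
func remaining(hashes []string, found map[string]bool) []string {
	out := []string{}
	for _, h := range hashes {
		if !found[h] {
			out = append(out, h)
		}
	}
	return out
}
```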
Other commands
mlget --help
mlget - A command line tool to download malware from a variety of sources
Usage: ./mlget [OPTIONS] hash_arguments...
--comment strings Add comment to the sample when uploading to your own instance of MWDB.
--config Parse and print the config file
--from string The service to download the malware from.
Must be one of:
- tg (Triage)
- mb (Malware Bazaar)
- ms (Malshare)
- ha (HybirdAnlysis)
- vt (VirusTotal)
- cp (Cape Sandbox)
- mw (Malware Database)
- ps (PolySwarm)
- iq (InquestLabs)
If omitted, all services will be tried.
--help Print the help message
--noextraction Do not extract malware from archive file.
Currently this only effects MalwareBazaar and HybridAnalysis
--output Write to a file the hashes not found (for later use with the --read flag)
--read string Read in a file of hashes (one per line)
--readupdate string Read hashes from file to download. Replace entries in the file with just the hashes that were not found (for next time).
--tag strings Tag the sample when uploading to your own instance of MWDB.
--upload Upload downloaded files to the MWDB instance specified in the mlget.yml file.
--uploaddelete Upload downloaded files to the MWDB instance specified in the mlget.yml file.
Delete the files after successful upload
Example Usage: mlget <sha256>
Example Usage: mlget --from mb <sha256>
Example Usage: mlget --tag tag_one --tag tag_two --uploaddelete <sha256> <sha1> <md5>
License
MIT License
Copyright (c) 2021 @xorhex
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.