diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index 242a6bd0..3e46a6f8 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -11,6 +11,7 @@ **バグ修正*:**
 - Hayabusa 2.8.0以上の結果で`timeline-suspicious-processes`を実行した際のクラッシュを修正した。 (#35) (@fukusuket)
+- 無効なAPIキーが指定された場合に、VirusTotalの検索でJSONパースエラーが発生する問題を修正した。(@fukusuket)
 ## 2.0.0 [2022/08/03] - [SANS DFIR Summit 2023 Release](https://www.sans.org/cyber-security-training-events/digital-forensics-summit-2023/)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6ba3a2e1..2a8176bc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ **Bug Fixes*:**
 - `timeline-suspicious-processes` would crash when Hayabusa results from version 2.8.0+ was used. (#35) (@fukusuket)
+- Fixed a JSON parsing error in VirusTotal lookups when an invalid API key was specified. (@fukusuket)
 ## 2.0.0 [2022/08/03] - [SANS DFIR Summit 2023 Release](https://www.sans.org/cyber-security-training-events/digital-forensics-summit-2023/)
diff --git a/src/takajopkg/vtDomainLookup.nim b/src/takajopkg/vtDomainLookup.nim
index acbd6f23..a3dc2652 100644
--- a/src/takajopkg/vtDomainLookup.nim
+++ b/src/takajopkg/vtDomainLookup.nim
@@ -7,12 +7,13 @@ var vtAPIDomainChannel: Channel[VirusTotalResult] # channel for receiving parall
 proc queryDomainAPI(domain:string, headers: httpheaders.HttpHeaders) {.thread.} =
 let response = get("https://www.virustotal.com/api/v3/domains/" & encodeUrl(domain), headers)
- let jsonResponse = parseJson(response.body)
+ var jsonResponse = %* {}
 var singleResultTable = newTable[string, string]()
 var malicious = false
 singleResultTable["Domain"] = domain
 singleResultTable["Link"] = "https://www.virustotal.com/gui/domain/" & domain
 if response.code == 200:
+ jsonResponse = parseJson(response.body)
 singleResultTable["Response"] = "200"
 # Parse values that need epoch time to human readable time
 singleResultTable["CreationDate"] = getJsonDate(jsonResponse, @["data", "attributes", "creation_date"])
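Review bot: The relocated `jsonResponse = parseJson(response.body)` under `if response.code == 200:` is still unguarded, so a 200 reply whose body is not JSON (truncated read, proxy or captive-portal page) raises `JsonParsingError` inside a `{.thread.}` proc, which presumably brings down the whole run rather than just this lookup. Wrap it so the failure lands in the result instead: `try: jsonResponse = parseJson(response.body) except JsonParsingError: singleResultTable["Error"] = "non-JSON body from VirusTotal"`. Separately, now that every non-200 reply leaves `jsonResponse` as `%* {}`, an invalid key (401), an exhausted quota (429) and an unknown domain (404) are told apart only by whatever the code after the hunk records from `response.code`; a mis-keyed or throttled run should abort, or at least be flagged, because otherwise it reads as "no hits" in triage output. queryDomainAPI continues beyond the hunk, so the non-200 branch is not visible here.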
diff --git a/src/takajopkg/vtHashLookup.nim b/src/takajopkg/vtHashLookup.nim
index b340f6e8..74b3e9fb 100644
--- a/src/takajopkg/vtHashLookup.nim
+++ b/src/takajopkg/vtHashLookup.nim
@@ -1,18 +1,18 @@
-# Todo: add more info useful for triage, trusted_verdict, signature info, sandbox results etc...
+# TODO: add more info useful for triage, trusted_verdict, signature info, sandbox results etc...
 # https://blog.virustotal.com/2021/08/introducing-known-distributors.html
-# TODO: # Add output not found to txt file
 var vtAPIHashChannel: Channel[VirusTotalResult] # channel for receiving parallel query results
 proc queryHashAPI(hash:string, headers: httpheaders.HttpHeaders) {.thread.} =
 let response = get("https://www.virustotal.com/api/v3/files/" & hash, headers)
- let jsonResponse = parseJson(response.body)
+ var jsonResponse = %* {}
 var singleResultTable = newTable[string, string]()
 var malicious = false
 singleResultTable["Hash"] = hash
 singleResultTable["Link"] = "https://www.virustotal.com/gui/file/" & hash
 if response.code == 200:
+ jsonResponse = parseJson(response.body)
 singleResultTable["Response"] = "200"
 # Parse values that need epoch time to human readable time
diff --git a/src/takajopkg/vtIpLookup.nim b/src/takajopkg/vtIpLookup.nim
index 44231df7..e175a5c3 100644
--- a/src/takajopkg/vtIpLookup.nim
+++ b/src/takajopkg/vtIpLookup.nim
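Review bot: Every non-200 reply now collapses into an empty `jsonResponse`, so a wrong API key, an exhausted quota and a hash VirusTotal has never seen become indistinguishable except through whatever the code after `if response.code == 200:` records from `response.code`; for analyst output that difference matters, since a throttled run otherwise looks like a clean one. VirusTotal v3 error replies normally carry a JSON error envelope, so in the non-200 path `singleResultTable["Error"] = parseJson(response.body){"error", "code"}.getStr("")`, guarded by a `try`/`except JsonParsingError` because the changelog entry shows the body is not always JSON, would surface `WrongCredentialsError` or `QuotaExceededError` directly. Unlike the domain lookup, `hash` is concatenated into the request path without `encodeUrl`, and these values are parsed from event-log results, so reject anything that is not plain hex before the request: `if not hash.allCharsInSet(HexDigits): …` (strutils). queryHashAPI continues beyond the hunk.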
@@ -4,12 +4,13 @@ var vtIpAddressChannel: Channel[VirusTotalResult] # channel for receiving parall
 proc queryIpAPI(ipAddress:string, headers: httpheaders.HttpHeaders) {.thread.} =
 let response = get("https://www.virustotal.com/api/v3/ip_addresses/" & ipAddress, headers)
- let jsonResponse = parseJson(response.body)
+ var jsonResponse = %* {}
 var singleResultTable = newTable[string, string]()
 var malicious = false
 singleResultTable["IP-Address"] = ipAddress
 singleResultTable["Link"] = "https://www.virustotal.com/gui/ip_addresses/" & ipAddress
 if response.code == 200:
+ jsonResponse = parseJson(response.body)
 singleResultTable["Response"] = "200"
 # Parse values that need epoch time to human readable time