From 3df44c0c1ffa106bc0b1b87d36c87c611ec07246 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Sun, 17 Sep 2023 21:50:28 +0900
Subject: [PATCH 1/2] fix: json parse error when vt look up failed
---
 src/takajopkg/vtDomainLookup.nim | 3 ++-
 src/takajopkg/vtHashLookup.nim | 6 +++---
 src/takajopkg/vtIpLookup.nim | 3 ++-
 3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/takajopkg/vtDomainLookup.nim b/src/takajopkg/vtDomainLookup.nim
index acbd6f23..a3dc2652 100644
--- a/src/takajopkg/vtDomainLookup.nim
+++ b/src/takajopkg/vtDomainLookup.nim
@@ -7,12 +7,13 @@ var vtAPIDomainChannel: Channel[VirusTotalResult] # channel for receiving parall
 proc queryDomainAPI(domain:string, headers: httpheaders.HttpHeaders) {.thread.} =
 let response = get("https://www.virustotal.com/api/v3/domains/" & encodeUrl(domain), headers)
- let jsonResponse = parseJson(response.body)
+ var jsonResponse = %* {}
 var singleResultTable = newTable[string, string]()
 var malicious = false
 singleResultTable["Domain"] = domain
 singleResultTable["Link"] = "https://www.virustotal.com/gui/domain/" & domain
 if response.code == 200:
+ jsonResponse = parseJson(response.body)
 singleResultTable["Response"] = "200"
 # Parse values that need epoch time to human readable time
 singleResultTable["CreationDate"] = getJsonDate(jsonResponse, @["data", "attributes", "creation_date"])
diff --git a/src/takajopkg/vtHashLookup.nim b/src/takajopkg/vtHashLookup.nim
index b340f6e8..74b3e9fb 100644
--- a/src/takajopkg/vtHashLookup.nim
+++ b/src/takajopkg/vtHashLookup.nim
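Review bot: The guard added after `if response.code == 200:` still lets `parseJson` raise `JsonParsingError` when a 200 reply carries a non-JSON body (a proxy or captive-portal page, a truncated download), and nothing in the hunk catches it inside the `{.thread.}` proc; the same pattern is in the vtHashLookup.nim and vtIpLookup.nim hunks. I would wrap the parse in a `try`/`except JsonParsingError` and branch the result handling on whether a parse actually succeeded rather than on the status code alone, as sketched below. The remainder of `queryDomainAPI`, including how non-200 codes are recorded, lies outside the hunk, so the `else` side of that branch would need to absorb the new failure case. A short comment on the initialiser, e.g. `# empty until a 200 reply parses cleanly`, would also make the fallback intent explicit, and `newJObject()` reads more directly than `%* {}`.
```nim
    var jsonResponse = newJObject()
    var parsed = false  # true only when a 200 reply carried parseable JSON
    # … unchanged: singleResultTable setup …
    if response.code == 200:
        try:
            jsonResponse = parseJson(response.body)
            parsed = true
        except JsonParsingError:
            discard  # leave jsonResponse empty; reported like a failed lookup
    if parsed:
        singleResultTable["Response"] = "200"
        # … unchanged: field extraction …
```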
@@ -1,18 +1,18 @@
-# Todo: add more info useful for triage, trusted_verdict, signature info, sandbox results etc...
+# TODO: add more info useful for triage, trusted_verdict, signature info, sandbox results etc...
 # https://blog.virustotal.com/2021/08/introducing-known-distributors.html
-# TODO: # Add output not found to txt file
 var vtAPIHashChannel: Channel[VirusTotalResult] # channel for receiving parallel query results
 proc queryHashAPI(hash:string, headers: httpheaders.HttpHeaders) {.thread.} =
 let response = get("https://www.virustotal.com/api/v3/files/" & hash, headers)
- let jsonResponse = parseJson(response.body)
+ var jsonResponse = %* {}
 var singleResultTable = newTable[string, string]()
 var malicious = false
 singleResultTable["Hash"] = hash
 singleResultTable["Link"] = "https://www.virustotal.com/gui/file/" & hash
 if response.code == 200:
+ jsonResponse = parseJson(response.body)
 singleResultTable["Response"] = "200"
 # Parse values that need epoch time to human readable time
diff --git a/src/takajopkg/vtIpLookup.nim b/src/takajopkg/vtIpLookup.nim
index 44231df7..e175a5c3 100644
--- a/src/takajopkg/vtIpLookup.nim
+++ b/src/takajopkg/vtIpLookup.nim
@@ -4,12 +4,13 @@ var vtIpAddressChannel: Channel[VirusTotalResult] # channel for receiving parall
 proc queryIpAPI(ipAddress:string, headers: httpheaders.HttpHeaders) {.thread.} =
 let response = get("https://www.virustotal.com/api/v3/ip_addresses/" & ipAddress, headers)
- let jsonResponse = parseJson(response.body)
+ var jsonResponse = %* {}
 var singleResultTable = newTable[string, string]()
 var malicious = false
 singleResultTable["IP-Address"] = ipAddress
 singleResultTable["Link"] = "https://www.virustotal.com/gui/ip_addresses/" & ipAddress
 if response.code == 200:
+ jsonResponse = parseJson(response.body)
 singleResultTable["Response"] = "200"
 # Parse values that need epoch time to human readable time
From c312d90f6d85d860920ac4d7c322a794f7112fb2 Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Tue, 19 Sep 2023 08:09:50 +0900
Subject: [PATCH 2/2] update changelog
---
 CHANGELOG-Japanese.md | 1 +
 CHANGELOG.md | 1 +
 2 files changed, 2 insertions(+)
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index 242a6bd0..3e46a6f8 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -11,6 +11,7 @@
 **バグ修正*:**
 - Hayabusa 2.8.0以上の結果で`timeline-suspicious-processes`を実行した際のクラッシュを修正した。 (#35) (@fukusuket)
+- 無効なAPIキーが指定された場合に、VirusTotalの検索でJSONパースエラーが発生する問題を修正した。(@fukusuket)
 ## 2.0.0 [2022/08/03] - [SANS DFIR Summit 2023 Release](https://www.sans.org/cyber-security-training-events/digital-forensics-summit-2023/)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6ba3a2e1..2a8176bc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@
 **Bug Fixes*:**
 - `timeline-suspicious-processes` would crash when Hayabusa results from version 2.8.0+ was used. (#35) (@fukusuket)
+- Fixed a JSON parsing error in VirusTotal lookups when an invalid API key was specified. (@fukusuket)
 ## 2.0.0 [2022/08/03] - [SANS DFIR Summit 2023 Release](https://www.sans.org/cyber-security-training-events/digital-forensics-summit-2023/)