
@raspiduino
Created July 5, 2024 10:16
VirusTotal detection API from ProcessExplorer

Disclaimer

  • I (@raspiduino/gvl610) DID NOT do any reverse engineering of Process Explorer. This API had appeared multiple times on the Internet before I wrote this.
  • This API key is not intended for any use outside of the Process Explorer program itself.
  • I take absolutely NO responsibility for any damage and/or problems that may occur when using this API.
  • DON'T ABUSE this API.

The API itself

The basic call is as follows. You can use curlconverter to convert it to any programming language you like.

curl -X POST 'https://www.virustotal.com/partners/sysinternals/file-reports?apikey=[api_key]' -H 'User-Agent: VirusTotal' -H 'Content-Type: application/json' -d '[{"autostart_entry": "", "autostart_location": "", "creation_datetime": "[YYYY-MM-DD HH:MM:SS]", "hash": "[any hash type, default SHA-256]", "image_path": "C:\\file\\path.exe"}]'

The body is a JSON array, so several files can be looked up in one request. A literal backslash inside image_path is written as \\, because JSON treats a lone \ as the start of an escape sequence and a strict parser rejects sequences such as \f or \P.

All of these fields are required. If any of them is missing, the request still succeeds but every file comes back with 0 detections, including known malware, so a truncated payload is indistinguishable from a clean result. Check that each entry carries every field before trusting a 0.

Field               Meaning
apikey              VirusTotal API key, passed as a query-string parameter
autostart_entry     Sent as an empty string in the examples here
autostart_location  Sent as an empty string in the examples here
creation_datetime   Creation date of the file. Format is YYYY-MM-DD HH:MM:SS
hash                Hash of the file; any hash type works, SHA-256 by default
image_path          Full path of the file on disk

Example

Working example (as of the time of writing):

curl -X POST 'https://www.virustotal.com/partners/sysinternals/file-reports?apikey=[redacted]' -H 'User-Agent: VirusTotal' -H 'Content-Type: application/json' -d '[{"autostart_entry": "", "autostart_location": "", "creation_datetime": "2024-06-13 13:07:46", "hash": "3bdd447101d108dec57da58b8b043019fa422081017a153d49e2a2f2e89d043d", "image_path": "C:\\Program Files\\Sublime Text\\sublime_text.exe"}]'

Output (one object per submitted hash; found, positives, total, detection_ratio and permalink are the fields worth reading):

{"result": 1, "data": [{"hash": "3bdd447101d108dec57da58b8b043019fa422081017a153d49e2a2f2e89d043d", "found": true, "permalink": "https://www.virustotal.com/gui/file/3bdd447101d108dec57da58b8b043019fa422081017a153d49e2a2f2e89d043d/detection", "positives": 1, "total": 78, "detection_ratio": "1/78"}]}
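The following Python client is an added example and not part of the gist. It builds the same request array the curl command sends, with json.dumps doing the backslash escaping, fills creation_datetime in the required format from a file's metadata, refuses to send an entry that is missing a field (the failure mode that silently yields 0 detections), and parses the response. The network call is isolated in one function; everything else runs offline against a sample response constructed from the output above. The meaning assumed for found=false (no report for that hash) is an assumption, not something the gist states.

```python
import hashlib
import json
import urllib.request
from datetime import datetime
from pathlib import Path

ENDPOINT = "https://www.virustotal.com/partners/sysinternals/file-reports"
TIME_FMT = "%Y-%m-%d %H:%M:%S"  # YYYY-MM-DD HH:MM:SS, the only format the endpoint accepts

# Every one of these must be present in every entry; if one is missing the service
# still answers, but with 0 detections for everything, so we check before sending.
REQUIRED_FIELDS = ("autostart_entry", "autostart_location", "creation_datetime", "hash", "image_path")


def sha256_of_file(path):
    """Hex SHA-256 of a file, streamed so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def file_entry(image_path, digest, created):
    """One element of the request array; `created` is a datetime."""
    return {
        "autostart_entry": "",
        "autostart_location": "",
        "creation_datetime": created.strftime(TIME_FMT),
        "hash": digest,
        "image_path": image_path,
    }


def entry_for_local_file(path):
    """Build an entry for a file on disk from its hash and creation time."""
    p = Path(path)
    st = p.stat()
    # st_birthtime exists on macOS and recent Python on Windows; older Windows
    # builds report the creation time in st_ctime instead.
    created = datetime.fromtimestamp(getattr(st, "st_birthtime", st.st_ctime))
    return file_entry(str(p), sha256_of_file(p), created)


def build_body(entries):
    """Serialise the request array, rejecting incomplete entries instead of sending them."""
    for e in entries:
        missing = [k for k in REQUIRED_FIELDS if k not in e]
        if missing:
            raise ValueError(f"entry {e.get('hash')!r} is missing {missing}")
    return json.dumps(entries)  # escapes backslashes in image_path as \\


def query(api_key, entries):
    """Send the request (network call; not exercised offline)."""
    req = urllib.request.Request(
        f"{ENDPOINT}?apikey={api_key}",
        data=build_body(entries).encode(),
        headers={"User-Agent": "VirusTotal", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def parse_reports(response):
    """Map hash -> (positives, total, permalink). Assumption: found=false means no report."""
    if response.get("result") != 1:
        raise RuntimeError(f"unexpected result code {response.get('result')!r}")
    reports = {}
    for item in response.get("data", []):
        if item.get("found"):
            reports[item["hash"]] = (item["positives"], item["total"], item["permalink"])
        else:
            reports[item["hash"]] = None
    return reports


# Constructed sample input and response, taken from the worked example in the gist.
SAMPLE_HASH = "3bdd447101d108dec57da58b8b043019fa422081017a153d49e2a2f2e89d043d"
SAMPLE_ENTRY = file_entry(
    "C:\\Program Files\\Sublime Text\\sublime_text.exe",
    SAMPLE_HASH,
    datetime(2024, 6, 13, 13, 7, 46),
)
SAMPLE_RESPONSE = {
    "result": 1,
    "data": [{
        "hash": SAMPLE_HASH,
        "found": True,
        "permalink": f"https://www.virustotal.com/gui/file/{SAMPLE_HASH}/detection",
        "positives": 1,
        "total": 78,
        "detection_ratio": "1/78",
    }],
}

if __name__ == "__main__":
    print(build_body([SAMPLE_ENTRY]))
    print(parse_reports(SAMPLE_RESPONSE))
```

To look up a real file, replace SAMPLE_ENTRY with entry_for_local_file(path) and pass the list to query(api_key, ...); the returned dict maps each hash to its detection counts.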

Where is the API key?

Again, DO NOT abuse it

Go to CyberChef and apply the REVERSE of the recipe shown in the screenshot (image not reproduced here) to these bytes:

e1 ed f6 d3 67 dd 6d ef 79 dd de b6 f1 fe b9 d3 6d bd 69 fe 5b dd e6 f8 f5 c7 78 e9 bd 9d dd b7 de e7 9e 3a 69 ed dc e5 f6 b8 f1 be 79 e1 ed 1c

You should get the key.
