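# DeepBlueHash-checker.ps1
#
# Triage a directory of SHA256 hash files. Each file in $hashdirectory whose
# name is a 64-character hex SHA256 is either:
#   - matched against a local safelist and renamed "<hash>.safelisted", or
#   - looked up on VirusTotal and renamed "<hash>.clean" when no engine flagged
#     it, or "<hash>.<positives>" with the report saved as "<hash>.Virustotal".
#
# Note: every hash that is not safelisted is sent to VirusTotal, which tells a
# third party which files were present on the examined host; make sure the
# safelist is as complete as practical before running this on sensitive data.
#
# Requires VirusTotalAnalyzer: https://github.com/EvotecIT/VirusTotalAnalyzer
#
# Plus a (free) VirusTotal API Key: https://www.virustotal.com/en/documentation/public-api/
#
Import-Module VirusTotalAnalyzer -Force

# API KEY can be found once you register to Virus Total service (it's free).
# It is read from the VT_API_KEY environment variable when set, so the key does
# not have to be committed into this file; the literal below is only a fallback.
$VTApi = if ($env:VT_API_KEY) { $env:VT_API_KEY } else { '<Your API Key>' }
$hashdirectory = ".\hashes"
$safelistfile = ".\safelists\win10-x64.csv"

# Seconds to wait between VirusTotal lookups; public API keys are rate-limited.
$vtDelaySeconds = 15

# Load the safelist into a hash table (sha256 -> path).
# Initialised unconditionally so the ContainsKey lookup below does not fail on a
# null value when no safelist file exists.
$hashes = @{}
if (Test-Path $safelistfile) {
    # Lines starting with '#' are comments in the CSV and are skipped.
    $safelist = Get-Content $safelistfile | Select-String '^[^#]' | ConvertFrom-Csv
    foreach ($entry in $safelist) {
        $hashes[$entry.sha256] = $entry.path
    }
}
else {
    Write-Warning "Safelist $safelistfile not found; every hash will be submitted to VirusTotal."
}

if (-not (Test-Path $hashdirectory -PathType Container)) {
    Write-Error "Hash directory $hashdirectory not found."
    exit 1
}

# -File: skip subdirectories; the renamed outputs never match the bare-hash
# pattern below, so re-running the script does not re-submit them.
Get-ChildItem -Path $hashdirectory -File | ForEach-Object {
    # SHA256 hashes are 64-character hex strings; -notmatch is case-insensitive.
    if ($_.Name -notmatch '^[0-9A-F]{64}$') { return }
    $SHA256 = $_.Name
    $hashfile = Join-Path $hashdirectory $SHA256

    if ($hashes.ContainsKey($SHA256)) {
        Rename-Item -Path $hashfile -NewName "$SHA256.safelisted"
        return
    }

    try {
        $VTreport = Get-VirusReport -ApiKey $VTApi -Hash "$SHA256"
    }
    catch {
        Write-Host "`r`nAttempted to run: Get-VirusReport $SHA256`r`n"
        Write-Host "Error: " $_.Exception.Message "`n"
        Write-Host "Have you installed VirusTotalAnalyzer and set the VirusTotal API key?"
        Write-Host " - See: https://github.com/EvotecIT/VirusTotalAnalyzer`r`n"
        Write-Host "Exiting...`n"
        exit 1
    }

    $positives = $VTreport.Data.attributes.last_analysis_stats.malicious
    if ($null -eq $positives) {
        # Unknown hash or an unexpected response shape: say so and leave the
        # file untouched so it is retried on the next run instead of being
        # silently skipped.
        Write-Warning " - No analysis stats returned for $SHA256; leaving it for a later run."
    }
    elseif ($positives -eq 0) {
        # File is clean
        Rename-Item -Path $hashfile -NewName "$SHA256.clean"
    }
    elseif ($positives -gt 0) {
        # File is flagged by Virustotal
        Write-Host " - Hash was detected by $positives Virustotal scanners"
        if ($positives -eq 1) {
            Write-Host " - Don't Panic (yet)! There is only one positive, which may be a sign of a false positive."
            Write-Host " - Check the VirusTotal report for more information."
        }
        Write-Host " - See $hashfile.Virustotal for the full report`r`n"
        $VTreport.Data.attributes | Set-Content "$hashfile.Virustotal"
        # Rename original hash file, add the Virustotal positive count as a numbered extension
        # $SHA256.$positives
        Rename-Item -Path $hashfile -NewName "$SHA256.$positives"
    }
    # Wait between submissions, for public Virustotal API keys
    Start-Sleep -Seconds $vtDelaySeconds
}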