Sunday, April 18, 2021

Getting hashes to Virus Total from an Isolated Virtual Machine




Sometimes when I am testing in a Virtual Machine (VM) I really lock down the isolation. 

No shared folders. 

No bidirectional clipboards. 

No network. 

I may be paranoid but it is 'mildly discomforting' to see malware (ransomware) under test, encrypt your shared folder and then your host AV or Bitdefender start to lose it with Virus detections. 

This usually doesn't happen but when it does you can have a cold sweat moment that somehow the malware has not only jumped to a shared folder and doing what it does best. It is normally just a detection of the encrypted file or ransom note but once I have transferred the files for testing it is a good idea to check and double check your isolation. 

At a first pass when looking for suspected malware dll or exe files I like to upload the hash or suspicious files to Virus Total or Hybrid Analysis

https://www.virustotal.com/gui/home/search

OR

https://www.hybrid-analysis.com/





However with an isolated system I am also limited by how to check the hash. I can't copy it across from the VM guest to host or check directly in a browser as I have isolated my VM. 

During this last year of Covid-19 I have used more QR codes than I have ever have so I had a thought to create a script that calculates the hash and generates a QR code that embeds the hash in the url so it will redirect to a prefilled Virus Total or Hybrid Analysis. 

I can then get the script to show the QR code on the screen and I can capture it in the host or even use a mobile phone to capture the QR to a browser .

Normally, I code in Python but thought I would punish myself and see if I could do it in Python3 and C#.

Python 3 

The python code uses a QR code generating library pyqrcode  and the hashlib library.

These can be installed using pip  

https://pypi.org/project/PyQRCode/
https://pypi.org/project/hashlib/

>pip install PyQRCode
>pip install hashlib

The general functional flow is 
1. Get filename from argument
2. Calculate SHA256 hash
3. Append SHA256 hash to url string ie 'https://www.virustotal.com/gui/file/'+ sha256_hash
4. Generate and display the QR code of this url

The python script is called from the command line using the suspicious file as an argument  to call the function with the suspect file 
> python3 qrcode_gen.py c:\abc.exe


import pyqrcode
import argparse
import hashlib
import os

BUF_SIZE = 1048576 

def calc_hashes(filename):
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()    
    with open(filename, 'rb') as fp:
        while True:
            data = fp.read(BUF_SIZE)
            if not data:
                break
    return md5.hexdigest().upper(),sha256.hexdigest().upper()

# input file to create sha256 hash
parser = argparse.ArgumentParser()
parser.add_argument('filename')
args = parser.parse_args()
md5_hash,sha265_hash=calc_hashes(args.filename)
vt_url='https://www.virustotal.com/gui/file/'+ sha265_hash
print(vt_url)
    
qr = pyqrcode.create(vt_url)
qr.show()

This QR code image will pop up in the image viewer and we can capture it with a phone camera app or QR code scanner.
 

The linked URL will then open up and we can see this was a Wannacry malware. 







C#

The C# program uses two libraries, System.Security.Cryptography to calculate the hashes and ZXing to create the QR code.

Unlike the Python version this C# requires a location to store the image that we parse to the command line program. A memory only version is underway but it is a little more complicated.

>qr_hash.exe C:\tmp\123.txt C:\tmp\123.jpg

The workflow is much the same as the python version except that it saves the QR image as a JPG then it uses a shell process to open the image in the default image viewer.


using System;
using System.Security.Cryptography;
using System.IO;
using ZXing;
using System.Drawing;
using System.Diagnostics;

namespace QR_Hash
{
    class Program
    {
        static void Main(string[] args)
        {
            if (args.Length == 2)
            {
                string filenpath = args[0];
                string imagepath = args[1];
                string hash_string;

                if (File.Exists(filenpath) == true)
                {
                    using (var sha256 = SHA256.Create())
                      
                    {
                        using (var stream = File.OpenRead(filenpath))
                        {
                            var hash = sha256.ComputeHash(stream);
                            hash_string = BitConverter.ToString(hash).Replace("-", "").ToLowerInvariant();
                        }
                    }
                    var QCwriter = new BarcodeWriter();
                    QCwriter.Format = BarcodeFormat.QR_CODE;
                    QCwriter.Options = new ZXing.Common.EncodingOptions
                    {
                        Width = 400,
                        Height = 400
                    };
                    string vt_url = "https://www.virustotal.com/gui/file/" + hash_string;
                    var result = QCwriter.Write(vt_url);
                    using (var g = Graphics.FromImage(result))
                    using (var font = new Font(FontFamily.GenericMonospace, 8))
                    using (var brush = new SolidBrush(Color.Black))
                    using (var format = new StringFormat() { Alignment = StringAlignment.Center })
                    {
                        int margin = 5, textHeight = 30;
                        var rect = new RectangleF(margin, result.Height - textHeight,
                                                  result.Width - 2 * margin, textHeight);
                        g.DrawString(vt_url, font, brush, rect, format);
                    }
                    result.Save(imagepath);
                    var p = new Process();
                    p.StartInfo = new ProcessStartInfo(@imagepath)
                    {
                        UseShellExecute = true
                    };
                    p.Start();
                    
                }
            }
         }
    }
}

This C# version also add a nice URL link to the bottom of the image 





So there you have it, 2 basic programs to help you get the hash out of a VM via the screen. Noice!

As the hex ninja says.

Finding malware now,
Is easy with QR codes,
Keep safe from malware