VirusTotal / vt-py

The official Python 3 client library for VirusTotal
https://virustotal.github.io/vt-py/
Apache License 2.0

VT APIError when converting response to JSON #136

Closed tlansec closed 1 year ago

tlansec commented 1 year ago

This might lie on the service side; if so, feel free to close as is. But using the same PoC script I outlined in the previous issue here:

https://github.com/VirusTotal/vt-py/issues/135

If I let it run past the exception in that issue, you'll find that you get a second exception like this when parsing the JSON response:

Traceback (most recent call last):
  File "C:\Users\tomla\Desktop\tmp2\poc.py", line 36, in <module>
    hashes += test(s)
  File "C:\Users\tomla\Desktop\tmp2\poc.py", line 24, in test
    for obj in it:
  File "C:\Users\tomla\AppData\Local\Programs\Python\Python310\lib\site-packages\vt\iterator.py", line 124, in __next__
    return make_sync(self.__anext__())
  File "C:\Users\tomla\AppData\Local\Programs\Python\Python310\lib\site-packages\vt\utils.py", line 27, in make_sync
    return event_loop.run_until_complete(future)
  File "C:\Users\tomla\AppData\Local\Programs\Python\Python310\lib\asyncio\base_events.py", line 649, in run_until_complete
    return future.result()
  File "C:\Users\tomla\AppData\Local\Programs\Python\Python310\lib\site-packages\vt\iterator.py", line 132, in __anext__
    self._items, self._meta = await self._get_batch_async()
  File "C:\Users\tomla\AppData\Local\Programs\Python\Python310\lib\site-packages\vt\iterator.py", line 112, in _get_batch_async
    json_resp = await self._client.get_json_async(
  File "C:\Users\tomla\AppData\Local\Programs\Python\Python310\lib\site-packages\vt\client.py", line 518, in get_json_async
    return await self._response_to_json(response)
  File "C:\Users\tomla\AppData\Local\Programs\Python\Python310\lib\site-packages\vt\client.py", line 273, in _response_to_json
    raise error
vt.error.APIError: ('InvalidArgumentError', 'Trying to find \'$\': AND, \'\\(\', NOT, \'androguard:\', \'androguard_package:\', \'attack_technique:\', \'attack_tactic:\', \'authentihash:\', \'behash:\', \'behaviour:|behavior:\', \'behaviour_files:|behavior_files:\', \'behaviour_network:|behavior_network:\', \'behaviour_processes:|behavior_processes:\', \'behaviour_injected_processes:|behavior_injected_processes:\', \'behaviour_created_processes:|behavior_created_processes:\', \'behaviour_registry:|behavior_registry:\', \'behaviour_services:|behavior_services:\', \'behaviour_tag:|behaviour_tags:|behavior_tag:|behavior_tags:\', \'capability_tag:\', \'clue:|clue_rule:\', \'collection:\', \'comment:\', \'comment_author:\', \'contacted_ip:|contacted_ips:\', \'content:|content-experimental:\', \'cp:|children_positives:\', \'creation_date:|gen:|generated:|pets:|petimestamp:\', \'crowdsourced_ids:\', \'crowdsourced_yara_rule:|yara_rule:\', \'detectiteasy:\', \'dns_lookup_count:\', \'have:|has:\', \'email_subject:\', \'embedded_domain:|embedded_domains:\', \'embedded_ip:|embedded_ips:\', \'embedded_url:|embedded_urls:\', \'entity:\', \'ep:|entry_point:\', \'exports:\', \'firstsource:\', \'fs:\', \'goresym:\', \'http_conversation_count:\', \'imphash:\', \'imports:\', \'ip_traffic_count:\', \'itw:|in_the_wild:\', \'la:\', \'lang:|language:\', \'ls:\', \'magic:\', \'main_icon_dhash:\', \'main_icon_md5:\', \'malware_config:\', \'metadata:\', \'name:|filename:\', \'netguid:\', \'packer:\', \'rich_pe_header_hash:\', \'p:|positives:\', \'related_threat_actor:\', \'reputation:\', \'resource:|peresource:\', \'sandbox_name:\', \'scan_timeout:\', \'section:\', \'sectionmd5:\', \'segment:\', \'sha256:\', \'sigcheck:|signature:\', \'sigma_critical:\', \'sigma_high:\', \'sigma_low:\', \'sigma_medium:\', \'sigma_rule:\', \'sigma_ruleset:\', \'similar-to:\', \'winden-similar-to:\', \'size:\', \'source:\', \'ssdeep:\', \'s:|submissions:\', \'first_submitter:\', \'submitter:\', \'subspan:\', 
\'suggested_threat_label:\', \'tag:\', \'telfhash:\', \'tlsh:\', \'traffic:\', \'trid:\', \'type:\', \'us:|sources:\', \'vhash:\', ENGINE_VERDICT_COUNT, ENGINE_NAME, \'"\', \'\\\'\', NAKED_STRING, OR, \'$\', \'\\)\', got \'\\)\'')

I expect this is a VT API side bug rather than a bug in the client, but the error message doesn't make it clear to me which side is really at fault, so raising here for now.

mgmacias95 commented 1 year ago

Hello @tlansec,

That error is on your script, the latest query you did to the server was:

elastic:Bishopsliver) AND fs:2023-02-19+

which is incorrect.

To fix it, change this line:

            "elastic:Bishopsliver) AND fs:2023-02-19+",

for this:

            "(elastic:Bishopsliver) AND fs:2023-02-19+",

I hope this helps.

Regards, Marta
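As an added example (not code from vt-py or from either participant): a local pre-flight check that would have flagged the unbalanced query before the request was sent and the `InvalidArgumentError` came back. The names `check_parentheses`, `is_well_formed` and `QuerySyntaxError` are assumed here, and treating double- and single-quoted spans (with backslash escapes) as opaque is an assumption about the search grammar, based only on the `'"'` and `'\''` tokens listed in the error message.

```python
"""Pre-flight check for a VT Intelligence search string (added example).
vt-py only surfaces an unbalanced ')' after the round-trip, as
APIError('InvalidArgumentError', "... got ')'"); checking locally saves the
request.  Quoted strings may contain ')' so quotes and escapes are tracked."""


class QuerySyntaxError(ValueError):
    """Raised locally for an unbalanced query (hypothetical helper name)."""


def check_parentheses(query: str) -> None:
    """Raise QuerySyntaxError if parentheses outside quotes are unbalanced."""
    depth = 0
    quote = None  # quote char while inside a quoted string, else None
    i = 0
    while i < len(query):
        ch = query[i]
        if quote:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise QuerySyntaxError(f"unexpected ')' at offset {i}: {query!r}")
        i += 1
    if quote:
        raise QuerySyntaxError(f"unterminated {quote} string: {query!r}")
    if depth:
        raise QuerySyntaxError(f"{depth} unclosed '(' in: {query!r}")


def is_well_formed(query: str) -> bool:
    """True/False wrapper around check_parentheses."""
    try:
        check_parentheses(query)
    except QuerySyntaxError:
        return False
    return True


if __name__ == "__main__":
    # The query from the issue and the corrected one from the reply.
    for q in ("elastic:Bishopsliver) AND fs:2023-02-19+",
              "(elastic:Bishopsliver) AND fs:2023-02-19+"):
        print(is_well_formed(q), q)
```

Running the check before `client.iterator()` turns the server-side parser error into a local exception that names the offset of the stray parenthesis.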