objective-see / KnockKnock

Enumerate persistently installed software
GNU General Public License v3.0

VirusTotal API calls failing because of user-agent string? #18

Open actualben opened 2 years ago

actualben commented 2 years ago

My VirusTotal API calls are all returning 400. But if I change the User-Agent they work.

Here's an example using httpie. I have a request body in my clipboard...

$ pbpaste; echo
[{"autostart_entry":"at.obdev.littlesnitch.networkextension","autostart_location":"System Extensions","hash":"D162ACA6017331536ECC353E95BECD662C2D4356","image_path":"\/Applications\/Little Snitch.app\/Contents\/Library\/SystemExtensions\/at.obdev.littlesnitch.networkextension.systemextension\/Contents\/MacOS\/at.obdev.littlesnitch.networkextension","creation_datetime":"2022-05-02 1:52:02 PM +0000"}]

Now I'll post it with the default User-Agent, VirusTotal:

$ pbpaste | http post 'https://www.virustotal.com/partners/sysinternals/file-reports?apikey=233f22e200ca5822bd91103043ccac138b910db79f29af5616a9afe8b6f215ad' User-Agent:VirusTotal
HTTP/1.1 400 Bad Request
Content-Length: 223
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 May 2022 11:42:37 GMT
Server: Google Frontend
X-Cloud-Trace-Context: 19a63f180767bfd118745e4f8f6aab0d

<html>
 <head>
  <title>400 Bad Request</title>
 </head>
 <body>
  <h1>400 Bad Request</h1>
  The server could not comply with the request since it is either malformed or otherwise incorrect.<br /><br />

 </body>
</html>

Now I'll try it with a different User-Agent...

$ pbpaste | http post 'https://www.virustotal.com/partners/sysinternals/file-reports?apikey=233f22e200ca5822bd91103043ccac138b910db79f29af5616a9afe8b6f215ad' User-Agent:KnockKnock
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 275
Date: Tue, 24 May 2022 11:42:42 GMT
Server: Google Frontend
X-Cloud-Trace-Context: 0bca17327a53ef4e5109c3f2f6a28031
content-type: application/json

{
    "data": [
        {
            "detection_ratio": "0/72",
            "found": true,
            "hash": "D162ACA6017331536ECC353E95BECD662C2D4356",
            "permalink": "https://www.virustotal.com/gui/file/8eb9c444d7eb2ed94a5854f8a82c39fb45f6ba541eb74b6b23906a9899f90544/detection",
            "positives": 0,
            "total": 72
        }
    ],
    "result": 1
}

Changing the User-Agent in Consts.h fixes it for me:

diff --git a/Consts.h b/Consts.h
index f0f9971..566c67d 100755
--- a/Consts.h
+++ b/Consts.h
@@ -244,7 +244,7 @@ enum Signer{None, Apple, AppStore, DevID, AdHoc};
 #define VT_API_KEY @"233f22e200ca5822bd91103043ccac138b910db79f29af5616a9afe8b6f215ad"

 //user agent
-#define VT_USER_AGENT @"VirusTotal"
+#define VT_USER_AGENT @"KnockKnock"

 //query count
 #define VT_MAX_QUERY_COUNT 25
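Review bot: the `//user agent` comment above the changed define should record why the value is now `KnockKnock` rather than `VirusTotal`, otherwise the next reader treats it as cosmetic and reverts it. The evidence is in this issue: the `/partners/sysinternals/file-reports` endpoint answered 400 with `User-Agent: VirusTotal` and 200 with `User-Agent: KnockKnock` on the same body. Suggest something like `//user agent (VT replied 400 to "VirusTotal", see issue #18)`. Since the issue also notes a second Mac works unmodified, the define change is a workaround for a cause not yet established, and the comment should say so too.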

If I build and run with the default VT_USER_AGENT I get 400s; if I build and run with a different VT_USER_AGENT it works. At the same time I have another ARM Mac on the same LAN (behind the same NAT) with the identical version of KnockKnock (according to WhatsYourSign's hashes and signature checking), but that one works unmodified. Any ideas?
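The experiment above, as an added example that is not part of the original issue or of the KnockKnock project: a small harness that builds the same POST (API key in the query string, JSON array of autostart entries as the body) once per User-Agent value and classifies each reply as a JSON report or an error page. The transport is injected, so the probe runs offline against replies transcribed from the issue; `canned_send`, `urllib_send`, the placeholder API key and the `SAMPLE_ITEMS` body are assumptions of this example, not project code.

```python
"""Probe the VirusTotal partners endpoint under several User-Agent strings.

Added example, not KnockKnock's or the issue author's code. The request shape
(apikey query parameter, JSON array body, fields per entry) follows the issue;
the transport is injected so the probe can run offline.
"""
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

VT_ENDPOINT = "https://www.virustotal.com/partners/sysinternals/file-reports"
VT_API_KEY = "YOUR_API_KEY"  # placeholder (assumption); no real key is embedded here

# Constructed sample body in the shape shown in the issue (one autostart entry).
SAMPLE_ITEMS = [{
    "autostart_entry": "at.obdev.littlesnitch.networkextension",
    "autostart_location": "System Extensions",
    "hash": "D162ACA6017331536ECC353E95BECD662C2D4356",
    "image_path": "/Applications/Little Snitch.app/Contents/Library/SystemExtensions/"
                  "at.obdev.littlesnitch.networkextension.systemextension/Contents/MacOS/"
                  "at.obdev.littlesnitch.networkextension",
    "creation_datetime": "2022-05-02 1:52:02 PM +0000",
}]


def build_request(items, user_agent, api_key=VT_API_KEY):
    """Build the POST the way the issue does: key in the query string,
    JSON array as the body, caller-chosen User-Agent header."""
    url = f"{VT_ENDPOINT}?{urlencode({'apikey': api_key})}"
    req = Request(url, data=json.dumps(items).encode("utf-8"), method="POST")
    req.add_header("User-Agent", user_agent)
    req.add_header("Content-Type", "application/json")
    return req


def classify_response(status, content_type, body):
    """Turn (status, content-type, body) into a verdict. The content type is
    checked before parsing, so an HTML 400 page is reported as an error
    instead of raising JSONDecodeError deep inside the caller."""
    if status != 200 or not content_type.lower().startswith("application/json"):
        return {"kind": "error", "status": status, "content_type": content_type}
    parsed = json.loads(body)
    reports = {}
    for entry in parsed.get("data", []):
        reports[entry["hash"].upper()] = {
            "found": entry.get("found", False),
            "positives": entry.get("positives"),
            "total": entry.get("total"),
            "permalink": entry.get("permalink"),
        }
    return {"kind": "report", "status": status,
            "result": parsed.get("result"), "reports": reports}


def probe_user_agents(items, user_agents, send):
    """POST the same body once per User-Agent and classify each reply.
    `send(req)` must return (status, content_type, body_text)."""
    return {ua: classify_response(*send(build_request(items, ua))) for ua in user_agents}


def urllib_send(req, timeout=15):
    """Real transport for online use (assumption: plain urllib is enough);
    maps urllib's HTTPError into the same triple as a success."""
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), err.read().decode("utf-8", "replace")


def canned_send(req):
    """Constructed offline transport reproducing the two replies quoted in the issue."""
    if req.get_header("User-agent", "") == "VirusTotal":
        return 400, "text/html; charset=UTF-8", "<html><head><title>400 Bad Request</title></head></html>"
    report = {"data": [{"detection_ratio": "0/72", "found": True,
                        "hash": "D162ACA6017331536ECC353E95BECD662C2D4356",
                        "permalink": "https://www.virustotal.com/gui/file/"
                                     "8eb9c444d7eb2ed94a5854f8a82c39fb45f6ba541eb74b6b23906a9899f90544/detection",
                        "positives": 0, "total": 72}], "result": 1}
    return 200, "application/json", json.dumps(report)


if __name__ == "__main__":
    for ua, verdict in probe_user_agents(SAMPLE_ITEMS, ["VirusTotal", "KnockKnock"], canned_send).items():
        print(f"{ua:12s} -> {verdict['kind']} (HTTP {verdict['status']})")
```

Swap `canned_send` for `urllib_send` to repeat the check live from a given host (for example from each of the two Macs in the issue), and keep the content-type test in `classify_response`: a client that calls `json.loads` on whatever comes back would fail on the HTML 400 page rather than report it.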