Adds Koodous plugin

devildog13 · Dec 4, 2020 · 3c9be32 · 3c9be32
1 parent 054fe51
commit 3c9be32
Show file tree

Hide file tree

Showing 4 changed files with 126 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -67,6 +67,7 @@ hybrid              Requests Hybrid Analysis platform
 intel               Gather information on a domain
 ip                  Gather information on an IP address
 ipinfo              Request ipinfo.io information
+koodous             Request Koodous API
 malshare            Requests MalShare database
 misp                Get information from a MISP server through the API
 numverify           Query phone number information from NumVerify
@@ -117,6 +118,7 @@ You can get information on each command with `harpoon help COMMAND`
 * [Hybrid Analysis](https://www.hybrid-analysis.com/apikeys/info)
 * [IBM Xforce Exchange](https://exchange.xforce.ibmcloud.com/settings/api)
 * [ipinfo.io](https://ipinfo.io/)
+* [Koodous](https://koodous.com/)
 * [MalShare](https://malshare.com/register.php)
 * [NumVerify](https://numverify.com/)
 * [OpenCage](https://opencagedata.com/)

diff --git a/harpoon/commands/koodousc.py b/harpoon/commands/koodousc.py
@@ -0,0 +1,77 @@
+#! /usr/bin/env python
+import sys
+import json
+from datetime import datetime
+from harpoon.commands.base import Command
+from harpoon.lib.utils import bracket, unbracket
+from harpoon.lib.koodous import Koodous, KoodousError, KoodousNotFound
+
+
+class CommandKoodous(Command):
+    """
+    # Koodous plugin
+
+    Queries the Koodous API https://koodous.com/
+
+    * get info on a hash : `harpoon koodous hash SHA256`
+    * Download a file : `harpoon koodous dl SHA256`
+    """
+    name = "koodous"
+    description = "Request Koodous API"
+    config = {'Koodous': ['token']}
+
+    def add_arguments(self, parser):
+        subparsers = parser.add_subparsers(help='Subcommand')
+        parser_a = subparsers.add_parser('hash', help='Get info on a SHA256 hash')
+        parser_a.add_argument('HASH', help='SHA256 hash')
+        parser_a.set_defaults(subcommand='hash')
+        parser_b = subparsers.add_parser('search', help='Search in Koodous')
+        parser_b.add_argument('QUERY', help='Query')
+        parser_b.set_defaults(subcommand='search')
+        parser_c = subparsers.add_parser('dl', help='Download a sample from Koodous')
+        parser_c.add_argument('HASH', help='Sha256')
+        parser_c.set_defaults(subcommand='dl')
+        parser_d = subparsers.add_parser('analysis', help='Get a full analysis from Koodous')
+        parser_d.add_argument('HASH', help='Sha256')
+        parser_d.set_defaults(subcommand='analysis')
+        self.parser = parser
+
+    def run(self, conf, args, plugins):
+        kd = Koodous(token=conf['Koodous']['token'])
+        if 'subcommand' in args:
+            try:
+                if args.subcommand == "hash":
+                    res = kd.sha256(args.HASH)
+                    print(json.dumps(res, sort_keys=True, indent=4))
+                elif args.subcommand == "search":
+                    res = kd.search(args.QUERY)
+                    print(json.dumps(res, sort_keys=True, indent=4))
+                elif args.subcommand == "dl":
+                    data = kd.download(args.HASH)
+                    with open(args.HASH, "wb+") as f:
+                        f.write(data)
+                    print("File downlaoded as {}".format(args.HASH))
+                elif args.subcommand == "analysis":
+                    res = kd.analysis(args.HASH)
+                    print(json.dumps(res, sort_keys=True, indent=4))
+                else:
+                    self.parser.print_help()
+            except KoodousNotFound:
+                print("Not found")
+        else:
+            self.parser.print_help()
+
+    def intel(self, type, query, data, conf):
+        if type == "hash":
+            if len(query) == 64:
+                try:
+                    kd = Koodous(token=conf['Koodous']['token'])
+                    res = kd.sha256(query)
+                except KoodousError:
+                    pass
+                else:
+                    data["samples"].append({
+                        "source": "Koodous",
+                        "date": datetime.fromtimestamp(res["created_on"]),
+                        "url": "https://koodous.com/apks/" + query
+                    })
diff --git a/harpoon/data/example.conf b/harpoon/data/example.conf
@@ -140,3 +140,7 @@ intel: true
 [PulseDive]
 key:
 intel: true
+
+[Koodous]
+token:
+intel: true
diff --git a/harpoon/lib/koodous.py b/harpoon/lib/koodous.py
@@ -0,0 +1,43 @@
+import requests
+
+class KoodousError(Exception):
+    def __init__(self, message):
+        Exception.__init__(self, message)
+        self.message = message
+
+class KoodousNotFound(KoodousError):
+    pass
+
+
+class Koodous(object):
+    def __init__(self, token=None):
+        self.token = token
+        self.base_url = "https://api.koodous.com/apks"
+
+    def _query(self, url, params={}):
+        headers = {
+            "Authorization":"Token " + self.token,
+            'User-Agent': 'Harpoon (https://github.com/Te-k/harpoon)'
+        }
+        r = requests.get(self.base_url + url, params=params, headers=headers)
+        if r.status_code == 404:
+            raise KoodousNotFound()
+        elif r.status_code != 200:
+            raise KoodousError("Invalid HTTP code {} - {}".format(r.status_code, r.text))
+        return r.json()
+
+    def sha256(self, hash):
+        return self._query("/" + hash)
+
+    def search(self, query):
+        return self._query("", {'search': query})
+
+    def download(self, hash):
+        res = self._query("/" + hash + "/download")
+        r = requests.get(res["download_url"])
+        if r.status_code != 200:
+            raise KoodousError("Bad HTTP code {}".format(r.status_code))
+        return r.content
+
+    def analysis(self, hash):
+        return self._query("/" + hash + "/analysis")