Description
This server provides a lookup mechanism to test an executable file against a list of known software applications.

GET Interface
The GET interface can be used to obtain details on a single MD5 or SHA1 hash:
http://bin-test.shadowserver.org/api?md5=0E53C14A3E48D94FF596A2824307B492
http://bin-test.shadowserver.org/api?sha1=000000206738748EDD92C4E3D2E823896700F849

If the hash provided matches an entry in our database, the details will be displayed after the provided hash on a single line:

0E53C14A3E48D94FF596A2824307B492 {"source": "NIST", "filename": "00br2026.gif", "crc32": "AA6A7B16", "product_name": "Gallery", "mfg_name": "Corel Corporation", "os_name": "Windows NT", "language": "English", "product_version": "750,000", "os_version": "Generic", "application_type": "Graphic/Drawing", "filesize": "2226", "os_mfg": "Microsoft"}

The details are serialized in JavaScript Object Notation (JSON) for quick integration with your application.

If the hash provided does not match an entry in our database, just the hash is returned on a single line:

0E53C14A3E48D94FF596A2824307B49A

Each data source may provide additional details. For example:

7fe2248de77813ce850053ed0ce8a474 {"binary": "1", "mfg_name": "Microsoft Corporation", "signer": "Microsoft Windows", "crc32": "23897C4C", "application_type": "exe", "dirname": "c:\Windows\winsxs\x86_microsoft-windows-ddodiag_31bf3856ad364e35_6.1.7600.16385_none_362ce835fe42421b", "reference": "os", "filesize": "36864", "os_version": "6.1", "sig_trustfile": "C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ntexe.cat", "strongname_signed": "0", "bit": "32", "source_version": "1.3", "os_mfg": "Microsoft Corporation", "os_name": "Microsoft Windows 7 Ultimate Service Pack 1 (build 7601), 64-bit", "source": "AppInfo", "sha512": "F61BEA0DC281B56B563ED32331938EFC9BF6D7A3C9CAB3273103D2FD95A73C2492E31F2C64119651E5ABFE8F3A881317C3D3B81BAA2229B3CF01E4991EBFE8FC", "fileversion": "6.1.7600.16385", "language": "English", "filename": "ddodiag.exe", "description": "DDODiag is a tool that collects Device Display Object (DDO) information from the system and logs it", "trusted_signature": "1", "sig_timestamp": "07/14/2009 03:17:39", "filetimestamp": "07/14/2009 01:14:16", "product_name": "Microsoft Windows Operating System", "product_version": "6.1.7600.16385"}

In the event of an error, a message beginning with an exclamation (!) will follow the provided hash:

foo ! not an MD5 or SHA1 hash
POST Interface
The POST interface can be used to perform bulk queries. The request body must be a multipart MIME (multipart/form-data) upload containing a file with one MD5 or SHA1 hash per line. Lines that begin with a pound sign (#) are treated as comments and ignored. The output contains one line for each hash submitted, in the same format as the GET interface, so a line that carries only the hash means "no match" and a line with "!" after the hash means the input was rejected.

Here is an example of a bulk query using the curl utility:

# cat /tmp/test
000000206738748EDD92C4E3D2E823896700F849
0E53C14A3E48D94FF596A2824307B492
000000A9E47BD385A0A3685AA12C2DB6FD727A20
# curl http://bin-test.shadowserver.org/api -F filename.1=@/tmp/test
000000206738748EDD92C4E3D2E823896700F849 {"source": "NIST", "filename": "I05002T2.PFB", "crc32": "EBD105A0", "product_name": "Canvas", "mfg_name": "Deneba Software", "os_name": "Windows XP", "language": "English", "product_version": "8", "os_version": "Pro", "application_type": "Graphic/Drawing", "filesize": "98865", "os_mfg": "Microsoft"}
0E53C14A3E48D94FF596A2824307B492 {"source": "NIST", "filename": "00br2026.gif", "crc32": "AA6A7B16", "product_name": "Gallery", "mfg_name": "Corel Corporation", "os_name": "Windows NT", "language": "English", "product_version": "750,000", "os_version": "Generic", "application_type": "Graphic/Drawing", "filesize": "2226", "os_mfg": "Microsoft"}
000000A9E47BD385A0A3685AA12C2DB6FD727A20 {"source": "NIST", "filename": "femvo523.wav", "crc32": "D749B562", "product_name": "Decimals Made Easy", "mfg_name": "Dorling Kindersley Ltd.", "os_name": "Macintosh 8.1", "language": "English", "product_version": "Ages 8-11", "os_version": "8.1", "application_type": "Mathematics", "filesize": "42748", "os_mfg": "Apple Computer Inc."}
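The following is an added example, not code from the original page or from Shadowserver: it prepares a bulk-query file from raw input (dropping comment and blank lines and rejecting anything that is not a hex MD5/SHA1 before it is sent) and parses the line-oriented output into the three forms described under the GET interface (match with JSON, no match, error). The sample response is constructed here, not captured from the live service; it reuses the NIST record shown above, an abbreviated AppInfo-style record with the backslashes in its Windows path escaped as JSON requires, and a made-up hash whose detail field contains an unescaped backslash (the AppInfo example on this page shows paths that way, which a strict JSON parser rejects), so that the undecodable case is handled rather than silently mistaken for "not in the database".

```python
import json
import re

# The API answers one line per hash in three shapes (see the GET interface):
#   "<hash> <json>"        matched a database entry
#   "<hash>"               no match
#   "<hash> ! <message>"   error, e.g. input that is not an MD5/SHA1 hash
_HEX_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")
_HEX_SHA1 = re.compile(r"^[0-9a-fA-F]{40}$")


def hash_kind(value):
    """Return 'md5', 'sha1' or None for a candidate lookup key."""
    if _HEX_MD5.match(value):
        return "md5"
    if _HEX_SHA1.match(value):
        return "sha1"
    return None


def build_query_file(lines):
    """Turn raw input lines into the body of a bulk-query file.

    Comment lines (leading '#') and blank lines are dropped. Anything that is
    not a hex MD5/SHA1 is kept aside in 'rejected' instead of being sent to
    the server only to come back as an error line.
    """
    accepted, rejected = [], []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if hash_kind(line):
            accepted.append(line.upper())
        else:
            rejected.append(line)
    return "\n".join(accepted) + "\n", rejected


def parse_response(text):
    """Split API output into matched, unmatched and error results.

    A detail field that does not decode as JSON is reported under 'errors'
    rather than dropped, so a bad line is never confused with a no-match line.
    """
    result = {"matched": {}, "unmatched": [], "errors": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(" ", 1)
        key = parts[0]
        if len(parts) == 1:
            result["unmatched"].append(key)
        elif parts[1].startswith("!"):
            result["errors"][key] = parts[1][1:].strip()
        else:
            try:
                result["matched"][key] = json.loads(parts[1])
            except json.JSONDecodeError as exc:
                result["errors"][key] = "undecodable JSON: %s" % exc
    return result


# Constructed sample output, not captured from the live service. Line 1 is the
# NIST record shown on this page; line 2 is an abbreviated AppInfo-style record
# with its Windows path escaped as JSON requires; line 3 is a no-match line;
# line 4 is the error form; line 5 (made-up hash) carries an unescaped
# backslash, i.e. invalid JSON. Raw string so the backslashes survive as typed.
SAMPLE_RESPONSE = r"""
0E53C14A3E48D94FF596A2824307B492 {"source": "NIST", "filename": "00br2026.gif", "crc32": "AA6A7B16", "product_name": "Gallery", "mfg_name": "Corel Corporation", "os_name": "Windows NT", "language": "English", "product_version": "750,000", "os_version": "Generic", "application_type": "Graphic/Drawing", "filesize": "2226", "os_mfg": "Microsoft"}
7FE2248DE77813CE850053ED0CE8A474 {"source": "AppInfo", "filename": "ddodiag.exe", "dirname": "c:\\Windows\\winsxs", "bit": "32"}
0E53C14A3E48D94FF596A2824307B49A
foo ! not an MD5 or SHA1 hash
DEADBEEFDEADBEEFDEADBEEFDEADBEEF {"dirname": "c:\Windows"}
"""

if __name__ == "__main__":
    body, rejected = build_query_file(["# comment", "0e53c14a3e48d94ff596a2824307b492", "foo"])
    print(body, rejected)
    res = parse_response(SAMPLE_RESPONSE)
    print(sorted(res["matched"]), res["unmatched"], res["errors"])
```

The body returned by build_query_file is what you would write to the file handed to curl's -F option; keeping the rejected lines lets a caller report bad input without a round trip to the server.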
Sources
Information in this database has been collected from the following sources:
NSRL : National Software Reference Library (records from it carry "source": "NIST" in query results). Field descriptions can be found in the Data Formats of the NSRL Reference Data Set (RDS) Distribution paper.

AppInfo : Shadowserver has developed a tool named AppInfo that collects information regarding executable files. Additional fields include "sha512", "fileversion" and "dirname"; the signature fields "trusted_signature", "signer", "sig_timestamp", "sig_trustfile" and "strongname_signed"; and "bit", which indicates whether the binary is 32- or 64-bit. The "reference" field indicates the origin of the scanned file.
Code Samples
Python:
#!/usr/bin/env python3
#  Written by:  Jose Nazario (jose@arbor.net)
import json
import subprocess
import sys

API_URL = 'http://bin-test.shadowserver.org/api'

def whitelisted(hashfile):
    """Submit a file of hashes (one per line) via the POST interface and
    return a dict mapping each hash that matched the database to its
    decoded JSON attributes."""
    # Pass curl its arguments as a list so the filename is never interpreted
    # by a shell (os.popen() with string interpolation would let a crafted
    # filename inject shell commands).
    out = subprocess.run(
        ['curl', '-s', API_URL, '-F', 'filename.1=@' + hashfile],
        capture_output=True, text=True, check=True).stdout
    res = {}
    for line in out.split('\n'):
        l = line.split(' ', 1)
        # Only matched entries carry a second field; error lines ("! ...")
        # and no-match lines (hash alone) are skipped.
        if len(l) == 2 and not l[1].startswith('!'):
            try:
                res[l[0]] = json.loads(l[1])
            except ValueError:
                pass
    return res

res = whitelisted(sys.argv[1])
print(list(res.keys()))

Perl:

#!/usr/bin/perl
use JSON;
use strict;
use warnings;

=item whitelisted ($hashfile)

Returns a nested hash reference of whitelisted hashes and their decoded
JSON attributes.

=cut
sub whitelisted
{
	my ($hashfile) = @_;
	my %res;

	# List-form pipe open: curl's arguments are passed directly, so a
	# hostile filename cannot be interpreted by a shell.
	open(my $fh, '-|', 'curl', '-s', 'http://bin-test.shadowserver.org/api',
		'-F', "filename.1=\@$hashfile") || die("curl failed: $!");
	while (my $line = <$fh>)
	{
		# Matched entries are "<hash> <json>"; "<hash> ! <error>" lines and
		# bare no-match lines are skipped.
		if ($line =~ /^(\S+)\s(?!!)(.+)$/)
		{
			my ($hash, $json) = ($1, $2);
			my $data = eval { decode_json($json) };
			$res{$hash} = $data if defined $data;
		}
	}
	close($fh);

	return \%res;
}

my $res = whitelisted($ARGV[0]);
print join("\n", keys %{$res}), "\n";
