StoqScan

Overview

Basic scanning functions such as hash calculation and file type detection.

Examples

Calculate the md5 hash of a payload:

import stoq.scan
# Hash functions operate on raw bytes, so pass the payload as bytes
stoq.scan.get_md5(b"this is a payload")

Calculate the md5, sha1, sha256, and sha512 of a payload:

stoq.scan.get_hashes(b"this is a payload")

API

stoq.scan.bytes_frequency(payload, min_length=1, max_length=3, min_count=10)

Determine the frequency of bytes or series of bytes in a payload

Parameters:
  • payload (bytes) – Payload to be analyzed
  • min_length (int) – Minimum length of continuous bytes
  • max_length (int) – Maximum length of continuous bytes
  • min_count (int) – Minimum count of instances of a specific byte or series of bytes
Returns:

Bytes, count, percentage of frequency

Return type:

tuple
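
Added example, not stoQ's own code: a stand-alone sketch of the byte-sequence frequency analysis that bytes_frequency describes, useful for spotting padding or other heavily repeated sequences in a sample. The function name ngram_frequency is hypothetical, the percentage definition (count divided by the number of overlapping windows of that length) is an assumption, and the sample payload is constructed.

```python
from collections import Counter


def ngram_frequency(payload, min_length=1, max_length=3, min_count=10):
    """Count every byte sequence of min_length..max_length bytes in payload.

    Returns (sequence, count, percentage) tuples, most frequent first.
    Assumption: percentage = count / number of windows of that length.
    """
    if not isinstance(payload, (bytes, bytearray)):
        raise TypeError("payload must be bytes, not %s" % type(payload).__name__)
    if min_length < 1 or max_length < min_length:
        raise ValueError("need 1 <= min_length <= max_length")
    payload = bytes(payload)  # bytearray slices are unhashable
    results = []
    for n in range(min_length, max_length + 1):
        windows = len(payload) - n + 1  # overlapping windows of length n
        if windows <= 0:
            break  # payload is shorter than the sequence length
        counts = Counter(payload[i:i + n] for i in range(windows))
        for seq, count in counts.items():
            if count >= min_count:
                results.append((seq, count, round(100.0 * count / windows, 2)))
    # Highest count first; ties broken by the sequence bytes for stable output.
    results.sort(key=lambda r: (-r[1], r[0]))
    return results


# Constructed sample: 16 bytes of zero padding followed by "ABC" four times.
SAMPLE = b"\x00" * 16 + b"ABC" * 4

if __name__ == "__main__":
    for seq, count, pct in ngram_frequency(SAMPLE, min_count=4):
        print(seq.hex(), count, "%.2f%%" % pct)
```

With the default min_count of 10 only the zero padding is reported; lowering it to 4 also surfaces the repeated "ABC" sequence.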

stoq.scan.compare_ssdeep(payload1, payload2)

Compare binary payloads with ssdeep to determine

Parameters:
  • payload1 (bytes) – Binary content to compare
  • payload2 (bytes) – Binary content to compare
Returns:

Match score from 0 (no match) to 100

Type:

int or None

stoq.scan.get_hashes(payload)

Calculate the md5, sha1, sha256, and sha512 of a payload

Parameters: payload – The payload to be hashed.
Returns: All of the above hashes
Return type: dict

stoq.scan.get_magic(payload, mime=True)

Attempt to identify the magic of a payload

Parameters:
  • payload (bytes) – Payload to be analyzed
  • mime (bool) – Define whether the payload is of mime magic_type
Returns:

Identified magic type, otherwise None

Return type:

bytes

stoq.scan.get_md5(payload)

Generate md5 hash of a payload

Parameters: payload – The payload to be hashed.
Returns: md5 hash
Return type: str

stoq.scan.get_sha1(payload)

Generate sha1 hash of a payload

Parameters: payload – The payload to be hashed.
Returns: sha1 hash
Return type: str

stoq.scan.get_sha256(payload)

Generate sha256 hash of a payload

Parameters: payload – The payload to be hashed.
Returns: sha256 hash
Return type: str

stoq.scan.get_sha512(payload)

Generate sha512 hash of a payload

Parameters: payload – The payload to be hashed.
Returns: sha512 hash
Return type: str

stoq.scan.get_ssdeep(payload)

Generate ssdeep hash of a payload

Parameters: payload – The payload to be hashed.
Returns: ssdeep hash
Return type: str or None