horsicq / DIE-engine

DIE engine
MIT License
2.4k stars 331 forks source link

Non-JSON output included in JSON output #114

Closed MalwareMechanic closed 3 weeks ago

MalwareMechanic commented 3 weeks ago

When running DIE with the JSON flag (-j, --json), non-JSON output is included regarding heuristic scan information.

DIE Version

$ diec -v
die 3.10

Basic example

$ diec --json 72fe869aa394ef0a62bb8324857770dd
[!] Heuristic scan is disabled. Use '--heuristicscan' to enable
{
    "detects": [
        {
            "filetype": "PE64",
            "info": "",
            "offset": "0",
            "parentfilepart": "Header",
            "size": "157696",
            "values": [
                {
                    "info": "",
                    "name": "Microsoft Linker",
                    "string": "Linker: Microsoft Linker(14.00.24215)",
                    "type": "Linker",
                    "version": "14.00.24215"
                },
                {
                    "info": "LTCG/C++",
                    "name": "Microsoft Visual C/C++",
                    "string": "Compiler: Microsoft Visual C/C++(19.00.24215)[LTCG/C++]",
                    "type": "Compiler",
                    "version": "19.00.24215"
                },
                {
                    "info": "",
                    "name": "Visual Studio",
                    "string": "Tool: Visual Studio(2015)",
                    "type": "Tool",
                    "version": "2015"
                }
            ]
        }
    ]
}

The warning is logged at https://github.com/horsicq/Detect-It-Easy/blob/df025d3d24cd3712e6adc108ea1948ab39046916/db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg#L111

log(logType.warning, "Heuristic scan is disabled. Use '--heuristicscan' to enable");

Additional examples

Below are additional examples of heuristic scan information included in JSON output.

$ diec --json --heuristicscan 72fe869aa394ef0a62bb8324857770dd
[!] To get the full heuristic scan result use '--verbose'
[HEUR/About] Generic Heuristic Analysis by DosX (@DosX_dev)
[HEUR] Scanning has begun!
[HEUR] Scan completed.
{
    "detects": [
        {
            "filetype": "PE64",
            "info": "",
            "offset": "0",
            "parentfilepart": "Header",
            "size": "157696",
            "values": [
                {
                    "info": "",
                    "name": "Microsoft Linker",
                    "string": "Linker: Microsoft Linker(14.00.24215)",
                    "type": "Linker",
                    "version": "14.00.24215"
                },
                {
                    "info": "LTCG/C++",
                    "name": "Microsoft Visual C/C++",
                    "string": "Compiler: Microsoft Visual C/C++(19.00.24215)[LTCG/C++]",
                    "type": "Compiler",
                    "version": "19.00.24215"
                },
                {
                    "info": "",
                    "name": "Visual Studio",
                    "string": "Tool: Visual Studio(2015)",
                    "type": "Tool",
                    "version": "2015"
                }
            ]
        }
    ]
}
$ diec --json --heuristicscan --verbose 72fe869aa394ef0a62bb8324857770dd
[HEUR/About] Generic Heuristic Analysis by DosX (@DosX_dev)
[HEUR] Scanning has begun!
[HEUR] Scanning to programming language has started!
[HEUR] Scan completed.
{
    "detects": [
        {
            "filetype": "PE64",
            "info": "",
            "offset": "0",
            "parentfilepart": "Header",
            "size": "157696",
            "values": [
                {
                    "info": "AMD64, 64-bit, DLL",
                    "name": "Windows",
                    "string": "Operation system: Windows(Vista)[AMD64, 64-bit, DLL]",
                    "type": "Operation system",
                    "version": "Vista"
                },
                {
                    "info": "",
                    "name": "Microsoft Linker",
                    "string": "Linker: Microsoft Linker(14.00.24215)",
                    "type": "Linker",
                    "version": "14.00.24215"
                },
                {
                    "info": "LTCG/C++",
                    "name": "Microsoft Visual C/C++",
                    "string": "Compiler: Microsoft Visual C/C++(19.00.24215)[LTCG/C++]",
                    "type": "Compiler",
                    "version": "19.00.24215"
                },
                {
                    "info": "",
                    "name": "C++",
                    "string": "Language: C++",
                    "type": "Language",
                    "version": ""
                },
                {
                    "info": "",
                    "name": "Visual Studio",
                    "string": "Tool: Visual Studio(2015)",
                    "type": "Tool",
                    "version": "2015"
                }
            ]
        }
    ]
}
MalwareMechanic commented 3 weeks ago

Closing, refiled at https://github.com/horsicq/Detect-It-Easy/issues/242