Open MalwareMechanic opened 2 weeks ago
When running DIE with the JSON flag (-j, --json) against PE files, non-JSON output is included regarding heuristic scan information.
-j, --json
DIE Version
$ diec -v die 3.10
Basic example
$ diec --json 72fe869aa394ef0a62bb8324857770dd [!] Heuristic scan is disabled. Use '--heuristicscan' to enable { "detects": [ { "filetype": "PE64", "info": "", "offset": "0", "parentfilepart": "Header", "size": "157696", "values": [ { "info": "", "name": "Microsoft Linker", "string": "Linker: Microsoft Linker(14.00.24215)", "type": "Linker", "version": "14.00.24215" }, { "info": "LTCG/C++", "name": "Microsoft Visual C/C++", "string": "Compiler: Microsoft Visual C/C++(19.00.24215)[LTCG/C++]", "type": "Compiler", "version": "19.00.24215" }, { "info": "", "name": "Visual Studio", "string": "Tool: Visual Studio(2015)", "type": "Tool", "version": "2015" } ] } ] }
The warning is logged at:
https://github.com/horsicq/Detect-It-Easy/blob/df025d3d24cd3712e6adc108ea1948ab39046916/db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg#L111
Additional examples
Below are additional examples of heuristic scan information included in JSON output.
$ diec --json --heuristicscan 72fe869aa394ef0a62bb8324857770dd [!] To get the full heuristic scan result use '--verbose' [HEUR/About] Generic Heuristic Analysis by DosX (@DosX_dev) [HEUR] Scanning has begun! [HEUR] Scan completed. { "detects": [ { "filetype": "PE64", "info": "", "offset": "0", "parentfilepart": "Header", "size": "157696", "values": [ { "info": "", "name": "Microsoft Linker", "string": "Linker: Microsoft Linker(14.00.24215)", "type": "Linker", "version": "14.00.24215" }, { "info": "LTCG/C++", "name": "Microsoft Visual C/C++", "string": "Compiler: Microsoft Visual C/C++(19.00.24215)[LTCG/C++]", "type": "Compiler", "version": "19.00.24215" }, { "info": "", "name": "Visual Studio", "string": "Tool: Visual Studio(2015)", "type": "Tool", "version": "2015" } ] } ] }
$ diec --json --heuristicscan --verbose 72fe869aa394ef0a62bb8324857770dd [HEUR/About] Generic Heuristic Analysis by DosX (@DosX_dev) [HEUR] Scanning has begun! [HEUR] Scanning to programming language has started! [HEUR] Scan completed. { "detects": [ { "filetype": "PE64", "info": "", "offset": "0", "parentfilepart": "Header", "size": "157696", "values": [ { "info": "AMD64, 64-bit, DLL", "name": "Windows", "string": "Operation system: Windows(Vista)[AMD64, 64-bit, DLL]", "type": "Operation system", "version": "Vista" }, { "info": "", "name": "Microsoft Linker", "string": "Linker: Microsoft Linker(14.00.24215)", "type": "Linker", "version": "14.00.24215" }, { "info": "LTCG/C++", "name": "Microsoft Visual C/C++", "string": "Compiler: Microsoft Visual C/C++(19.00.24215)[LTCG/C++]", "type": "Compiler", "version": "19.00.24215" }, { "info": "", "name": "C++", "string": "Language: C++", "type": "Language", "version": "" }, { "info": "", "name": "Visual Studio", "string": "Tool: Visual Studio(2015)", "type": "Tool", "version": "2015" } ] } ] }
Thanks a lot for the bugreport! It will be fixed. You can just remove/comment the log functions in the *.sg files
When running DIE with the JSON flag (
-j, --json
) against PE files, non-JSON output is included regarding heuristic scan information.DIE Version
Basic example
The warning is logged at:
https://github.com/horsicq/Detect-It-Easy/blob/df025d3d24cd3712e6adc108ea1948ab39046916/db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg#L111
Additional examples
Below are additional examples of heuristic scan information included in JSON output.