Hello,

Is someone here able to help me understand where the source or reason is behind the bytepatten in the .Net Reactor signature?

I am referring specifically to this pattern:

5266686E204D182276B5331112330C6D0A204D18229EA129611C76B505190158

Thanks!

Jeremy Wildsmith

Might be time to revisit the priorities and provide consistent numbers across all formats. These are the types we have so far, with the proposed new order:

0. type
   0a. extender

1. driver converter immunizer installer joiner other patcher player self-displayer sfx

2. packer protector

3. emulator library

4. compiler

5. linker

6. archive

7. Type is currently only used by MSDOS for NE/LE/LX; it could also be used as the general options for ELF/MACH/PE (i.e. a signature of the file format itself), leaving PE/linker open to actual linker version & options (splitting it back into separate files).

0a. Extender is only used by MSDOS; it is an extension of type.

1. What the file does.

2. How the file's been modified.

3. What the file contains.

4. How the file was generated.

5. Second stage of generation.

6. Supplemental data.

When you go in the settings each drop down menu has a blank option, is this normal ?

As far as known packers are considered, DIE seems to identify them clearly. But now a days attackers are targeting with custom packing to evade detections. How far can DIE detect an EXE if it is custom packed? Also, How can use DIE to automate the process of packer detection? Is there a way to save the output of DIE and parse it to know whether the input file is packed or not?
TIA.

I am testing lastest version against a collection of executable tools, only DOS, I've been doing last years, packers, cryptors, scene stuff, etc, around 29.000 files. Mixed files, I simply uncompressed tons of files, but 7.200 executables.

A directory scan works ok. I'll check now the results and report, if you are still interested in DOS :D
But, a directory scan with "show errors" option marked, hangs the program, around the file 10.000, so 50%... Maybe you want to check this.
Thanks you very much, DIE is the best program in its kind!

I have installed DIE in linux using Pip install DIE.
Collecting DIE
Downloading https://files.pythonhosted.org/packages/52/a7/c2ba9bbd846c87ff92585d48359cf66f47e1cbc9367fb46b39a5044553e1/die-0.2.0.tar.gz
Building wheels for collected packages: DIE
Running setup.py bdist_wheel for DIE ... done
Stored in directory: /home/test/.cache/pip/wheels/19/40/12/cc1c603cfe121615305f6e4d52e1924ed5c845182b2f47b3d8
Successfully built DIE
Installing collected packages: DIE
Successfully installed DIE-0.2.0
but now how to use it????:(

QString getFileName() ;
QString getFileExtension();

For example file: "C:/tmp/archive.tar.gz"

getFileName() -> "archive.tar.gz"
getFileExtension() -> "tar.gz"

Maybe this yara rules could be interesting:
https://github.com/polymorf/findcrypt-yara/blob/master/findcrypt3.rules

Hi,

Can you please implement the possibility to detect embedded resources. Let's say there is an executable embedded as part of another one. Compressed bundles, and so on, also could be detected and even extracted.
The same signatures could be used to detect the embedded resources.

Thanks

Hello,

I found there is some part of your translation is missing and it is imcomplete I will fix it and make some improvement.
When I am done, I will upload New Files.

Thanks :)

Please, check this signatures:
https://github.com/sooshie/packerid/blob/master/userdb.txt

I'm trying to parse more specific xml files by reading specific lines or groups of lines (or maybe you have a better solution?) I doubt these filetypes would be useful to anyone other than myself so I doubt I would end up posting them. But I started to get really weird behavior when I did the following.

// DIE's signature file

init("source","XML");

function getLines(string, from, to) {
    var i = 0, j = 0;
    string = '\n' + string;
    --from;
    
    while (from-->0)
    {
        --to;
        i = string.indexOf('\n', i + 1);
    }

    j = i;

    while (to-->0)
    {
        j = string.indexOf('\n', j + 1);
    }

    return string.slice(i + 1, j);
}

function detect(bShowType,bShowVersion,bShowOptions)
{
    var sText=Text.getString(0,Math.min(Text.getSize(),8192));
    // Ignore the UTF-8 BOM.
    if(/^(?:\xef\xbb\xbf)?<\?xml/.test(sText))
    {
        var xmlVersion=sText.match(/version="(.*?)"/g);
        
        if(xmlVersion)
        {
            sVersion=xmlVersion[0].substring(9, xmlVersion[0].length - 1);
        }
        
        switch(getLines(sText, 2, 2))
        {
            case '<database version="2.0">':
                sName="Database XML";
                sVersion=xmlVersion[1].substring(9, xmlVersion[1].length - 1);
                break;
        }

        sOptions=getLines(sText, 2, 2);
        bDetected=1;
    }

    return result(bShowType,bShowVersion,bShowOptions);
}

A carriage return would happen, notice the T from Text getting overwritten with ]

• ]ext: source: XML(1.0)[<database version="2.0">

But also my switch case did not work. I know I could do another match on sText for each different type but i'm dreading the thought of doing 50-ish matches for different XML files. Any advice would be appreciated.

Hi,

It would be nice to have a possibility to check for encoded strings, data or code.

Just a quick look gives me:
https://github.com/hwhw/base64finder
https://digital-forensics.sans.org/blog/2013/05/14/tools-for-examining-xor-obfuscation-for-malware-analysis

This one is really cool:
http://www.kahusecurity.com/2014/exploring-xor-decryption-methods/

Just need to look in this direction.

Greetings

I am a fresh here, I want to know how could I compile this project under windows platform . Is there any README about this part ?

i remember old version diec (0.9?) can search a folder in once , but when i use 3.0 , cant find some paramater or input mode to search mutl file.....thanks for this tool , should i use old version for this function?

Hi @horsicq and team,

Did I overlook a digital signatures check for the analyzed program?

Can you please add this feature and make it possible to put your tags to the signatures.

Ideally, the signatures DB would be synchronized with central repository and an anonymous priority feedback from users will be shown :-). Maybe something like +10 👍, -100 👎 and comments if any.

Thanks for the great tool.

I've been going through the .sig files and I've noticed that they use a number of functions that I can't find definitions/ source code for in the repository, just auto-complete and help files.

Specifically, when I search for pe.isPEPlus or pe.isNET I see many usages, but no source code.

Where can I find the source code that defines the PE class?

Would be nice to decode the CFG section (named as .gfids)
added by modern compilers into executables

some intro info might be found here
https://docs.microsoft.com/en-us/windows/win32/secbp/pe-metadata

example dll with such a section attached
CFG_dll.zip

Hi,

Great tool.

Please check this signatures: https://github.com/devttys0/binwalk/tree/master/src/binwalk/magic

Greetings,
Tolik

I can't open your website to download DIE-- Can you provide orther way to download binary file? Thanks!

With the new version of Themida, the executable that is packed with Themida 3 is not being detected.
https://easyupload.io/gxidic

Going through the signature files, I've come across byte matching regex with the normal '.' symbol, but also '$' symbols.

Normally the $ denotes EOS, but in this case there are just a bunch of them strung together, making it look like they might be optional wildcards, and the '.' symbols non-optional wildcards.

Clarification would be appreciated.

Link illustrates the issue:
https://github.com/horsicq/Detect-It-Easy/blob/master/db/PE/AutoPlay%20Media%20Studio.1.sg

Hi,

https://www.virustotal.com raised several alerts when scanning "die_win32_portable_2.04.zip".
What is your opinion?

I am trying to add a new signature to DIE, but I didn't found any documentation about the syntax of the script and the list of functions I can use. Are there any instructions?

https://github.com/fireeye/flare-floss

Would be very cool.

Hi @horsicq and team,

Please add a live (start time) signatures DB update with users feedback.

Ideally, the signatures DB would be synchronized with central repository and an anonymous priority feedback from users will be shown :-). Maybe something like +10 👍, -100 👎 and comments if any.

Thanks.

When diec.sh is called from a directory other than the location where it resides, it fails to run with message ./base/diec: not found. the same happens with die.sh

Example:

• DIE installed in /lab/tools/die

1. cd into /lab/sandbox
2. execute /lab/tools/die/diec.sh <FILE_NAME>

Results:
./base/diec: not found.

OS: Ubuntu 20.04, bash 5.0.17

FIX (bold):

#!/bin/sh
CWD=$(dirname $0)
export LD_LIBRARY_PATH="$CWD/base:"
$CWD/base/diec $*

I noticed that diec.exe has a few dlls it depends on. Is there a way to merge those files into diec.exe so that they are not necessary?

Other than that, I am blown away at how awesome and fast this is.

Windows should use UTF-8 to read/display the info.

You can't install linux binaries from this link http://ntinfo.biz/index.html

I checked Microsoft Visual Studio.4.sg script, specifically getVersionFromRichSignature and it retrieves the highest possible build number from the list of compid structs.

Since this list contains _compid_s of dependent modules too (e.g. staticly link libraries) it causes the function to return compiler version of dependent module if it was build with compiler higher then the processed executable.

Example: i have a library that was build using VC2013. My main project depends on this static library. If i build this project with VS2010 - the tool will display compiler version as VS2013.

Here is my suggestion to improve detection:
This acrticle states that last compid value is the version of compiler/linker used to produce the actual executable, so i did a test if it's actually true.
I used cl.exe from VS2013 and link.exe from VS2010 Express to buld a first version of executable and vice versa (cl10, link13) to build a second version.
Here is a result:

CL13, LINK10

CL10, LINK13

As you can see the linker version is the last compid while the compiler version is penultimate.
I don't know how reliable this information is, however.

• Edit - fixed links

Hi,

What do you thing about the possibility to categorize found strings from the executable based on dictionaries.
I thing of having different dictionaries, like America English, English English, different languages, as well as, the dictionaries for specific programming languages, like C, C++, Python, Perl, JS, VB, ...
At the end the scores are shown for different languages, maybe event with a mini map for distribution over the executable.

Greetings

Can I build die by myself? What can i do for this work?

Provide adaptive program scaling based on user's DPI.

Screenshot from 4k monitor with 175% scaling:

Please check what can be taken over from:
https://github.com/katjahahn/PortEx
I like this one:

and the anomalies:
https://github.com/katjahahn/PortEx/blob/master/src/main/java/com/github/katjahahn/tools/anomalies/AnomalySubType.java

getNumberOfExports()
getExportFunctionName()

With both the console version and the DLL, only the ENTROPY of the whole file can be detected.
How can I detect the entropy of EACH SECTION using the DLL or the console version?

rshipp/awesome-malware-analysis#58

C:\>diec.exe "C:\Temp\FileZilla_3.14.1_win64-setup.exe" -singlelineoutput:yes -showoptions:no -showversion:no -database:"C:\test\db"
Invalid database name: c

A guess would be the c: in the path is causing the issue. It doesn't seem to affect the full die.exe app, only the console.

I also tried a few different methods of quoting and no quoting. I even moved the option to be first. None of the methods worked.

• -database:"C:\test\db"
• -database:"C:/test/db"
• -database:C:\test\db
• -database:""C:\test\db""
• -database:"C:\\test\\db"
• -database:""C:\\test\\db""
• -database:'C:\test\db'
• -database:''C:\test\db''

I'm going to dig in a bit, but it appears that the colon in the database path is throwing for a loop. Any known workarounds?

Have a nice day.

@horsicq
File fr.qph

если запустить без окружения
./die
Ошибка сегментирования

если добавить
export LD_LIBRARY_PATH=/opt/DIE-engine/lin64/stuff:$LD_LIBRARY_PATH
./die
Cannot mix incompatible Qt library (version 0x40807) with this library (version 0x40806)
Аварийный останов

из командной строки все работает, что ваша сборка, что сборка из исходников

./diec

./DIEC_lin64
Detect It Easy 1.01 console

Copyright(C) 2006-2008 Hellsp@wn 2012-2016 Hors
Website: http://ntinfo.biz
Bugreports: [email protected]

Number of Binary signatures: 217
Number of com signatures: 175
Number of Text signatures: 12
Number of com signatures: 3
Number of MSDOS signatures: 275
Number of PE/PE+ signatures: 471
Number of ELF/ELF64 signatures: 16
Number of MACH/MACH64 signatures: 8
Total signatures: 999

Usage: DIEC file/directory [options]

Options:
-showerrors [default: -showerrors:no] Show all errors
-showoptions [default: -showoptions:yes] Show compiler/protector/packer/etc options
-showversion [default: -showversion:yes] Show compiler/protector/packer/etc version
-subfolders [default: -subfolders:yes] Scan subfolders. Only for directory scan
-showentropy [default: -showentropy:no] Show entropy
-singlelineoutput [default: -singlelineoutput:no] Output as single line
-showfileformatonce [default: -showfileformatonce:no] Show file format once
-fullscan [default: -fullscan:no] Full scan for all valid types
-database [default: -database:"$app/db"] Set scan database

./DIEC_lin64 die
ELF64: packer: UPX(3.91)[LZMA,brute]

Good day, @horsicq! Could I ask you to make hints non-transparent, it's hard to read what's there written.

What is the entropy threshold above which an executable is considered packed?
Where did you get that number?

FYI
Manalyze consider high entropy above 7.0

The info files are a mixture of long and short lines. I see three options:

1. Hard wrap everything to 60 columns.
2. Hard wrap nothing, joining lines to make single-line paragraphs (and blank line between).
3. Make use of rich text and use <p>.

All is in the title, your download links was dead can you upload an other thanks !

Firstly thank you for this great update.

My DIE version: die_win32_portable_3.00.zip
My OS: Windows 10 Build 18362

Question
Is Yara scanning still available in this release ? (I don't see it)

Improvement 1
Please can you specify in README what is the difference between release with and without loader(what is loader good for) ? Especially when many AV engines detect build with loader as malware.

Improvement 2
The new(white) default theme doesn't look as good as the Orange one. Wouldn't be better to set that one as a default ?

BUG 1
DIE doesn't detect .NET GUIDs properly.
.NET GUID is project identifier which has format \w{8}-\w{4}-\w{4}-\w{4}-\w{12}

• in VisualStudio you can find it in Project->Project Properties->Application->Assembly information http://prntscr.com/tz4xkp
• in DIE HEX: http://prntscr.com/tz50qu
• what DIE thinks is a GUID http://prntscr.com/tz529s

BUG 2
in DIE->HEX shortcut CTRL+F doesn't work for me(only rightClick->find).
but in DIE->PE->HEX it works without any problem

I am not sure if there are any other ways to output data from diec, but it would be awesome if it could dump it in other formats like JSON.

Would or is possible to get rid of maximal 10k string limit in string-search ?

I checked DIE for coverage of .daa (direct access archive) files, and it came up blank the only hint as to the contents was the entropy section.

On a related note, are file format requests taken care of by the author of the tool, or the community?