Detect It Easy

Detect It Easy (DIE) is a comprehensive binary analysis tool that identifies compilers, packers, protectors, and linkers used to build executables. It supports PE (Windows), ELF (Linux), Mach-O (macOS), and other executable formats, making it essential for malware analysis and reverse engineering workflows.

Installation

# Windows - Download binary
# https://github.com/horsicq/Detect-It-Easy/releases

# Linux build from source
git clone --recursive https://github.com/horsicq/Detect-It-Easy.git
cd Detect-It-Easy
mkdir build && cd build
qmake ..
make
sudo make install

# Debian/Ubuntu (if available)
sudo apt-get install detect-it-easy

# macOS
brew install detect-it-easy

Command Line Usage

# Basic syntax
diec [OPTIONS] <file>

# GUI launch
diec-gui [file]

CLI Options

Option	Description
`-h`, `--help`	Show help message
`-v`, `--version`	Display version
`-a`, `--all`	Show all information
`-j`, `--json`	Output results as JSON
`-x`, `--xml`	Output results as XML
`-t`, `--text`	Plain text output
`-c`, `--color`	Colorized output
`-d`, `--deep`	Deep scan mode
`--debug`	Enable debug output
`--engine <file>`	Use custom database

Detecting Compilers

Identify C/C++ Compilers

# Analyze executable for compiler signatures
diec -a malware.exe

# Output shows:
# Microsoft Visual C++ 6.0
# Compiler: MSVC v12.0 (Visual Studio 2013)
# Runtime: MSVC Runtime 120

Compiler	Signatures
MSVC (Microsoft)	Recognizable entry points, heap markers
GCC/MinGW	.gnu_debuglink, exception tables
Clang	Specific exception handling structures
Borland Delphi	VCL signatures, BDE libraries
Visual Basic	VB runtime libraries (MSVBVM*.dll)
Delphi	Borland library signatures
GoLang	Runtime strings, pclntab

Common MSVC Versions

# Visual Studio 2015 (MSVC v19.0)
diec vs2015_app.exe

# Visual Studio 2019 (MSVC v19.28)
diec vs2019_app.exe

# Visual Studio 2022 (MSVC v19.3+)
diec vs2022_app.exe

Detecting Packers and Protectors

Common Packer Detection

# Scan for known packers
diec -a packed.exe

# Output examples:
# UPX v3.96
# PECompact v2.x
# ASPack 2.x
# Themida 2.x
# VMProtect 3.x

Packer Identification Table

Packer	Signature	Category
UPX	UPX header sections	Compression
PECompact	PECompact markers	Compression
ASPack	ASPack stub	Compression
Themida	Themida runtime	Anti-analysis
VMProtect	VM bytecode	Anti-analysis
Code Virtualizer	Virtual machine	Anti-analysis
kkrunchy	kk stub	Game protection
RLPack	RL signature	Compression
PETite	PETite sections	Compression
QuickPack	QK sections	Compression

Detecting Polymorphic Packers

# Analyze suspected polymorphic sample
diec --deep suspicious.exe

# Look for:
# - Encrypted sections
# - Entry point redirection
# - Stub code patterns
# - Unusual section names

Detecting Protectors and Anti-Analysis

Code Obfuscation Detection

# Detect code virtualization and obfuscation
diec --deep malware.exe

# May indicate:
# VMProtect - Virtual machine protection
# Themida - Code obfuscation
# Code Guard - Runtime protection
# SafeEngine - Anti-debugging

Detecting Anti-Debugging

Protection	Indicator
IsDebuggerPresent	API imports section
Hardware breakpoints	Exception handling setup
RDTSC checks	Timestamp instructions
INT 2D/3	Interrupt handlers
NtSetInformationFile	Kernel mode detection

Anti-Reverse Engineering Features

# Scan for anti-RE features
diec --deep protected.exe

# Look for:
# - Custom exception handlers
# - API redirection tables
# - Encrypted IAT (Import Address Table)
# - Self-modifying code markers
# - Integrity check routines

Advanced Analysis Workflows

Malware Classification

# Step 1: Quick packer detection
diec malware.exe | grep -i "packer\|packed"

# Step 2: Compiler identification
diec malware.exe | grep -i "compiler\|runtime"

# Step 3: Protection mechanisms
diec --deep malware.exe | grep -i "protect\|anti"

# Step 4: Library detection
diec malware.exe | grep -i "library\|framework"

Identifying Suspicious Compilation

# Check for unusual compiler combinations
diec sample.exe

# Flag suspicious indicators:
# - Old/vulnerable compiler versions
# - Mismatched runtime libraries
# - Conflicting compiler signatures
# - Non-standard build options

Threat Intelligence Integration

# Export findings for analysis
diec --json malware.exe > findings.json

# Extract compiler version
jq '.compiler.name' findings.json

# Extract all detected software
jq '.detects[] | .name' findings.json

Output Formats

Text Output

diec malware.exe

# Example output:
DIE v3.08
File: malware.exe
Size: 1024000 bytes
Type: PE32 executable

Detects:
  Compiler: Microsoft Visual C++ 2015
  Protector: Themida 2.4
  Library: Standard C Library
  Tool: Resource Editor

JSON Output

diec --json malware.exe

# Example structure:
{
  "file": "malware.exe",
  "detects": [
    {
      "name": "Microsoft Visual C++",
      "version": "2015",
      "category": "Compiler"
    },
    {
      "name": "Themida",
      "version": "2.4",
      "category": "Protector"
    }
  ]
}

Batch Analysis with Logging

# Analyze multiple files and log results
for file in *.exe; do
    echo "Analyzing $file..." >> analysis.log
    diec "$file" >> analysis.log
    echo "---" >> analysis.log
done

Malware Analysis Use Cases

Detecting Malware Variants

# Compare known malware with suspect sample
diec known_malware.exe > known.txt
diec suspect_sample.exe > suspect.txt

# Compare detections
diff known.txt suspect.txt

# Same compiler/packer = likely variant

Identifying Malware Families

# Family characteristics by compiler/packer combination
diec sample1.exe  # WinRAR compiler + UPX = Family A
diec sample2.exe  # MSVC 2013 + Themida = Family B

# Build threat intelligence profile

Checking for Crypters/Ransomware

# Crypters often use known protectors
diec ransomware.exe

# Common findings:
# - VMProtect (high protection cost)
# - Code Virtualizer (complex obfuscation)
# - Themida (anti-analysis features)

Library and Framework Detection

Detecting Standard Libraries

# Identify linked libraries
diec executable.exe

# Common findings:
# - MSVC Runtime (CRT)
# - Windows SDK functions
# - OpenSSL (if linked)
# - Crypto++ (if present)
# - Boost libraries (C++)

Database/Framework Detection

Detection	Indicates
.NET Framework	Managed code, CLR runtime
Java Runtime	JVM bytecode
Python	Embedded interpreter
Mono	Cross-platform .NET
Qt Framework	Cross-platform GUI
wxWidgets	Cross-platform UI

Comparison Between File Formats

PE vs ELF Analysis

# Windows executable (PE)
diec malware.exe

# Linux executable (ELF)
diec ./malware

# macOS executable (Mach-O)
diec malware.app/Contents/MacOS/malware

# Each format has different signature patterns

Cross-Platform Detection

# Analysis differences by format:
# PE: MSVC, Borland, direct Win32 APIs
# ELF: GCC, Clang, glibc functions
# Mach-O: Apple Clang, Objective-C, frameworks

Custom Database and Updates

Update Detection Engine

# DIE uses a database of known signatures
# Download latest database updates
# Via GUI or official repository

# Verify database version
diec --version

Using Custom Engine Files

# Load custom detection database
diec --engine custom_sigs.db malware.exe

# Useful for:
# - Custom malware families
# - Proprietary tools
# - Internal threat intelligence
# - Research databases

Integration with Reverse Engineering Tools

Tool	Integration
IDA Pro	Identify compiler for proper analysis
Ghidra	Pre-analysis for correct architecture
x64dbg	Understand packer removal strategy
Radare2	Obtain compilation metadata
Wireshark	Correlate C&C analysis

Batch Processing Scripts

Analyze Directory of Files

#!/bin/bash
# Analyze all .exe files and create report

output_file="malware_analysis.txt"
> "$output_file"

for file in *.exe; do
    echo "=== Analyzing $file ===" >> "$output_file"
    diec -a "$file" >> "$output_file" 2>&1
    echo "" >> "$output_file"
done

echo "Analysis complete: $output_file"

JSON Batch Export

#!/bin/bash
# Export all analyses as JSON for processing

mkdir -p json_results

for file in *.exe; do
    output="json_results/${file%.exe}.json"
    diec --json "$file" > "$output"
    echo "Exported: $output"
done

Filter by Packer

#!/bin/bash
# Find all samples with specific packer

packer_name="VMProtect"

for file in *.exe; do
    if diec "$file" | grep -q "$packer_name"; then
        echo "Found $packer_name in: $file"
    fi
done

Limitations and Considerations

Database Dependent

# Detection quality relies on signature database
# DIE may not detect:
# - New/unknown packers
# - Custom/private protectors
# - Modified known signatures
# - Encrypted/obfuscated markers

False Positives/Negatives

Scenario	Handling
Unknown packer	Manual analysis required
Generic compiler	May match multiple versions
Stripped binaries	Reduced detection accuracy
Mixed toolchains	Displays all detected components

Best Practices

Always use latest DIE version for current threat detection
Cross-reference findings with other analysis tools
Consider context: legitimate software uses packers too
Combine with dynamic analysis for complete picture
Document findings for threat intelligence
Build custom databases for known malware
Use batch processing for large sample sets
Verify compiler/packer combinations manually when critical

Troubleshooting

No Detections Found

# Check if file is actually executable
file suspect.exe

# Try deep scan mode
diec --deep suspect.exe

# May indicate custom/unknown toolchain

Conflicting Detections

# Some files show multiple compiler entries
# Often legitimate (linked libraries)
# Focus on primary compilation indicator

Database Load Failures

# Verify database file integrity
diec --version

# Reinstall or update DIE
# Check file permissions on database files

Resources

Official DIE GitHub repository
Malware analysis frameworks (YARA, SIGMA)
MITRE ATT&CK for protector tactics
VirusTotal for sample analysis
Hybrid Analysis platform integration
Academic papers on packer detection

Tool	Purpose
PEiD	Legacy packer identification
ExeInfo PE	Additional packer detection
Strings	Extract compilation metadata
Objdump	ELF/PE structure analysis
YARA	Custom signature matching
Yomi	Automated malware analysis