Detect It Easy (DIE) is a file-type and signature identification tool: it tells you which compiler, linker, packer, protector, installer or SFX stub produced an executable, using a script-based signature database. It handles PE (Windows), ELF (Linux), Mach-O (macOS) and other formats (including .NET assemblies and Android DEX/APK), which makes it a standard first step in malware triage and reverse engineering: knowing the toolchain and the packer before opening a sample in a disassembler avoids wasting time on a packer stub instead of the payload.
# Windows: download a release build (the GUI, console and lite versions ship together)
# https://github.com/horsicq/Detect-It-Easy/releases
# Linux: build from source (needs git and the Qt 5 development packages)
git clone --recursive https://github.com/horsicq/Detect-It-Easy.git
cd Detect-It-Easy
# The repository ships a build script that runs the qmake/make steps for you
bash -x build_lin64.sh
# Equivalent manual build
mkdir build && cd build
qmake ..
make
sudo make install
# Debian/Ubuntu: .deb packages are published on the releases page (file name follows the release asset)
sudo dpkg -i die_*.deb
# macOS: use the release build, or Homebrew if a formula/cask is available for your version
brew install detect-it-easy
# Basic syntax (console version)
diec [OPTIONS] <file>
# GUI version (hex viewer, entropy viewer, import table and the signature editor live here)
die [file]
# Lightweight GUI
diel [file]
| Option | Description |
|---|---|
| -h, --help | Show help (the authoritative option list for your build) |
| -v, --version | Display version |
| -d, --deepscan | Deep scan: run the full signature set instead of the fast path |
| -H, --heuristicscan | Heuristic scan: also report weak, non-signature indicators |
| -r, --recursivescan | Recursive scan: descend into embedded files (overlays, archives, resources) |
| -e, --entropy | Print entropy per region, a quick packed/encrypted indicator |
| -i, --info | Print file info (format, architecture, entry point) |
| -j, --json | Output results as JSON |
| -x, --xml | Output results as XML |
| -c, --csv | Output results as CSV |
| -t, --tsv | Output results as TSV |
| -D, --database <dir> | Use a custom signature database directory instead of the bundled db/ |
Option names above are those of the DIE 3.x console build; run `diec --help` to confirm the list for your version.
# Analyze an executable for compiler and linker signatures
diec malware.exe
# Output shows one line per detection (names depend on the database version), e.g.:
# PE32
#     Compiler: Microsoft Visual C/C++(2013)[-]
#     Linker: Microsoft Linker(12.0)[GUI32]
# Linker 12.0 is the Visual Studio 2013 toolset, which links against the MSVCR120/MSVCP120 runtime DLLs
| Compiler | Signatures |
|---|---|
| MSVC (Microsoft) | Rich header (tool IDs and build numbers), linker version in the PE optional header, CRT startup stub at the entry point |
| GCC/MinGW | GCC version strings in .comment (ELF) or .rdata, mingw CRT startup code, DWARF/SEH exception tables |
| Clang | LLVM/clang version strings, exception handling structures matching the target (Itanium or MSVC style) |
| Borland/Embarcadero Delphi and C++ Builder | VCL class names and RTTI, Borland linker version, BDE library references |
| Visual Basic 6 | Import of the VB runtime (MSVBVM60.DLL), "VB5!" project signature referenced from the entry point |
| Go | Go build ID string, pclntab and runtime symbol names |
# Visual Studio 2015 (cl 19.0, linker 14.0)
diec vs2015_app.exe
# Visual Studio 2019 (cl 19.2x, linker 14.2x; e.g. 19.28/14.28 is 16.8-16.9)
diec vs2019_app.exe
# Visual Studio 2022 (cl 19.3x, linker 14.3x)
diec vs2022_app.exe
# DIE maps the linker version (MajorLinkerVersion.MinorLinkerVersion in the optional header) and the
# Rich header build numbers to a Visual Studio release; the linker version is the compiler version minus 5
# Scan for known packers (deep scan runs the full signature set)
diec -d packed.exe
# Example detections (format is "Type: Name(version)[info]"):
# Packer: UPX(3.96)[NRV,brute]
# Packer: PECompact(2.X)[-]
# Packer: ASPack(2.X)[-]
# Protector: Themida(2.X)[-]
# Protector: VMProtect(3.X)[-]
| Packer | Signature | Category |
|---|---|---|
| UPX | UPX0/UPX1 section names, pushad/mov esi stub at the entry point, "UPX!" marker | Compression |
| PECompact | PECompact stub at the entry point | Compression |
| ASPack | .aspack/.adata sections, ASPack stub | Compression |
| Themida | Themida/WinLicense runtime, virtualized entry point | Anti-analysis (protector) |
| VMProtect | .vmp0/.vmp1 sections, VM bytecode handlers | Anti-analysis (protector) |
| Code Virtualizer | Oreans virtual machine | Anti-analysis (protector) |
| kkrunchy | kkrunchy depacker stub | Compression (demoscene executable compressor) |
| RLPack | RLPack stub | Compression |
| PEtite | .petite section, PEtite stub | Compression |
| QuickPack | QuickPack stub | Compression |
# Analyze a suspected polymorphic or custom-packed sample (entropy per region helps here)
diec -d -e suspicious.exe
# Look for:
# - Sections with entropy close to 8 bits/byte (compressed or encrypted payload)
# - An entry point outside .text, typically in the last section (the packer's stub)
# - A tiny import table (only LoadLibrary/GetProcAddress), rebuilt at runtime
# - Unusual or empty section names, raw size 0 with a large virtual size
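The entropy indicator above, worked through as an added example (this is not code from Detect It Easy; `diec -e` computes entropy per region of a file, and this reproduces the idea on raw bytes so the threshold can be reasoned about). The 7.0 bit/byte cut-off is an assumed rule of thumb, not a DIE constant, and the three "sections" are constructed in-line rather than read from a real binary.

```python
"""Per-region Shannon entropy as a packed/encrypted-section heuristic.

Added example, not code from Detect It Easy. `diec -e` prints entropy per
region of a file; this reproduces the idea on raw bytes so the threshold
can be reasoned about. The 7.0 bit/byte cut-off is a common rule of thumb
(assumed here, not a DIE constant), and the sample regions are constructed
in-line rather than read from a real binary.
"""
import hashlib
import math
from collections import Counter
from typing import List, Tuple

PACKED_THRESHOLD = 7.0    # bits per byte; assumed rule of thumb
PADDING_THRESHOLD = 1.0

Region = Tuple[str, bytes]


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_region(name: str, data: bytes) -> Tuple[str, float, str]:
    """Return (name, entropy, verdict) for one section-like region."""
    h = shannon_entropy(data)
    if h >= PACKED_THRESHOLD:
        verdict = "likely compressed/encrypted"
    elif h < PADDING_THRESHOLD:
        verdict = "mostly padding/zeros"
    else:
        verdict = "plain code/data"
    return name, round(h, 2), verdict


def scan_regions(regions: List[Region]) -> List[Tuple[str, float, str]]:
    return [classify_region(name, data) for name, data in regions]


def entry_point_suspicious(ep_section: str, regions: List[Region]) -> bool:
    """Packer stubs usually live in the last section: flag an entry point there rather than in the first code section."""
    names = [name for name, _ in regions]
    if not names:
        return False
    return ep_section == names[-1] and ep_section != names[0]


def sample_regions() -> List[Region]:
    """Constructed stand-ins for three sections: x86-like prologue bytes plus strings,
    zero padding, and a high-entropy payload (deterministic SHA-256 chain)."""
    code = b"\x55\x8b\xec\x83\xec\x40" * 200 + b"Hello from a plain .text section\n" * 50
    padding = b"\x00" * 4096
    payload = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(256))
    return [(".text", code), (".data", padding), ("UPX1", payload)]


if __name__ == "__main__":
    for name, h, verdict in scan_regions(sample_regions()):
        print(f"{name:8s} {h:5.2f} bits/byte  {verdict}")
    print("entry point in UPX1 suspicious:", entry_point_suspicious("UPX1", sample_regions()))
```

Plain compiled code sits around 5-6.5 bits/byte, so a whole section above 7 is worth a second look; note that legitimate resources (compressed images, embedded archives) score just as high, which is why the entry-point location is checked alongside the entropy.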
# Detect code virtualization and obfuscation
diec -d malware.exe
# Possible detections (DIE names the protector; the individual tricks it implements are listed below):
# Protector: VMProtect - code virtualization
# Protector: Themida - code virtualization plus anti-debugging
# Protector: Safengine Shielden - anti-debugging and code virtualization
| Protection | Indicator |
|---|---|
| IsDebuggerPresent / CheckRemoteDebuggerPresent | Imported from kernel32 (visible in the import table) |
| PEB BeingDebugged / NtGlobalFlag | Direct reads of fs:[30h] (x86) or gs:[60h] (x64) instead of an API call |
| Hardware breakpoints | Reads of DR0-DR7 via GetThreadContext or the CONTEXT passed to an exception handler |
| RDTSC / QueryPerformanceCounter checks | Timing deltas measured around sensitive code |
| INT 3 / INT 2D | Deliberate exceptions whose handling differs when a debugger is attached |
| NtQueryInformationProcess (ProcessDebugPort) / NtSetInformationThread (ThreadHideFromDebugger) | Imported from ntdll or resolved at runtime |
DIE reports these only indirectly, by naming the protector; confirm them from the import table (the `die` GUI has an import viewer) or in a disassembler.
# Scan for anti-RE features
diec -d -H protected.exe
# Look for:
# - Custom exception handlers (SEH/VEH registration at the entry point)
# - API redirection tables (imports resolved through protector trampolines)
# - Encrypted or near-empty IAT (Import Address Table)
# - Self-modifying code markers (writable code sections, RWX sections)
# - Integrity check routines (checksums over the code section)
# Step 1: Quick packer/protector detection (DIE labels these lines "Packer:" and "Protector:")
diec malware.exe | grep -iE "packer|protector"
# Step 2: Compiler and linker identification
diec malware.exe | grep -iE "compiler|linker"
# Step 3: Protection mechanisms, with the full signature set and heuristics
diec -d -H malware.exe | grep -iE "protector|anti|vm"
# Step 4: Library and framework detection
diec malware.exe | grep -iE "library|\.net|framework"
# Check for unusual toolchain combinations
diec sample.exe
# Flag suspicious indicators:
# - Compiler and linker from different toolsets (e.g. an old MSVC compiler with a much newer linker)
# - Rich header that disagrees with the linker version (edited or forged header)
# - Several compiler signatures in one binary (a crypter stub wrapped around a payload)
# - Very old compilers (VC6, Delphi 7) are common in malware, but also in legacy software, so treat this as context, not proof
# Export findings for analysis
diec -j malware.exe > findings.json
# Each detection is an object under detects[].values[] with type, name, version, info and string fields
# Extract compiler entries
jq -r '.detects[].values[] | select(.type == "Compiler") | "\(.name) \(.version)"' findings.json
# Extract all detections as "Type: name version"
jq -r '.detects[].values[] | "\(.type): \(.name) \(.version)"' findings.json
diec malware.exe
# Example output (illustrative; exact names and versions come from the signature database of your build).
# Detections are grouped under the detected file type, one per line as "Type: Name(version)[info]":
PE32
    Compiler: Microsoft Visual C/C++(2015)[-]
    Linker: Microsoft Linker(14.0)[GUI32]
    Protector: Themida(2.X)[-]
diec --json malware.exe
# Example structure (DIE 3.x; the same detections as the text output above):
{
    "detects": [
        {
            "filetype": "PE32",
            "parentfilepart": "Header",
            "values": [
                {
                    "info": "-",
                    "name": "Microsoft Visual C/C++",
                    "string": "Compiler: Microsoft Visual C/C++(2015)[-]",
                    "type": "Compiler",
                    "version": "2015"
                },
                {
                    "info": "GUI32",
                    "name": "Microsoft Linker",
                    "string": "Linker: Microsoft Linker(14.0)[GUI32]",
                    "type": "Linker",
                    "version": "14.0"
                },
                {
                    "info": "-",
                    "name": "Themida",
                    "string": "Protector: Themida(2.X)[-]",
                    "type": "Protector",
                    "version": "2.X"
                }
            ]
        }
    ]
}
# Analyze multiple files and log results
for file in *.exe; do
echo "Analyzing $file..." >> analysis.log
diec "$file" >> analysis.log
echo "---" >> analysis.log
done
# Compare a known sample with a suspect sample
diec known_malware.exe > known.txt
diec suspect_sample.exe > suspect.txt
# Compare detections
diff known.txt suspect.txt
# The same compiler/packer pair is weak evidence of a variant: confirm with code similarity (e.g. YARA rules or function hashes) after unpacking
# Family characteristics by compiler/packer combination
diec sample1.exe # WinRAR SFX stub + UPX = Family A
diec sample2.exe # MSVC 2013 + Themida = Family B
# Build a threat intelligence profile from the toolchain fingerprint
# Commodity malware often ships inside a commercial protector; custom crypters are usually not in the database
diec ransomware.exe
# Common findings:
# - VMProtect (code virtualization; expensive to analyze)
# - Code Virtualizer (Oreans virtual machine)
# - Themida (virtualization plus anti-debugging)
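The JSON export and the family clustering described above, combined into one added example (not part of Detect It Easy). It assumes the diec 3.x JSON schema, `{"detects": [{"filetype", "parentfilepart", "values": [{"type", "name", "version", "info", "string"}]}]}`, and tolerates missing keys; `scan_with_diec()` shells out to a real `diec` only if one is on PATH, while the `SAMPLE_OUTPUTS` it clusters are constructed strings in that schema, not real scan results. The type labels in `WRAPPER_TYPES` are assumed.

```python
"""Parse diec JSON output and cluster samples by toolchain fingerprint.

Added example, not part of Detect It Easy. It assumes the diec 3.x JSON
schema: {"detects": [{"filetype", "parentfilepart", "values": [{"type",
"name", "version", "info", "string"}]}]} and tolerates missing keys.
scan_with_diec() shells out to a real diec if one is on PATH; the
SAMPLE_OUTPUTS below are constructed strings in that schema, not real
scan results, and the labels in WRAPPER_TYPES are assumed.
"""
import json
import shutil
import subprocess
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Detection = Dict[str, str]
WRAPPER_TYPES = {"packer", "protector", "sfx"}   # outer layers worth grouping on (assumed, lower-cased)


def parse_diec_json(text: str) -> List[Detection]:
    """Flatten diec -j output: one dict per detection, tagged with the file part it came from."""
    doc = json.loads(text) if text.strip() else {}
    out: List[Detection] = []
    for block in doc.get("detects", []):
        for v in block.get("values", []):
            out.append({
                "filetype": block.get("filetype", ""),
                "part": block.get("parentfilepart", ""),
                "type": v.get("type", ""),
                "name": v.get("name", ""),
                "version": v.get("version", ""),
                "info": v.get("info", ""),
            })
    return out


def scan_with_diec(path: str, deep: bool = True) -> Optional[List[Detection]]:
    """Run the installed diec (-j, plus -d for a deep scan); None if diec is not on PATH."""
    exe = shutil.which("diec")
    if exe is None:
        return None
    args = [exe, "-j"] + (["-d"] if deep else []) + [path]
    proc = subprocess.run(args, capture_output=True, text=True, check=False)
    return parse_diec_json(proc.stdout)


def _label(d: Detection) -> str:
    return f"{d['name']} {d['version']}".strip()


def fingerprint(dets: List[Detection]) -> Tuple[str, str]:
    """(compiler, outer layer): the outer layer is the first packer/protector/SFX detection, else 'none'."""
    compiler = next((_label(d) for d in dets if d["type"].lower() == "compiler"), "unknown")
    wrapper = next((_label(d) for d in dets if d["type"].lower() in WRAPPER_TYPES), "none")
    return compiler, wrapper


def is_suspicious(dets: List[Detection]) -> bool:
    """Triage heuristic: any packer/protector layer, or more than one compiler (a stub wrapped around a payload)."""
    types = [d["type"].lower() for d in dets]
    return any(t in WRAPPER_TYPES for t in types) or types.count("compiler") > 1


def group_by_toolchain(results: Dict[str, List[Detection]]) -> Dict[Tuple[str, str], List[str]]:
    """Map each (compiler, outer layer) pair to the sample names that share it."""
    groups: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for sample, dets in results.items():
        groups[fingerprint(dets)].append(sample)
    return dict(groups)


def _doc(*values: Tuple[str, str, str]) -> str:
    """Build a constructed diec-style JSON document from (type, name, version) triples."""
    vals = [{"type": t, "name": n, "version": v, "info": "-", "string": f"{t}: {n}({v})[-]"} for t, n, v in values]
    return json.dumps({"detects": [{"filetype": "PE32", "parentfilepart": "Header", "values": vals}]})


# Constructed scan results: two MSVC 2013 + Themida samples (likely one family) and one clean MSVC 2019 build.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "sample1.exe": _doc(("Compiler", "Microsoft Visual C/C++", "2013"), ("Linker", "Microsoft Linker", "12.0"), ("Protector", "Themida", "2.X")),
    "sample2.exe": _doc(("Linker", "Microsoft Linker", "12.0"), ("Compiler", "Microsoft Visual C/C++", "2013"), ("Protector", "Themida", "2.X")),
    "sample3.exe": _doc(("Compiler", "Microsoft Visual C/C++", "2019"), ("Linker", "Microsoft Linker", "14.2")),
}


if __name__ == "__main__":
    parsed = {name: parse_diec_json(text) for name, text in SAMPLE_OUTPUTS.items()}
    for key, members in group_by_toolchain(parsed).items():
        flag = "SUSPICIOUS" if any(is_suspicious(parsed[m]) for m in members) else "clean"
        print(f"{key[0]} + {key[1]}: {members} [{flag}]")
```

To run it over a directory of real samples, replace `SAMPLE_OUTPUTS` with `{p: scan_with_diec(p) for p in paths}`; the grouping key is deliberately coarse, because the toolchain pair is a triage hint, not a family attribution on its own.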
# Identify linked libraries
diec executable.exe
# Common findings:
# - MSVC Runtime (CRT)
# - Windows SDK functions
# - OpenSSL (if linked)
# - Crypto++ (if present)
# - Boost libraries (C++)
| Detection | Indicates |
|---|---|
| .NET Framework | Managed code (CLR runtime, CIL), analyze with a .NET decompiler rather than a native disassembler |
| Java Runtime | JAR/class files (JVM bytecode) |
| Python | Bundled interpreter plus compiled scripts (PyInstaller, py2exe) |
| Mono | Cross-platform .NET runtime |
| Qt Framework | Cross-platform GUI, C++ |
| wxWidgets | Cross-platform UI, C++ |
# Windows executable (PE)
diec malware.exe
# Linux executable (ELF)
diec ./malware
# macOS executable (Mach-O)
diec malware.app/Contents/MacOS/malware
# Each format has different signature patterns
# Analysis differences by format:
# PE: MSVC, Borland, direct Win32 APIs
# ELF: GCC, Clang, glibc functions
# Mach-O: Apple Clang, Objective-C, frameworks
# DIE's signatures are script files under the db/ directory shipped next to the binary,
# organised per format (db/PE, db/ELF, db/MACH, ...)
# Updating the database means updating DIE, or pulling the db/ directory from the repository
diec --version   # program version; the signature database is the db/ tree of that release
# Use a custom signature database directory (same layout as db/)
diec -D ./custom_db malware.exe
# Useful for:
# - Signatures for malware families tracked in-house
# - Proprietary packers or build tools
# - Internal threat intelligence
# - Research databases
# Signatures are written in DIE's JavaScript-like script language; the GUI's signature editor lets you test a new script against a sample
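What a signature in such a database actually does, for both the packer table above and the custom-database section here, as an added example: entry-point byte matching with wildcards, the mechanism behind DIE scripts that compare bytes at the entry point. This is not DIE's own code or its script language; the pattern syntax (hex bytes, `..` as a one-byte wildcard) mirrors the DIE convention, the PE parsing is a minimal RVA-to-file-offset walk for PE32, and the scanned "file" is a constructed byte blob rather than a real binary. The UPX pattern is the classic x86 stub prologue (pushad; mov esi, ...; lea edi, [esi+...]; push edi; or ebp, -1); the MSVC entry is the usual call/jmp pair into the CRT; both are illustrative entries, not DIE's database.

```python
"""Entry-point byte-pattern matching with wildcards, as a DIE-style signature does.

Added example, not code from Detect It Easy. Patterns use hex bytes with ".."
as a one-byte wildcard (the DIE convention); the PE walk is PE32-only and
minimal; build_sample_pe() constructs a fake PE in memory. The signature
entries are illustrative, not DIE's database.
"""
import struct
from typing import Dict, List, Optional, Tuple

# (type, name, entry-point pattern) - assumed illustrative entries
SIGNATURES: List[Tuple[str, str, str]] = [
    ("Packer", "UPX", "60BE........8DBE........5783CDFF"),          # pushad; mov esi,x; lea edi,[esi+y]; push edi; or ebp,-1
    ("Compiler", "MSVC-style CRT startup", "E8........E9........"),  # call __security_init_cookie; jmp CRT main
]


def parse_pattern(pattern: str) -> List[Optional[int]]:
    """'60..BE' -> [0x60, None, 0xBE]; None matches any byte."""
    if len(pattern) % 2:
        raise ValueError("pattern must have an even number of hex digits")
    pairs = [pattern[i:i + 2] for i in range(0, len(pattern), 2)]
    return [None if p == ".." else int(p, 16) for p in pairs]


def match_at(data: bytes, offset: int, pattern: List[Optional[int]]) -> bool:
    """True if every non-wildcard byte of the pattern matches data at offset."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def entry_point_offset(pe: bytes) -> int:
    """Translate AddressOfEntryPoint (an RVA) to a file offset using the section table (PE32)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                  # optional header follows the 20-byte COFF header
    ep_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint
    sections = opt + opt_size
    for i in range(num_sections):
        s = sections + 40 * i
        vsize, vaddr, rsize, raw = struct.unpack_from("<IIII", pe, s + 8)
        if vaddr <= ep_rva < vaddr + max(vsize, rsize):
            return raw + (ep_rva - vaddr)
    raise ValueError("entry point not inside any section")


def scan_entry_point(pe: bytes) -> List[Dict[str, str]]:
    """Return every signature whose pattern matches at the entry point."""
    ep = entry_point_offset(pe)
    return [{"type": t, "name": n} for t, n, pat in SIGNATURES if match_at(pe, ep, parse_pattern(pat))]


def build_sample_pe(stub: bytes, section_name: bytes = b"UPX1") -> bytes:
    """Construct a minimal PE32 image (not a real file) with one section whose first bytes are `stub`,
    and the entry point at the start of that section."""
    e_lfanew, raw_ptr, vaddr = 0x40, 0x200, 0x1000
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, opt hdr 224
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, vaddr)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase
    section = section_name.ljust(8, b"\0") + struct.pack("<IIII", 0x1000, vaddr, 0x200, raw_ptr) + b"\0" * 16
    header = (dos + coff + bytes(opt) + section).ljust(raw_ptr, b"\0")
    return header + stub.ljust(0x200, b"\0")


if __name__ == "__main__":
    # Constructed UPX-like stub bytes: pushad; mov esi,0x40A000; lea edi,[esi-0x9000]; push edi; or ebp,-1
    upx_like = build_sample_pe(bytes.fromhex("60BE00A040008DBE0070FFFF5783CDFF"))
    msvc_like = build_sample_pe(bytes.fromhex("E812340000E956780000"), b".text")
    for label, image in (("upx-like", upx_like), ("msvc-like", msvc_like)):
        print(label, hex(entry_point_offset(image)), scan_entry_point(image))
```

The wildcard bytes are what make such a signature survive different link addresses; a signature that hard-codes them breaks on every rebuild, which is the usual reason a slightly modified packer stub goes undetected.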
| Tool | Integration |
|---|---|
| IDA Pro | Pick the right compiler/FLIRT signatures and decide whether to unpack before analysis |
| Ghidra | Choose the loader and compiler spec from DIE's format/toolchain result |
| x64dbg | Decide the unpacking strategy (known packer stub vs. manual OEP hunting) |
| Radare2 | Cross-check compiler and linker metadata |
| YARA | Port a DIE detection into a rule for fleet-wide hunting |
#!/bin/bash
# Analyze all .exe files and create report
output_file="malware_analysis.txt"
> "$output_file"
for file in *.exe; do
echo "=== Analyzing $file ===" >> "$output_file"
diec -d "$file" >> "$output_file" 2>&1
echo "" >> "$output_file"
done
echo "Analysis complete: $output_file"
#!/bin/bash
# Export all analyses as JSON for processing
mkdir -p json_results
for file in *.exe; do
output="json_results/${file%.exe}.json"
diec --json "$file" > "$output"
echo "Exported: $output"
done
#!/bin/bash
# Find all samples with specific packer
packer_name="VMProtect"
for file in *.exe; do
if diec "$file" | grep -q "$packer_name"; then
echo "Found $packer_name in: $file"
fi
done
# Detection quality relies on signature database
# DIE may not detect:
# - New/unknown packers
# - Custom/private protectors
# - Modified known signatures
# - Encrypted/obfuscated markers
| Scenario | Handling |
|---|---|
| Unknown packer | Manual analysis required |
| Generic compiler | May match multiple versions |
| Stripped binaries | Reduced detection accuracy |
| Mixed toolchains | Displays all detected components |
- Always use latest DIE version for current threat detection
- Cross-reference findings with other analysis tools
- Consider context: legitimate software uses packers too
- Combine with dynamic analysis for complete picture
- Document findings for threat intelligence
- Build custom databases for known malware
- Use batch processing for large sample sets
- Verify compiler/packer combinations manually when critical
# No detection at all: check that the file really is an executable
file suspect.exe
# Try deep and heuristic scan modes
diec -d -H suspect.exe
# Still nothing: custom or unknown toolchain, or a modified packer stub that no longer matches its signature
# Multiple compiler entries
# Often legitimate (statically linked libraries, mixed C and Delphi components)
# Focus on the entry-point detection (linker/compiler); payload compilers only become visible after unpacking
# Database errors
diec --version
# Make sure the db/ directory sits next to the diec binary (or pass it with -D) and is readable
# Reinstall or update DIE if signature scripts were modified
- Official DIE GitHub repository
- Malware analysis frameworks (YARA, SIGMA)
- MITRE ATT&CK T1027.002 (Obfuscated Files or Information: Software Packing)
- VirusTotal for sample analysis
- Hybrid Analysis platform integration
- Academic papers on packer detection
| Tool | Purpose |
|---|---|
| PEiD | Legacy packer identification |
| ExeInfo PE | Additional packer detection |
| Strings | Extract compilation metadata |
| Objdump | ELF/PE structure analysis |
| YARA | Custom signature matching |
| Yomi | Automated malware analysis |