Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Non-JSON output included in JSON output #242

Open
MalwareMechanic opened this issue Nov 6, 2024 · 1 comment
Open

Non-JSON output included in JSON output #242

MalwareMechanic opened this issue Nov 6, 2024 · 1 comment

Comments

@MalwareMechanic
Copy link

MalwareMechanic commented Nov 6, 2024
edited
Loading

When running DIE with the JSON flag (-j, --json) against PE files, non-JSON output is included regarding heuristic scan information.

DIE Version

$ diec -v
die 3.10

Basic example

$ diec --json 72fe869aa394ef0a62bb8324857770dd
[!] Heuristic scan is disabled. Use '--heuristicscan' to enable
{
    "detects": [
        {
            "filetype": "PE64",
            "info": "",
            "offset": "0",
            "parentfilepart": "Header",
            "size": "157696",
            "values": [
                {
                    "info": "",
                    "name": "Microsoft Linker",
                    "string": "Linker: Microsoft Linker(14.00.24215)",
                    "type": "Linker",
                    "version": "14.00.24215"
                },
                {
                    "info": "LTCG/C++",
                    "name": "Microsoft Visual C/C++",
                    "string": "Compiler: Microsoft Visual C/C++(19.00.24215)[LTCG/C++]",
                    "type": "Compiler",
                    "version": "19.00.24215"
                },
                {
                    "info": "",
                    "name": "Visual Studio",
                    "string": "Tool: Visual Studio(2015)",
                    "type": "Tool",
                    "version": "2015"
                }
            ]
        }
    ]
}

The warning is logged at:

Detect-It-Easy/db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg

Line 111 in df025d3

log(logType.warning, "Heuristic scan is disabled. Use '--heuristicscan' to enable");

Additional examples

Below are additional examples of heuristic scan information included in JSON output.

$ diec --json --heuristicscan 72fe869aa394ef0a62bb8324857770dd
[!] To get the full heuristic scan result use '--verbose'
[HEUR/About] Generic Heuristic Analysis by DosX (@DosX_dev)
[HEUR] Scanning has begun!
[HEUR] Scan completed.
{
    "detects": [
        {
            "filetype": "PE64",
            "info": "",
            "offset": "0",
            "parentfilepart": "Header",
            "size": "157696",
            "values": [
                {
                    "info": "",
                    "name": "Microsoft Linker",
                    "string": "Linker: Microsoft Linker(14.00.24215)",
                    "type": "Linker",
                    "version": "14.00.24215"
                },
                {
                    "info": "LTCG/C++",
                    "name": "Microsoft Visual C/C++",
                    "string": "Compiler: Microsoft Visual C/C++(19.00.24215)[LTCG/C++]",
                    "type": "Compiler",
                    "version": "19.00.24215"
                },
                {
                    "info": "",
                    "name": "Visual Studio",
                    "string": "Tool: Visual Studio(2015)",
                    "type": "Tool",
                    "version": "2015"
                }
            ]
        }
    ]
}

$ diec --json --heuristicscan --verbose 72fe869aa394ef0a62bb8324857770dd
[HEUR/About] Generic Heuristic Analysis by DosX (@DosX_dev)
[HEUR] Scanning has begun!
[HEUR] Scanning to programming language has started!
[HEUR] Scan completed.
{
    "detects": [
        {
            "filetype": "PE64",
            "info": "",
            "offset": "0",
            "parentfilepart": "Header",
            "size": "157696",
            "values": [
                {
                    "info": "AMD64, 64-bit, DLL",
                    "name": "Windows",
                    "string": "Operation system: Windows(Vista)[AMD64, 64-bit, DLL]",
                    "type": "Operation system",
                    "version": "Vista"
                },
                {
                    "info": "",
                    "name": "Microsoft Linker",
                    "string": "Linker: Microsoft Linker(14.00.24215)",
                    "type": "Linker",
                    "version": "14.00.24215"
                },
                {
                    "info": "LTCG/C++",
                    "name": "Microsoft Visual C/C++",
                    "string": "Compiler: Microsoft Visual C/C++(19.00.24215)[LTCG/C++]",
                    "type": "Compiler",
                    "version": "19.00.24215"
                },
                {
                    "info": "",
                    "name": "C++",
                    "string": "Language: C++",
                    "type": "Language",
                    "version": ""
                },
                {
                    "info": "",
                    "name": "Visual Studio",
                    "string": "Tool: Visual Studio(2015)",
                    "type": "Tool",
                    "version": "2015"
                }
            ]
        }
    ]
}
@MalwareMechanic MalwareMechanic mentioned this issue Nov 6, 2024
Closed
@horsicq
Copy link
Owner

horsicq commented Nov 6, 2024

Thanks a lot for the bugreport! It will be fixed. You can just remove/comment the log functions in the *.sg files

josh-feather added a commit to josh-feather/CAPEv2 that referenced this issue Jan 29, 2025
@josh-feather
Ignore non-JSON output in detect-it-easy output
c07a187 
The `diec` binary outputs non-JSON output in JSON mode, causing the parsing to fail. For example:

```text
[!] Heuristic scan is disabled. Use --heuristicscan to enable
{
    "detects": [
        {
            "filetype": "PE64",
            "info": "",
            "offset": "0",
            "parentfilepart": "Header",
            "size": "3488048",
            "values": [
                {
                    "info": "",
                    "name": "Microsoft Linker",
                    "string": "Linker: Microsoft Linker(14.22.27905)",
                    "type": "Linker",
                    "version": "14.22.27905"
                },
                {
                    "info": "C++",
                    "name": "Microsoft Visual C/C++",
                    "string": "Compiler: Microsoft Visual C/C++(19.22.27905)[C++]",
                    "type": "Compiler",
                    "version": "19.22.27905"
                },
                {
                    "info": "",
                    "name": "Visual Studio",
                    "string": "Tool: Visual Studio(2019, v16.2)",
                    "type": "Tool",
                    "version": "2019, v16.2"
                }
            ]
        }
    ]
}```

There is a related issue noted against the DIE project:
horsicq/Detect-It-Easy#242
@josh-feather josh-feather mentioned this issue Jan 29, 2025
Merged
josh-feather added a commit to josh-feather/CAPEv2 that referenced this issue Jan 29, 2025
@josh-feather
Ignore non-JSON output in detect-it-easy output
6ca1ebc 
The `diec` binary outputs non-JSON output in JSON mode, causing the parsing to fail. For example:

```text
[!] Heuristic scan is disabled. Use --heuristicscan to enable
{
    "detects": [
        {
            "filetype": "PE64",
            "info": "",
            "offset": "0",
            "parentfilepart": "Header",
            "size": "3488048",
            "values": [
                {
                    "info": "",
                    "name": "Microsoft Linker",
                    "string": "Linker: Microsoft Linker(14.22.27905)",
                    "type": "Linker",
                    "version": "14.22.27905"
                },
                {
                    "info": "C++",
                    "name": "Microsoft Visual C/C++",
                    "string": "Compiler: Microsoft Visual C/C++(19.22.27905)[C++]",
                    "type": "Compiler",
                    "version": "19.22.27905"
                },
                {
                    "info": "",
                    "name": "Visual Studio",
                    "string": "Tool: Visual Studio(2019, v16.2)",
                    "type": "Tool",
                    "version": "2019, v16.2"
                }
            ]
        }
    ]
}
```

There is a related issue noted against the DIE project:
horsicq/Detect-It-Easy#242
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@horsicq @MalwareMechanic