Windows.Applications.DIEC

Execute DetectItEasy (console version) on specified paths and return rows of results to hunt/filter on binaries based types of files (E.g.: Packed binaries and its packers)

name: Windows.Applications.DIEC
description: |
    Execute DetectItEasy (console version) on specified paths and return rows of results
    to hunt/filter on binaries based types of files (E.g.: Packed binaries and its packers)

author: Eduardo Mattos - @eduardfir

reference:
  - https://github.com/horsicq/Detect-It-Easy

type: CLIENT

tools:
  - name: DIEC
    url: https://github.com/horsicq/DIE-engine/releases/download/3.03b/die_win64_portable_3.03.zip

precondition: SELECT OS From info() where OS = 'windows'

parameters:
  - name: TargetGlob
    default: C:\Users\**\*.{exe,dll}
 
  - name: EntropyScan
    type: bool

sources:
  - query: |
        -- preparation
        LET Toolzip <= SELECT FullPath FROM Artifact.Generic.Utils.FetchBinary(ToolName="DIEC", IsExecutable=FALSE)
        LET TmpDir <= tempdir(remove_last=TRUE)
        LET UnzipIt <= SELECT * FROM unzip(filename=Toolzip.FullPath, output_directory=TmpDir)
        
        LET Targets <= SELECT FullPath FROM glob(globs=TargetGlob)
        
        -- execute DIEC
        LET ExecDIEC <= SELECT * FROM if(condition=EntropyScan,
                        then={ -- execute EntropyScan
                            SELECT * FROM foreach(row=Targets,
                                query={ 
                                    SELECT parse_json(data=Stdout) as DiecOutput, FullPath 
                                    FROM execve(argv=[
                                        TmpDir + "/die_win64_portable/diec.exe", 
                                        "-e",
                                        "-j",
                                        FullPath])
                                })
                        },
                        else={ -- execute DeepScan
                            SELECT * FROM foreach(row=Targets,
                                query={ 
                                    SELECT parse_json(data=Stdout) as DiecOutput, FullPath 
                                    FROM execve(argv=[
                                        TmpDir + "/die_win64_portable/diec.exe", 
                                        "-d",
                                        "-j",
                                        FullPath])
                                })
                        })
                        
        -- format the output according to selected scan type
        SELECT * FROM if(condition=EntropyScan,
            then={
                SELECT 
                    DiecOutput.records as Records, 
                    DiecOutput.status as Status,
                    DiecOutput.total as Entropy,
                    FullPath
                FROM ExecDIEC
            },
            else={
                SELECT 
                    dict(Arch=DiecOutput.arch, 
                    Endianess=DiecOutput.endianess,
                    FileType=DiecOutput.filetype,
                    Mode=DiecOutput.mode,
                    Type=DiecOutput.type) as PEInfo,
                    DiecOutput.detects as Detects,
                    FullPath
                FROM ExecDIEC
            })