Convert Figma logo to code with AI

horsicq logoDetect-It-Easy

Program for determining types of files for Windows, Linux and MacOS.

7,261
711
7,261
23
View on GitHub

Top Related Projects

mentebinaria's avatar

retoolkit

4,792

Reverse Engineer's Toolkit

rizinorg's avatar

cutter

15,603

Free and Open Source Reverse Engineering Platform powered by rizin

NationalSecurityAgency's avatar

ghidra

50,446

Ghidra is a software reverse engineering (SRE) framework

mandiant's avatar

flare-floss

3,160

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.

hasherezade's avatar

pe-sieve

3,033

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

Quick Overview

Detect It Easy (DIE) is a utility that can detect the type of executable files. It supports a wide range of file formats, including PE, ELF, Mach-O, and more. DIE can be used to quickly identify the file type and architecture of a given binary, which can be useful for reverse engineering, malware analysis, and other security-related tasks.

Pros

  • Extensive File Format Support: DIE can detect a wide range of file formats, including PE, ELF, Mach-O, Java class files, and many others.
  • Cross-Platform: DIE is available for Windows, Linux, and macOS, making it a versatile tool for various operating systems.
  • Actively Maintained: The project is actively maintained, with regular updates and bug fixes.
  • Open-Source: DIE is an open-source project, allowing users to contribute, customize, and extend the tool as needed.

Cons

  • Command-Line Interface: DIE primarily has a command-line interface, which may not be as user-friendly as a graphical user interface (GUI) for some users.
  • Limited Automation: While DIE can be used in scripts, it may lack some advanced automation features compared to other file analysis tools.
  • Steep Learning Curve: The extensive file format support and configuration options in DIE can make it challenging for new users to get started.
  • Potential False Positives: As with any file analysis tool, DIE may occasionally produce false positive results, especially for less common or obfuscated file formats.

Code Examples

Here are a few examples of how to use DIE in your code:

  1. Detecting the file type of a binary:
from die import DIE

file_path = "path/to/your/binary"
die = DIE()
result = die.analyze(file_path)
print(result.get_type())
  1. Extracting file information:
from die import DIE

file_path = "path/to/your/binary"
die = DIE()
result = die.analyze(file_path)
print(result.get_info())
  1. Checking the file architecture:
from die import DIE

file_path = "path/to/your/binary"
die = DIE()
result = die.analyze(file_path)
print(result.get_architecture())
  1. Saving the analysis report:
from die import DIE

file_path = "path/to/your/binary"
die = DIE()
result = die.analyze(file_path)
result.save_report("analysis_report.txt")

Getting Started

To get started with DIE, follow these steps:

  1. Install DIE:

    • On Windows, you can download the latest release from the GitHub repository.
    • On Linux or macOS, you can install DIE using your package manager (e.g., apt-get, brew) or by compiling the source code.

  2. Run DIE from the command line:

    • On Windows, open a command prompt and navigate to the DIE directory, then run die.exe.
    • On Linux or macOS, open a terminal, navigate to the DIE directory, and run ./die.

  3. Analyze a file:

    • To analyze a file, simply pass the file path as an argument to the die command, e.g., die path/to/your/binary.
    • DIE will then display the file type, architecture, and other relevant information.

  4. Customize DIE:

    • DIE has a wide range of configuration options, which you can find in the documentation.
    • You can customize the file detection rules, output format, and other settings to suit your needs.

That's the basic getting started guide for DIE. For more advanced usage and features, please refer to the project's documentation and GitHub repository.

Competitor Comparisons

mentebinaria logo

retoolkit

4,792

Reverse Engineer's Toolkit

Pros of retoolkit

  • Provides a wide range of tools for reverse engineering, including disassemblers, debuggers, and binary analysis utilities.
  • Supports multiple file formats and architectures, making it a versatile tool for analyzing various types of binaries.
  • Offers a user-friendly interface with a modern design, making it easier to navigate and use.

Cons of retoolkit

  • May have a steeper learning curve compared to Detect-It-Easy, as it offers a more comprehensive set of features.
  • Some users may find the interface less intuitive or overwhelming, especially for those new to reverse engineering.
  • Requires more system resources than Detect-It-Easy, which may be a concern for users with limited hardware.

Code Comparison

Detect-It-Easy:

def detect_file(filename):
    try:
        with open(filename, 'rb') as f:
            data = f.read()
            for rule in rules:
                if rule.match(data):
                    return rule.name
    except:
        pass
    return 'Unknown'

retoolkit:

def analyze_file(filename):
    try:
        with open(filename, 'rb') as f:
            data = f.read()
            for analyzer in analyzers:
                if analyzer.is_compatible(data):
                    return analyzer.analyze(data)
    except:
        pass
    return 'Unknown'

The code snippets show that both Detect-It-Easy and retoolkit have similar approaches to file analysis, where they iterate through a set of rules or analyzers to determine the file type. The main difference is that retoolkit uses a more modular approach with separate analyzer classes, while Detect-It-Easy has a more straightforward implementation.

rizinorg logo

cutter

15,603

Free and Open Source Reverse Engineering Platform powered by rizin

Pros of Cutter

  • Cutter provides a graphical user interface (GUI) for the Rizin reverse engineering framework, making it more user-friendly for beginners and those who prefer a visual approach.
  • Cutter offers a wide range of features, including disassembly, debugging, and code analysis, which can be useful for various reverse engineering tasks.
  • Cutter is actively maintained and has a growing community of contributors, ensuring regular updates and improvements.

Cons of Cutter

  • Cutter is primarily focused on the Rizin framework, which may not be as widely used as other reverse engineering tools like IDA Pro or Ghidra.
  • The learning curve for Cutter may be steeper than that of Detect-It-Easy, as it requires understanding the Rizin framework and its capabilities.
  • Cutter may have a larger resource footprint compared to Detect-It-Easy, as it is a full-fledged GUI application.

Code Comparison

Detect-It-Easy (horsicq/Detect-It-Easy):

def detect_file(file_path):
    try:
        with open(file_path, 'rb') as f:
            data = f.read()
            for plugin in plugins:
                if plugin.check(data):
                    return plugin.get_name()
    except:
        pass
    return 'Unknown'

Cutter (rizinorg/cutter):

void CutterCore::loadFile(const QString &path, uint64_t loadaddr, uint64_t mapaddr, int perms, int va, int bits, bool loadbin) {
    QList<QString> warnings = this->loadList(path, loadaddr, mapaddr, perms, va, bits, loadbin);
    for (const QString &warning : qAsConst(warnings)) {
        this->addWarning(warning);
    }
    this->triggerRefreshAll();
}
NationalSecurityAgency logo

ghidra

50,446

Ghidra is a software reverse engineering (SRE) framework

Pros of Ghidra

  • Ghidra is a powerful and feature-rich reverse engineering tool, with a wide range of capabilities including disassembly, debugging, and analysis.
  • Ghidra has a large and active community, with extensive documentation and support available.
  • Ghidra is open-source and free to use, making it accessible to a wide range of users.

Cons of Ghidra

  • Ghidra has a steep learning curve, and can be challenging for beginners to use effectively.
  • Ghidra is a large and complex application, which can make it resource-intensive and slow to load on some systems.

Code Comparison

Detect-It-Easy:

def detect_file(file_path):
    try:
        with open(file_path, 'rb') as f:
            data = f.read()
            for rule in rules:
                if rule.match(data):
                    return rule.name
    except:
        pass
    return 'Unknown'

Ghidra:

public void analyzeFile(File file) {
    try {
        FileSystem fileSystem = FileSystemService.getInstance().getFileSystem(file);
        Program program = ProgramBuilder.build(file, fileSystem, TaskMonitor.DUMMY, new MessageLog());
        // Perform analysis on the program
    } catch (Exception e) {
        // Handle exceptions
    }
}
mandiant logo

flare-floss

3,160

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.

Pros of Flare-FLOSS

  • Flare-FLOSS is a powerful tool for extracting obfuscated strings from malware samples, which can be useful for reverse engineering and analysis.
  • The project has a large and active community, with regular updates and contributions from security researchers.
  • Flare-FLOSS supports a wide range of file formats, including PE, ELF, and Mach-O files.

Cons of Flare-FLOSS

  • Flare-FLOSS is primarily focused on string extraction, and may not provide the same level of functionality as Detect-It-Easy for file identification and classification.
  • The installation and setup process for Flare-FLOSS can be more complex than Detect-It-Easy, which may be a barrier for some users.

Code Comparison

Detect-It-Easy:

def get_file_info(filename):
    try:
        with open(filename, 'rb') as f:
            data = f.read()
            return {
                'filename': filename,
                'size': len(data),
                'type': get_file_type(data)
            }
    except Exception as e:
        return {
            'filename': filename,
            'size': 0,
            'type': 'Unknown'
        }

Flare-FLOSS:

def extract_strings(data, min_length=4):
    """
    Extract strings from the given data.
    """
    strings = []
    for match in re.finditer(b'[\x20-\x7E]{%d,}' % min_length, data):
        start = match.start()
        end = match.end()
        strings.append(data[start:end].decode('ascii', errors='ignore'))
    return strings
hasherezade logo

pe-sieve

3,033

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

Pros of PE-Sieve

  • PE-Sieve is designed specifically for analyzing and detecting malicious modifications in Windows PE (Portable Executable) files, making it a more specialized tool compared to Detect-It-Easy.
  • PE-Sieve provides detailed information about the detected modifications, including the type of modification and the affected module.
  • PE-Sieve supports a wide range of Windows versions, from Windows XP to the latest versions.

Cons of PE-Sieve

  • Detect-It-Easy has a more user-friendly interface and is easier to use for non-technical users, while PE-Sieve requires more technical expertise.
  • Detect-It-Easy supports a broader range of file formats, including ELF, Mach-O, and others, while PE-Sieve is focused solely on Windows PE files.

Code Comparison

Here's a brief code comparison between the two projects:

Detect-It-Easy (horsicq/Detect-It-Easy):

bool CDetectItEasy::isFileSupported(const QString& fileName)
{
    QFile file(fileName);

    if(file.open(QIODevice::ReadOnly))
    {
        QByteArray data=file.read(4);

        file.close();

        if(data.size()==4)
        {
            return isFileSupported(data);
        }
    }

    return false;
}

PE-Sieve (hasherezade/pe-sieve):

bool PESieve::checkPEFile(const std::wstring& file_path)
{
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, GetCurrentProcessId());
    if (hProcess == NULL) {
        return false;
    }

    PeParser pe_parser(file_path, hProcess);
    if (!pe_parser.loadPe()) {
        CloseHandle(hProcess);
        return false;
    }

    CloseHandle(hProcess);
    return true;
}

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Donate GitHub tag (latest SemVer) GitHub All Releases gitlocalized

OS Linux OS Windows OS MacOS

Detect It Easy

You can help with translation: https://github.com/horsicq/XTranslation

alt text alt text alt text alt text alt text

Detect It Easy, or abbreviated "DIE" is a program for determining types of files.

DIE is a cross-platform application, apart from Windows version there are also available versions for Linux and Mac OS.

Many programs of the kind (PEID, PE tools) allow to use third-party signatures. Unfortunately, those signatures scan only bytes by the pre-set mask, and it is not possible to specify additional parameters. As the result, false triggering often occur. More complicated algorithms are usually strictly set in the program itself. Hence, to add a new complex detect one needs to recompile the entire project. No one, except the authors themselves, can change the algorithm of a detect. As time passes, such programs lose relevance without the constant support.

Detect It Easy has totally open architecture of signatures. You can easily add your own algorithms of detects or modify those that already exist. This is achieved by using scripts. The script language is very similar to JavaScript and any person, who understands the basics of programming, will understand easily how it works. Possibly, someone may decide the scripts are working very slow. Indeed, scripts run slower than compiled code, but, thanks to the good optimization of Script Engine, this doesn't cause any special inconvenience. The possibilities of open architecture compensate these limitations.

DIE exists in three versions. Basic version ("die"), Lite version ("diel") and console version ("diec"). All the three use the same signatures, which are located in the folder "db". If you open this folder, nested sub-folders will be found ("Binary", "PE" and others). The names of sub-folders correspond to the types of files. First, DIE determines the type of file, and then sequentially loads all the signatures, which lie in the corresponding folder. Currently the program defines the following types:

  • MSDOS executable files MS-DOS
  • PE executable files Windows
  • ELF executable files Linux
  • MACH executable files Mac OS
  • Binary all other files

Installing

Using installation packages

Build from source

Build instructions can be found in BUILD.md.

Docker install

You can also run DIE with Docker! Of course, this requires that you have git and Docker installed.

git clone --recursive https://github.com/horsicq/Detect-It-Easy
cd Detect-It-Easy/
docker build . -t horsicq:diec

Usage

detect-it-easy has 3 variants

  • die GUI version
  • diec console version
  • diel GUI lite version

Detailed usage instructions can be found in RUN.md.

Telegram Bot

Thanks to all the people who already contributed!

Special Thanks

alt text