
v0.7.3


@malx-labs malx-labs released this 11 May 10:32
1cb5b75

IOCX v0.7.3 — Structural Correctness & Deterministic Heuristics

v0.7.3 is a major hardening release focused on structural correctness, deterministic behaviour, and precision in heuristic interpretation.
This version completes a full audit of the PE engine’s heuristics, introducing a robust structural‑validation layer for IOCX.

The result is a release that is:

  • more predictable
  • more adversarial‑robust
  • more structurally complete
  • more transparent
  • more deterministic

…and fully aligned with IOCX’s philosophy:
structural truth first, heuristic interpretation second.


Highlights

✔ Comprehensive structural validators

New validators — entrypoint, sections, optional header, RVA graph, TLS, signatures, entropy — separated from the heuristics layer, expanded, corrected, and aligned.

✔ Deterministic, snapshot‑stable behaviour

All validators now produce reproducible, JSON‑safe output across malformed, truncated, or borderline‑valid binaries.

✔ Clear, consistent ReasonCodes

All structural issues now use stable, snake_case reason codes with no ambiguity or overlap.

✔ Stronger heuristics built on structural truth

Heuristics now consume structural issues cleanly and deterministically, with entropy‑related issues intentionally excluded from structural anomaly reporting.

✔ Expanded test suite

New structural, heuristic, and snapshot tests ensure correctness, determinism, and stability.


Structural Validator Improvements

Entrypoint Validator

  • Corrected RVA → file offset mapping for overlay detection
  • Added EP‑in‑headers detection
  • Added EP‑in‑non‑code‑section detection
  • Added EP‑in‑discardable‑section detection
  • Added EP‑in‑truncated‑region refinement
  • Added EP zero/negative detection
  • Added explicit “within SizeOfImage but unmapped” handling
  • Ensured deterministic early‑exit behaviour

Sections Validator

  • Added raw overlap detection
  • Added virtual_size < raw_size detection
  • Added header overlap detection
  • Added raw + virtual ordering checks
  • Added zero‑length section detection
  • Added discardable + executable detection
  • Added contradictory flag detection
  • Clarified naming and reason‑code semantics
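The entrypoint and section-table checks listed in the two sections above, worked as a minimal validator. This is an added example and not IOCX's own code: the function names, the reason codes, the `build_pe` sample layout and the FileAlignment-padding rule in `validate_sections` are all assumptions made for the example; only the PE32+ header layout it parses is standard.

```python
"""Added example, not IOCX's own code: a minimal PE32+ structural validator that
emits snake_case reason codes for entrypoint and section-table checks. Function
names, reason codes and the build_pe sample layout are assumptions."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
OPT_FMT = "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII"  # PE32+ optional header without data dirs

def align_up(x, a):
    return (x + a - 1) // a * a if a else x

def build_pe(entry_rva, sections, file_align=0x200, sect_align=0x1000):
    """Constructed input: a minimal PE32+ file from (name, vsize, va, rawsize, rawptr, chars)."""
    size_of_headers = 0x200
    size_of_image = align_up(max(va + vs for _, vs, va, *_ in sections), sect_align)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = struct.pack(OPT_FMT, 0x20B, 14, 0, 0, 0, 0, entry_rva, 0x1000, 0x140000000,
                      sect_align, file_align, 6, 0, 0, 0, 6, 0, 0, size_of_image,
                      size_of_headers, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000,
                      0, 16) + b"\0" * 128
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    headers = (dos + coff + opt + table).ljust(size_of_headers, b"\0")
    end = max(rp + rs for *_, rs, rp, _ in sections)
    return headers + b"\xCC" * max(0, end - len(headers))  # raw data is filler bytes

def parse_pe(data):
    """Parse only the fields the validators need; raise on missing signatures."""
    if data[:2] != b"MZ":
        raise ValueError("missing_mz_signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing_pe_signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    entry, = struct.unpack_from("<I", data, opt + 16)
    file_align, = struct.unpack_from("<I", data, opt + 36)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vs, va, rs, rp = struct.unpack_from("<8sIIII", data, off)
        ch, = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vs, "va": va, "rawsize": rs, "rawptr": rp, "chars": ch})
    return {"entry": entry, "file_align": file_align, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "sections": sections, "file_len": len(data)}

def rva_to_offset(pe, rva):
    """Map an RVA to (file offset, section), or (None, None) when no section covers it."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["rawptr"] + (rva - s["va"]), s
    return None, None

def validate_entrypoint(pe):
    """Reason codes for AddressOfEntryPoint; fatal placements exit early."""
    ep = pe["entry"]
    if ep == 0:
        return ["entrypoint_zero"]
    if ep < pe["size_of_headers"]:
        return ["entrypoint_in_headers"]
    off, sec = rva_to_offset(pe, ep)
    if sec is None:  # plausible RVA that no section backs
        return ["entrypoint_unmapped_within_image" if ep < pe["size_of_image"]
                else "entrypoint_outside_image"]
    issues = []
    if off >= pe["file_len"]:  # mapped on paper, but the bytes are not in the file
        issues.append("entrypoint_in_truncated_region")
    if not sec["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        issues.append("entrypoint_in_non_code_section")
    if sec["chars"] & IMAGE_SCN_MEM_DISCARDABLE:
        issues.append("entrypoint_in_discardable_section")
    return issues

def validate_sections(pe):
    """Reason codes for the section table, emitted in a deterministic order."""
    issues, secs = [], pe["sections"]
    for s in secs:
        n = s["name"]
        if s["vsize"] == 0 and s["rawsize"] == 0:
            issues.append(f"section_zero_length:{n}")
        # Linkers pad raw size up to FileAlignment, so only raw data beyond the
        # padded virtual size is flagged (a choice made for this example).
        if s["vsize"] and s["rawsize"] > align_up(s["vsize"], pe["file_align"]):
            issues.append(f"section_virtual_smaller_than_raw:{n}")
        if s["rawsize"] and s["rawptr"] < pe["size_of_headers"]:
            issues.append(f"section_overlaps_headers:{n}")
        if s["chars"] & IMAGE_SCN_MEM_DISCARDABLE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            issues.append(f"section_discardable_executable:{n}")
    by_raw = sorted((s for s in secs if s["rawsize"]), key=lambda s: s["rawptr"])
    for a, b in zip(by_raw, by_raw[1:]):
        if b["rawptr"] < a["rawptr"] + a["rawsize"]:
            issues.append(f"section_raw_overlap:{a['name']}/{b['name']}")
    return issues
```

Each validator returns a list of plain strings in a fixed order, which is what makes the output snapshot-stable: the same bytes always yield the same codes, and a truncated copy of a clean file (`build_pe(...)[:0x210]`) yields exactly `entrypoint_in_truncated_region` rather than an exception.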

Optional Header Validator

  • Added SizeOfHeaders alignment + minimum checks
  • Added SectionAlignment + FileAlignment validation
  • Added size‑field consistency checks
  • Added ImageBase alignment checks
  • Added NumberOfRvaAndSizes validation
  • Added SizeOfImage alignment checks
  • Added subsystem + characteristics sanity checks (where metadata allows)

RVA Graph Validator

  • Added negative RVA/size detection
  • Added zero‑size directory checks
  • Added header‑range checks
  • Added overlay mapping checks
  • Added section‑mapping validation
  • Added multi‑section spanning detection
  • Added directory overlap detection
  • Added zero‑length section handling

TLS Validator

  • Added multiple‑directory detection
  • Added range sanity checks
  • Added zero‑length directory detection
  • Added callback‑presence checks
  • Added callback‑mapping checks
  • Added executable‑section enforcement
  • Added header + overlay checks

Signature Validator

  • Added flag/metadata symmetry checks
  • Added multiplicity detection
  • Added revision/type validation
  • Added length sanity checks
  • Added file‑bounds checks
  • Added section/overlay overlap detection

Entropy Validator

  • Added low‑entropy detection
  • Added region‑specific entropy checks
  • Added uniform‑entropy refinement
  • Added conservative thresholds
  • Ensured entropy issues remain structurally separate from heuristics

Heuristics Layer Improvements

  • Structural anomalies now surfaced as pe_structure_anomaly
  • Entropy issues intentionally skipped via _SKIP_ENTROPY
  • Packer heuristics refined (UPX‑like names, high entropy)
  • Anti‑debug heuristics expanded (API imports, RWX sections)
  • Import anomaly heuristics improved (ordinal ratio, subsystem mismatches)
  • Deterministic behaviour validated across malformed and borderline‑valid PEs
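How the entropy validator and the heuristics layer described above can stay separate while still feeding one another, as an added example that is not IOCX's own code: the 7.2 / 1.0 bit thresholds, the `_SKIP_ENTROPY` prefixes, the `packer_indicators` finding and the UPX-like name list are all assumptions made for this example, and the regions it scores are constructed byte strings rather than real sections.

```python
"""Added example, not IOCX's own code: per-region Shannon entropy checks kept
separate from a heuristics layer that consumes structural reason codes and skips
entropy codes. Thresholds, names and the _SKIP_ENTROPY prefixes are assumptions."""
import math

HIGH_ENTROPY = 7.2  # bits per byte; conservative packed/encrypted threshold (assumption)
LOW_ENTROPY = 1.0   # near-constant region such as zero padding (assumption)
_SKIP_ENTROPY = ("high_entropy_section", "low_entropy_section")
UPX_LIKE_NAMES = ("UPX0", "UPX1", "UPX2", ".upx")


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a flat byte histogram."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def validate_entropy(regions):
    """regions: list of (name, bytes). Reason codes come back in table order so
    the output is reproducible for the same input."""
    issues = []
    for name, blob in regions:
        if not blob:
            continue  # zero-length regions are a structural matter, not an entropy one
        h = shannon_entropy(blob)
        if h >= HIGH_ENTROPY:
            issues.append(f"high_entropy_section:{name}")
        elif h <= LOW_ENTROPY:
            issues.append(f"low_entropy_section:{name}")
    return issues


def run_heuristics(issues, section_names):
    """Turn validator reason codes into findings. Entropy codes never reach the
    pe_structure_anomaly finding; they feed the packer heuristic instead."""
    structural = [i for i in issues if not i.startswith(_SKIP_ENTROPY)]
    entropy = [i for i in issues if i.startswith(_SKIP_ENTROPY)]
    findings = []
    if structural:
        findings.append({"id": "pe_structure_anomaly", "reasons": structural})
    reasons = [f"high_entropy:{i.split(':', 1)[1]}" for i in entropy
               if i.startswith("high_entropy_section")]
    reasons += [f"upx_like_name:{n}" for n in section_names if n in UPX_LIKE_NAMES]
    if reasons:
        findings.append({"id": "packer_indicators", "reasons": reasons})
    return findings
```

Because `run_heuristics` partitions the reason codes by prefix, a low-entropy region on its own produces no finding at all, and a structural code such as a raw overlap produces a `pe_structure_anomaly` finding whose reasons never include entropy codes.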

Test Suite Enhancements

  • Added structural correctness tests
  • Added heuristic precision tests
  • Added snapshot tests for determinism
  • Added malformed‑PE edge‑case tests
  • Ensured JSON‑safe, reproducible output
  • Added synthetic “full coverage” tests for validator orchestration