Summary
Add a first set of lightweight, deterministic static heuristics to detect common signs of packing or obfuscation in PE files. These heuristics should be purely static, offline, and non‑invasive, and must not introduce any dynamic analysis or network access.
The goal is to provide analysts with contextual hints about potentially obfuscated binaries, surfaced as Detection objects with structured metadata.
Scope
- Suspicious Section Names
  Detect common packer/obfuscator section names, e.g.:
    .upx, .upx0, .upx1
    .aspack
    .mpress
    .petite
    .themida
    .packed
  Use a simple signature table.
- High‑Entropy Sections
  Compute Shannon entropy for each section and flag those above a threshold (default: 7.2).
  Metadata should include:
    - section name
    - entropy value
    - threshold used
- Abnormal Section Layout
  Flag structural anomalies such as:
    - extremely large sections
    - sections with zero raw size but non‑zero virtual size
    - overlapping sections
    - unusual section characteristics flags
  These are heuristic hints, not behavioural claims.
- Basic String Obfuscation Patterns
  Detect lightweight static patterns, such as:
    - long XOR‑like byte sequences
    - ROT‑encoded ASCII ranges
    - high ratio of non‑printable characters in extracted strings
  Keep this simple and deterministic.
Output Format
Each heuristic should emit a Detection object with structured metadata.
Example:
    {
      "type": "obfuscation_hint",
      "value": "high_entropy_section",
      "metadata": {
        "section": ".upx0",
        "entropy": 7.89,
        "threshold": 7.2
      }
    }
For file‑level heuristics, use start=0 and end=0.
Integration Notes (Important)
This feature belongs in the core static analysis pipeline, not in a plugin.
Please implement it as a new module:
iocx/analysis/obfuscation.py
Expose a function:
    def analyse_obfuscation(metadata, strings) -> List[Detection]:
        [...]
The engine will call this module from the PE pipeline:
- after PE metadata and strings are extracted
- before IOC detectors run
The engine will merge your returned Detection objects into the normal detector output.
No changes to existing extractors are required.
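As an added example (not code from IOCX or from the issue author), one way to implement the four scope items above behind the requested analyse_obfuscation(metadata, strings) signature, emitting Detection objects in the shape shown under Output Format. The Detection class, the layout of metadata["sections"], the "extremely large" cut-off and the non-printable-ratio threshold are assumptions; the section-name table and the 7.2 entropy default come from the issue. The fixtures at the bottom are constructed synthetic section tables, not real samples, in the spirit of the synthetic-fixtures testing requirement.

```python
import hashlib
import math
from dataclasses import dataclass, field
from typing import Any, Dict, List


# Assumption: IOCX's real Detection class is not shown in the issue; this stand-in
# carries the fields the issue describes (type, value, metadata, start, end).
@dataclass
class Detection:
    type: str
    value: str
    metadata: Dict[str, Any] = field(default_factory=dict)
    start: int = 0  # file-level hints use start=0, end=0 as the issue requires
    end: int = 0


# Signature table of packer/obfuscator section names listed in the issue.
SUSPICIOUS_SECTION_NAMES = {
    ".upx", ".upx0", ".upx1", ".aspack", ".mpress", ".petite", ".themida", ".packed",
}
ENTROPY_THRESHOLD = 7.2                  # default from the issue
LARGE_SECTION_BYTES = 50 * 1024 * 1024   # assumed cut-off for "extremely large"
NON_PRINTABLE_RATIO = 0.3                # assumed cut-off for the string hint
IMAGE_SCN_MEM_EXECUTE = 0x20000000       # PE section characteristics (winnt.h)
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in [0, 8]; 0.0 for empty input. Pure function, so deterministic."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyse_obfuscation(metadata: Dict[str, Any], strings: List[str]) -> List[Detection]:
    """Assumed input shape: metadata["sections"] is a list of dicts with keys
    name, raw_offset, raw_size, virtual_size, characteristics and data (raw bytes)."""
    hints: List[Detection] = []

    def hint(value: str, meta: Dict[str, Any], start: int = 0, end: int = 0) -> None:
        hints.append(Detection("obfuscation_hint", value, meta, start, end))

    sections = metadata.get("sections", [])
    for s in sections:
        name = s["name"].lower()
        start, end = s["raw_offset"], s["raw_offset"] + s["raw_size"]
        if name in SUSPICIOUS_SECTION_NAMES:
            hint("suspicious_section_name", {"section": s["name"]}, start, end)
        ent = round(shannon_entropy(s["data"]), 2)
        if ent > ENTROPY_THRESHOLD:
            hint("high_entropy_section",
                 {"section": s["name"], "entropy": ent, "threshold": ENTROPY_THRESHOLD},
                 start, end)
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hint("zero_raw_nonzero_virtual",
                 {"section": s["name"], "virtual_size": s["virtual_size"]})
        if s["raw_size"] > LARGE_SECTION_BYTES:
            hint("large_section", {"section": s["name"], "raw_size": s["raw_size"]}, start, end)
        flags = s["characteristics"]
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            hint("writable_executable_section", {"section": s["name"]}, start, end)

    # Overlap check: sort sections that occupy file bytes and compare neighbours.
    on_disk = sorted((s for s in sections if s["raw_size"] > 0), key=lambda s: s["raw_offset"])
    for prev, cur in zip(on_disk, on_disk[1:]):
        if prev["raw_offset"] + prev["raw_size"] > cur["raw_offset"]:
            hint("overlapping_sections", {"sections": [prev["name"], cur["name"]]})

    # String hint (file-level): share of non-printable characters across all strings.
    total = sum(len(x) for x in strings)
    if total:
        bad = sum(1 for x in strings for c in x if not 0x20 <= ord(c) <= 0x7E)
        ratio = round(bad / total, 2)
        if ratio > NON_PRINTABLE_RATIO:
            hint("non_printable_strings", {"ratio": ratio, "threshold": NON_PRINTABLE_RATIO})
    return hints


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 counter stream), no RNG state involved."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(n // 32 + 1))
    return out[:n]


def _section(name, off, raw, virt, data, chars):
    return {"name": name, "raw_offset": off, "raw_size": raw, "virtual_size": virt,
            "data": data, "characteristics": chars}


# Constructed fixtures (not real binaries): a "packed-looking" table and a clean one.
PACKED_SAMPLE = {"sections": [
    _section(".text", 0x400, 4096, 4096, b"\x90" * 4096, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    _section(".upx0", 0, 0, 0x10000, b"", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
    _section(".upx1", 0x1000, 4096, 4096, _pseudo_random(4096), IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
]}
PACKED_STRINGS = ["\x01\x02\x03\x04abc", "\x7f\x80\x81xyz"]
CLEAN_SAMPLE = {"sections": [
    _section(".text", 0x400, 0x1800, 0x1800, b"\x55\x8b\xec\x83\xec\x10" * 1024, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    _section(".data", 0x1c00, 0x400, 0x400, b"\x00" * 0x400, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    _section(".rdata", 0x2000, 0x400, 0x400, b"kernel32.dll\x00GetProcAddress\x00" * 32, IMAGE_SCN_MEM_READ),
]}
CLEAN_STRINGS = ["kernel32.dll", "GetProcAddress", "Hello"]

if __name__ == "__main__":
    for d in analyse_obfuscation(PACKED_SAMPLE, PACKED_STRINGS):
        print(d.value, d.metadata, d.start, d.end)
    print("clean sample hints:", len(analyse_obfuscation(CLEAN_SAMPLE, CLEAN_STRINGS)))
```

The function does no I/O and holds no state, so the determinism test is just calling it twice on the same fixture and comparing the lists. Two caveats for the real module: string extractors usually drop non-printable bytes before returning strings, so the non-printable-ratio hint only fires if the extractor hands over raw candidates; and real UPX names its sections without a leading dot, so the production signature table should be normalised (or extended) rather than matched against the dotted forms alone.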
Non‑Goals / Out of Scope
To keep IOCX deterministic and aligned with its philosophy, this issue must not include:
- dynamic analysis
- unpacking
- emulation
- behavioural inference
- network calls
- heavy dependencies
- ML/AI models
This is strictly static analysis.
Testing Requirements
Add tests that verify:
- entropy calculations are deterministic
- known packed samples trigger expected hints
- clean samples do not produce excessive false positives
- output structure is stable and predictable
Use synthetic PE fixtures only.
Acceptance Criteria
[ ] Static heuristics implemented for section names, entropy, layout, and string patterns
[ ] Structured Detection objects returned with metadata
[ ] Integrated cleanly via iocx/analysis/obfuscation.py
[ ] Deterministic tests included
[ ] No new heavy dependencies
[ ] No dynamic analysis or network calls introduced