
Feature: Initial Static Obfuscation & Packing Detection Heuristics #13

@malx-labs

Description


Summary

Add a first set of lightweight, deterministic static heuristics to detect common signs of packing or obfuscation in PE files. These heuristics should be purely static, offline, and non‑invasive, and must not introduce any dynamic analysis or network access.

The goal is to provide analysts with contextual hints about potentially obfuscated binaries, surfaced as Detection objects with structured metadata.

Scope

  1. Suspicious Section Names

Detect common packer/obfuscator section names, e.g.:

.upx, .upx0, .upx1
.aspack
.mpress
.petite
.themida
.packed

Use a simple signature table.

  2. High‑Entropy Sections

Compute the Shannon entropy (bits per byte, so 0.0 to 8.0) of each section's raw data and flag those above a threshold (default: 7.2).

Metadata should include:

  • section name
  • entropy value
  • threshold used

  3. Abnormal Section Layout

Flag structural anomalies such as:

  • extremely large sections
  • sections with zero raw size but non‑zero virtual size
  • overlapping sections
  • unusual section characteristics flags

These are heuristic hints, not behavioural claims.

  4. Basic String Obfuscation Patterns

Detect lightweight static patterns, such as:

  • long XOR‑like byte sequences
  • ROT‑encoded ASCII ranges
  • high ratio of non‑printable characters in extracted strings

Keep this simple and deterministic.

Output Format

Each heuristic should emit a Detection object with structured metadata.

Example:

{
  "type": "obfuscation_hint",
  "value": "high_entropy_section",
  "metadata": {
    "section": ".upx0",
    "entropy": 7.89,
    "threshold": 7.2
  }
}

For file‑level heuristics, use start=0 and end=0.

Integration Notes (Important)

This feature belongs in the core static analysis pipeline, not in a plugin.

Please implement it as a new module:

iocx/analysis/obfuscation.py

Expose a function:

def analyse_obfuscation(metadata, strings) -> List[Detection]:
[...]

The engine will call this module from the PE pipeline:

  • after PE metadata and strings are extracted
  • before IOC detectors run

The engine will merge your returned Detection objects into the normal detector output.

No changes to existing extractors are required.
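As an added example (not IOCX's own code and not from the issue author), the following is a self-contained sketch of the module described above: the four heuristic families, each emitting hints in the Detection shape shown under Output Format, tied together by analyse_obfuscation. Assumptions: metadata["sections"] is a list of dicts with name, raw_size, virtual_size, raw_offset, characteristics and data; Detection is stood in by a plain dict; every hint name other than high_entropy_section, the cutoff for "extremely large", and the non-printable ratio cutoff are placeholders. The signature table also carries the dot-less upper-case UPX0/UPX1 names that UPX actually writes, since the issue's list only shows dotted forms. The sample input is constructed, and its dense section is built from SHA-256 digests so the entropy value is identical on every run.

```python
import hashlib
import math
from collections import Counter
from typing import Dict, List

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_THRESHOLD = 7.2            # default from the issue
LARGE_SECTION = 50 * 1024 * 1024   # assumption: raw size that counts as "extremely large"
NONPRINT_THRESHOLD = 0.15          # assumption: non-printable ratio that flags the string set
# Signature table from the issue plus the dot-less, upper-case names UPX really writes.
PACKER_SECTIONS = {
    ".upx": "upx", ".upx0": "upx", ".upx1": "upx", "upx0": "upx", "upx1": "upx",
    ".aspack": "aspack", ".mpress": "mpress", ".petite": "petite",
    ".themida": "themida", ".packed": "unknown",
}

def detection(value: str, metadata: Dict, start: int = 0, end: int = 0) -> Dict:
    """Stand-in for the project's Detection object (assumed fields only)."""
    return {"type": "obfuscation_hint", "value": value, "metadata": metadata,
            "start": start, "end": end}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for a uniform byte mix."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def check_section_names(sections: List[Dict]) -> List[Dict]:
    return [detection("suspicious_section_name",
                      {"section": s["name"], "packer": PACKER_SECTIONS[s["name"].lower()]})
            for s in sections if s["name"].lower() in PACKER_SECTIONS]

def check_entropy(sections: List[Dict], threshold: float = ENTROPY_THRESHOLD) -> List[Dict]:
    out = []
    for s in sections:
        e = round(shannon_entropy(s["data"]), 2)
        if s["data"] and e > threshold:        # nothing to measure for zero-raw sections
            out.append(detection("high_entropy_section",
                                 {"section": s["name"], "entropy": e, "threshold": threshold}))
    return out

def check_layout(sections: List[Dict]) -> List[Dict]:
    out = []
    for s in sections:
        flags = s["characteristics"]
        if s["raw_size"] == 0 and s["virtual_size"] > 0:   # UPX0-style: empty on disk, filled at run time
            out.append(detection("zero_raw_nonzero_virtual",
                                 {"section": s["name"], "virtual_size": s["virtual_size"]}))
        if s["raw_size"] > LARGE_SECTION:
            out.append(detection("oversized_section", {"section": s["name"], "raw_size": s["raw_size"]}))
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            out.append(detection("writable_executable_section",
                                 {"section": s["name"], "characteristics": hex(flags)}))
    # Overlap: walk file extents in offset order, comparing each start with the furthest end seen so far.
    extents = sorted((s["raw_offset"], s["raw_offset"] + s["raw_size"], s["name"])
                     for s in sections if s["raw_size"])
    max_end, holder = -1, None
    for start, end, name in extents:
        if holder is not None and start < max_end:
            out.append(detection("overlapping_sections", {"sections": [holder, name]}))
        if end > max_end:
            max_end, holder = end, name
    return out

def check_strings(strings: List[str], threshold: float = NONPRINT_THRESHOLD) -> List[Dict]:
    """File-level hint (start=end=0) when the extracted strings carry many non-printable chars."""
    total = sum(len(s) for s in strings)
    if total == 0:
        return []
    bad = sum(1 for s in strings for ch in s if ch < " " or ch > "~")
    ratio = round(bad / total, 3)
    return [] if ratio <= threshold else [
        detection("non_printable_strings", {"ratio": ratio, "threshold": threshold})]

def analyse_obfuscation(metadata: Dict, strings: List[str]) -> List[Dict]:
    sections = metadata.get("sections", [])
    return (check_section_names(sections) + check_entropy(sections)
            + check_layout(sections) + check_strings(strings))

def build_sample():
    """Constructed input, not a real binary: UPX-like sections plus a .text whose
    file extent overlaps .upx1. The dense section is 256 SHA-256 digests (8192 bytes)."""
    dense = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    text = b"mov eax, ebx ; ret\n" * 100
    sections = [
        {"name": ".text", "raw_size": len(text), "virtual_size": len(text),
         "raw_offset": 0x400, "characteristics": 0x60000020, "data": text},
        {"name": ".upx0", "raw_size": 0, "virtual_size": 0x20000,
         "raw_offset": 0, "characteristics": 0xE0000080, "data": b""},
        {"name": ".upx1", "raw_size": len(dense), "virtual_size": len(dense),
         "raw_offset": 0x800, "characteristics": 0xE0000040, "data": dense},
    ]
    strings = ["kernel32.dll", "GetProcAddress", "\x01\x02\x03\x04Iu\x7f\x80\x91\x05"]
    return {"sections": sections}, strings

if __name__ == "__main__":
    import json
    for hint in analyse_obfuscation(*build_sample()):
        print(json.dumps(hint))
```

Two design points worth keeping when this is ported into the real module: entropy is only computed when a section has raw bytes (a zero-raw section would otherwise report 0.0 and hide the more interesting layout hint), and the overlap walk compares each section's start against the furthest end seen so far rather than only the previous section, so a large section that spans several later ones is still caught.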

Non‑Goals / Out of Scope

To keep IOCX deterministic and aligned with its philosophy, this issue must not include:

  • dynamic analysis
  • unpacking
  • emulation
  • behavioural inference
  • network calls
  • heavy dependencies
  • ML/AI models

This is strictly static analysis.

Testing Requirements

Add tests that verify:

  • entropy calculations are deterministic
  • known packed samples trigger expected hints
  • clean samples do not produce excessive false positives
  • output structure is stable and predictable

Use synthetic PE fixtures only.
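An added example for the synthetic fixtures (not project code): a builder that writes a minimal, non-loadable PE with a caller-chosen section table, and a parser that walks that table back out, so tests can cover a UPX-like layout and a clean layout without shipping real samples. Assumptions: the dict layout returned by parse_sections is one possible shape for the section metadata, the PE32 optional header is zero-filled apart from its magic, and SizeOfRawData is written unrounded (real linkers round it up to FileAlignment). The packed fixture's dense bytes come from a SHA-256 hash chain so every run produces the same file.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
OPT_HDR_SIZE = 224             # PE32 optional header; zero-filled here apart from the magic
FILE_ALIGN = 0x200
SECTION_ALIGN = 0x1000

def pseudo_random_bytes(n: int, seed: bytes = b"iocx-fixture") -> bytes:
    """Deterministic high-entropy filler: a SHA-256 hash chain, no RNG involved."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

def align(n: int, a: int) -> int:
    return (n + a - 1) // a * a

def build_pe(sections: List[Tuple[str, bytes, int, int]]) -> bytes:
    """Assemble DOS header, PE signature, COFF header, zeroed PE32 optional header,
    section table and raw data. Each entry is (name, raw_data, virtual_size, characteristics);
    raw_data may be b"" to model a section that exists only in memory."""
    hdr_len = 0x40 + 4 + 20 + OPT_HDR_SIZE + 40 * len(sections)
    raw_ptr, va = align(hdr_len, FILE_ALIGN), SECTION_ALIGN
    table, payload = b"", b""
    for name, data, vsize, chars in sections:
        raw_size = len(data)
        ptr = raw_ptr if raw_size else 0            # zero-raw sections have no file extent
        table += struct.pack(SECTION_HDR, name.encode("utf-8")[:8].ljust(8, b"\x00"),
                             vsize, va, raw_size, ptr, 0, 0, 0, 0, chars)
        if raw_size:
            padded = data.ljust(align(raw_size, FILE_ALIGN), b"\x00")
            payload += padded
            raw_ptr += len(padded)
        va += align(max(vsize, raw_size), SECTION_ALIGN)
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)              # e_lfanew -> 0x40
    coff = struct.pack(COFF_HDR, 0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (OPT_HDR_SIZE - 2)     # PE32 magic, rest zero
    headers = dos + b"PE\x00\x00" + coff + opt + table
    return headers.ljust(align(len(headers), FILE_ALIGN), b"\x00") + payload

def parse_sections(image: bytes) -> List[Dict]:
    """Walk the section table and return one dict per section; refuse truncated raw data."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("not a PE: missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, image, pe_off + 4)
    table_off = pe_off + 4 + 20 + opt_size
    out = []
    for i in range(nsec):
        name, vsize, va, rsize, ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, image, table_off + 40 * i)
        data = image[ptr:ptr + rsize] if rsize else b""
        if len(data) != rsize:
            raise ValueError(f"section {i}: raw data runs past end of file")
        out.append({"name": name.rstrip(b"\x00").decode("utf-8", "replace"),
                    "virtual_size": vsize, "virtual_address": va, "raw_size": rsize,
                    "raw_offset": ptr, "characteristics": chars, "data": data})
    return out

def packed_fixture() -> bytes:
    """UPX-like layout: empty UPX0 with a large virtual size, then a dense R/W/X UPX1."""
    return build_pe([
        ("UPX0", b"", 0x20000, 0xE0000080),
        ("UPX1", pseudo_random_bytes(0x2000), 0x2000, 0xE0000040),
        (".rsrc", b"\x00" * 0x100, 0x100, 0xC0000040),
    ])

def clean_fixture() -> bytes:
    """Ordinary layout: repetitive code bytes in .text and plain text in .data."""
    text = b"\x55\x8b\xec\x83\xec\x10\x5d\xc3" * 128
    return build_pe([(".text", text, len(text), 0x60000020),
                     (".data", b"hello, world\x00" * 32, 13 * 32, 0xC0000040)])

if __name__ == "__main__":
    for s in parse_sections(packed_fixture()):
        print(s["name"], hex(s["raw_offset"]), s["raw_size"], s["virtual_size"], hex(s["characteristics"]))
```

Because the fixture is assembled from constants and a hash chain, the same bytes come out on every run and on every machine, which is what makes "entropy calculations are deterministic" a testable statement rather than a hope; the parser's length check also gives the tests a truncated-file case to exercise.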

Acceptance Criteria

[ ] Static heuristics implemented for section names, entropy, layout, and string patterns
[ ] Structured Detection objects returned with metadata
[ ] Integrated cleanly via iocx/analysis/obfuscation.py
[ ] Deterministic tests included
[ ] No new heavy dependencies
[ ] No dynamic analysis or network calls introduced
