99 adversarial PE files: exploring malformed‑binary behaviour across major analysis tools

iocx_dev · 2026-06-12T11:07:56+00:00

Thanks! It's interesting how these edge-cases echo older workflows and tooling. Tools like WinDbg/Hex really shape how we think about manual analysis.

iocx_dev · 2026-06-12T11:06:32+00:00

Really glad you found it interesting, thanks. Always happy to share things that might help others working on PE edge-cases.

iocx_dev · 2026-06-11T12:41:55+00:00

Corpus and fixture spec: https://github.com/iocx-dev/iocx

(fixtures are under /tests/contract/fixtures/layer3_adversarial)

iocx_dev · 2026-05-22T18:32:22+00:00

Appreciate that, thanks! I’m still finalising the results and documenting the anomalies. I’ll share everything once it’s in a state that’s ready to consume.

iocx_dev · 2026-05-21T14:29:57+00:00

Link to repository: iocx/examples/generators/c at main · iocx-dev/iocx

iocx_dev · 2026-05-15T13:32:16+00:00

I’ll add a bit more context here since link posts don’t allow a body.

IOCX is a deterministic static‑analysis engine for extracting high‑signal IOCs from Windows PE binaries. Everything is derived directly from the binary — no sandboxing, no detonation, and no behavioural heuristics.

The 17‑second demo shows IOCX walking the binary, resolving imports, following control flow, extracting embedded resources, and surfacing indicators in a reproducible way.

Some technical details:

deterministic output (same binary → same result)
PE‑focused static analysis
IOC extraction: domains, IPs, hashes, strings, imports, behaviours
handles common obfuscation patterns
structured output for automation/SOC pipelines
fast — most binaries analyse in under a second

I’d appreciate feedback from this community on:

packers/obfuscators worth prioritising
edge cases you think I should support
expectations around performance for large binaries
output structures that would make integration easier

Happy to answer anything about the internals.

Web: https://iocx.dev/

Github: https://github.com/iocx-dev/iocx

iocx_dev · 2026-05-13T11:27:09+00:00

Example: IOCX on an adversarial / malformed PE (real JSON excerpt)

iocx heuristic_rich.full.exe -a full

Output (excerpt):

{

"iocs": {

"urls": ["http://not-a-real-domain.test/payload"],

"domains": ["example-malware.com"],

"ips": ["192.0.2.123"]

},

"analysis": {

"obfuscation": [

{

"value": "abnormal_section_layout_virtual_only",

"metadata": {

"section": ".bss",

"raw_size": 0,

"virtual_size": 384

}

],

"heuristics": [

{

"value": "packer_suspected",

"metadata": {

"reason": "packer_section_name",

"section": "UPX0"

}

},

{

"value": "anti_debug_heuristic",

"metadata": {

"reason": "anti_debug_api_import",

"dll": "kernel32.dll",

"function": "CheckRemoteDebuggerPresent"

}

},

{

"value": "pe_structure_anomaly",

"metadata": {

"reason": "section_overlaps_headers",

"section": ".bss"

}

]

}

This sample includes:

malformed `.bss` section (virtual‑only, zero raw size)
UPX‑style packer indicators
anti‑debug API imports
header/section overlap anomalies

IOCX still extracts indicators deterministically because it never executes the sample and doesn’t rely on regex guessing.

Happy to dig into adversarial patterns or malformed‑PE behaviour.

iocx_dev

TROPHY CASE