u/iocx_dev

IOCX v0.7.0 — deterministic heuristics + adversarial PE samples

IOCX v0.7.0 is out. It’s a static IOC extraction and PE‑analysis engine built for DFIR and malware‑analysis workflows focused on deterministic behaviour. This release adds a deterministic heuristic engine, new adversarial PE samples, and a contract‑testing framework to keep output stable across runs.

Key changes in v0.7.0:

Deterministic heuristic engine (new)  

Snapshot‑tested heuristics for:

  • anti‑debug API usage
  • TLS callback anomalies
  • packer‑like section layouts + entropy
  • RWX sections
  • import‑table anomalies
  • signature anomalies

Runs under analysis_level = full and is designed to avoid false‑positive reconstruction.

Adversarial PE samples (new)  

Three intentionally hostile binaries covering:

  • rich/atypical imports
  • high‑entropy + malformed Rich Headers
  • split/reversed/null‑interspersed strings

Useful to validate deterministic heuristics and literal-only IOC extraction.

Rich Header crash fix  

Malformed Rich Headers with non‑UTF8 bytes could break JSON serialization. v0.7.0 adds a deep sanitiser that hex‑encodes nested byte structures for deterministic, JSON‑safe output.

Snapshot‑driven contract testing  

Each sample has a byte‑for‑byte JSON snapshot. Output must match exactly — same file, same output, every time.

Performance

Remains ~28 MB/s on typical PE samples.

Links

GitHub: https://github.com/iocx-dev/iocx  

PyPI: https://pypi.org/project/iocx/

Example

pip install iocx

iocx suspicious.exe -a full

Happy to hear feedback from anyone working with obfuscated or adversarial PE samples.

u/iocx_dev — 8 hours ago

IOCX v0.7.0 — deterministic heuristics + adversarial testing

IOCX v0.7.0 is out. It’s a static IOC extraction engine designed for DFIR, SOC automation, CI/CD, and other blue‑team workflows where deterministic output and pipeline stability matter.

Key changes in this release:

Deterministic heuristic engine (new)  

Conservative, snapshot‑tested heuristics for anti‑debug APIs, TLS callback anomalies, packer‑like behaviour, RWX sections, import anomalies, and signature issues (analysis_level = full).

Adversarial testing layer (new)  

Three binaries covering rich/atypical imports, high‑entropy + malformed Rich Headers, and split/reversed/null‑interspersed strings. Validates deterministic heuristics and literal‑only IOC extraction.

Rich Header crash fix  

Malformed Rich Headers with non‑UTF8 bytes could previously break JSON serialization. v0.7.0 adds a deep sanitiser to ensure deterministic, JSON‑safe output.

Snapshot‑driven contract testing  

Each sample now has a byte‑for‑byte JSON snapshot. Output must match exactly — same file, same output, every time.

Performance

Remains ~28 MB/s on typical PE samples.

Links

GitHub: https://github.com/iocx-dev/iocx  

PyPI: https://pypi.org/project/iocx/

Example

pip install iocx

iocx suspicious.exe -a full

Open to critiques or suggestions from anyone using deterministic extraction in automated workflows.
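The Rich Header sanitiser and the byte‑for‑byte snapshot contract that both posts above describe, as an added illustration that is not IOCX's own code (its real output schema and sanitiser are not shown here). The parsed header record, its field names and its byte values are constructed for this example.

```python
import json
from typing import Any

# Constructed stand-in for a parsed Rich Header record. Field names and byte values are
# invented for this example and are not IOCX's schema; the raw fields deliberately hold
# 0x97/0xff bytes that are not valid UTF-8, the case that broke JSON serialization.
CONSTRUCTED_RICH_HEADER = {
    "signature": b"Rich",
    "xor_key": 0x8F5E2A1C,
    "entries": [
        {"prod_id": 0x0105, "build": 0x5E97, "count": 3, "raw": b"\x97\x5e\x05\x01\x03\x00\x00\x00"},
        {"prod_id": 0x00FF, "build": 0x0000, "count": 1, "raw": b"\xff\xfe\x00\x00\x01\x00\x00\x00"},
    ],
    "padding": b"\x00\xff\x00\xff",
}

def naive_json_fails(obj: Any) -> bool:
    """json.dumps has no encoding for bytes and raises TypeError; decoding the raw
    fields as UTF-8 first would raise UnicodeDecodeError instead. Either way the run dies."""
    try:
        json.dumps(obj)
    except TypeError:
        return True
    return False

def sanitize(obj: Any) -> Any:
    """Deep-sanitise a parsed structure: bytes become lowercase hex (never decoded),
    dict keys become str, sets become sorted lists; other scalars pass through."""
    if isinstance(obj, (bytes, bytearray, memoryview)):
        return bytes(obj).hex()
    if isinstance(obj, dict):
        return {str(k): sanitize(v) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [sanitize(v) for v in obj]
    if isinstance(obj, (set, frozenset)):
        return sorted((sanitize(v) for v in obj), key=repr)  # repr keeps mixed types comparable
    return obj

def to_canonical_json(obj: Any) -> str:
    """Snapshot form: sorted keys, fixed separators, ASCII only, so the same parse
    result serialises to the same bytes regardless of dict insertion order."""
    return json.dumps(sanitize(obj), sort_keys=True, separators=(",", ":"), ensure_ascii=True)

def snapshot_matches(obj: Any, expected: str) -> bool:
    """Contract check: the stored snapshot must match byte for byte, not just semantically."""
    return to_canonical_json(obj) == expected
```

A stored snapshot is just the string `to_canonical_json` returns for a sample; any change to hex casing, key order or separators makes `snapshot_matches` fail, which is exactly the regression the contract test is meant to catch.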
