
v0.7.4 — Advanced Directory Parsing & Metadata Expansion #32

@malx-labs


Summary

v0.7.4 significantly expands IOCX’s static PE engine with full Load Config Directory parsing, extended metadata extraction, and strict directory‑invariant validation.
This release focuses on correctness, determinism, and conservative heuristics — completing a major portion of IOCX’s static PE coverage without introducing any dynamic analysis.

The result is a more robust, spec‑aligned parser capable of handling modern compiler outputs (MSVC, Clang/LLVM, MinGW) and malformed edge cases with stable, JSON‑safe behaviour.


Scope

This release includes:

  • full Load Config Directory parsing
  • compiler‑feature extraction (GuardCF, SEH table, security cookie)
  • directory invariant validation
  • expanded snapshot coverage
  • deterministic, conservative heuristics

Delay‑Load Imports, TLS Directory parsing, and extended Optional Header metadata are deferred to the next release.


Goals Delivered in v0.7.4

1. Load Config Directory Parsing — ✔ Completed

Full parsing of IMAGE_LOAD_CONFIG_DIRECTORY for PE32+:

  • Guard CF metadata
  • Security cookie
  • SEH handler table
  • size validation
  • compiler‑style inference (MSVC, Clang, MinGW)
  • structured error handling
  • deterministic heuristics

A comprehensive suite of fixtures was added, covering:

  • minimal valid cookie
  • undersized cookie
  • full MSVC
  • full Clang
  • MinGW minimal
  • SEH‑only
  • large padded / unknown layout

All behaviours are deterministic and snapshot‑verified.


5. Directory Invariant Validation — ✔ Completed

Added strict, deterministic checks for:

  • directory RVAs mapping to valid sections
  • directory sizes not exceeding section boundaries
  • directories not overlapping
  • zero‑length directory handling
  • cookie RVA mapping + section writability
  • SEH table bounds
  • GuardCF table bounds

Invalid directories now produce structured, non‑fatal reason codes with no false positives.


Deferred to Next Release

2. Delay‑Load Import Parsing — ✘ Deferred

Will include:

  • parsing of IMAGE_DELAY_IMPORT_DESCRIPTOR
  • INT/IAT validation
  • DLL name RVA validation
  • malformed descriptor handling

3. TLS Directory Parsing — ✘ Deferred

Will include:

  • TLS callbacks
  • raw data start/end
  • callback array validation
  • zero‑length TLS regions

4. Extended Optional Header Metadata — ✘ Deferred

Will include extraction of:

  • subsystem
  • DLL characteristics
  • loader flags
  • Win32 version fields
  • stack/heap reserve & commit sizes

6. Reason‑Code Expansion — ✔ Partially Completed

Load‑config‑related reason codes added:

  • load_config_too_small
  • unmapped
  • out_of_range
  • non_writable_section
  • guard_cf_inconsistent (where applicable)

Additional codes for TLS and delay‑load imports will ship with those features.


Output Requirements

All new metadata is:

  • deterministic
  • JSON‑safe
  • snapshot‑tested
  • non‑fatal on malformed structures

Integration & Testing

  • new fixtures added under tests/contract/fixtures/layer2_edge/
  • adversarial fixtures added under layer3_adversarial/
  • snapshot tests updated for all new metadata
  • no new extractors or dynamic analysis introduced

Acceptance Criteria (v0.7.4)

  • Load‑config directory parsing implemented
  • Delay‑load import parsing (deferred)
  • TLS directory parsing (deferred)
  • Extended optional‑header metadata (deferred)
  • Directory invariant validation implemented
  • Reason‑code expansion (load‑config subset)
  • Deterministic snapshot tests added
  • Parser remains stable and JSON‑safe
  • No dynamic analysis introduced
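
The directory invariant checks listed under item 5, sketched as an added example (not IOCX's own code): the `Section` type, the function names and the sample layout are assumptions made here, while the reason codes `unmapped`, `out_of_range` and `non_writable_section` are the ones named in this issue. The issue names no reason code for overlapping directories, so overlaps are returned as name pairs, and the cookie address is assumed to be already converted to an RVA.

```python
from dataclasses import dataclass

IMAGE_SCN_MEM_WRITE = 0x80000000  # section characteristics flag from the PE spec

@dataclass(frozen=True)
class Section:            # hypothetical container, not an IOCX type
    name: str
    rva: int              # VirtualAddress
    vsize: int            # VirtualSize
    flags: int            # Characteristics

def find_section(sections, rva):
    """Return the section whose virtual range contains rva, or None."""
    for s in sections:
        if s.rva <= rva < s.rva + s.vsize:
            return s
    return None

def check_directory(sections, rva, size):
    """Reason codes for one data directory; an empty list means it is valid."""
    if rva == 0 and size == 0:
        return []                          # zero-length directory: absent, not an error
    sec = find_section(sections, rva)
    if sec is None:
        return ["unmapped"]
    if rva + size > sec.rva + sec.vsize:   # directory runs past its section
        return ["out_of_range"]
    return []

def check_cookie(sections, cookie_rva):
    """The security cookie must map to a section, and that section must be writable."""
    sec = find_section(sections, cookie_rva)
    if sec is None:
        return ["unmapped"]
    if not sec.flags & IMAGE_SCN_MEM_WRITE:
        return ["non_writable_section"]
    return []

def find_overlaps(dirs):
    """Pairs of directory names whose [rva, rva+size) ranges intersect."""
    live = sorted((r, r + s, n) for n, (r, s) in dirs.items() if s)
    return [(a[2], b[2]) for i, a in enumerate(live) for b in live[i + 1:] if b[0] < a[1]]

# Constructed sample layout, not taken from any IOCX fixture.
SECTIONS = [Section(".text", 0x1000, 0x2000, 0x60000020),
            Section(".rdata", 0x3000, 0x1000, 0x40000040),
            Section(".data", 0x4000, 0x800, 0xC0000040)]
DIRS = {"import": (0x3000, 0x200), "load_config": (0x3100, 0x140),
        "exception": (0x3F00, 0x200), "debug": (0x9000, 0x1C), "tls": (0, 0)}

def report():
    out = {n: check_directory(SECTIONS, r, s) for n, (r, s) in DIRS.items()}
    return {"directories": out, "overlaps": find_overlaps(DIRS)}
```

Every check returns a list rather than raising, so a malformed directory yields reason codes and the remaining directories are still evaluated.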
