v0.7.5 — Metadata Enrichment & Export/Resource Refinement #33

@malx-labs

v0.7.5 expands IOCX’s static PE metadata surface, refining export and resource parsing while enriching Optional Header fields.
This release focuses on completeness, correctness, and determinism, building on the structural foundations established in v0.7.4.

The engine remains strictly static‑only, with conservative heuristics and JSON‑safe output.


Scope

v0.7.5 delivers:

  • enriched Optional Header metadata
  • refined export table parsing
  • improved resource directory traversal
  • deterministic version‑info extraction
  • structured resource metadata
  • stable, reproducible reason codes for malformed exports/resources

No dynamic analysis, unpacking, or new directory types are introduced.


Goals

1. Optional Header Metadata Enrichment

Extract additional fields:

  • Subsystem
  • DLL characteristics
  • Win32 version values
  • Loader flags
  • stack/heap reserve & commit sizes

Expected behaviour:
Stable, JSON‑safe metadata; conservative handling of invalid fields.


2. Export Table Refinement

Improve export parsing and validation:

  • name pointer RVA validation
  • ordinal range validation
  • forwarder string extraction
  • truncated table handling

Expected behaviour:
Malformed exports produce structured, non‑fatal reason codes; snapshot‑stable output.


3. Resource Directory Refinement

Strengthen resource traversal:

  • validate Type → Name → Language tree
  • detect invalid or looping nodes
  • validate resource data RVAs
  • extract version‑info structures

Expected behaviour:
Malformed trees never crash parsing; version‑info extraction is deterministic.


4. Resource Metadata Enrichment

Expose structured metadata:

  • resource types
  • sizes
  • language and codepage
  • entropy

Expected behaviour:
Stable, JSON‑safe metadata; structured errors for invalid entries.


5. Reason‑Code Expansion

Add deterministic reason codes for:

  • malformed export name pointers
  • invalid ordinals
  • malformed forwarders
  • invalid resource RVAs
  • resource recursion/looping
  • truncated version‑info structures

Expected behaviour:
Lowercase, snake_case, non‑overlapping codes; snapshot‑verified.


Output Requirements

All new metadata must produce:

  • deterministic JSON
  • structured Detection objects where applicable
  • stable snapshot results

Parser errors must remain:

  • structured
  • non‑fatal
  • deterministic
  • JSON‑safe

Integration Requirements

  • metadata‑heavy fixtures under layer2_edge/
  • malformed export/resource fixtures under layer3_adversarial/
  • snapshot tests for all new metadata
  • no new extractors
  • no dynamic analysis

Non‑Goals

v0.7.5 does not introduce:

  • dynamic execution
  • unpacking/emulation
  • behavioural tracing
  • ML/AI models
  • sandboxing
  • network access
  • new PE directory types
  • disassembly or CFG reconstruction

Acceptance Criteria

  • Optional‑header metadata enrichment
  • Export table refinement
  • Resource directory refinement
  • Version‑info extraction
  • Resource metadata enrichment
  • Reason‑code expansion
  • Deterministic snapshot tests
  • Parser remains stable and JSON‑safe
  • No dynamic analysis introduced
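
An added sketch, not IOCX code, of the loop-safe Type → Name → Language walk and the structured, non-fatal reason codes described under goals 3 and 5. The function names, the reason-code strings, and the sample buffers are assumptions constructed for illustration.

```python
import json
import struct

MAX_DEPTH = 3            # Type -> Name -> Language
SUBDIR = 0x80000000      # high bit of an entry's offset marks a subdirectory

def walk_resources(rsrc: bytes, image_size: int) -> dict:
    """Walk a raw .rsrc section; malformed input yields reason codes, never an exception."""
    leaves, reasons = [], set()

    def walk(offset, path, ancestors):
        if offset in ancestors:                  # node points back up its own branch
            reasons.add("resource_directory_loop")
            return
        if len(path) >= MAX_DEPTH:               # deeper than Type/Name/Language
            reasons.add("resource_depth_exceeded")
            return
        if offset + 16 > len(rsrc):              # IMAGE_RESOURCE_DIRECTORY is 16 bytes
            reasons.add("resource_directory_truncated")
            return
        named, ids = struct.unpack_from("<HH", rsrc, offset + 12)
        for i in range(named + ids):
            entry = offset + 16 + 8 * i
            if entry + 8 > len(rsrc):
                reasons.add("resource_directory_truncated")
                return
            ident, target = struct.unpack_from("<II", rsrc, entry)  # ident kept raw
            if target & SUBDIR:
                walk(target & ~SUBDIR, path + [ident], ancestors | {offset})
                continue
            if target + 16 > len(rsrc):          # IMAGE_RESOURCE_DATA_ENTRY is 16 bytes
                reasons.add("resource_data_entry_truncated")
                continue
            rva, size, codepage, _ = struct.unpack_from("<IIII", rsrc, target)
            if rva + size > image_size:          # data must lie inside the mapped image
                reasons.add("resource_data_rva_invalid")
                continue
            leaves.append({"path": path + [ident], "rva": rva,
                           "size": size, "codepage": codepage})

    walk(0, [], frozenset())
    return {"resources": leaves, "reasons": sorted(reasons)}

def make_dir(*entries):  # constructed-sample helper: header plus (id, target) entries
    head = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries))
    return head + b"".join(struct.pack("<II", i, t) for i, t in entries)

# Constructed samples: a valid RT_VERSION leaf, and a Name node that points at the root.
GOOD = (make_dir((16, SUBDIR | 24)) + make_dir((1, SUBDIR | 48))
        + make_dir((0x409, 72)) + struct.pack("<IIII", 0x3000, 0x40, 1252, 0))
LOOPED = make_dir((16, SUBDIR | 24)) + make_dir((1, SUBDIR | 0))

if __name__ == "__main__":
    print(json.dumps(walk_resources(LOOPED, 0x4000), sort_keys=True))
```

Sorting the reason set before returning is what keeps the output snapshot-stable regardless of traversal order.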
