Appendix 3.7 – Invalid Section Alignment Specification

  • File: invalid_section_alignment.full.exe
  • Layer: 3 Adversarial

Purpose

A synthetically constructed PE file designed to validate IOCX’s resilience when confronted with misaligned, contradictory, or internally inconsistent section‑table metadata. This sample focuses specifically on raw‑offset misalignment and virtual/raw size contradictions, ensuring that IOCX’s section‑analysis logic behaves deterministically even when the PE violates fundamental alignment rules.

Unlike naturally malformed binaries, this file is generated byte‑for‑byte to create a minimal but structurally invalid section table while keeping the rest of the PE layout valid. This isolates section‑alignment behaviour and prevents interference from unrelated anomalies.

Heuristic behaviours exercised

This sample is engineered to trigger section‑specific structural heuristics, including:

  • Section alignment anomalies
    • section_raw_misaligned
      • PointerToRawData (0x123) violates FileAlignment (0x200).
    • Raw size (0x1000) far exceeds virtual size (0x10), creating a deliberate inconsistency.
  • Import‑directory fallback behaviour
    • import_rva_invalid
      • Import directory is declared but empty (RVA = 0, Size = 0), ensuring IOCX gracefully suppresses import parsing.
  • Graceful degradation
    • Section parsing must continue without:
      • false section boundaries
      • synthetic imports
      • misinterpreted RVA mappings
      • accidental IOC extraction
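
The two named heuristics can be reproduced with a short header parser. This is an added example, not IOCX's own code: `build_sample`, `analyse` and the output dictionary layout are hypothetical, the header bytes are constructed inline from the values above, only PE32 is handled, and the `import_rva_invalid` trigger is assumed to be exactly the RVA = 0, Size = 0 case described here.

```python
import struct

def build_sample(raw_ptr=0x123, raw_size=0x1000, virt_size=0x10, file_align=0x200):
    """Constructed PE32 headers only (no section data); defaults are the appendix values."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # one section
    opt = bytearray(224)                                            # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                           # Magic
    struct.pack_into("<II", opt, 32, 0x1000, file_align)            # Section/FileAlignment
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    # All 16 data directories stay zero, so the import entry is RVA = 0, Size = 0.
    sec = struct.pack("<8sIIIIIIHHI", b".text", virt_size, 0x1000,
                      raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + sec

def analyse(pe):
    """Report section fields exactly as encoded, plus the heuristics they trigger."""
    nt, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n_sections, = struct.unpack_from("<H", pe, nt + 6)
    opt_size, = struct.unpack_from("<H", pe, nt + 20)
    opt = nt + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    file_align, = struct.unpack_from("<I", pe, opt + 36)
    n_dirs, = struct.unpack_from("<I", pe, opt + 92)
    heuristics, sections = [], []
    # Import directory is data-directory index 1 (offset 96 + 8 in PE32).
    if n_dirs > 1 and struct.unpack_from("<II", pe, opt + 104) == (0, 0):
        heuristics.append({"name": "import_rva_invalid", "rva": 0, "size": 0})
    for i in range(n_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from(
            "<8sIIII", pe, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        # Record the fields verbatim: no rounding of rptr, no clamping of rsize.
        sections.append({"name": name, "virtual_size": vsize,
                         "raw_size": rsize, "raw_offset": rptr})
        if file_align and rptr % file_align:
            heuristics.append({"name": "section_raw_misaligned", "section": name,
                               "raw_offset": rptr, "file_alignment": file_align})
    return {"sections": sections, "heuristics": heuristics}
```

A truncated buffer raises `struct.error` from `unpack_from` rather than yielding partial section records.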

Why this sample is generated (not compiled)

No compiler or linker will emit a PE file with:

  • a section whose raw offset is not aligned to FileAlignment
  • a section whose raw size is dramatically larger than its virtual size
  • a section whose raw pointer does not fall on a valid boundary
  • a declared import directory with zero RVA and zero size

These conditions violate the PE/COFF specification and cannot be produced through normal toolchains. This sample must therefore be manually constructed to guarantee deterministic misalignment behaviour.

Contract enforced

This sample must produce stable, deterministic output under analysis_level = full, specifically:

  • analysis.sections
    • Must reflect the contradictory raw/virtual sizes exactly as encoded.
    • Entropy must be computed from the misaligned raw region without correction.
  • analysis.heuristics
    • Must include:
      • section_raw_misaligned
      • import_rva_invalid
    • Metadata must include the exact misaligned raw offset and alignment boundary.
  • metadata
    • Section list must contain exactly one section (.text).
    • Imports, exports, resources, TLS, and signatures must not be inferred.
  • iocs
    • IOCs must not be emitted as a side‑effect of misaligned or oversized raw data.

This ensures IOCX’s section‑analysis engine behaves predictably even when confronted with adversarial PE files containing invalid alignment, contradictory size fields, or malformed raw offsets.