IOCX — deterministic static IOC extraction

Static IOC extraction & PE analysis for adversarial environments

Precision by default. Zero execution risk.

IOCX is a deterministic, static-only engine for extracting indicators of compromise and analysing Windows PE binaries. Built for DFIR teams, SOC automation, CI/CD security gates, and large-scale threat-intel pipelines where correctness, reproducibility, and safety actually matter.


Try IOCX in 10 seconds

Install IOCX and extract indicators immediately — no setup, no sandbox, no risk.

pip install iocx
echo "http://malicious.example" | iocx -
iocx suspicious.exe -a deep

Watch IOCX Analyze a Real Binary

A fast, 17‑second walkthrough of deterministic static analysis — no sandboxing, no heuristics, no guesswork.


What’s new in v0.7.3

The latest release focuses on structural correctness and deterministic heuristics:

What is IOCX?

IOCX is the official deterministic static IOC extraction and PE analysis engine from MalX Labs. It combines high-throughput IOC extraction from text and binaries with binary-aware PE structural analysis, all under a strict static-only, zero-execution-risk model.

Modern malware is adversarial by default. IOCX is engineered for that reality — not for idealised input.

Why IOCX matters

Most IOC tools break under adversarial conditions:

IOCX is built for environments where correctness, determinism, and safety are non-negotiable: DFIR, SOC automation, CI/CD security, threat-intel platforms, and malware research labs.

What makes IOCX different

Comparison of IOCX with typical IOC extractors and sandboxes.

  Capability             | IOCX            | Typical extractors | Sandboxes
  -----------------------|-----------------|--------------------|------------------
  Safety                 | Static-only     | Regex-only         | Executes malware
  Determinism            | Guaranteed      | Volatile           | Non-deterministic
  Binary awareness       | Full PE parsing | None               | Yes (unsafe)
  Adversarial resilience | High            | Low                | Medium
  CI/CD friendly         | Yes             | Partial            | No

Core capabilities

Static IOC extraction (text & logs)

High-throughput extraction of URLs, domains, IPs, hashes, file paths, Base64, and crypto wallets — fully deterministic and adversarial-tested.

Binary-aware PE analysis

Structural analysis of sections, entry points, RVA graphs, TLS callbacks, signatures, and entropy, all derived from the file's bytes without executing untrusted code.

Deterministic output

Snapshot-validated, schema-stable JSON designed as a contract for downstream systems.

Zero execution risk

IOCX never executes the code it analyses; a sample is only ever read as bytes. That makes it safe for CI/CD, production pipelines, and strict environments. Parsing hostile input is still parsing hostile input, so give the process the same isolation you would give any other file parser.

CLI & Python API

Use the CLI for triage and scripting, or integrate via Python for ETL and automation.

Extensible plugin ecosystem

Custom detectors, heuristics, and binary-aware modules — all snapshot-tested for deterministic behaviour.

How IOCX works

IOCX is a layered, deterministic static-analysis pipeline:

  • Entry points: the command-line interface (CLI) or the Python API
  • Input module: file reading, PE parsing, text processing
  • Core IOCX engine: built-in extractors (URLs, IPs, domains, hashes, …) and the IOC output handler
  • Plugin framework, applied in three stages:
      • Transformer plugins: input pre-processing
      • Detector plugins: IOC extraction logic
      • Enricher plugins: metadata and context enrichment
  • IOCX results: structured JSON output

Examples


Example 1: Full PE Static Analysis Output (Real IOCX Example)

Command

iocx heuristic_rich.full.exe -a full

Output

{
  "file": "heuristic_rich.full.exe",
  "type": "PE",
  "iocs": {
    "urls": [
      "http://not-a-real-domain.test/payload"
    ],
    "domains": [
      "example-malware.com"
    ],
    "ips": [
      "192.0.2.123"
    ],
    "hashes": [
      "abcd1234ef567890abcd1234ef567890",
      "1234567890"
    ]
  },
  "metadata": {
    "imports": [
      "KERNEL32.dll",
      "msvcrt.dll",
      "USER32.dll"
    ],
    "sections": [
      ".text",
      ".data",
      ".rwx",
      "UPX0"
    ],
    "tls": {
      "start_address": 5368758272,
      "end_address": 5368758280
    },
    "header": {
      "entry_point": 5088,
      "image_base": 5368709120,
      "machine": "AMD64"
    }
  },
  "analysis": {
    "sections": [
      { "name": ".text", "entropy": 5.92 },
      { "name": ".rwx", "entropy": 0.00 },
      { "name": "UPX0", "entropy": 0.34 }
    ],
    "obfuscation": [
      {
        "value": "abnormal_section_layout_virtual_only",
        "metadata": {
          "section": ".bss",
          "virtual_size": 384
        }
      }
    ],
    "heuristics": [
      {
        "value": "packer_suspected",
        "metadata": {
          "reason": "packer_section_name",
          "section": "UPX0"
        }
      },
      {
        "value": "anti_debug_heuristic",
        "metadata": {
          "reason": "anti_debug_api_import",
          "dll": "kernel32.dll",
          "function": "CheckRemoteDebuggerPresent"
        }
      },
      {
        "value": "pe_structure_anomaly",
        "metadata": {
          "reason": "section_overlaps_headers",
          "section": ".bss",
          "raw_address": 0
        }
      }
    ]
  }
}
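Everything in the report above is derived from header facts: section names, raw versus virtual sizes, raw-data pointers, per-section entropy and the TLS data directory. The following Python is an added illustration of how such facts are read from the section table without executing anything; it is not IOCX's code or API. Its finding names (modelled on the `value`/`reason` strings above), its packer-name list, its 7.0-bit entropy threshold and the PE32+ image it builds inline are all assumptions, and the image is a constructed file, not a real sample. It covers the binary-aware PE analysis capability listed under Core capabilities as well as this example.

```python
"""PE32+ section-table parser with entropy and structural heuristics.
Added illustration, not IOCX's code: heuristic names, thresholds and the
inline sample image are assumptions."""
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKER_PREFIXES = ("UPX", ".ASPACK", ".PETITE", "MPRESS", ".VMP")  # assumed list
HIGH_ENTROPY = 7.0  # assumed threshold, bits per byte

def shannon_entropy(data: bytes) -> float:
    """0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(image: bytes) -> dict:
    """DOS header -> PE signature -> COFF -> optional header -> section table.
    Only fixed offsets are read; nothing is mapped, relocated or executed."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x20B:
        raise ValueError("this example handles PE32+ only")
    entry = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    size_of_headers = struct.unpack_from("<I", image, opt + 60)[0]
    tls = struct.unpack_from("<II", image, opt + 112 + 9 * 8)  # data directory 9 = TLS
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + i * 40)
        raw = image[rptr:rptr + rsize] if rsize else b""  # raw bytes backing the section
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va, "raw_size": rsize,
                         "raw_address": rptr, "characteristics": chars,
                         "entropy": round(shannon_entropy(raw), 2)})
    return {"entry_point": entry, "image_base": image_base,
            "size_of_headers": size_of_headers, "tls": tls, "sections": sections}

def heuristics(pe: dict) -> list:
    """(finding, reason, section) tuples derived from header facts alone."""
    out = []
    for s in pe["sections"]:
        if s["name"].upper().startswith(PACKER_PREFIXES):
            out.append(("packer_suspected", "packer_section_name", s["name"]))
        if s["raw_size"] == 0 and s["virtual_size"] > 0:  # exists only once mapped
            out.append(("obfuscation", "abnormal_section_layout_virtual_only", s["name"]))
        if s["raw_size"] > 0 and s["raw_address"] < pe["size_of_headers"]:
            out.append(("pe_structure_anomaly", "section_overlaps_headers", s["name"]))
        if s["entropy"] >= HIGH_ENTROPY:
            out.append(("packer_suspected", "high_entropy_section", s["name"]))
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            out.append(("pe_structure_anomaly", "writable_executable_section", s["name"]))
    return out

def entry_section(pe: dict):
    """Name of the section whose virtual range covers AddressOfEntryPoint, else None."""
    for s in pe["sections"]:
        if s["virtual_address"] <= pe["entry_point"] < s["virtual_address"] + s["virtual_size"]:
            return s["name"]
    return None

def build_sample_image() -> bytes:
    """Constructed PE32+ image (not a real sample): UPX-style layout plus a malformed .bss."""
    table = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b"UPX0", 0x3000, 0x1000, 0, 0, 0xE0000080),          # virtual-only, RWX
        (b"UPX1", 0x1000, 0x4000, 0x200, 0x200, 0xE0000040),  # packed code, RWX
        (b".rsrc", 0x200, 0x5000, 0x200, 0x400, 0xC0000040),
        (b".bss", 384, 0x6000, 0x200, 0, 0xC0000080),         # raw pointer 0 lands in the headers
    ]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(table), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    # magic, AddressOfEntryPoint (inside UPX1), BaseOfCode, ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<H14xIIQII", opt, 0, 0x20B, 0x4010, 0x1000, 0x140000000, 0x1000, 0x200)
    struct.pack_into("<I", opt, 60, 0x200)                 # SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 9 * 8, 0x5000, 40)  # TLS directory (RVA, size)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in table)
    head = (dos + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(0x200, b"\0")
    return head + bytes(range(256)) * 2 + b"\0" * 0x200  # UPX1 data (entropy 8.0), .rsrc (0.0)

if __name__ == "__main__":
    pe = parse_pe(build_sample_image())
    print("entry point in", entry_section(pe), "| TLS directory", pe["tls"])
    for finding in heuristics(pe):
        print(*finding)
```

Running it prints the section that contains the entry point (the UPX1 stub), the TLS directory and one line per finding. The two checks worth copying are the ones the report above relies on: a section with SizeOfRawData of zero but a non-zero VirtualSize exists only in memory (UPX0 is the textbook case), and a non-zero SizeOfRawData whose PointerToRawData falls inside SizeOfHeaders means the loader will map header bytes as section data. On a truncated file `struct.unpack_from` raises, which is the right failure mode for a static gate; a production parser should also reject section ranges that overlap each other or extend past the end of the image before reading any further structure.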

Example 2: Extract indicators from unstructured text

Input

We observed traffic to hxxp://malicious.example/login.php from 185.199.110.153.
Payload hash: 4d186321c1a7f0f354b297e8914ab240.

Output

{
  "urls": [
    "http://malicious.example/login.php"
  ],
  "ips": [
    "185.199.110.153"
  ],
  "hashes": [
    "4d186321c1a7f0f354b297e8914ab240"
  ]
}

Example 3: Extract indicators from a suspicious executable

Command

iocx suspicious.exe

Output

{
  "domains": [
    "api.badserver.net",
    "cdn.shadowdrop.cc"
  ],
  "ips": [
    "91.210.47.12"
  ],
  "filepaths": [
    "/auth/check",
    "/update/payload.bin"
  ]
}

Example 4: Parse indicators from noisy logs

Input

[WARN] Connection attempt from 45.155.205.233:443
[WARN] Outbound request to http://evil.site/update

Output

{
  "ips": [
    "45.155.205.233"
  ],
  "urls": [
    "http://evil.site/update"
  ]
}

Example 5: Lightweight enrichment (IOCX Registry Keys Plugin)

Command

iocx mixed_iocs.txt --enrich

Output

{
  "file": "mixed_iocs.txt",
  "type": "text",
  "iocs": {
    "urls": [
      "http://malicious.example.com"
    ],
    "ips": [
      "91.210.45.12"
    ],
    "hashes": [
      "44d88612fea8a8f36de82e1278abb02f"
    ],
    "emails": [
      "evil@phish.example"
    ],
    "filepaths": [
      "/tmp/runme.sh"
    ],
    "crypto.btc": [
      "1BoatSLRHtKNngkdXEeobR76b53LETtpyT"
    ],
    "crypto.eth": [
      "0x52908400098527886E0F7030069857D2E4169EE7"
    ],
    "registry.keys": [
      "HKLM\\Software\\BadStuff",
      "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\BadApp"
    ],
    "registry.values": [
      "REG_DWORD"
    ]
  },
  "enrichment": {
    "registry.keys": [
      {
        "value": "HKLM\\Software\\BadStuff",
        "score": 0,
        "flags": {
          "persistence": false
        }
      },
      {
        "value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\BadApp",
        "score": 50,
        "reasons": [
          "Registry path contains persistence location: HKCU/HKLM Run key"
        ],
        "flags": {
          "persistence": true
        }
      }
    ]
  }
}
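The pipeline described under How IOCX works (transformer, detector and enricher plugins feeding a schema-stable JSON result) and the registry enrichment in Example 5 can be shown in a few dozen lines. The following Python is an added illustration and is not IOCX's code or API: its regexes, plugin layout, refang rules, persistence rule and the score of 50 are assumptions chosen to mirror the page's examples, and the sample text is constructed rather than captured.

```python
"""Three-stage transformer -> detector -> enricher pipeline with canonical output.
Added illustration, not IOCX's code or API: regexes, plugin names, refang rules
and the persistence score are assumptions modelled on the page's examples."""
import hashlib
import json
import re

# Transformer stage: input pre-processing. Defanged forms (hxxp, [.], (.), [:])
# are normalised before any detector runs, so "hxxp://x[.]y" and "http://x.y"
# yield the same indicator.
def refang(text: str) -> str:
    text = re.sub(r"(?i)hxxp", "http", text)
    return text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")

# Detector stage: one compiled pattern per IOC type (assumed patterns; the key
# names follow the report keys shown on this page).
DETECTORS = {
    "urls": re.compile(r"\bhttps?://[^\s\"'<>]+"),
    "ips": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "hashes": re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I),
    "registry.keys": re.compile(r"\b(?:HKLM|HKCU|HKCR|HKU|HKCC)(?:\\[^\s\\]+)+"),
}

# Enricher stage: metadata and context. A key under a Run/RunOnce location is
# flagged as persistence and scored 50 (score and reason text are assumptions).
PERSISTENCE_RE = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)(?:\\|$)", re.I)

def enrich_registry_key(key: str) -> dict:
    persistence = bool(PERSISTENCE_RE.search(key))
    record = {"value": key, "score": 50 if persistence else 0,
              "flags": {"persistence": persistence}}
    if persistence:
        record["reasons"] = ["Registry path contains persistence location: HKCU/HKLM Run key"]
    return record

def extract(text: str) -> dict:
    """Run the three stages. Every list is de-duplicated and sorted, so the
    report depends only on which indicators are present, not on their order."""
    text = refang(text)
    iocs = {}
    for name, pattern in DETECTORS.items():
        found = sorted({m.group(0) for m in pattern.finditer(text)})
        if found:
            iocs[name] = found
    enrichment = {}
    if "registry.keys" in iocs:
        enrichment["registry.keys"] = [enrich_registry_key(k) for k in iocs["registry.keys"]]
    return {"type": "text", "iocs": iocs, "enrichment": enrichment}

def canonical_json(report: dict) -> str:
    """Stable serialisation: sorted keys, fixed indent, ASCII only."""
    return json.dumps(report, sort_keys=True, indent=2, ensure_ascii=True)

def snapshot_digest(report: dict) -> str:
    """SHA-256 of the canonical JSON; a snapshot test compares this to a stored value."""
    return hashlib.sha256(canonical_json(report).encode("utf-8")).hexdigest()

# Constructed sample input (not real telemetry) mixing the page's text, log and
# registry examples with defanged forms.
SAMPLE = """\
We observed traffic to hxxp://malicious[.]example/login.php from 185.199.110.153.
Payload hash: 4d186321c1a7f0f354b297e8914ab240.
[WARN] Connection attempt from 45.155.205.233:443
Persistence via HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\BadApp
Config stored under HKLM\\Software\\BadStuff
"""

if __name__ == "__main__":
    report = extract(SAMPLE)
    print(canonical_json(report))
    # The same indicators in a different order must produce the same digest.
    shuffled = "\n".join(reversed(SAMPLE.splitlines()))
    assert snapshot_digest(extract(shuffled)) == snapshot_digest(report)
    print("snapshot:", snapshot_digest(report))
```

Two properties carry the deterministic-output claim: every list is de-duplicated and sorted, so the report depends only on which indicators are present, and the JSON is serialised with sorted keys, so two runs over the same content hash to the same digest (the `__main__` block checks this by reversing the input lines). A snapshot test stores that digest and fails the build when it changes, which is what turns the output schema into a contract for downstream systems.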

Plugin ecosystem & extensibility

Plugins are first-class citizens — deterministic, snapshot-tested, and safe to extend.

Performance profiles

Text / logs

150–300 MB/s sustained throughput.

Typical PE files

6–15 MB/s including structural analysis.

Adversarial dense PE

Approximately 7.6 MB/s with deterministic ReasonCodes.

Design philosophy

IOCX is engineered around a small set of non-negotiable principles:

What IOCX is not

IOCX is intentionally not any of the following:

IOCX is static-only by design — for safety, determinism, and CI/CD compatibility.

Version highlights

Version history

v0.7.3 — structural correctness & deterministic heuristics

  • Hardened PE validators
  • Snapshot-stable behaviour
  • Consistent ReasonCodes
  • Heuristics built on structural truth

v0.7.1 — adversarial heuristics expansion

  • Six new PE heuristics
  • Expanded adversarial corpus
  • Hardened extractors

v0.7.0 — deterministic heuristics

  • Deterministic heuristics
  • Snapshot-contract tests

v0.6.0 — stable output schema & deterministic metadata

  • Fully stable JSON schema
  • Normalised PE metadata
  • Formalised analysis levels

v0.5.0 — analysis levels, PE section analysis, obfuscation hints

  • New analysis-level system
  • PE structural analysis
  • Obfuscation heuristics

v0.4.0 — plugin architecture

  • Plugin-ready rule engine
  • Unified detection flow

v0.3.0 — crypto IOC detection

  • Ethereum and Bitcoin wallet detection

v0.2.0 — high-reliability IP detection

  • Major IPv4/IPv6 improvements

Responsible use

IOCX is intended for defensive research, SOC automation, CI/CD security, and threat-intelligence workflows. All usage must occur within authorised environments.

IOC extraction and static analysis are defensive capabilities. Misuse, including offensive or unauthorised activity, is not tolerated.

Get involved

IOCX welcomes contributors, researchers, and engineers who care about determinism, correctness, and precision in threat-analysis tooling.


Official IOCX repositories

Explore the official IOCX repositories: