99 adversarial PE files: exploring malformed‑binary behaviour across major analysis tools
This analysis presents a corpus of 99 adversarial Portable Executable (PE) files designed to explore how major PE analysis tools behave when confronted with deliberately malformed but loadable binaries. The study identifies different anomaly patterns such as entrypoint redirection, overlapping sections, header inconsistencies, and more. It evaluates six common tools used in exploit development workflows, revealing varying behaviors including masking of anomalies, crashes, or lack of anomaly visibility. The research highlights how malformed PE structures can be leveraged for parser differentials, crash primitives, metadata confusion, loader inconsistencies, and analysis evasion.
AI Analysis
Technical Summary
A set of 99 adversarial PE files was created to systematically test the behavior of six widely used PE analysis tools (IOCX, Ghidra, Detect It Easy, radare2, PEview, CFF Explorer) against specific corruption patterns. Each file introduces a single corruption type, such as entrypoint redirection, overlapping or invalid sections, or header inconsistencies. The tools exhibited distinct behaviors: literal parsers never crashed but failed to show anomalies; semantic parsers silently fixed corruptions, masking the inconsistencies; heuristic tools ignored malformed metadata; reconstructive loaders rewrote metadata and sometimes crashed; hybrid tools preserved the raw bytes and explicitly surfaced anomalies. The corpus maps how malformed PE files can evade analysis or cause inconsistent parsing, which is relevant to both exploit development and malware analysis.
Potential Impact
The impact lies in the potential for attackers or malware authors to exploit differences and weaknesses in PE parsing tools to evade detection, cause crashes, or create confusion in analysis workflows. Malformed PE files can serve as primitives for evasion, crash induction, or metadata manipulation, complicating reliable static and dynamic analysis. However, no direct exploit or active threat is reported, and this work primarily informs tool developers and analysts about limitations and behaviors of existing PE parsers.
Mitigation Recommendations
This is an analysis and research corpus rather than a vulnerability with a patch. No official fixes or patches are applicable. Security professionals and tool developers should review the findings to improve PE parsing robustness and anomaly detection in their tools. Users of these tools should be aware of potential blind spots or crash conditions when analyzing malformed PE files. No immediate remediation is required beyond incorporating these insights into tool development and analysis practices.
Reddit Discussion
I’ve built a 99‑fixture adversarial PE corpus to explore how different tools behave when confronted with deliberately malformed but still loadable binaries.
Each fixture introduces one corruption pattern - no packers or multi‑anomaly noise, which allows for clean attribution of behaviour. The anomalies span:
- entrypoint redirection
- overlapping/invalid sections
- header inconsistencies
- directory OOB conditions
- TLS edge cases
- recursive/malformed resources
- Authenticode structural corruption
- entropy‑field manipulation
I tested 6 tools commonly used in exploit dev workflows:
- IOCX
- Ghidra
- Detect It Easy
- radare2
- PEview
- CFF Explorer
Behavioural patterns with exploit‑relevant implications:
- Literal parsers (r2, PEview) never crashed but provided no anomaly visibility
- Semantic parsers (CFF) “fixed” corruption, masking exploit‑useful inconsistencies
- Heuristic tools (DIE) ignored structure, blind to malformed metadata
- Reconstructive loaders (Ghidra) rewrote metadata, omitted fields, and crashed on entropy fixtures
- Hybrid literal‑semantic tools (IOCX) preserved raw bytes and surfaced anomalies explicitly
For exploit dev, malformed PE structures can act as:
- parser differentials
- crash primitives
- metadata confusion vectors
- loader‑model inconsistencies
- analysis‑evasion surfaces
This corpus maps those behaviours systematically.
Full write‑up (Part 1):
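As an added example (not code from the post, the corpus, or any of the tools it names), a minimal literal PE checker in the spirit of the hybrid approach the post credits: it reads the raw header fields with struct and reports entrypoint redirection, overlapping sections, section data past end of file and header inconsistencies rather than repairing them. build_pe, pe_anomalies and the two fixtures are constructed for this example; the builder omits data directories, so directory and TLS checks are not covered.

```python
import struct
SEC_HDR = 40   # IMAGE_SECTION_HEADER size
OPT_SIZE = 96  # PE32 optional header with data directories omitted (assumption of this example)

def build_pe(entry_rva, sections, file_size=0x600):
    """Assemble a constructed minimal PE32 file: DOS stub, COFF and optional headers, section table."""
    dos = bytearray(b"MZ" + b"\0" * 0x3e)
    struct.pack_into("<I", dos, 0x3c, 0x40)              # e_lfanew: PE signature at offset 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_SIZE, 0x102)
    opt = bytearray(OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 60, 0x200)               # SizeOfHeaders
    table = b"".join(struct.pack("<8sIIII", n, vs, va, rs, ro).ljust(SEC_HDR, b"\0")
                     for n, va, vs, ro, rs in sections)  # (name, VA, VirtualSize, RawPtr, RawSize)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(file_size, b"\0")

def pe_anomalies(data):
    """Report header/section inconsistencies literally instead of silently repairing them."""
    out = []
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["missing or truncated DOS header"]
    pe = struct.unpack_from("<I", data, 0x3c)[0]
    if pe + 88 > len(data) or data[pe:pe + 4] != b"PE\0\0":   # need COFF hdr + SizeOfHeaders field
        return ["e_lfanew points outside the file or PE signature missing"]
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]
    hdr_size = struct.unpack_from("<I", data, pe + 24 + 60)[0]
    tbl = pe + 24 + opt_size
    if tbl + nsec * SEC_HDR > len(data):
        return ["section table runs past end of file"]
    if tbl + nsec * SEC_HDR > hdr_size:
        out.append("section table extends beyond SizeOfHeaders")
    secs = [struct.unpack_from("<8sIIII", data, tbl + i * SEC_HDR) for i in range(nsec)]
    names = [s[0].rstrip(b"\0").decode("ascii", "replace") for s in secs]
    for i, (_, _, _, rs1, ro1) in enumerate(secs):
        if ro1 + rs1 > len(data):
            out.append(f"{names[i]} raw data extends past end of file")
        for j, (_, _, _, rs2, ro2) in enumerate(secs[i + 1:], i + 1):   # pairwise on-disk overlap
            if rs1 and rs2 and ro1 < ro2 + rs2 and ro2 < ro1 + rs1:
                out.append(f"{names[i]} and {names[j]} overlap on disk")
    if not any(va <= entry < va + max(vs, rs) for _, vs, va, rs, _ in secs):
        out.append(f"entry point {entry:#x} " + ("inside headers" if entry < hdr_size else "in no section"))
    return out

# Constructed fixtures: a consistent layout, then entrypoint-in-headers plus overlapping .text/.data
CLEAN = build_pe(0x1000, [(b".text", 0x1000, 0x200, 0x200, 0x200), (b".data", 0x2000, 0x200, 0x400, 0x200)])
BAD = build_pe(0x40, [(b".text", 0x1000, 0x200, 0x200, 0x300), (b".data", 0x2000, 0x200, 0x400, 0x200)])
```

Truncating CLEAN (for example to 0x300 bytes) exercises the out-of-file check, which is the same condition a directory OOB fixture triggers for its data directory.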
Technical Details
- Source Type: Subreddit
- Subreddit: ExploitDev+pwned+hacking
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Domain: null
- Newsworthiness Assessment: {"score":30,"reasons":["external_link","newsworthy_keywords:analysis","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["analysis"],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a2aa88757b0f63cf39e4d07
Added to database: 6/11/2026, 12:22:31 PM
Last enriched: 6/11/2026, 12:22:36 PM
Last updated: 6/11/2026, 4:36:40 PM