README.md
April 26, 2025 Β· View on GitHub
Astral-PE is a low-level mutator (headers obfuscator and patcher) for Windows PE files (.exe, .dll, .sys) that rewrites structural metadata after compilation (or postbuild protection) β without breaking execution.
It does not pack, encrypt or inject. Instead, it mutates low-hanging but critical structures like timestamps, headers, section flags, debug info, import/export names, and more.
π Download Astral-PE build for Windows/Linux x64
π§ In what cases is it useful?
Youβve protected a binary β but public unpackers or YARA rules still target its unchanged structure.
π¨πΌβπ» Use Astral-PE as a post-processing step to:
- Prevent automated unpacking
- Break static unpacker logic
- Invalidate reverse-engineering signatures
- Disrupt clustering in sandboxes
- Strip metadata, overlays (only if file is signed), debug traces...
π€© Perfect for:
- For packed/protected builds (e.g. legacy Enigma)
- To create your own protector on this base
- Hardened loaders that remain structurally default
- To create interesting crackme quests
- For educational purposes
β¨ What it modifies
Astral-PE applies precise, compliant, and execution-safe mutations:
| Target | Description |
|---|---|
| π Timestamp | Clears TimeDateStamp in file headers |
| π§ Rich Header | Fully removed β breaks toolchain fingerprinting |
| π Section Names | Wiped (.text, .rsrc, etc. β null) |
| π Checksum | Reset to zero |
| π¦ Overlay | Stripped if file was signed |
| 𧡠TLS Directory | Removed if unused |
| β Load Config | Deleted (if CFG not present) |
| 𧬠Relocations | Removed if not used in the file |
| 𧱠Large Address Aware | Enables 4 GB memory range for 32-bit processes |
| 𧩠Header Flags | Stripped: DEBUG_STRIPPED, LOCAL_SYMS_STRIPPED, LINE_NUMS_STRIPPED |
| π§Ό Subsystem Version | Minimum OS and Subsystem versions set to zero |
| π§ Stack & Heap Reserve | Increased to safe defaults (32/64 MB) if too low |
| π Version Info | Erased from optional header |
| π Original Filename | Located and zeroed in binary tail |
| π Debug Info | PDB paths wiped, Debug Directory erased |
| π Entry Point Patch | Replaces or shuffles prologue, changes AddressOfEntryPoint... |
| π§ͺ Import Table | DLL names mutated: case, prefix, randomized formatting |
| π· Export Table | Faked if absent (baits certain scanners) |
| π Data Directory | All unused entries cleaned |
| πΎ Permissions | R/W/X + code flags applied to all sections |
| π DOS Stub | Reset to clean "MZ", patched e_lfanew |
π Does not support .NET binaries. Native PE only.
π Usage
Astral-PE.exe <input.exe> -o <output.exe>
-o,--outputβ output file name (optional). Default output:<input>_ast.exe-l,--legacy-win-compat-modeβ specify to ensure compatibility with Windows 7, 8, or 8.1. Obfuscation will be less effective!- No args? Shows help
π§ͺ Example
Astral-PE.exe payload.exe -o payload_clean.exe
π Combination with other protections
Use Astral-PE after applying protectors.
Chain it into your CI, cryptor, or loader pipeline:
Build β Any packer β Astral-PE β Sign β Distribute
Or (A more effective way):
Build β Astral-PE β Any packer β Astral-PE β Sign β Distribute
π¬ What itβs not
- Not a cryptor
- Not a stub injector
- Not a runtime packer
- Not a code obfuscator
Itβs a surgical metadata cleaner and PE-headers/entrypoint obfuscator for post-processing protected binaries.
π Before and after
A file compiled via Microsoft Visual C++ was chosen as a sample for demonstration.
File analyzers go crazy.
Scanned with Detect It Easy. No reliable verdicts other than the heuristic analysis.
Imports have become mutated.
This makes it very difficult for all existing PE file analyzers to analyze the file.
No debug data in PE!
Automatically remove references to PDB files, embedded debug information or other patterns that can simplify analysis (e.g. Rich signature)
