{"id":27933372,"url":"https://github.com/dosx-dev/astral-pe","last_synced_at":"2025-05-07T04:58:27.288Z","repository":{"id":284580669,"uuid":"955385016","full_name":"DosX-dev/Astral-PE","owner":"DosX-dev","description":"Astral-PE is a low-level mutator (Headers/EP obfuscator) for native Windows PE files (x32/x64)","archived":false,"fork":false,"pushed_at":"2025-04-26T07:22:57.000Z","size":1861,"stargazers_count":467,"open_issues_count":0,"forks_count":22,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-05-07T04:58:21.634Z","etag":null,"topics":["cpp","cs","cybersecurity","dotnet","hacktoberfest","infosec","low-level","low-level-programming","malware-analysis","mutator","native","obfuscation","obfuscator","pe","pentest","reverse-engineering","security","static-analysis"],"latest_commit_sha":null,"homepage":"https://dosx.su","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DosX-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-03-26T14:57:12.000Z","updated_at":"2025-05-07T00:43:03.000Z","dependencies_parsed_at":null,"dependency_job_id":"e58b1117-20c1-475b-a46e-b1052a1cab53","html_url":"https://github.com/DosX-dev/Astral-PE","commit_stats":null,"previous_names":["dosx-dev/astral-pe"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DosX-dev%2FAstral-PE","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DosX-dev%2FAstral-PE/tags","releases_url":"https://repos.ecosyste.ms/api/
v1/hosts/GitHub/repositories/DosX-dev%2FAstral-PE/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DosX-dev%2FAstral-PE/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DosX-dev","download_url":"https://codeload.github.com/DosX-dev/Astral-PE/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252816950,"owners_count":21808704,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cpp","cs","cybersecurity","dotnet","hacktoberfest","infosec","low-level","low-level-programming","malware-analysis","mutator","native","obfuscation","obfuscator","pe","pentest","reverse-engineering","security","static-analysis"],"created_at":"2025-05-07T04:58:26.800Z","updated_at":"2025-05-07T04:58:27.281Z","avatar_url":"https://github.com/DosX-dev.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cimg src=\"pics/title.png\" style=\"align: center;\"\u003e\n\n---\n\nAstral-PE is a **low-level mutator** (headers obfuscator and patcher) for Windows PE files (`.exe`, `.dll`, `.sys`) that rewrites structural metadata after compilation (or postbuild protection) — **without breaking execution**.\n\nIt **does not pack, encrypt or inject**. 
Instead, it mutates low-hanging but critical structures like timestamps, headers, section flags, debug info, import/export names, and more.\n\n\u003e #### 🛠 [**Download Astral-PE build for Windows/Linux x64**](https://github.com/DosX-dev/Astral-PE/releases/tag/Stable)\n\n## 🔧 In what cases is it useful?\n\nYou’ve protected a binary — but public unpackers or YARA rules still target its **unchanged structure**.\n\n\u003e ### 👨🏼‍💻 Use Astral-PE as a **post-processing step** to:\n\u003e - Prevent automated unpacking\n\u003e - Break static unpacker logic\n\u003e - Invalidate reverse-engineering signatures\n\u003e - Disrupt clustering in sandboxes\n\u003e - Strip metadata, overlays (only if the file is signed), debug traces...\n\n\u003e ### 🤩 **Perfect for:**\n\u003e - Packed/protected builds (e.g. legacy Enigma)\n\u003e - Building your own protector on this base\n\u003e - Hardened loaders that remain structurally default\n\u003e - Creating interesting crackme quests\n\u003e - Educational purposes\n\n## ✨ What it modifies\n\nAstral-PE applies precise, compliant, and execution-safe mutations:\n\n| Target                  | Description                                                               |\n|-------------------------|---------------------------------------------------------------------------|\n| 🕓 Timestamp            | Clears `TimeDateStamp` in file headers                                   |\n| 🧠 Rich Header          | Fully removed — breaks toolchain fingerprinting                          |\n| 📜 Section Names        | Wiped (`.text`, `.rsrc`, etc. 
→ null)                                    |\n| 📎 Checksum             | Reset to zero                                                             |\n| 📦 Overlay              | Stripped if file was signed                                              |\n| 🧵 TLS Directory        | Removed if unused                                                        |\n| ⚙ Load Config           | Deleted (if CFG not present)                                             |\n| 🧬 Relocations          | Removed if not used in the file                                          |\n| 🧱 Large Address Aware  | Enables 4 GB memory range for 32-bit processes                           |\n| 🧩 Header Flags         | Stripped: `DEBUG_STRIPPED`, `LOCAL_SYMS_STRIPPED`, `LINE_NUMS_STRIPPED`  |\n| 🧼 Subsystem Version    | Minimum OS and Subsystem versions set to zero                            |\n| 🧠 Stack \u0026 Heap Reserve | Increased to safe defaults (32/64 MB) if too low                         |\n| 📋 Version Info         | Erased from optional header                                              |\n| 📁 Original Filename    | Located and zeroed in binary tail                                        |\n| 🔎 Debug Info           | PDB paths wiped, Debug Directory erased                                  |\n| 🚀 Entry Point Patch    | Replaces or shuffles prologue, changes `AddressOfEntryPoint`...          |\n| 🧪 Import Table         | DLL names mutated: case, prefix, randomized formatting                   |\n| 🏷 Export Table         | Faked if absent (baits certain scanners)                                  |\n| 📚 Data Directory       | All unused entries cleaned                                               |\n| 💾 Permissions          | R/W/X + code flags applied to all sections                               |\n| 📄 DOS Stub             | Reset to clean \"MZ\", patched `e_lfanew`                                  |\n\n📝 **Does not support .NET binaries**. 
Native PE only.\n\n## 🚀 Usage\n\n```cmd\nAstral-PE.exe \u003cinput.exe\u003e -o \u003coutput.exe\u003e\n```\n\n- `-o`, `--output` — output file name (optional). Default output: `\u003cinput\u003e_ast.exe`\n- `-l`, `--legacy-win-compat-mode` — specify to ensure compatibility with Windows 7, 8, or 8.1. **Obfuscation will be less effective!** \n- No args? Shows help\n\n## 🧪 Example\n\n```cmd\nAstral-PE.exe payload.exe -o payload_clean.exe\n```\n\n## 📎 Combination with other protections\n\nUse Astral-PE **after** applying protectors.  \nChain it into your CI, cryptor, or loader pipeline:\n\n```\nBuild → Any packer → Astral-PE → Sign → Distribute\n```\n\nOr (a more effective way):\n```\nBuild → Astral-PE → Any packer → Astral-PE → Sign → Distribute\n```\n\n## 🔬 What it’s not\n\n- Not a cryptor\n- Not a stub injector\n- Not a runtime packer\n- Not a **code** obfuscator\n\nIt’s a **surgical metadata cleaner** and **PE-headers/entrypoint obfuscator** for post-processing protected binaries.\n\n## 🔎 Before and after\nA file compiled via Microsoft Visual C++ was chosen as a sample for demonstration.\n\n\u003e ### File analyzers go crazy.\n\u003e Scanned with **[Detect It Easy](https://github.com/horsicq/Detect-It-Easy)**. No reliable verdicts other than the heuristic analysis.\n\u003e ![](pics/before_and_after_1.png)\n\n\u003e ### Imports have become mutated.\n\u003e This makes it very difficult for all existing PE file analyzers to analyze the file.\n\u003e ![](pics/before_and_after_2.png)\n\n\u003e ### No debug data in PE!\n\u003e Astral-PE automatically removes references to PDB files, embedded debug information, and other patterns that can simplify analysis (e.g. 
Rich signature)\n\u003e ![](pics/before_and_after_3.png)\n\n---\n\n![](pics/preview.png)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdosx-dev%2Fastral-pe","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdosx-dev%2Fastral-pe","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdosx-dev%2Fastral-pe/lists"}