https://github.com/dosx-dev/astral-pe
Astral-PE is a low-level mutator (Headers/EP obfuscator) for native Windows PE files (x32/x64)
- Host: GitHub
- URL: https://github.com/dosx-dev/astral-pe
- Owner: DosX-dev
- License: mit
- Created: 2025-03-26T14:57:12.000Z (3 months ago)
- Default Branch: main
- Last Pushed: 2025-04-26T07:22:57.000Z (about 2 months ago)
- Last Synced: 2025-05-07T04:58:21.634Z (about 1 month ago)
- Topics: cpp, cs, cybersecurity, dotnet, hacktoberfest, infosec, low-level, low-level-programming, malware-analysis, mutator, native, obfuscation, obfuscator, pe, pentest, reverse-engineering, security, static-analysis
- Language: C#
- Homepage: https://dosx.su
- Size: 1.77 MB
- Stars: 467
- Watchers: 5
- Forks: 22
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
---
Astral-PE is a **low-level mutator** (headers obfuscator and patcher) for Windows PE files (`.exe`, `.dll`, `.sys`) that rewrites structural metadata after compilation (as a post-build protection step) **without breaking execution**.
It **does not pack, encrypt or inject**. Instead, it mutates low-hanging but critical structures such as timestamps, headers, section flags, debug info, import/export names, and more.
> #### [**Download Astral-PE build for Windows/Linux x64**](https://github.com/DosX-dev/Astral-PE/releases/tag/Stable)
## In what cases is it useful?
You've protected a binary, but public unpackers or YARA rules still target its **unchanged structure**.

> ### Use Astral-PE as a **post-processing step** to:
> - Prevent automated unpacking
> - Break static unpacker logic
> - Invalidate reverse-engineering signatures
> - Disrupt clustering in sandboxes
> - Strip metadata, overlays (only if the file is signed), debug traces...

> ### **Perfect for:**
> - Packed/protected builds (e.g. legacy Enigma)
> - Building your own protector on this base
> - Hardened loaders that remain structurally default
> - Creating interesting crackme quests
> - Educational purposes

## What it modifies
Astral-PE applies precise, compliant, and execution-safe mutations:
| Target | Description |
|-------------------------|---------------------------------------------------------------------------|
| Timestamp | Clears `TimeDateStamp` in file headers |
| Rich Header | Fully removed; breaks toolchain fingerprinting |
| Section Names | Wiped (`.text`, `.rsrc`, etc. become null) |
| Checksum | Reset to zero |
| Overlay | Stripped if file was signed |
| TLS Directory | Removed if unused |
| Load Config | Deleted (if CFG not present) |
| Relocations | Removed if not used in the file |
| Large Address Aware | Enables 4 GB memory range for 32-bit processes |
| Header Flags | Stripped: `DEBUG_STRIPPED`, `LOCAL_SYMS_STRIPPED`, `LINE_NUMS_STRIPPED` |
| Subsystem Version | Minimum OS and Subsystem versions set to zero |
| Stack & Heap Reserve | Increased to safe defaults (32/64 MB) if too low |
| Version Info | Erased from optional header |
| Original Filename | Located and zeroed in binary tail |
| Debug Info | PDB paths wiped, Debug Directory erased |
| Entry Point Patch | Replaces or shuffles prologue, changes `AddressOfEntryPoint`... |
| Import Table | DLL names mutated: case, prefix, randomized formatting |
| Export Table | Faked if absent (baits certain scanners) |
| Data Directory | All unused entries cleaned |
| Permissions | R/W/X + code flags applied to all sections |
| DOS Stub | Reset to clean "MZ", patched `e_lfanew` |

**Does not support .NET binaries**. Native PE only.
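Read from the analyst's side, the table above doubles as a checklist of traits that a freshly linked binary rarely carries all at once. The following is an added example, not code from the Astral-PE project: it parses the DOS, COFF, optional and section headers with Python's `struct` module and reports which of the README-listed traits a file shows (zero `TimeDateStamp`, blank section names, no Rich header, zeroed subsystem versions, all sections R/W/X, empty debug directory, zero checksum). The two sample images, the trait names and the weighting in `verdict` are my own constructions and assumptions; a missing Rich header or a zero checksum is also normal for non-MSVC toolchains and unsigned builds, which is why those count as weak signals. To scan a real file, pass `open(path, "rb").read()` to `scan_for_mutations`.

```python
"""Heuristic check for the header traits listed in the Astral-PE README.

Added example for this page, not code from the Astral-PE project. The two
sample images built by build_sample() are constructed, header-only byte
strings: they are not real programs and cannot execute.
"""
import struct

# Section characteristic bits from the PE/COFF specification.
SCN_CNT_CODE, SCN_CNT_INITIALIZED_DATA = 0x20, 0x40
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
DEBUG_DIR_INDEX = 6  # IMAGE_DIRECTORY_ENTRY_DEBUG
# Traits that are rare in untouched linker output; the remaining ones are common on their own.
STRONG = {"zero_timestamp", "blank_section_names", "zero_subsystem_version", "all_sections_rwx"}


def parse_pe_headers(data: bytes) -> dict:
    """Extract only the header fields the heuristics need (handles PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # MajorOperatingSystemVersion .. MajorSubsystemVersion and CheckSum share offsets in PE32/PE32+.
    major_os, _, _, _, major_subsys = struct.unpack_from("<HHHHH", data, opt + 40)
    checksum = struct.unpack_from("<I", data, opt + 64)[0]
    count_off, dirs_off = (92, 96) if magic == 0x10B else (108, 112)  # data directories move in PE32+
    ndirs = struct.unpack_from("<I", data, opt + count_off)[0]
    debug_dir = (0, 0)
    if ndirs > DEBUG_DIR_INDEX:
        debug_dir = struct.unpack_from("<II", data, opt + dirs_off + 8 * DEBUG_DIR_INDEX)
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((fields[0], fields[-1]))  # (Name, Characteristics)
    return {"timestamp": timestamp, "checksum": checksum, "major_os": major_os, "major_subsys": major_subsys,
            "debug_dir": tuple(debug_dir), "sections": sections, "dos_stub": data[0x40:e_lfanew]}


def scan_for_mutations(data: bytes) -> list:
    """Return the README-listed traits present in the headers, in a fixed order."""
    h = parse_pe_headers(data)
    rwx = SCN_MEM_READ | SCN_MEM_WRITE | SCN_MEM_EXECUTE
    checks = [
        ("zero_timestamp", h["timestamp"] == 0),
        ("zero_checksum", h["checksum"] == 0),  # weak: common in unsigned builds
        ("blank_section_names", bool(h["sections"]) and all(n.strip(b"\0") == b"" for n, _ in h["sections"])),
        ("no_rich_header", b"Rich" not in h["dos_stub"]),  # weak: also true for non-MSVC linkers
        ("zero_subsystem_version", h["major_os"] == 0 and h["major_subsys"] == 0),
        ("all_sections_rwx", bool(h["sections"]) and all(f & rwx == rwx for _, f in h["sections"])),
        ("no_debug_directory", h["debug_dir"] == (0, 0)),  # weak: release builds may drop it
    ]
    return [name for name, hit in checks if hit]


def verdict(found: list) -> str:
    """Two or more strong traits together are unusual for an untouched build (threshold is an assumption)."""
    return "likely header-mutated" if len(STRONG & set(found)) >= 2 else "no strong signal"


def build_sample(mutated: bool) -> bytes:
    """Constructed header-only PE32 image; the mutated variant mirrors the README table."""
    e_lfanew = 0x80
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stub = bytearray(e_lfanew - 0x40)  # DOS stub area, where the Rich header lives
    if not mutated:
        stub[:4], stub[-8:-4] = b"DanS", b"Rich"
    sections = [(b".text", SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
                (b".rdata", SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ),
                (b".data", SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE)]
    if mutated:  # names wiped, every section R/W/X + code
        sections = [(b"", SCN_CNT_CODE | SCN_MEM_READ | SCN_MEM_WRITE | SCN_MEM_EXECUTE)] * 3
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0 if mutated else 0x5F3E1A2B, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<H", opt, 68, 3)               # IMAGE_SUBSYSTEM_WINDOWS_CUI
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    if not mutated:
        struct.pack_into("<HHHHH", opt, 40, 6, 0, 0, 0, 6)                      # OS/subsystem version 6.0
        struct.pack_into("<I", opt, 64, 0x0001C3F7)                              # CheckSum
        struct.pack_into("<II", opt, 96 + 8 * DEBUG_DIR_INDEX, 0x3000, 0x1C)     # debug directory
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x1000, 0x1000 * (i + 1), 0x200,
                                0x400 + 0x200 * i, 0, 0, 0, 0, f)
                    for i, (n, f) in enumerate(sections))
    return bytes(dos) + bytes(stub) + b"PE\0\0" + coff + bytes(opt) + hdrs
```

`scan_for_mutations(build_sample(True))` reports all seven traits and `verdict` returns "likely header-mutated", while the clean sample triggers none. On real files, treat the output as a triage signal to pair with other evidence, since several of the traits are individually harmless.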
## Usage
```cmd
Astral-PE.exe <input_file> -o <output_file>
```
- `-o`, `--output`: output file name (optional). Default output: `_ast.exe`
- `-l`, `--legacy-win-compat-mode`: specify to ensure compatibility with Windows 7, 8, or 8.1. **Obfuscation will be less effective!**
- No args? Shows help

## Example
```cmd
Astral-PE.exe payload.exe -o payload_clean.exe
```

## Combination with other protections
Use Astral-PE **after** applying protectors.
Chain it into your CI, cryptor, or loader pipeline:
```
Build -> Any packer -> Astral-PE -> Sign -> Distribute
```
Or (a more effective way):
```
Build -> Astral-PE -> Any packer -> Astral-PE -> Sign -> Distribute
```

## What it's not
- Not a cryptor
- Not a stub injector
- Not a runtime packer
- Not a **code** obfuscator

It's a **surgical metadata cleaner** and **PE-headers/entrypoint obfuscator** for post-processing protected binaries.
## Before and after
A file compiled via Microsoft Visual C++ was chosen as a sample for demonstration.

> ### File analyzers go crazy.
> Scanned with **[Detect It Easy](https://github.com/horsicq/Detect-It-Easy)**. No reliable verdicts other than the heuristic analysis.

> ### Imports have become mutated.
> This makes it very difficult for all existing PE file analyzers to analyze the file.

> ### No debug data in PE!
> Automatically removes references to PDB files, embedded debug information or other patterns that can simplify analysis (e.g. Rich signature).