Skip to content

DosX-dev/Astral-PE

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

73 Commits
 
 
 
 
 
 
 
 

Repository files navigation


Astral-PE is a low-level mutator (headers obfuscator and patcher) for Windows PE files (.exe, .dll, .sys) that rewrites structural metadata after compilation (or postbuild protection) — without breaking execution.

It does not pack, encrypt or inject. Instead, it mutates low-hanging but critical structures like timestamps, headers, section flags, debug info, import/export names, and more.

๐Ÿ”ง In what cases is it useful?

You’ve protected a binary — but public unpackers or YARA rules still target its unchanged structure.

๐Ÿ‘จ๐Ÿผ‍๐Ÿ’ป Use Astral-PE as a post-processing step to:

  • Prevent automated unpacking
  • Break static unpacker logic
  • Invalidate reverse-engineering signatures
  • Disrupt clustering in sandboxes
  • Strip metadata, overlays (only if file is signed), debug traces...

๐Ÿคฉ Perfect for:

  • For packed/protected builds (e.g. legacy Enigma)
  • To create your own protector on this base
  • Hardened loaders that remain structurally default
  • To create interesting crackme quests
  • For educational purposes

โœจ What it modifies

Astral-PE applies precise, compliant, and execution-safe mutations:

Target Description
๐Ÿ•“ Timestamp Clears TimeDateStamp in file headers
๐Ÿง  Rich Header Fully removed — breaks toolchain fingerprinting
๐Ÿ“œ Section Names Wiped (.text, .rsrc, etc. → null)
๐Ÿ“Ž Checksum Reset to zero
๐Ÿ“ฆ Overlay Stripped if file was signed
๐Ÿงต TLS Directory Removed if unused
โš™ Load Config Deleted (if CFG not present)
๐Ÿงฌ Relocations Removed if not used in the file
๐Ÿงฑ Large Address Aware Enables 4 GB memory range for 32-bit processes
๐Ÿงฉ Header Flags Stripped: DEBUG_STRIPPED, LOCAL_SYMS_STRIPPED, LINE_NUMS_STRIPPED
๐Ÿงผ Subsystem Version Minimum OS and Subsystem versions set to zero
๐Ÿง  Stack & Heap Reserve Increased to safe defaults (32/64 MB) if too low
๐Ÿ“‹ Version Info Erased from optional header
๐Ÿ“ Original Filename Located and zeroed in binary tail
๐Ÿ”Ž Debug Info PDB paths wiped, Debug Directory erased
๐Ÿš€ Entry Point Patch Replaces or shuffles prologue, changes AddressOfEntryPoint...
๐Ÿงช Import Table DLL names mutated: case, prefix, randomized formatting
๐Ÿท Export Table Faked if absent (baits certain scanners)
๐Ÿ“š Data Directory All unused entries cleaned
๐Ÿ’พ Permissions R/W/X + code flags applied to all sections
๐Ÿ“„ DOS Stub Reset to clean "MZ", patched e_lfanew

๐Ÿ“ Does not support .NET binaries. Native PE only.

๐Ÿš€ Usage

Astral-PE.exe <input.exe> -o <output.exe>
  • -o, --output — output file name (optional). Default output: <input>_ast.exe
  • -l, --legacy-win-compat-mode — specify to ensure compatibility with Windows 7, 8, or 8.1. Obfuscation will be less effective!
  • No args? Shows help

๐Ÿงช Example

Astral-PE.exe payload.exe -o payload_clean.exe

๐Ÿ“Ž Combination with other protections

Use Astral-PE after applying protectors.
Chain it into your CI, cryptor, or loader pipeline:

Build → Any packer → Astral-PE → Sign → Distribute

Or (A more effective way):

Build → Astral-PE → Any packer → Astral-PE → Sign → Distribute

๐Ÿ”ฌ What it’s not

  • Not a cryptor
  • Not a stub injector
  • Not a runtime packer
  • Not a code obfuscator

It’s a surgical metadata cleaner and PE-headers/entrypoint obfuscator for post-processing protected binaries.

๐Ÿ”Ž Before and after

A file compiled via Microsoft Visual C++ was chosen as a sample for demonstration.

File analyzers go crazy.

Scanned with Detect It Easy. No reliable verdicts other than the heuristic analysis.

Imports have become mutated.

This makes it very difficult for all existing PE file analyzers to analyze the file.

No debug data in PE!

Automatically remove references to PDB files, embedded debug information or other patterns that can simplify analysis (e.g. Rich signature)


Packages

 
 
 

Contributors