Astral-PE: A low-level mutator (headers obfuscator) for native Windows PE files

Astral-PE is a low-level mutator (headers obfuscator and patcher) for Windows PE files (.exe, .dll) that rewrites structural metadata after compilation (or as a post-build protection step) — without breaking execution.

It does not pack, encrypt or inject. Instead, it mutates low-hanging but critical structures such as timestamps, headers, section flags, debug info, import/export names, and more.

In what cases is it useful?

You’ve protected a binary — but public unpackers or YARA rules still target its unchanged structure.

👨🏼‍💻 Use Astral-PE as a post-processing step to:

  • Prevent automated unpacking
  • Break static unpacker logic
  • Invalidate reverse-engineering signatures
  • Disrupt clustering in sandboxes
  • Strip metadata, overlays (only if file is signed), debug traces…

🤩 Perfect for:

  • Packed/protected builds (e.g. legacy Enigma)
  • Building your own protector on this base
  • Hardened loaders that remain structurally default
  • Creating interesting crackme challenges
  • Educational purposes

What it modifies

Astral-PE applies precise, compliant, and execution-safe mutations:

| Target | Description |
|---|---|
| 🕓 Timestamp | Clears TimeDateStamp in the file header |
| 🧠 Rich Header | Fully removed — breaks toolchain fingerprinting |
| 📜 Section Names | Wiped (.text, .rsrc, etc. → null) |
| 📎 Checksum | Reset to zero |
| 📦 Overlay | Stripped if the file was signed |
| 🧵 TLS Directory | Removed if unused |
| ⚙ Load Config | Deleted (if CFG is not present) |
| 🧬 Relocations | Removed if not used in the file |
| 🧱 Large Address Aware | Enables the 4 GB memory range for 32-bit processes |
| 🧩 Header Flags | Stripped: DEBUG_STRIPPED, LOCAL_SYMS_STRIPPED, LINE_NUMS_STRIPPED |
| 🧼 Subsystem Version | Minimum OS and Subsystem versions set to zero |
| 🧠 Stack & Heap Reserve | Increased to safe defaults (32/64 MB) if too low |
| 📋 Version Info | Erased from the optional header |
| 📁 Original Filename | Located and zeroed in the binary tail |
| 🔎 Debug Info | PDB paths wiped, Debug Directory erased |
| 🚀 Entry Point Patch | Replaces or shuffles PUSH/PROLOGUE bytes (e.g. UPX) |
| 🧪 Import Table | DLL names mutated: case, prefix, randomized formatting |
| 🏷 Export Table | Faked if absent (baits certain scanners) |
| 📚 Data Directory | All unused entries cleaned |
| 💾 Permissions | R/W/X + code flags applied to all sections |
| 📄 DOS Stub | Reset to a clean “MZ”, patched e_lfanew |
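Several of the mutations above leave traits that a triage tool can look for. As an added example (not part of Astral-PE), the Python checker below parses a PE header with struct and flags a zeroed TimeDateStamp, a zeroed CheckSum, zeroed OS/Subsystem versions, wiped section names and blanket writable+executable sections; the two sample headers it inspects are constructed inline, and the heuristic thresholds are this example's own assumptions.

```python
import struct
WX = 0x20000000 | 0x80000000  # IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE

def pe_mutation_indicators(data: bytes) -> list:
    """Heuristic (assumed for this example): flag header traits the table above lists."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if len(data) >= 0x40 else 0
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["not a PE file"]
    coff = e_lfanew + 4
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # version and CheckSum offsets are identical in PE32 and PE32+
    major_os, _, _, _, major_sub, _ = struct.unpack_from("<6H", data, opt + 40)
    checksum = struct.unpack_from("<I", data, opt + 64)[0]
    findings = []
    if timestamp == 0:
        findings.append("TimeDateStamp zeroed")
    if checksum == 0:
        findings.append("CheckSum zeroed")
    if major_os == 0 and major_sub == 0:
        findings.append("OS/Subsystem versions zeroed")
    # section headers follow the optional header, 40 bytes each: Name at +0, Characteristics at +36
    secs = [(data[o:o + 8].rstrip(b"\0"), struct.unpack_from("<I", data, o + 36)[0])
            for o in range(opt + opt_size, opt + opt_size + 40 * nsections, 40)]
    if secs and all(n == b"" for n, _ in secs):
        findings.append("all section names wiped")
    if secs and all(f & WX == WX for _, f in secs):
        findings.append("every section writable and executable")
    return findings

def build_sample(timestamp, checksum, os_major, names, chars) -> bytes:
    """Constructed minimal PE32 header: DOS header, signature, COFF, optional header, sections."""
    opt_size = 0xE0
    hdr = bytearray(0x44 + 20 + opt_size + 40 * len(names))
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                            # e_lfanew
    struct.pack_into("<HHI", hdr, 0x44, 0x14C, len(names), timestamp)  # Machine, sections, stamp
    struct.pack_into("<H", hdr, 0x44 + 16, opt_size)                   # SizeOfOptionalHeader
    opt = 0x44 + 20
    struct.pack_into("<H", hdr, opt, 0x10B)                            # PE32 magic
    struct.pack_into("<5H", hdr, opt + 40, os_major, 0, 0, 0, os_major)  # Major OS / Subsystem versions
    struct.pack_into("<I", hdr, opt + 64, checksum)                    # CheckSum
    for i, (name, c) in enumerate(zip(names, chars)):
        off = opt + opt_size + 40 * i
        hdr[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<I", hdr, off + 36, c)                       # Characteristics
    return bytes(hdr)

NORMAL = build_sample(0x5F3A1234, 0x12345, 6, [b".text", b".rdata"], [0x60000020, 0x40000040])
MUTATED = build_sample(0, 0, 0, [b"", b""], [0xE0000020, 0xE0000020])
```

A single hit is weak evidence (linkers and legitimate packers zero some of these fields too); several together on one binary are what make it worth a closer look.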

Download & Use