Astral-PE: A low-level mutator (headers obfuscator) for native Windows PE files
Astral-PE is a low-level mutator (headers obfuscator and patcher) for Windows PE files (.exe
, .dll
) that rewrites structural metadata after compilation (or postbuild protection) — without breaking execution.
It does not pack, encrypt or inject. Instead, it mutates low-hanging but critical structures like timestamps, headers, section flags, debug info, import/export names, and more.
In what cases is it useful?
You’ve protected a binary — but public unpackers or YARA rules still target its unchanged structure.
👨🏼💻 Use Astral-PE as a post-processing step to:
- Prevent automated unpacking
- Break static unpacker logic
- Invalidate reverse-engineering signatures
- Disrupt clustering in sandboxes
- Strip metadata, overlays (only if file is signed), debug traces…
🤩 Perfect for:
- For packed/protected builds (e.g. legacy Enigma)
- To create your own protector on this base
- Hardened loaders that remain structurally default
- To create interesting crackme quests
- For educational purposes
What it modifies
Astral-PE applies precise, compliant, and execution-safe mutations:
Target | Description |
---|---|
🕓 Timestamp | Clears TimeDateStamp in file headers |
🧠 Rich Header | Fully removed — breaks toolchain fingerprinting |
📜 Section Names | Wiped (.text , .rsrc , etc. → null) |
📎 Checksum | Reset to zero |
📦 Overlay | Stripped if file was signed |
🧵 TLS Directory | Removed if unused |
⚙ Load Config | Deleted (if CFG not present) |
🧬 Relocations | Removed if not used in the file |
🧱 Large Address Aware | Enables 4 GB memory range for 32-bit processes |
🧩 Header Flags | Stripped: DEBUG_STRIPPED , LOCAL_SYMS_STRIPPED , LINE_NUMS_STRIPPED |
🧼 Subsystem Version | Minimum OS and Subsystem versions set to zero |
🧠 Stack & Heap Reserve | Increased to safe defaults (32/64 MB) if too low |
📋 Version Info | Erased from optional header |
📁 Original Filename | Located and zeroed in binary tail |
🔎 Debug Info | PDB paths wiped, Debug Directory erased |
🚀 Entry Point Patch | Replaces or shuffles PUSH/PROLOGUE bytes (e.g. UPX) |
🧪 Import Table | DLL names mutated: case, prefix, randomized formatting |
🏷 Export Table | Faked if absent (baits certain scanners) |
📚 Data Directory | All unused entries cleaned |
💾 Permissions | R/W/X + code flags applied to all sections |
📄 DOS Stub | Reset to clean “MZ”, patched e_lfanew |