Astral-PE: A low-level mutator (headers obfuscator) for native Windows PE files
Astral-PE is a low-level mutator (headers obfuscator and patcher) for Windows PE files (.exe, .dll) that rewrites structural metadata after compilation, or after post-build protection such as packing, without breaking execution.
It does not pack, encrypt or inject. Instead, it mutates low-hanging but critical structures such as timestamps, headers, section flags, debug info, import/export names, and more.
In what cases is it useful?
You’ve protected a binary — but public unpackers or YARA rules still target its unchanged structure.
Use Astral-PE as a post-processing step to:
- Prevent automated unpacking
- Break static unpacker logic
- Invalidate reverse-engineering signatures
- Disrupt clustering in sandboxes
- Strip metadata, debug traces and the overlay (the overlay is stripped only if the file is signed)
Perfect for:
- Packed/protected builds (e.g. legacy Enigma)
- Building your own protector on top of it
- Hardened loaders that should still look structurally default
- Crackme challenges
- Educational use
What it modifies
Astral-PE applies precise, compliant, and execution-safe mutations:
| Target | Description |
|---|---|
| Timestamp | Clears TimeDateStamp in the file headers |
| Rich Header | Fully removed; breaks toolchain fingerprinting |
| Section Names | Wiped (.text, .rsrc, etc. → null bytes) |
| Checksum | Reset to zero (the loader does not verify it for user-mode images; do not apply this to drivers) |
| Overlay | Stripped if the file was signed (the rewritten headers invalidate an Authenticode signature anyway, so the certificate data is dead weight; unsigned files keep their overlay) |
| TLS Directory | Removed if unused |
| Load Config | Deleted if CFG is not present |
| Relocations | Removed if the file does not use them |
| Large Address Aware | Sets IMAGE_FILE_LARGE_ADDRESS_AWARE so a 32-bit process can address up to 4 GB (on 64-bit Windows); only safe for code that never treats pointers as signed values |
| Header Flags | Removed: DEBUG_STRIPPED, LOCAL_SYMS_STRIPPED, LINE_NUMS_STRIPPED (informational flags the loader ignores) |
| Subsystem Version | Minimum OS and subsystem versions set to zero |
| Stack & Heap Reserve | Raised to safe defaults (32/64 MB) if too low |
| Version Info | Image version fields erased from the optional header |
| Original Filename | Located in the binary tail and zeroed |
| Debug Info | PDB paths wiped, Debug Directory erased |
| Entry Point Patch | Rewrites or reorders the PUSH/prologue bytes at the entry point (e.g. the UPX stub) |
| Import Table | DLL names mutated: case, prefix, randomized formatting (DLL name lookup is case-insensitive, so loading is unaffected) |
| Export Table | Faked if absent (baits certain scanners) |
| Data Directory | All unused entries zeroed |
| Permissions | R/W/X plus code flags applied to all sections (note that uniformly RWX sections are themselves a common heuristic in scanners and EDR) |
| DOS Stub | Reset to a minimal "MZ" header with e_lfanew re-pointed at the NT headers |
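As an added, stand-alone example (not Astral-PE's own code), the following Python script performs a handful of the mutations from the table on a PE32 image: it zeroes TimeDateStamp and CheckSum, clears the three *_STRIPPED flags, locates and erases the Rich header, wipes the CodeView PDB path and the debug directory, and blanks the section names. The input is a constructed one-section PE32 built in memory so the script runs offline; the file layout, the names `build_sample_pe`, `mutate`, `nt_headers`, `rva_to_offset`, `strip_rich_header` and `describe`, the XOR key and the PDB path are all assumptions of this example and not taken from the project. Only PE32 is handled, because the optional-header field offsets differ for PE32+.

```python
import struct
# winnt.h flag bits and PE32 optional-header field offsets (PE32+ lays these out differently)
LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, DEBUG_STRIPPED = 0x0004, 0x0008, 0x0200
STRIP_FLAGS = DEBUG_STRIPPED | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED
OPT_CHECKSUM, OPT_DATA_DIRS, DIR_DEBUG, DEBUG_TYPE_CODEVIEW = 64, 96, 6, 2
DANS = 0x536E6144  # "DanS", start marker of the Rich header

def build_sample_pe() -> bytes:
    """Constructed sample (hand-built, not linker output): one-section PE32 with a Rich header and a PDB path."""
    key = 0x12345678  # assumed XOR key for the constructed Rich header
    rich = struct.pack("<4I", DANS ^ key, key, key, key)     # "DanS" ^ key, three pad dwords
    rich += struct.pack("<2I", 0x00010001 ^ key, 7 ^ key)    # one (comp.id, count) pair
    rich += b"Rich" + struct.pack("<I", key)
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(0x40, b"\x00")
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40 + len(stub) + len(rich))  # e_lfanew at 0x3C
    # i386, 1 section, fingerprintable timestamp, 224-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE | strip flags
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 1, 0x5F3E1234, 0, 0, 224, 0x0102 | STRIP_FLAGS)
    opt = struct.pack("<HBB9I6H4IHH6I",
                      0x10B, 14, 0, 0x200, 0, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      6, 0, 1, 2, 6, 0,              # OS / image / subsystem versions
                      0, 0x2000, 0x200, 0xDEADBEEF,  # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      3, 0x8140,                     # Subsystem CUI, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # stack/heap reserve+commit, LoaderFlags, 16 dirs
    dirs = [(0, 0)] * 16
    dirs[DIR_DEBUG] = (0x1100, 28)                   # debug directory placed inside .text
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + stub + rich + b"PE\0\0" + file_hdr + opt + sect).ljust(0x200, b"\x00")
    cv = b"RSDS" + bytes(16) + struct.pack("<I", 1) + b"C:\\build\\sample.pdb\x00"  # assumed PDB path
    dbg = struct.pack("<IIHHIIII", 0, 0, 0, 0, DEBUG_TYPE_CODEVIEW, len(cv), 0x1120, 0x320)
    code = bytearray(0x200)
    code[0] = 0xC3                                   # `ret` at the entry point
    code[0x100:0x100 + len(dbg)] = dbg               # RVA 0x1100 == file offset 0x300
    code[0x120:0x120 + len(cv)] = cv                 # RVA 0x1120 == file offset 0x320
    return headers + bytes(code)

def nt_headers(pe):
    """Return (e_lfanew, optional header offset, first section header offset, section count)."""
    nt, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H", pe, nt + 6)[0], struct.unpack_from("<H", pe, nt + 20)[0]
    return nt, nt + 24, nt + 24 + opt_size, nsec

def rva_to_offset(pe, rva):
    """Map an RVA to a file offset through the section table."""
    _, _, first, nsec = nt_headers(pe)
    for i in range(nsec):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, first + 40 * i)
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} is outside every section")

def strip_rich_header(pe, nt):
    """Find 'Rich' + XOR key before the NT headers, walk back to the encoded 'DanS' marker
    and zero the block. The loader never reads this region, so execution is unaffected."""
    pos = pe.find(b"Rich", 0x40, nt)
    if pos < 0 or pos + 8 > nt:
        return False
    key, = struct.unpack_from("<I", pe, pos + 4)
    for start in range(pos - 4, 0x3C, -4):
        if struct.unpack_from("<I", pe, start)[0] == DANS ^ key:
            pe[start:pos + 8] = bytes(pos + 8 - start)
            return True
    return False

def mutate(data: bytes) -> bytes:
    """Apply a subset of the table's mutations and return the new image bytes."""
    pe = bytearray(data)
    nt, opt, first, nsec = nt_headers(pe)
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("this example handles PE32 only")
    struct.pack_into("<I", pe, nt + 8, 0)                         # TimeDateStamp
    chars = struct.unpack_from("<H", pe, nt + 22)[0] & ~STRIP_FLAGS & 0xFFFF
    struct.pack_into("<H", pe, nt + 22, chars)                    # *_STRIPPED flags are informational only
    struct.pack_into("<I", pe, opt + OPT_CHECKSUM, 0)             # CheckSum is not verified for user-mode images
    strip_rich_header(pe, nt)
    dbg_dir = opt + OPT_DATA_DIRS + 8 * DIR_DEBUG
    rva, size = struct.unpack_from("<II", pe, dbg_dir)
    if rva and size:
        entry = rva_to_offset(pe, rva)
        for e in range(entry, entry + size, 28):                  # IMAGE_DEBUG_DIRECTORY is 28 bytes
            dtype, dsize, _, raw = struct.unpack_from("<IIII", pe, e + 12)
            if dtype == DEBUG_TYPE_CODEVIEW and raw:
                pe[raw:raw + dsize] = bytes(dsize)                # wipe the RSDS record and its PDB path
        pe[entry:entry + size] = bytes(size)
        struct.pack_into("<II", pe, dbg_dir, 0, 0)
    for i in range(nsec):
        pe[first + 40 * i:first + 40 * i + 8] = bytes(8)          # section names are not used by the loader
    return bytes(pe)

def describe(data: bytes) -> dict:
    """Re-parse the fields the mutations touch so before/after images can be compared."""
    nt, opt, first, nsec = nt_headers(data)
    return {
        "timestamp": struct.unpack_from("<I", data, nt + 8)[0],
        "characteristics": struct.unpack_from("<H", data, nt + 22)[0],
        "checksum": struct.unpack_from("<I", data, opt + OPT_CHECKSUM)[0],
        "debug_dir": struct.unpack_from("<II", data, opt + OPT_DATA_DIRS + 8 * DIR_DEBUG),
        "rich_present": data.find(b"Rich", 0x40, nt) >= 0,
        "pdb_present": b".pdb" in data,
        "section_names": [bytes(data[first + 40 * i:first + 40 * i + 8]) for i in range(nsec)],
    }
```

Calling `describe()` on the image before and after `mutate()` shows the fingerprintable fields (timestamp, Rich header, `.pdb` path, section names, debug directory) disappearing while the file keeps its size and its entry-point code. Because only headers and debug metadata are touched, the loader still reaches everything it needs through e_lfanew and the section table; the MZ/PE and PE32 checks at the top of `mutate()` are the minimum a mutator should do before patching fields by fixed offset.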
Download & Use