Challenge 35: PE Header Obfuscation (Astral-PE)
Objective
Use PE header obfuscation (e.g., Astral-PE) to corrupt or manipulate PE headers so the EDR’s parser fails silently and returns no analysis.
Prerequisites
edr_agent.exe --signatures signatures/malware_hashes.txt --verbose --no-kill
Scanner Behavior
Rule 9 parses the PE header sequentially:
proc analyzePeStructure(imagePath: string): PeAnalysis =
...
if dosHeader[0] != 0x4D or dosHeader[1] != 0x5A: return
...
if peData[0] != ord('P') or peData[1] != ord('E'): return
...
If any parsing step fails, the function returns PeAnalysis(valid: false) and Rule 9 produces zero detections. The binary can still execute because the Windows PE loader is more tolerant than this parser.
Rules
- Apply PE header obfuscation to a binary (e.g., using Astral-PE)
- The obfuscated binary must still execute correctly on Windows
- Rule 9’s
analyzePeStructuremust fail to parse it (returnsvalid: false) - No Rule 9 detections should trigger
Hints
Hint 1
Astral-PE can modify PE headers in ways that break third-party parsers but keep the Windows loader happy. Techniques include zeroing non-essential fields, corrupting the Rich header, and manipulating the DOS stub.Hint 2
The EDR validatese_lfanew <= 1024*1024 — what if it pointed to a valid but unusual location? The EDR also assumes section headers are contiguous — what if they're not?
MostShittyEDR