explaingit

hackcascac/obfushunter

19 · C++ · Audience · developer · Complexity · 3/5 · Setup · moderate

TLDR

A Windows command-line tool that scans an .exe or .dll file without running it and identifies known obfuscation and copy-protection tricks, giving each suspicious region a location, category, and threat score.

Mindmap

mindmap
  root((repo))
    What it does
      Static PE file scan
      Detects obfuscation
      Scores threat density
    Detection Types
      Junk code padding
      Anti-debug checks
      VM-based protectors
      String obfuscation
      Writable+exec sections
      TCC compiler artifacts
    Tech Stack
      C++
      Visual Studio
      Windows memory-map API
    Use Cases
      Malware analysis
      Reverse engineering
      Binary inspection


Things people build with this

USE CASE 1

Scan a suspicious .exe or .dll file to find obfuscation techniques like anti-debugging instructions, virtual-machine protectors, or self-modifying code markers before attempting dynamic analysis.

USE CASE 2

Quickly check whether a Windows binary was compiled with the Tiny C Compiler, a common indicator in certain malware families.

USE CASE 3

Get a threat score and file-offset map of all obfuscation regions in a PE binary to prioritize where to focus your reverse-engineering effort.

Tech stack

C++ · Visual Studio · Windows API

Getting it running

Difficulty · moderate · Time to first run · 30 min

Windows only; build with Visual Studio in Release mode; no installer provided; run the resulting .exe from the command line.

In plain English

ObfusHunter is a C++ command-line tool for Windows that scans executable files (PE files, the standard format for .exe and .dll binaries) and identifies signs of obfuscation or copy-protection techniques inside them. It is aimed at reverse engineers and malware analysts who need to understand what a binary is doing to hide its behavior. The tool reads the binary without executing it (static analysis only) and searches for known byte patterns associated with specific obfuscation methods. It produces a report that lists each suspicious region by its location in the file, the category of technique detected, and a threat score based on how densely the obfuscation markers are packed.

The detection categories cover several common techniques. Junk code detection finds padding sequences inserted to confuse disassemblers. Anti-debugging detection looks for instructions that check whether a debugger is attached, such as hardware-breakpoint-clearing operations and timing checks. Virtualization detection looks for code dispatcher patterns used by virtual-machine-based protectors. String obfuscation detection finds cases where a string is built character by character in memory at runtime rather than stored as readable text, which makes static analysis harder. It also flags sections marked as both writable and executable, which is unusual and often a sign of self-modifying code.

One specific focus is detecting the Tiny C Compiler (TCC), a lightweight C compiler popular with some malware authors because of its small output size. ObfusHunter checks for TCC artifacts in the file header, the DOS stub, and the entry-point code to identify when a binary was compiled with TCC.

The tool is built with Visual Studio for Windows x86 or x64 targets. It uses Windows memory-mapping APIs to scan large files quickly. There is no installer: open the solution file in Visual Studio, build in Release mode, and run the resulting executable from the command line with a file path as the argument.
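The two checks described above that the page states concretely, flagging sections marked both writable and executable and scoring a region by how densely its marker bytes are packed, can be shown with a small portable PE section-table walk. The code below is an added example, not ObfusHunter's own source: it defines the PE/COFF structures by hand instead of using windows.h so it compiles anywhere, uses 0xCC/0x90 filler bytes as a stand-in junk-code marker (an assumption; the tool's real signatures are not on the page), picks a 0.5 density threshold purely for illustration, and scans a constructed two-section PE skeleton built in memory rather than a real binary.

```cpp
// Added example (not ObfusHunter's code): bounds-checked PE section walk that flags
// writable+executable sections and scores padding density. The image is constructed.
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Section characteristic flags from the PE/COFF specification.
constexpr uint32_t IMAGE_SCN_MEM_EXECUTE = 0x20000000;
constexpr uint32_t IMAGE_SCN_MEM_READ    = 0x40000000;
constexpr uint32_t IMAGE_SCN_MEM_WRITE   = 0x80000000;

struct SectionInfo { std::string name; uint32_t characteristics, raw_offset, raw_size; };
struct Finding {
    std::string section, category;  // e.g. "writable+executable", "junk-padding"
    uint32_t offset;                // file offset the finding applies to
    double score;                   // 0.0 .. 1.0, higher is more suspicious
};

static uint16_t rd16(const std::vector<uint8_t>& b, size_t o) {
    return static_cast<uint16_t>(b[o] | (b[o + 1] << 8));
}
static uint32_t rd32(const std::vector<uint8_t>& b, size_t o) {
    return rd16(b, o) | (static_cast<uint32_t>(rd16(b, o + 2)) << 16);
}
static void wr16(std::vector<uint8_t>& b, size_t o, uint16_t v) {
    b[o] = static_cast<uint8_t>(v); b[o + 1] = static_cast<uint8_t>(v >> 8);
}
static void wr32(std::vector<uint8_t>& b, size_t o, uint32_t v) {
    wr16(b, o, static_cast<uint16_t>(v)); wr16(b, o + 2, static_cast<uint16_t>(v >> 16));
}

// DOS header -> e_lfanew -> "PE\0\0" -> COFF header -> section table. Every read is
// bounds-checked so a truncated or hostile file cannot run the scanner off the buffer.
bool parse_sections(const std::vector<uint8_t>& img, std::vector<SectionInfo>& out) {
    out.clear();
    if (img.size() < 0x40 || rd16(img, 0) != 0x5A4D) return false;             // "MZ"
    uint32_t pe = rd32(img, 0x3C);                                               // e_lfanew
    if (static_cast<size_t>(pe) + 24 > img.size() || rd32(img, pe) != 0x00004550) return false;
    uint16_t nsec = rd16(img, pe + 6), opt_size = rd16(img, pe + 20);
    size_t tab = static_cast<size_t>(pe) + 24 + opt_size;                        // section table
    for (uint16_t i = 0; i < nsec; ++i) {
        size_t h = tab + static_cast<size_t>(i) * 40;                            // 40-byte header
        if (h + 40 > img.size()) return false;
        size_t n = 0; while (n < 8 && img[h + n] != 0) ++n;                      // 8-byte name
        out.push_back({std::string(reinterpret_cast<const char*>(&img[h]), n),
                       rd32(img, h + 36), rd32(img, h + 20), rd32(img, h + 16)});
    }
    return true;
}

bool is_writable_executable(uint32_t ch) {
    return (ch & IMAGE_SCN_MEM_EXECUTE) && (ch & IMAGE_SCN_MEM_WRITE);
}

// Stand-in junk-code heuristic (assumption): fraction of 0xCC (int3) / 0x90 (nop) bytes.
double padding_density(const std::vector<uint8_t>& img, uint32_t off, uint32_t size) {
    if (size == 0 || static_cast<size_t>(off) + size > img.size()) return 0.0;
    size_t filler = 0;
    for (uint32_t i = 0; i < size; ++i)
        if (img[off + i] == 0xCC || img[off + i] == 0x90) ++filler;
    return static_cast<double>(filler) / size;
}

// Location + category + density-based score per region, as the page describes.
std::vector<Finding> scan(const std::vector<uint8_t>& img) {
    std::vector<Finding> out;
    std::vector<SectionInfo> secs;
    if (!parse_sections(img, secs)) return out;
    for (const auto& s : secs) {
        if (is_writable_executable(s.characteristics))
            out.push_back({s.name, "writable+executable", s.raw_offset, 1.0});
        double d = padding_density(img, s.raw_offset, s.raw_size);
        if (d >= 0.5) out.push_back({s.name, "junk-padding", s.raw_offset, d});  // example threshold
    }
    return out;
}

// Constructed sample: two-section PE skeleton with no optional header (SizeOfOptionalHeader=0).
std::vector<uint8_t> build_sample_image() {
    std::vector<uint8_t> img(0x180, 0);
    wr16(img, 0x00, 0x5A4D); wr32(img, 0x3C, 0x40);     // "MZ", e_lfanew
    wr32(img, 0x40, 0x00004550);                         // "PE\0\0"
    wr16(img, 0x46, 2); wr16(img, 0x54, 0);              // NumberOfSections, SizeOfOptionalHeader
    auto section = [&](size_t h, const char* nm, uint32_t off, uint32_t sz, uint32_t ch) {
        std::memcpy(&img[h], nm, std::strlen(nm));
        wr32(img, h + 16, sz); wr32(img, h + 20, off); wr32(img, h + 36, ch);
    };
    section(0x58, ".text", 0x100, 0x40, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ);
    section(0x80, ".pack", 0x140, 0x40, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ);
    for (uint32_t i = 0; i < 0x40; ++i) img[0x100 + i] = (i % 2) ? 0x8B : 0x55;  // ordinary code bytes
    for (uint32_t i = 0; i < 0x40; ++i) img[0x140 + i] = 0xCC;                     // int3 filler
    return img;
}
```

Running scan() over build_sample_image() yields two findings on the ".pack" section: a writable+executable flag at file offset 0x140 and a junk-padding score of 1.0, while ".text" produces nothing. The parse step returns false on anything shorter than a DOS header or without the MZ/PE signatures, which is the check a static scanner must make before trusting any offset a file hands it.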

Copy-paste prompts

Prompt 1
I have a suspicious .exe file I want to analyze. Show me how to build ObfusHunter in Visual Studio and run it against the file to see its obfuscation report.
Prompt 2
ObfusHunter flagged several regions in a binary as 'virtualization.' What does that mean and how do VM-based protectors work?
Prompt 3
How does ObfusHunter detect TCC-compiled binaries? What artifacts does it look for in the file header, DOS stub, and entry-point code?
Prompt 4
I want to extend ObfusHunter with a new detection rule for a custom packer. Walk me through where to add byte-pattern detection in the C++ source.
Prompt 5
ObfusHunter reported writable+executable sections in a binary. Why is that suspicious and what should I look for next in my analysis?

