
ObfusHunter

C++ ★ 24 updated 1mo ago

🛡️ Advanced PE obfuscation & protection detector. Scans binaries for Obfus.h signatures, anti-debug mechanisms, virtualization dispatchers, and dynamically built string loops. Includes highly accurate Tiny C Compiler (TCC) recognition for malware analysis.

A Windows command-line tool that scans an .exe or .dll file without running it and identifies known obfuscation and copy-protection tricks, giving each suspicious region a location, category, and threat score.

Tags: C++ · Visual Studio · Windows API · setup: moderate · complexity 3/5

ObfusHunter is a C++ command-line tool for Windows that scans executable files (PE files, the standard format for .exe and .dll binaries) and identifies signs of obfuscation or copy-protection techniques inside them. It is aimed at reverse engineers and malware analysts who need to understand what a binary is doing to hide its behavior.

The tool reads the binary without executing it (static analysis only) and searches for known byte patterns associated with specific obfuscation methods. It produces a report that lists each suspicious region by its location in the file, the category of technique detected, and a threat score based on how densely the obfuscation markers are packed.

The detection categories cover several common techniques. Junk code detection finds padding sequences inserted to confuse disassemblers. Anti-debugging detection looks for instructions that check whether a debugger is attached, such as hardware-breakpoint-clearing operations and timing checks. Virtualization detection looks for code dispatcher patterns used by virtual-machine-based protectors. String obfuscation detection finds cases where a string is built character by character in memory at runtime rather than stored as readable text, which makes static analysis harder. It also flags executable sections marked as both writable and executable, which is unusual and often a sign of self-modifying code.
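As an added illustration of the last check in that list, the writable-and-executable section flag, the following C++ is example code written for this page, not ObfusHunter's own source. It parses the section table of a PE image held in memory (DOS header, `PE\0\0` signature, COFF file header, then one 40-byte section header per section) and returns the names of sections whose `Characteristics` field carries both `IMAGE_SCN_MEM_WRITE` and `IMAGE_SCN_MEM_EXECUTE`. The image it scans is constructed inline from the documented header offsets, with a deliberately W+X section named `.wxsec`; the section names, flag values for `.text` and `.data`, and the zero-filled optional header are assumptions made for the sample, not taken from any real binary.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>
#include <iostream>

// Section characteristic flags from the PE/COFF specification.
constexpr uint32_t IMAGE_SCN_CNT_CODE    = 0x00000020;
constexpr uint32_t IMAGE_SCN_CNT_INIT    = 0x00000040;
constexpr uint32_t IMAGE_SCN_MEM_EXECUTE = 0x20000000;
constexpr uint32_t IMAGE_SCN_MEM_READ    = 0x40000000;
constexpr uint32_t IMAGE_SCN_MEM_WRITE   = 0x80000000;

// Fixed layout facts we rely on: e_lfanew lives at 0x3C in the DOS header,
// the COFF file header is 20 bytes, each section header is 40 bytes.
constexpr size_t DOS_E_LFANEW_OFFSET = 0x3C;
constexpr size_t COFF_HEADER_SIZE    = 20;
constexpr size_t SECTION_HEADER_SIZE = 40;

// PE fields are little-endian; assemble them byte-wise so this is host-independent.
static uint16_t rd16(const std::vector<uint8_t>& b, size_t off) {
    return static_cast<uint16_t>(b[off] | (b[off + 1] << 8));
}
static uint32_t rd32(const std::vector<uint8_t>& b, size_t off) {
    return static_cast<uint32_t>(b[off]) | (static_cast<uint32_t>(b[off + 1]) << 8) |
           (static_cast<uint32_t>(b[off + 2]) << 16) | (static_cast<uint32_t>(b[off + 3]) << 24);
}
static void wr16(std::vector<uint8_t>& b, size_t off, uint16_t v) {
    b[off] = v & 0xFF; b[off + 1] = (v >> 8) & 0xFF;
}
static void wr32(std::vector<uint8_t>& b, size_t off, uint32_t v) {
    for (int i = 0; i < 4; ++i) b[off + i] = (v >> (8 * i)) & 0xFF;
}

struct SectionInfo { std::string name; uint32_t characteristics; };

// Walk the section table. Every offset is bounds-checked against the buffer
// so a truncated or malformed header yields "not a PE" instead of an out-of-range read.
bool parseSections(const std::vector<uint8_t>& img, std::vector<SectionInfo>& out) {
    if (img.size() < DOS_E_LFANEW_OFFSET + 4) return false;
    if (img[0] != 'M' || img[1] != 'Z') return false;
    const uint32_t peOff = rd32(img, DOS_E_LFANEW_OFFSET);
    if (static_cast<size_t>(peOff) + 4 + COFF_HEADER_SIZE > img.size()) return false;
    if (std::memcmp(&img[peOff], "PE\0\0", 4) != 0) return false;
    const size_t coff = peOff + 4;
    const uint16_t nSections = rd16(img, coff + 2);   // NumberOfSections
    const uint16_t optSize   = rd16(img, coff + 16);  // SizeOfOptionalHeader
    const size_t secTable = coff + COFF_HEADER_SIZE + optSize;
    if (secTable + static_cast<size_t>(nSections) * SECTION_HEADER_SIZE > img.size()) return false;
    for (uint16_t i = 0; i < nSections; ++i) {
        const size_t h = secTable + i * SECTION_HEADER_SIZE;
        char name[9] = {0};                       // Name is 8 bytes, not NUL-terminated
        std::memcpy(name, &img[h], 8);
        out.push_back({std::string(name), rd32(img, h + 36)});  // Characteristics at +36
    }
    return true;
}

// The detection itself: names of sections that are both writable and executable.
std::vector<std::string> findWxSections(const std::vector<uint8_t>& img) {
    std::vector<std::string> hits;
    std::vector<SectionInfo> secs;
    if (!parseSections(img, secs)) return hits;
    const uint32_t wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE;
    for (const auto& s : secs)
        if ((s.characteristics & wx) == wx) hits.push_back(s.name);
    return hits;
}

// Constructed sample image (assumption: zero-filled 0xE0-byte optional header,
// three sections, the third deliberately marked W+X).
std::vector<uint8_t> buildSamplePe() {
    const size_t optSize = 0xE0;
    std::vector<uint8_t> img(0x40 + 4 + COFF_HEADER_SIZE + optSize + 3 * SECTION_HEADER_SIZE, 0);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img, DOS_E_LFANEW_OFFSET, 0x40);
    std::memcpy(&img[0x40], "PE\0\0", 4);
    const size_t coff = 0x44;
    wr16(img, coff + 0, 0x014C);                 // Machine: i386
    wr16(img, coff + 2, 3);                      // NumberOfSections
    wr16(img, coff + 16, static_cast<uint16_t>(optSize));
    const size_t secTable = coff + COFF_HEADER_SIZE + optSize;
    struct { const char* name; uint32_t chars; } secs[3] = {
        {".text",  IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ},
        {".data",  IMAGE_SCN_CNT_INIT | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE},
        {".wxsec", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE},
    };
    for (int i = 0; i < 3; ++i) {
        const size_t h = secTable + i * SECTION_HEADER_SIZE;
        std::memcpy(&img[h], secs[i].name, std::strlen(secs[i].name));
        wr32(img, h + 36, secs[i].chars);
    }
    return img;
}

int main() {
    for (const auto& n : findWxSections(buildSamplePe()))
        std::cout << "W+X section: " << n << "\n";  // prints ".wxsec" for the sample
    return 0;
}
```

To run it against a real file, read the whole file into the vector instead of calling `buildSamplePe()`; the parser only needs the headers, so a file-mapped view of the first few kilobytes is enough. A W+X hit is a signal to look closer, not a verdict: some legitimate packers and runtime code generators produce such sections too.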

One specific focus is detecting the Tiny C Compiler (TCC), a lightweight C compiler popular with some malware authors because of its small output size. ObfusHunter checks for TCC artifacts in the file header, the DOS stub, and the entry-point code to identify when a binary was compiled with TCC.

The tool is built with Visual Studio for Windows x86 or x64 targets. It uses Windows memory-mapping APIs to scan large files quickly. There is no installer; open the solution file in Visual Studio, build in Release mode, and run the resulting executable from the command line with a file path as the argument.

Where it fits