Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/EgeBalci/Amber

Reflective PE packer.
https://github.com/EgeBalci/Amber

amber assembly crypter packer payload pe shellcode shellcode-loader stub

Last synced: about 1 month ago
JSON representation

Reflective PE packer.

Host: GitHub
URL: https://github.com/EgeBalci/Amber
Owner: EgeBalci
License: mit
Created: 2017-05-30T23:10:05.000Z (about 7 years ago)
Default Branch: master
Last Pushed: 2024-02-22T17:44:19.000Z (4 months ago)
Last Synced: 2024-02-22T18:53:32.365Z (4 months ago)
Topics: amber, assembly, crypter, packer, payload, pe, shellcode, shellcode-loader, stub
Language: Go
Homepage:
Size: 6.4 MB
Stars: 1,068
Watchers: 44
Forks: 194
Open Issues: 6
Metadata Files:
- Readme: README.md
- License: LICENSE

Lists

awesome-go-security - Amber - Amber is a reflective PE packer for bypassing security products and mitigations. (Packers / Obfuscators)
cybersecurity-golang-security - Amber - Amber is a reflective PE packer for bypassing security products and mitigations. (Packers / Obfuscators)

README

# Inroduction

Amber is a position-independent(reflective) PE loader that enables in-memory execution of native PE files(EXE, DLL, SYS...). It enables stealthy in-memory payload deployment that can be used to bypass anti-virus, firewall, IDS, IPS products, and application white-listing mitigations. Reflective payloads generated by Amber can either be staged from a remote server or executed directly in memory much like a generic shellcode. By default, every generated payload is encoded using the new generation [SGN encoder](https://github.com/EgeBalci/sgn). Amber uses [CRC32_API](https://github.com/EgeBalci/crc32_api) and [IAT_API](https://github.com/EgeBalci/iat_api) for inconspicuously resolving the Windows API function addresses. After the PE file is loaded and executed in memory, the reflective payload is erased for evading memory scanners.

# Installation
Pre-compiled binaries can be found under [releases](https://github.com/EgeBalci/amber/releases).

***Building From Source***

The only dependency for building the source is the [keystone engine](https://github.com/keystone-engine/keystone), follow [these](https://github.com/keystone-engine/keystone/blob/master/docs/COMPILE.md) instructions for installing the library. Once libkeystone is installed on the system, simply just go get it ツ

```
go install github.com/EgeBalci/amber@latest
```

***Docker Install***

[![Docker](http://dockeri.co/image/egee/amber)](https://hub.docker.com/r/egee/amber/)

```
docker pull egee/amber
docker run -it egee/amber
```

# Usage

The following table lists switches supported by the amber.

Switch
Type
Description

-f,--file
string
Input PE file.

-o,--out
string
Output binary payload file name.

-e
int
Number of times to encode the generated reflective payload

--iat
bool
Use IAT API resolver block instead of CRC API resolver block

-l
int
Maximum number of bytes for obfuscation (default 5)

--sys
bool
Perform raw syscalls. (only x64)

--scrape
bool
Scrape magic byte and DOS stub from PE.

**Example Usage**

- Generate reflective payload.
```
amber -f test.exe
```
- Generate reflective payload with IAT API resolver and encode the final payload 10 times.
```
amber -e 10 --iat -f test.exe
```

***Docker Usage***
```
docker run -it -v /tmp/:/tmp/ amber -f /tmp/file.exe
```

# Demo

- [NOPcon 2018 DEMO](https://www.youtube.com/watch?v=lCPdKSH6RMc)
- [Pentest.blog - Deploying Reflective PE Files With Metasploit](https://www.youtube.com/watch?v=3en0ftnjEpE)
- [Pentest.blog - Deploying Reflective Ransomware POC](https://www.youtube.com/watch?v=JVv_spX6D4U)