Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/EgeBalci/Amber
Reflective PE packer.
- Host: GitHub
- URL: https://github.com/EgeBalci/Amber
- Owner: EgeBalci
- License: mit
- Created: 2017-05-30T23:10:05.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2024-02-22T17:44:19.000Z (11 months ago)
- Last Synced: 2024-10-29T17:54:47.865Z (3 months ago)
- Topics: amber, assembly, crypter, packer, payload, pe, shellcode, shellcode-loader, stub
- Language: Go
- Homepage:
- Size: 6.4 MB
- Stars: 1,179
- Watchers: 46
- Forks: 207
- Open Issues: 5
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- cybersecurity-golang-security - Amber - Amber is a reflective PE packer for bypassing security products and mitigations. (Packers / Obfuscators)
- awesome-go-security - Amber - Amber is a reflective PE packer for bypassing security products and mitigations. (Packers / Obfuscators)
README
# Introduction
Amber is a position-independent (reflective) PE loader that enables in-memory execution of native PE files (EXE, DLL, SYS, ...). It allows stealthy in-memory payload deployment that can be used to bypass anti-virus, firewall, IDS and IPS products, as well as application white-listing mitigations. Reflective payloads generated by Amber can either be staged from a remote server or executed directly in memory, much like generic shellcode. By default, every generated payload is encoded with the new-generation [SGN encoder](https://github.com/EgeBalci/sgn). Amber uses [CRC32_API](https://github.com/EgeBalci/crc32_api) and [IAT_API](https://github.com/EgeBalci/iat_api) to resolve Windows API function addresses inconspicuously, i.e. without embedding plaintext API names in the payload. After the PE file has been loaded and execution has been handed over to it, the reflective loader stub erases itself from memory to evade memory scanners.
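The hash-based API resolution referred to above (the CRC32_API resolver block) works by storing only a 4-byte hash per required function in the payload and walking a module's export names until one hashes to the same value. The following is an added example written for this page, not code from Amber, CRC32_API or IAT_API. It assumes the standard CRC-32 (IEEE polynomial) as the hash; whether CRC32_API uses exactly that variant is an assumption here, and the export list is a constructed sample standing in for a real walk of a module's export directory. The same table also serves the analyst: hashes recovered from a payload can be translated back into API names.

```go
// Added example (not Amber's own code): hash-based Windows API resolution.
// The payload carries only 32-bit hashes; the loader hashes each export name
// of the target module and stops at the first match. Hash variant assumed:
// CRC-32 with the IEEE polynomial.
package main

import (
	"fmt"
	"hash/crc32"
)

// apiHash returns the 32-bit identifier the payload would carry for a name.
// Export names are case-sensitive, so the hash must be computed over the
// exact exported spelling.
func apiHash(name string) uint32 {
	return crc32.ChecksumIEEE([]byte(name))
}

// sampleExports is a constructed stand-in for a module's export name table.
var sampleExports = []string{
	"CloseHandle", "CreateFileA", "GetProcAddress", "LoadLibraryA",
	"VirtualAlloc", "VirtualFree", "VirtualProtect", "WriteProcessMemory",
}

// resolveByHash is the loader side: given the export names of a module and
// the hash baked into the payload, return the matching export name. The
// second return value is false when the target module does not export a
// matching function, a case a loader must handle instead of crashing.
func resolveByHash(exports []string, want uint32) (string, bool) {
	for _, name := range exports {
		if apiHash(name) == want {
			return name, true
		}
	}
	return "", false
}

// hashTable is the analyst side: precompute hash -> name for a module's
// exports so that hashes found in a payload can be mapped back to APIs.
func hashTable(exports []string) map[uint32]string {
	t := make(map[uint32]string, len(exports))
	for _, name := range exports {
		t[apiHash(name)] = name
	}
	return t
}

// findCollisions returns export names whose hash is shared by another export
// of the same module; a resolver that stops at the first match would bind
// the wrong function for any name listed here.
func findCollisions(exports []string) []string {
	seen := make(map[uint32]string, len(exports))
	var collisions []string
	for _, name := range exports {
		h := apiHash(name)
		if prev, ok := seen[h]; ok && prev != name {
			collisions = append(collisions, prev, name)
			continue
		}
		seen[h] = name
	}
	return collisions
}

func main() {
	// Payload side: these hashes are the only API-related data embedded.
	wanted := []uint32{apiHash("VirtualAlloc"), apiHash("VirtualProtect"), apiHash("LoadLibraryA")}
	for _, h := range wanted {
		name, ok := resolveByHash(sampleExports, h)
		fmt.Printf("0x%08x -> %q (found=%v)\n", h, name, ok)
	}
	// Analyst side: translate a hash pulled out of a payload back to a name.
	table := hashTable(sampleExports)
	fmt.Println("reverse lookup:", table[apiHash("GetProcAddress")])
	fmt.Println("collisions in sample:", findCollisions(sampleExports))
}
```

In a real loader the export list comes from the export directory of a module already mapped in the process (located via the PEB loader lists), so no string such as "VirtualAlloc" ever appears in the payload; for an analyst, precomputing the table over the exports of the relevant system DLLs is what makes a dump of those hashes readable.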
# Installation
Pre-compiled binaries can be found under [releases](https://github.com/EgeBalci/amber/releases).
***Building From Source***
The only build dependency is the [keystone engine](https://github.com/keystone-engine/keystone); follow [these](https://github.com/keystone-engine/keystone/blob/master/docs/COMPILE.md) instructions to install the library. Once libkeystone is installed on the system, simply go get it ツ
```
go install github.com/EgeBalci/amber@latest
```
***Docker Install***
[![Docker](http://dockeri.co/image/egee/amber)](https://hub.docker.com/r/egee/amber/)
```
docker pull egee/amber
docker run -it egee/amber
```
# Usage
The following table lists the switches supported by amber.

| Switch | Type | Description |
|---|---|---|
| -f, --file | string | Input PE file. |
| -o, --out | string | Output binary payload file name. |
| -e | int | Number of times to encode the generated reflective payload. |
| --iat | bool | Use the IAT API resolver block instead of the CRC API resolver block. |
| -l | int | Maximum number of bytes for obfuscation (default 5). |
| --sys | bool | Perform raw syscalls (x64 only). |
| --scrape | bool | Scrape the magic bytes and DOS stub from the PE. |
**Example Usage**
- Generate reflective payload.
```
amber -f test.exe
```
- Generate reflective payload with IAT API resolver and encode the final payload 10 times.
```
amber -e 10 --iat -f test.exe
```
***Docker Usage***
```
# mount /tmp so the input PE and the generated payload are reachable from inside the container
docker run -it -v /tmp/:/tmp/ egee/amber -f /tmp/file.exe
```
# Demo
- [NOPcon 2018 DEMO](https://www.youtube.com/watch?v=lCPdKSH6RMc)
- [Pentest.blog - Deploying Reflective PE Files With Metasploit](https://www.youtube.com/watch?v=3en0ftnjEpE)
- [Pentest.blog - Deploying Reflective Ransomware POC](https://www.youtube.com/watch?v=JVv_spX6D4U)