Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/EgeBalci/amber

Reflective PE packer.
https://github.com/EgeBalci/amber

amber assembly crypter packer payload pe shellcode shellcode-loader stub

Last synced: about 2 months ago
JSON representation

Reflective PE packer.

Awesome Lists containing this project

README

        




















# Inroduction

Amber is a position-independent(reflective) PE loader that enables in-memory execution of native PE files(EXE, DLL, SYS...). It enables stealthy in-memory payload deployment that can be used to bypass anti-virus, firewall, IDS, IPS products, and application white-listing mitigations. Reflective payloads generated by Amber can either be staged from a remote server or executed directly in memory much like a generic shellcode. By default, every generated payload is encoded using the new generation [SGN encoder](https://github.com/EgeBalci/sgn). Amber uses [CRC32_API](https://github.com/EgeBalci/crc32_api) and [IAT_API](https://github.com/EgeBalci/iat_api) for inconspicuously resolving the Windows API function addresses. After the PE file is loaded and executed in memory, the reflective payload is erased for evading memory scanners.

# Installation
Pre-compiled binaries can be found under [releases](https://github.com/EgeBalci/amber/releases).

***Building From Source***

The only dependency for building the source is the [keystone engine](https://github.com/keystone-engine/keystone), follow [these](https://github.com/keystone-engine/keystone/blob/master/docs/COMPILE.md) instructions for installing the library. Once libkeystone is installed on the system, simply just go get it ツ

```
go install github.com/EgeBalci/amber@latest
```

***Docker Install***

[![Docker](http://dockeri.co/image/egee/amber)](https://hub.docker.com/r/egee/amber/)

```
docker pull egee/amber
docker run -it egee/amber
```

# Usage



The following table lists switches supported by the amber.


Switch
Type
Description


-f,--file
string
Input PE file.


-o,--out
string
Output binary payload file name.


-e
int
Number of times to encode the generated reflective payload



--iat
bool
Use IAT API resolver block instead of CRC API resolver block



-l
int
Maximum number of bytes for obfuscation (default 5)


--sys
bool
Perform raw syscalls. (only x64)


--scrape
bool
Scrape magic byte and DOS stub from PE.

**Example Usage**

- Generate reflective payload.
```
amber -f test.exe
```
- Generate reflective payload with IAT API resolver and encode the final payload 10 times.
```
amber -e 10 --iat -f test.exe
```

***Docker Usage***
```
docker run -it -v /tmp/:/tmp/ amber -f /tmp/file.exe
```

# Demo

- [NOPcon 2018 DEMO](https://www.youtube.com/watch?v=lCPdKSH6RMc)
- [Pentest.blog - Deploying Reflective PE Files With Metasploit](https://www.youtube.com/watch?v=3en0ftnjEpE)
- [Pentest.blog - Deploying Reflective Ransomware POC](https://www.youtube.com/watch?v=JVv_spX6D4U)