EgeBalci/amber

Reflective PE packer.

Introduction

Amber is a position-independent (reflective) PE loader that enables in-memory execution of native PE files (EXE, DLL, SYS...). It enables stealthy in-memory payload deployment that can be used to bypass anti-virus, firewall, IDS, IPS products, and application white-listing mitigations. Reflective payloads generated by Amber can either be staged from a remote server or executed directly in memory much like a generic shellcode. By default, every generated payload is encoded using the new generation SGN encoder. Amber uses CRC32_API and IAT_API for inconspicuously resolving the Windows API function addresses. After the PE file is loaded and executed in memory, the reflective payload is erased for evading memory scanners.
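Amber's CRC32_API resolver refers to Windows exports by a 32-bit hash of the function name rather than by the name itself, so a generated payload carries hash constants instead of readable import strings. The usual defensive response is to precompute the hashes of known export names and match them against constants recovered from a sample. The Go program below is an added example and is not part of amber or its documentation: it assumes the standard IEEE CRC-32 as implemented by Go's hash/crc32, which may differ from amber's own hashing routine, so check the project source before applying it to real samples. It builds a hash-to-name table for a few common exports and scans a constructed byte blob for embedded hash immediates.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"hash/crc32"
	"sort"
)

// APIHash returns the CRC-32 (IEEE polynomial) of an exported function name.
// Assumption: plain CRC-32 as in hash/crc32; amber's resolver may use a
// different table, seed or post-processing, so verify against its source.
func APIHash(name string) uint32 {
	return crc32.ChecksumIEEE([]byte(name))
}

// BuildHashTable maps hash -> export name for a list of API names, which is
// the lookup a reverse engineer or detection rule needs to de-obfuscate
// hashed API references.
func BuildHashTable(names []string) map[uint32]string {
	table := make(map[uint32]string, len(names))
	for _, n := range names {
		table[APIHash(n)] = n
	}
	return table
}

// ResolveHash looks up a 32-bit constant recovered from a sample.
func ResolveHash(table map[uint32]string, h uint32) (string, bool) {
	n, ok := table[h]
	return n, ok
}

// FindHashedAPIs slides a 4-byte window over blob, reading each window as a
// little-endian uint32 (the encoding of an x86/x64 immediate operand), and
// returns the sorted, de-duplicated export names whose hashes occur.
func FindHashedAPIs(blob []byte, table map[uint32]string) []string {
	seen := map[string]bool{}
	for i := 0; i+4 <= len(blob); i++ {
		if n, ok := table[binary.LittleEndian.Uint32(blob[i:])]; ok {
			seen[n] = true
		}
	}
	out := make([]string, 0, len(seen))
	for n := range seen {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

// SampleBlob is a constructed stand-in for a code region: a few filler bytes
// with two hash immediates embedded. It is not real shellcode and does nothing.
func SampleBlob() []byte {
	blob := []byte{0x90, 0x90, 0x48, 0x31, 0xc0, 0xb8} // constructed filler
	var imm [4]byte
	binary.LittleEndian.PutUint32(imm[:], APIHash("VirtualAlloc"))
	blob = append(blob, imm[:]...)
	blob = append(blob, 0x90, 0xb8)
	binary.LittleEndian.PutUint32(imm[:], APIHash("LoadLibraryA"))
	blob = append(blob, imm[:]...)
	return blob
}

func main() {
	names := []string{"LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect", "CreateThread"}
	table := BuildHashTable(names)
	for _, n := range names {
		fmt.Printf("%08x  %s\n", APIHash(n), n)
	}
	fmt.Println("hashed APIs referenced in sample:", FindHashedAPIs(SampleBlob(), table))
}
```

In practice the name list comes from the export tables of the DLLs a sample is expected to touch (kernel32, ntdll and so on), and a table that yields no hits is itself a signal that the hashing routine differs from the one assumed here.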

Installation

Pre-compiled binaries can be found under releases.

Building From Source

The only dependency for building the source is the keystone engine, follow these instructions for installing the library. Once libkeystone is installed on the system, simply just go get it ツ

go install github.com/EgeBalci/amber@latest

Docker Install


docker pull egee/amber
docker run -it egee/amber

Usage

The following table lists the switches supported by amber.

| Switch     | Type   | Description                                                  |
|------------|--------|--------------------------------------------------------------|
| -f, --file | string | Input PE file.                                               |
| -o, --out  | string | Output binary payload file name.                             |
| -e         | int    | Number of times to encode the generated reflective payload   |
| --iat      | bool   | Use IAT API resolver block instead of CRC API resolver block |
| -l         | int    | Maximum number of bytes for obfuscation (default 5)          |
| --sys      | bool   | Perform raw syscalls. (only x64)                             |
| --scrape   | bool   | Scrape magic byte and DOS stub from PE.                      |

Example Usage

  • Generate reflective payload.

    amber -f test.exe

  • Generate reflective payload with IAT API resolver and encode the final payload 10 times.

    amber -e 10 --iat -f test.exe

Docker Usage

docker run -it -v /tmp/:/tmp/ amber -f /tmp/file.exe

Demo

