# Introduction

Amber is a position-independent (reflective) PE loader that enables in-memory execution of native PE files (EXE, DLL, SYS...). It enables stealthy in-memory payload deployment that can be used to bypass anti-virus, firewall, IDS, IPS products, and application white-listing mitigations. Reflective payloads generated by Amber can either be staged from a remote server or executed directly in memory much like a generic shellcode. By default, every generated payload is encoded using the new generation [SGN encoder](https://github.com/EgeBalci/sgn). Amber uses [CRC32_API](https://github.com/EgeBalci/crc32_api) and [IAT_API](https://github.com/EgeBalci/iat_api) for inconspicuously resolving the Windows API function addresses. After the PE file is loaded and executed in memory, the reflective payload is erased to evade memory scanners.

# Installation

Pre-compiled binaries can be found under [releases](https://github.com/EgeBalci/amber/releases).

***Building From Source***

The only dependency for building the source is the [keystone engine](https://github.com/keystone-engine/keystone); follow [these](https://github.com/keystone-engine/keystone/blob/master/docs/COMPILE.md) instructions for installing the library. Once libkeystone is installed on the system, simply just go get it ツ

```
go install github.com/EgeBalci/amber@latest
```

***Docker Install***

[![Docker](http://dockeri.co/image/egee/amber)](https://hub.docker.com/r/egee/amber/)

```
docker pull egee/amber
docker run -it egee/amber
```

# Usage

The following table lists the switches supported by amber.

| Switch | Type | Description |
|--------|------|-------------|
| `-f`, `--file` | string | Input PE file. |
| `-o`, `--out` | string | Output binary payload file name. |
| `-e` | int | Number of times to encode the generated reflective payload |
| `--iat` | bool | Use IAT API resolver block instead of CRC API resolver block |
| `-l` | int | Maximum number of bytes for obfuscation (default 5) |
| `--sys` | bool | Perform raw syscalls. (only x64) |
| `--scrape` | bool | Scrape magic byte and DOS stub from PE. |


**Example Usage**

- Generate reflective payload.

```
amber -f test.exe
```

- Generate reflective payload with IAT API resolver and encode the final payload 10 times.

```
amber -e 10 --iat -f test.exe
```

***Docker Usage***

```
docker run -it -v /tmp/:/tmp/ amber -f /tmp/file.exe
```

# Demo

- [NOPcon 2018 DEMO](https://www.youtube.com/watch?v=lCPdKSH6RMc)
- [Pentest.blog - Deploying Reflective PE Files With Metasploit](https://www.youtube.com/watch?v=3en0ftnjEpE)
- [Pentest.blog - Deploying Reflective Ransomware POC](https://www.youtube.com/watch?v=JVv_spX6D4U)