GitHub - EgeBalci/Amber: POC Reflective PE packer.
source link: https://github.com/EgeBalci/Amber
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Inroduction
Amber is a position-independent(reflective) PE loader that enables in-memory execution of native PE files(EXE, DLL, SYS...). It enables stealthy in-memory payload deployment that can be used to bypass anti-virus, firewall, IDS, IPS products, and application white-listing mitigations. Reflective payloads generated by Amber can either be staged from a remote server or executed directly in memory much like a generic shellcode. By default, every generated payload is encoded using the new generation SGN encoder. Amber uses CRC32_API and IAT_API for inconspicuously resolving the Windows API function addresses. After the PE file is loaded and executed in memory, the reflective payload is erased for evading memory scanners.
Developed By Ege Balcı @PRODAFT.
Installation
Pre-compiled binaries can be found under releases.
Building From Source
The only dependency for building the source is the keystone engine, follow these instructions for installing the library. Once libkeystone is installed on the system, simply just go get it ツ
go get github.com/EgeBalci/amber
Docker Install
docker pull egee/amber
docker run -it egee/amber
Usage
The following table lists switches supported by the amber.
| Switch | Type | Description |
|---|---|---|
| -b,--build | bool | Build EXE stub that executes the generated reflective payload |
| -e | int | Number of times to encode the generated reflective payload |
| -f,--file | string | Input PE file. |
| -iat | bool | Use IAT API resolver block instead of CRC API resolver block |
| -ignore-checks | bool | Ignore integrity check errors. |
| -max | int | Maximum number of bytes for obfuscation (default 5) |
| -s,--stub | string | Use custom stub file for executing the generated reflective payload (currently very unstable) |
Example Usage
- Generate reflective payload.
amber -f test.exe
- Generate reflective payload and build EXE stub for executing it.
amber -build -f test.exe
Docker Usage
docker run -it -v /tmp/:/tmp/ amber -f /tmp/file.exe
Recommend
-
148
README ooooo ooo ooooooooo. oo...
-
62
When performing reflective access to default methods in Java, Google seems to fail us. The solutions presented on Stack Overflow, for instance, seem to work only in a certain set of cases, and not on all Java versions. This article will illustra...
-
56
README.rst Reflective Polymorphism This project provides various utilities for the self-modification of PE images with the intention that they can be incorporated into external projects.
-
33
Key Takeaways We should focus on the big picture The most important person is the user NOT the developer Software Development is a team sport (Good...
-
43
README.md wise_enum Because reflection makes you wise, not smart wise_enum is a standalone smart enum li...
-
11
PEzor Read the blog posts here: ________________ < PEzor!! v3.0.3 > ---------------- \ / \ //\ \ |\___/| / \// \\ /0 0 \__ / // | \ \...
-
9
Ambiguous PNG Packer Craft PNG files that appear completely different in Apple software For context: https://www.da.vidbuchanan.co.uk/widgets/pngdiff/ Sam...
-
10
FuckThatPacker A simple python packer to easily bypass Windows Defender Basic usage # python FuckThatPacker.py --help ___ _ _____ _ _ ___ _ | __| _ __| |_|_ _|...
-
7
What is this repository? This repository is a fork of HashiCorp's Packer repository, created so that Bloomberg's engineering team can collaborate with each other (and the rest of the Packer community) on enhancements to Packer. Branc...
-
13
Node Modules Packer
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK