Amber is a proof-of-concept packer for stealthy payload deployment and anti-virus evasion purposes. It can pack regularly compiled PE files into reflective PE files that can be used as multi-stage infection payloads. If you want to learn about the packing methodology used inside Amber, see below. For more detail about usage, installation and how to decrease the detection rate, check out the WIKI.
Developed By Ege Balcı from INVICTUS/PRODAFT.
SUPPORTED PLATFORMS:
| Operating system | Tested Version |
|---|---|
| Ubuntu | 16.04 / 16.10 / 17.04 / 17.08 |
| Kali linux | 2018.1 / 2017.1 |
| Manjaro | * |
| Arch Linux | * |
| Black Arch | * |
| Debian | 9.2 |
BUILD
To compile from source, running the setup script is enough.
./setup.sh
DOCKER
docker pull egee/amber
docker run -it egee/amber
USAGE:
amber [options] file.exe
OPTIONS:
-k,  --key [string]        Custom cipher key
-ks, --keysize <length>    Size of the encryption key in bytes (Max: 255 / Min: 8)
--staged                   Generate a staged payload
--iat                      Use import address table entries instead of the export address table
--no-resource              Don't add any resource
-v,  --verbose             Verbose output mode
-h,  --help                Show this message
EXAMPLE:
(Default settings if no option parameters are passed)
amber -ks 8 file.exe
On Docker
docker run -it -v /tmp/:/tmp/ amber /tmp/file.exe