MCPcopy Index your code
hub / github.com/EgeBalci/amber

github.com/EgeBalci/amber @v3.2

Chat with this repo
repository ↗ · DeepWiki ↗ · release v3.2 ↗ · + Follow
23 symbols 51 edges 9 files 7 documented · 30% updated 2y agov3.2 · 2023-06-24★ 1,4214 open issues
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Inroduction

Amber is a position-independent(reflective) PE loader that enables in-memory execution of native PE files(EXE, DLL, SYS...). It enables stealthy in-memory payload deployment that can be used to bypass anti-virus, firewall, IDS, IPS products, and application white-listing mitigations. Reflective payloads generated by Amber can either be staged from a remote server or executed directly in memory much like a generic shellcode. By default, every generated payload is encoded using the new generation SGN encoder. Amber uses CRC32_API and IAT_API for inconspicuously resolving the Windows API function addresses. After the PE file is loaded and executed in memory, the reflective payload is erased for evading memory scanners.

Installation

Pre-compiled binaries can be found under releases.

Building From Source

The only dependency for building the source is the keystone engine, follow these instructions for installing the library. Once libkeystone is installed on the system, simply just go get it ツ

go install github.com/EgeBalci/amber@latest

Docker Install

Docker

docker pull egee/amber
docker run -it egee/amber

Usage

The following table lists switches supported by the amber.

Switch Type Description
-f,--file string Input PE file.
-o,--out string Output binary payload file name.
-e int Number of times to encode the generated reflective payload
--iat bool Use IAT API resolver block instead of CRC API resolver block
-l int Maximum number of bytes for obfuscation (default 5)
--sys bool Perform raw syscalls. (only x64)
--scrape bool Scrape magic byte and DOS stub from PE.

Example Usage

  • Generate reflective payload.
amber -f test.exe
  • Generate reflective payload with IAT API resolver and encode the final payload 10 times.
amber -e 10 --iat -f test.exe

Docker Usage

docker run -it -v /tmp/:/tmp/ amber -f /tmp/file.exe

Demo

Core symbols most depended-on inside this repo

PrintStatus
called by 8
utils/helpers.go
PrintFatal
called by 6
utils/helpers.go
PrintErr
called by 2
utils/helpers.go
GetFileSize
called by 2
utils/helpers.go
printBanner
called by 1
main.go
PrintGreen
called by 1
utils/helpers.go
AssembleLoader
called by 1
pkg/amber.go
AddCallOver
called by 1
pkg/amber.go

Shape

Function 17
Method 4
Struct 2

Languages

Go83%
C17%

Modules by API surface

utils/helpers.go8 symbols
pkg/amber.go5 symbols
config/options.go4 symbols
main.go2 symbols
stub/stub.c1 symbols
loader/syscall-loader-x64/stub.c1 symbols
loader/loader-x86/stub.c1 symbols
loader/loader-x64/stub.c1 symbols

For agents

$ claude mcp add amber \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact