egebalci / amber

Reflective PE packer.

License: MIT License

amber's Introduction


Introduction

Amber is a position-independent (reflective) PE loader that enables in-memory execution of native PE files (EXE, DLL, SYS...). It enables stealthy in-memory payload deployment that can be used to bypass anti-virus, firewall, IDS, IPS products, and application white-listing mitigations. Reflective payloads generated by Amber can either be staged from a remote server or executed directly in memory, much like generic shellcode. By default, every generated payload is encoded using the new-generation SGN encoder. Amber uses CRC32_API and IAT_API for inconspicuously resolving the Windows API function addresses. After the PE file is loaded and executed in memory, the reflective payload is erased to evade memory scanners.

Installation

Pre-compiled binaries can be found under releases.

Building From Source

The only dependency for building from source is the keystone engine; follow these instructions for installing the library. Once libkeystone is installed on the system, simply go get it ツ

go install github.com/EgeBalci/amber@latest

Docker Install

docker pull egee/amber
docker run -it egee/amber

Usage

The following table lists the switches supported by amber.

Switch        Type    Description
-f, --file    string  Input PE file.
-o, --out     string  Output binary payload file name.
-e            int     Number of times to encode the generated reflective payload.
--iat         bool    Use IAT API resolver block instead of CRC API resolver block.
-l            int     Maximum number of bytes for obfuscation (default 5).
--sys         bool    Perform raw syscalls (only x64).
--scrape      bool    Scrape magic byte and DOS stub from PE.

Example Usage

  • Generate reflective payload.
amber -f test.exe
  • Generate reflective payload with IAT API resolver and encode the final payload 10 times.
amber -e 10 --iat -f test.exe

Docker Usage

docker run -it -v /tmp/:/tmp/ amber -f /tmp/file.exe

Demo

amber's People

Contributors

egebalci

amber's Issues

Doesn't work on SOME PE files + key size issue

Shows "File successfully packed !", but the 64-bit executable doesn't run.

Tested on: Windows 10 64-bit Version 1809 (OS Build 17763.437)
Executable tested: procexp64.exe (Windows Sysinternals)

go get is broken

[user@hostname 19:34:47 ~/packer ]$ go get github.com/EgeBalci/amber
# cd /home/user/go/src/github.com/EgeBalci/amber; git submodule update --init --recursive
fatal: No url found for submodule path 'loader/CRC32_API' in .gitmodules
package github.com/EgeBalci/amber: exit status 128

collect2: error:

┌──(kali㉿kali)-[~/Desktop/Client]
└─$ go install github.com/EgeBalci/amber@latest

github.com/EgeBalci/amber

/usr/lib/go-1.21/pkg/tool/linux_amd64/link: running gcc failed: exit status 1
/usr/bin/ld: cannot find -lkeystone: No such file or directory
/usr/bin/ld: cannot find -lkeystone: No such file or directory
collect2: error: ld returned 1 exit status

┌──(kali㉿kali)-[~/Desktop/Client]
How can I solve this?
Thank you.

EXE files with bounded imports not supported

Hello,

Thanks for your works!

I tried to pack a normal notepad.exe or calc.exe using Amber, but it failed with the error below:

[!] ERROR: EXE files with bounded imports not supported.

What can I do?

Thank you!

Doesn't work

Any file I run through amber gets broken; it says the file cannot be run on your PC.

custom stub not working

I want to use a custom stub, for example to add some functionality (like decrypting, ...) to the stub, but the default stub is a base64-encoded binary and obviously I can't edit it. There is a folder named stub in the repo that contains the C source of a simple stub. I compiled it and gave it to amber, but the generated file doesn't work. So I would appreciate it if you could give me the source of the b64 default stub or tell me why the C stub doesn't work.
Thank you.

Additional feature

This tool is awesome; the only thing missing, in my opinion, is an optional feature to build a PE containing the generated .bin code.
So:
Mode 1 (the current one): generate the .bin from an .exe with all the evasion techniques used by the tool to evade security solutions.
Mode 2 (the one I suggest): generate the .bin from an .exe and build another .exe (which can also support console interaction, like mimikatz) containing the .bin code, which can run with all the evasion techniques used by the tool to evade security solutions.

Cannot find file to PE Pack

Hello,

I am trying to test this with an application and cannot get amber to find the file:

root@test/# docker run -it egee/amber -r /putty.exe

[*] File: /putty.exe
[*] Reflective: true
[*] Key Size: 8
[*] API: EAT
[*] Verbose: false

5 / 24 [============>----------------------------------------------] 20.83% 0s

2019/06/01 20:14:22 open /putty.exe: no such file or directory
root@test/#

runtime error: invalid memory address or nil pointer dereference

System: macOS Mojave
Error:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x1243e0b]

goroutine 1 [running]:
gopkg.in/cheggaaa/pb%2ev1.(*ProgressBar).Finish(0x0)
	/Users/ziyiliu/Documents/Golang/src/gopkg.in/cheggaaa/pb.v1/pb.go:227 +0x3b
main.parseErr(0x13427a0, 0xc00009c500)
	/Users/ziyiliu/Documents/Golang/src/github.com/egebalci/amber/common.go:143 +0xe3
main.banner()
	/Users/ziyiliu/Documents/Golang/src/github.com/egebalci/amber/common.go:208 +0x9d
main.main()
	/Users/ziyiliu/Documents/Golang/src/github.com/egebalci/amber/amber.go:35 +0x483

Help using Amber

Hi,

I've downloaded the 32- and 64-bit versions of Amber for Windows, and I have tried packing putty (32- and 64-bit) with this command:

amber32 -f putty.exe -build

However when I execute putty_packed.exe it crashes with the following message:

'Firma con problemas:
Nombre del evento de problema: APPCRASH
Nombre de la aplicación: putty_packed.exe
Versión de la aplicación: 0.0.0.0
Marca de tiempo de la aplicación: 00000000
Nombre del módulo con errores: StackHash_0a9e
Versión del módulo con errores: 0.0.0.0
Marca de tiempo del módulo con errores: 00000000
Código de excepción: c000001d
Desplazamiento de excepción: 0066019a
Versión del sistema operativo: 6.1.7601.2.1.0.256.1
Id. de configuración regional: 3082
Información adicional 1: 0a9e
Información adicional 2: 0a9e372d3b4ad19135b953a78882e789
Información adicional 3: 0a9e
Información adicional 4: 0a9e372d3b4ad19135b953a78882e789

Lea nuestra declaración de privacidad en línea:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0c0a

Si la declaración de privacidad en línea no está disponible, lea la declaración de privacidad sin conexión:
C:\Windows\system32\es-ES\erofflps.txt'

What am I doing wrong?

Thanks for your time.

Missing handler file

Hi, may I know how I can issue a handler command like ./handler /test/putty.exe.stage 4444 with this latest branch?

Can we still download the previous branch which version without docker?

Running the generated payload

Hey,
I'm running version 2.0. I can generate the stub, but I do not understand how to run it; do I have to run it as a bin file? In the video a --staged flag is shown, but in this version that flag is removed.

Partial method load fails in C++

  • amber version:3.1
  • os:Win10
//The following is the test code. Each block below is a separate alternative;
//buf and shellSize hold the payload and its length and are defined elsewhere in the test program.
//successful call !!
 ////CreateThreadpoolWait
    HANDLE event = CreateEvent(NULL, FALSE, TRUE, NULL);
    LPVOID shellcodeAddress = VirtualAlloc(NULL, shellSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    RtlMoveMemory(shellcodeAddress, buf, shellSize);
    PTP_WAIT threadPoolWait = CreateThreadpoolWait((PTP_WAIT_CALLBACK)shellcodeAddress, NULL, NULL);
    SetThreadpoolWait(threadPoolWait, event, NULL);
    WaitForSingleObject(event, INFINITE);
    return 0;

    ////fiber
    PVOID mainFiber = ConvertThreadToFiber(NULL);
    PVOID shellcodeLocation = VirtualAlloc(NULL, shellSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(shellcodeLocation, buf, shellSize);
    PVOID shellcodeFiber = CreateFiber(NULL, (LPFIBER_START_ROUTINE)shellcodeLocation, NULL);
    SwitchToFiber(shellcodeFiber);
    return 0;

    ////APC & NtTestAlert Code
    typedef VOID(NTAPI* pNtTestAlert)(VOID);
    pNtTestAlert NtTestAlert = (pNtTestAlert)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtTestAlert");
    LPVOID lpBaseAddress = VirtualAlloc(NULL, shellSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    memcpy(lpBaseAddress, buf, shellSize);
    QueueUserAPC((PAPCFUNC)lpBaseAddress, GetCurrentThread(), NULL);
    NtTestAlert();
    return 0;
//call failed!!
 ////Basic call
    DWORD oldprotect = 0;
    LPVOID  base_addr = NULL;
    //  Allocate a region of shellSize bytes with RW permission; do not use RWX (PAGE_EXECUTE_READWRITE)
    base_addr = VirtualAlloc(0, shellSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    // Copy the shellcode into the new region; this function is fairly uncommon, memcpy works as well
    RtlMoveMemory(base_addr, buf, shellSize);
    // Change the permission to RX (execute)
    VirtualProtect(base_addr, shellSize, PAGE_EXECUTE_READ, &oldprotect);
    // Create a thread in the current process to run the shellcode
    auto ct = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)base_addr, 0, 0, 0);
    // Wait for the thread to return (INFINITE is the same value as the (DWORD)-1 originally written)
    WaitForSingleObject(ct, INFINITE);
    // Release the memory: a VirtualAlloc region must be released with VirtualFree, not free()
    VirtualFree(base_addr, 0, MEM_RELEASE);

Conclusions from testing multiple methods

  • The failure seems to be related to CreateThread*, CreateRemote*, CreateProcess*, etc., i.e. the process- and thread-creation APIs.
  • The strange thing is that the shellcode generated by donut can be loaded and executed normally.
  • Could it be an error caused by the cast in C++?
  • https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/ms686736: "Do not declare this callback function with a void return type and cast the function pointer to LPTHREAD_START_ROUTINE when creating the thread. Code that does this is common, but it can crash on 64-bit Windows."

Request stub source code

I hope to get the stub source code to build it myself. I found stub.c in the root directory, but the result after compilation is inconsistent with the embedded one.

go get is still broken

[user@hostname 23:57:15 ~/packer ]$ go get github.com/EgeBalci/amber
cannot find package "github.com/EgeBalci/sgn/lib" in any of:
	/usr/lib/go/src/github.com/EgeBalci/sgn/lib (from $GOROOT)
	/home/user/go/src/github.com/EgeBalci/sgn/lib (from $GOPATH)

Error

I keep getting these errors: (Unrecognised COFF file header machine value of 0x494d)
(unexpected EOF)
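Both this error and the "EXE files with bounded imports not supported" error above are decided by two fields of the PE header: the COFF Machine value and the Bound Import entry of the optional header's data directory. As an added example that is not part of Amber, the Python below parses just enough of a PE image to report both, so an analyst can check an input file offline and see why the packer rejects it; build_header constructs a synthetic header as sample input, and the 0x494d value is the one quoted in the issue.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D                # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550             # "PE\0\0"
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT = 11     # index into the optional header's DataDirectory
MACHINE_NAMES = {0x014C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}


def inspect_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to report its machine type and whether it has bound imports."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    machine = struct.unpack_from("<H", data, coff)[0]
    if machine not in MACHINE_NAMES:   # the 0x494d value from the issue fails here
        raise ValueError(f"Unrecognised COFF file header machine value of 0x{machine:04x}")
    opt = coff + 20                    # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                 # PE32: NumberOfRvaAndSizes at +92, DataDirectory at +96
        nrva_off, dd_off = 92, 96
    elif magic == 0x20B:               # PE32+: NumberOfRvaAndSizes at +108, DataDirectory at +112
        nrva_off, dd_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:04x}")
    n_dirs = struct.unpack_from("<I", data, opt + nrva_off)[0]
    bound_rva = bound_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT:   # the directory table may be shorter than 16
        bound_rva, bound_size = struct.unpack_from(
            "<II", data, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT)
    return {"machine": MACHINE_NAMES[machine], "pe32plus": magic == 0x20B,
            "has_bound_imports": bound_rva != 0 and bound_size != 0}


def build_header(machine: int, pe32plus: bool, bound_rva: int = 0, bound_size: int = 0) -> bytes:
    """Constructed sample input: a bare DOS header, PE signature, COFF header and optional header."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    opt_size = 240 if pe32plus else 224                              # 16 data directories
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    nrva_off, dd_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, nrva_off, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT, bound_rva, bound_size)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Run inspect_pe on the bytes of a real file to see which of the two conditions applies; a non-zero Bound Import entry is what the "bounded imports" message refers to.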

File not found

I can't get it to run; it always says that file.exe does not exist, with a given path or without, executed in the same folder:

"2021/11/01 08:55:35 MAIN: open /tmp/file.exe: no such file or directory"

But there is a file called file.exe :D
