v3.0 Stable Release !!!

.gitignore

@@ -19,6 +19,11 @@
 
 .idea
 
+# vscode debug configs
+.vscode
+.vscode/*
+
 # BUILDS
 build
+stub/*.exe
 amber

.vscode/launch.json

@@ -11,7 +11,7 @@
             "mode": "auto",
             "program": "${fileDirname}",
             "env": {},
-            "args": []
+            "args": ["-f","/tmp/putty.exe"]
         }
     ]
 }

Dockerfile

@@ -1,12 +1,29 @@
+FROM golang:1.15-buster as builder
 
-FROM ubuntu:17.10
-MAINTAINER Ege Balcı <[email protected]>
-USER root
-RUN apt-get update -y
-RUN apt-get install -y git golang nasm fonts-powerline
-RUN mkdir /root/go
-ENV GOPATH /root/go
-RUN go get -v github.com/egebalci/amber
-
-ENTRYPOINT ["/root/go/bin/amber"]
-CMD ["--help"]
+RUN apt-get update && apt-get -y install \
+    build-essential \    
+    cmake \
+    g++-multilib \
+    gcc-multilib \
+    git \
+    libcapstone-dev \
+    python3 \
+    time
+WORKDIR /root/
+RUN git clone https://github.com/EgeBalci/keystone
+RUN mkdir keystone/build
+WORKDIR /root/keystone/build
+
+RUN ../make-lib.sh
+RUN cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF -DLLVM_TARGETS_TO_BUILD="AArch64;X86" -G "Unix Makefiles" ..
+RUN make -j8
+RUN make install && ldconfig
+
+WORKDIR /root
+RUN git clone https://github.com/egebalci/amber
+WORKDIR /root/amber
+RUN go build -o /root/bin/amber -ldflags '-w -s -extldflags -static' -trimpath main.go
+
+FROM scratch
+COPY --from=builder /root/bin/amber /amber
+ENTRYPOINT ["/amber"]

README.md

@@ -1,53 +1,43 @@
 
+<p align="center">
+  <img src="https://github.com/EgeBalci/amber/raw/master/img/banner.png">
+  <br/>
+  <a href="https://github.com/EgeBalci/amber">
+    <img src="https://img.shields.io/badge/version-3.0.0-green.svg?style=flat-square">
+  </a>
+  <a href="https://goreportcard.com/report/github.com/egebalci/amber">
+    <img src="https://goreportcard.com/badge/github.com/egebalci/amber?style=flat-square">
+  </a>
+  <a href="https://github.com/EgeBalci/amber/issues">
+    <img src="https://img.shields.io/github/issues/egebalci/amber?style=flat-square&color=red">
+  </a>
+  <a href="https://raw.githubusercontent.com/EgeBalci/sgn/master/LICENSE">
+    <img src="https://img.shields.io/github/license/egebalci/amber.svg?style=flat-square">
+  </a>
+  <a href="https://twitter.com/egeblc">
+    <img src="https://img.shields.io/badge/[email protected]?style=flat-square">
+  </a>
+</p>
 
-[![Banner](https://github.com/EgeBalci/amber/raw/master/banner.png)](https://github.com/egebalci/amber)
+# Inroduction
 
-[![Version](https://img.shields.io/badge/version-2.0.0-green.svg)](https://github.com/egebalci/amber) [![License](https://img.shields.io/packagist/l/doctrine/orm.svg)](https://raw.githubusercontent.com/EgeBalci/amber/master/LICENSE) [![Go Report Card](https://goreportcard.com/badge/github.com/egebalci/amber)](https://goreportcard.com/report/github.com/egebalci/amber) [![Twitter](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/egeblc)
+Amber is a position-independent(reflective) PE loader that enables in-memory execution of native PE files(EXE, DLL, SYS...). It enables stealthy in-memory payload deployment that can be used to bypass anti-virus, firewall, IDS, IPS products, and application white-listing mitigations. Reflective payloads generated by Amber can either be staged from a remote server or executed directly in memory much like a generic shellcode. By default, every generated payload is encoded using the new generation [SGN encoder](https://github.com/EgeBalci/sgn). Amber uses [CRC32_API](https://github.com/EgeBalci/crc32_api) and [IAT_API](https://github.com/EgeBalci/iat_api) for inconspicuously resolving the Windows API function addresses. After the PE file is loaded and executed in memory, the reflective payload is erased for evading memory scanners. 
 
+Developed By Ege Balcı @[PRODAFT](https://prodaft.com).
 
-amber is a reflective PE packer for bypassing security products and mitigations. It can pack regularly compiled PE files into reflective payloads that can load and execute itself like a shellcode. It enables stealthy in-memory payload deployment that can be used to bypass anti-virus, firewall, IDS, IPS products and application white-listing mitigations.  If you want to learn more about the packing methodology used inside amber check out below. For more detail about usage, installation and how to decrease detection rate check out [WIKI](https://github.com/egebalci/amber/wiki).
+# Installation
 
+Pre-compiled binaries can be found under [releases](https://github.com/EgeBalci/amber/releases).
 
-Developed By Ege Balcı from [INVICTUS](https://invictuseurope.com)/[PRODAFT](https://prodaft.com).
+***Building From Source***
 
-# REFLECTIVE PE PACKING WITH AMBER
+The only dependency for building the source is the [keystone engine](https://github.com/keystone-engine/keystone), follow [these](https://github.com/keystone-engine/keystone/blob/master/docs/COMPILE.md) instructions for installing the library. Once libkeystone is installed on the system, simply just go get it ツ
 
-<br>
-
-<a href="https://pentest.blog/introducing-new-packing-method-first-reflective-pe-packer" target="_blank">
-		<img height="250" align="left" src="https://pentest.blog/wp-content/uploads/68747470733a2f2f696d6167652e6962622e636f2f66426e51566d2f70656e746573745f626c6f67332e6a7067.jpeg" alt="DEMO1"  />
-</a>
-<a href="https://raw.githubusercontent.com/EgeBalci/amber/master/PAPER.pdf"></a>
-<a href="https://github.com/EgeBalci/amber/raw/master/PAPER.pdf">
-	<img align="right" src="https://pentest.blog/wp-content/uploads/pdf2.png"/>
-</a>
-
-<br><br><br><br><br><br><br><br>
-
-# INSTALLATION
-
-
-***DEPENDENCIES***
-
-- [go](https://golang.org/dl/)
-- [NASM](https://www.nasm.us/)
-
-On *nix systems both of the dependencies can be installed with OS packet managers. (APT/PACMAN/YUM)
-
-
-Get one of the pre-build release [here](https://github.com/egebalci/amber/releases). Or get it with following alternatives.
-
-***GO (suggested)***
-```
-go get github.com/egebalci/amber
-```
-
-***BLACKARCH INSTALL***     
 ```
-sudo pacman -S amber
+go get github.com/EgeBalci/amber
 ```
 
-***DOCKER INSTALL***
+***Docker Install***
 
 [![Docker](http://dockeri.co/image/egee/amber)](https://hub.docker.com/r/egee/amber/)
 
@@ -56,41 +46,84 @@ docker pull egee/amber
 docker run -it egee/amber
 ```
 
-# USAGE
+# Usage
+
+<p align="center">
+  <img src="https://github.com/EgeBalci/amber/raw/master/img/usage.gif">
+</p>
+
+The following table lists switches supported by the amber.
+
+<table border="1">
+  <tr>
+    <th>Switch</th>
+    <th>Type</th>
+    <th>Description</th>
+  </tr>
+
+  <tr>
+    <td><strong>-build</strong></td>
+    <td><var>bool</var></td>
+    <td>Build EXE stub that executes the generated reflective payload</td>
+  </tr>
+
+  <tr>
+    <td><strong>-e</strong></td>
+    <td><var>int</var></td>
+    <td>Number of times to encode the generated reflective payload</td>
+  </tr> 
+
+  <tr>
+    <td><strong>-f</strong></td>
+    <td><var>string</var></td>
+    <td>Input PE file.</td>
+  </tr>
+
+  <tr>
+    <td><strong>-iat</strong></td>
+    <td><var>bool</var></td>
+    <td>Use IAT API resolver block instead of CRC API resolver block</td>
+  </tr>
+
+   <tr>
+    <td><strong>-ignore-checks</strong></td>
+    <td><var>bool</var></td>
+    <td>Ignore integrity check errors.</td>
+  </tr>
+
+  <tr>
+    <td><strong>-max</strong></td>
+    <td><var>int</var></td>
+    <td>Maximum number of bytes for obfuscation (default 5)</td>
+  </tr>  
+
+  <tr>
+    <td><strong>-stub</strong></td>
+    <td><var>string</var></td>
+    <td>Use custom stub file for executing the generated reflective payload (currently very unstable)</td>
+  </tr>  
+
+</table>
+
+
+**Example Usage**
+
+- Generate reflective payload.
 ```
-USAGE: 
-  amber [options] file.exe
-OPTIONS:
-  -k, -keysize                Size of the encryption key in bytes (Max:255/Min:8)
-  -r, -reflective             Generated a reflective payload
-  -a, -anti-analysis          Add anti-analysis measures
-  -i, -iat                    Use import address table entries instead of export address table
-  -s, -scrape                 Scrape the PE header info (May break some files)
-  -no-resource                Don't add any resource data (removes icon)
-  -ignore-integrity           Ignore integrity check errors
-  -v, -verbose                Verbose output mode
-  -h, -H                      Show this massage
-EXAMPLE:
-  (Default settings if no option parameter passed)
-  amber -k 8 file.exe
+amber -f test.exe
 ```
+- Generate reflective payload and build EXE stub for executing it.
+```
+amber -build -f test.exe
+``` 
 
 ***Docker Usage***
 ```
-docker run -it -v /tmp/:/tmp/ amber /tmp/file.exe
+docker run -it -v /tmp/:/tmp/ amber -f /tmp/file.exe
 ```
 
-# EXAMPLE USAGE
-
-- <strong>NOPcon 2018 [DEMO](https://www.youtube.com/watch?v=lCPdKSH6RMc)</strong>
-
-<br><br>
-
-<a href="https://www.youtube.com/watch?v=JVv_spX6D4U" target="_blank">
-	<img src="http://img.youtube.com/vi/JVv_spX6D4U/0.jpg" alt="DEMO1" width="400" height="300" align="right"/>
-</a>
+# Demo
 
-<a href="https://www.youtube.com/watch?v=3en0ftnjEpE" target="_blank">
-	<img src="https://pentest.blog/wp-content/uploads/Screenshot-at-2018-02-23-22-42-18-2-1024x704.png" alt="DEMO1" width="400" height="300" align="left"/>
-</a><br><br><br>
-<br>
+- [NOPcon 2018 DEMO](https://www.youtube.com/watch?v=lCPdKSH6RMc)
+- [Pentest.blog - Deploying Reflective PE Files With Metasploit](https://www.youtube.com/watch?v=3en0ftnjEpE)
+- [Pentest.blog - Deploying Reflective Ransomware POC](https://www.youtube.com/watch?v=JVv_spX6D4U)

go.mod

@@ -1,21 +1,11 @@
-module amber
+module github.com/EgeBalci/amber
 
 go 1.15
 
 require (
+	github.com/EgeBalci/debug v0.0.0-20201116162432-d79a6eb18848
 	github.com/EgeBalci/keystone-go v0.0.0-20200525180613-e6c7cd32ceae
+	github.com/EgeBalci/sgn v0.0.0-20201122214045-550a17d79251
 	github.com/briandowns/spinner v1.11.1
-	github.com/egebalci/sgn v0.0.0-20201106153228-98d40a9d3113
 	github.com/fatih/color v1.10.0
-	github.com/go-delve/delve v1.5.0 // indirect
-	github.com/google/go-dap v0.3.0 // indirect
-	github.com/mattn/go-runewidth v0.0.9 // indirect
-	github.com/peterh/liner v1.2.0 // indirect
-	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/sirupsen/logrus v1.7.0 // indirect
-	github.com/spf13/cobra v1.1.1 // indirect
-	go.starlark.net v0.0.0-20201113214410-e292e66a28cd // indirect
-	golang.org/x/arch v0.0.0-20201008161808-52c3e6f60cff // indirect
-	golang.org/x/sys v0.0.0-20201116194326-cc9327a14d48 // indirect
-	gopkg.in/yaml.v2 v2.3.0 // indirect
 )