# USAGE

Ege Balcı edited this page Dec 15, 2018 · 10 revisions
```text
USAGE:
  amber [options] file.exe

OPTIONS:
  -k, -keysize          Size of the encryption key in bytes (Max:255/Min:8)
  -r, -reflective       Generate a reflective payload
  -a, -anti-analysis    Add anti-analysis measures
  -i, -iat              Use import address table entries instead of export address table
  -s, -scrape           Scrape the PE header info (May break some files)
  -no-resource          Don't add any resource data (removes icon)
  -ignore-integrity     Ignore integrity check errors
  -v, -verbose          Verbose output mode
  -h, -H                Show this message

EXAMPLE:
  (Default settings if no option parameter passed)
  amber -k 8 file.exe
```
- `-k/-keysize`: This parameter specifies the length of the randomly generated RC4 key.
- `-r/-reflective`: If this flag is set, amber generates a reflective payload that can be used in multi-stage attacks.
- `-a/-anti-analysis`: This flag enables the anti-analysis functions inside the Go stub. Enabling it should decrease the detection rate on VM-based malware analysis systems.
- `-i/-iat`: When this flag is set, amber uses the import address table entries when calling the Windows API functions. (This option can be used for additional stealth against exploit mitigations such as Windows Defender Exploit Guard & EMET.)
- `-s/-scrape`: When this flag is set, amber scrapes a few parts of the PE header in the generated file mapping. (More stealth against run-time scanners.)
- `-no-resource`: When this flag is passed, amber does not add any resource or metadata to the output binary. (This also makes it smaller.)
- `-ignore-integrity`: If this flag is set, amber ignores the integrity check errors.
In order to pack a file using the Docker image, the folder containing the target file should be mounted with the `-v` parameter.

Example:

```shell
docker run -it -v /tmp/:/tmp/ egee/amber /tmp/file.exe
```