Open-Awesome

© 2026 Open-Awesome. Curated for the developer elite.


Amber

MIT · Go · v3.2

A reflective PE packer for in-memory execution of Windows executables to bypass security products.

GitHub
1.4k stars · 218 forks · 0 contributors

What is Amber?

Amber is a reflective PE packer that loads and executes Windows Portable Executable files (EXE, DLL, SYS) directly in memory. It solves the problem of deploying payloads stealthily by avoiding disk writes and bypassing security products like anti-virus and intrusion detection systems.

Target Audience

Security researchers, penetration testers, and red team operators who need to deploy evasive payloads during assessments or simulations.

Value Proposition

Developers choose Amber for its focus on evasion, offering features like in-memory execution, payload encoding, and memory cleanup that make it effective against modern security defenses.

Overview

Reflective PE packer.

Use Cases

Best For

  • Bypassing anti-virus and EDR solutions with fileless payloads
  • Deploying reflective DLLs for post-exploitation in red team exercises
  • Creating encoded shellcode from PE files for use in exploit development
  • Evading memory scanners by cleaning up payloads after execution
  • Performing raw syscalls on x64 systems for enhanced stealth
  • Generating staged payloads for remote command and control scenarios

Not Ideal For

  • Legitimate software distribution requiring standard installation and signing
  • Cross-platform development targeting non-Windows environments
  • Static malware analysis workflows that rely on unobfuscated PE files
  • General-purpose programming where disk-based execution is acceptable

Pros & Cons

Pros

Memory-Only Execution

Loads and executes PE files entirely in memory without touching disk, effectively bypassing file-based anti-virus and EDR solutions as highlighted in the README.

Advanced Payload Obfuscation

Automatically encodes payloads with the SGN encoder, adding multiple layers of obfuscation to evade signature-based detection, with configurable encoding iterations via the -e flag.

Stealthy API Resolution

Uses CRC32_API or IAT_API to resolve Windows API addresses inconspicuously, reducing forensic footprints by avoiding direct API name exposure.

Post-Execution Cleanup

Erases the reflective payload from memory after execution, as stated in the README, helping to evade memory scanners and forensic analysis tools.

Cons

Build Complexity

Requires installing the keystone engine from source for building, which adds non-trivial setup steps compared to simple Go toolchains, as noted in the installation instructions.

Windows-Only Limitation

Specifically designed for Windows PE files (EXE, DLL, SYS), making it useless for other platforms or executable formats like .NET assemblies or Linux ELF files.

Niche Focus

Tailored for offensive security and evasion, lacking features for legitimate software development, such as error handling or integration with standard deployment pipelines.

Quick Stats

Stars: 1,417
Forks: 218
Contributors: 0
Open Issues: 4
Last commit: 2 years ago
Created: Since 2017

Tags

#pe #assembly #windows-security #stub #red-teaming #penetration-testing #shellcode #pe-packer #payload #amber #packer

Built With

  • Go
  • keystone-engine
  • Docker

Included in

Executable Packing · 1.6k
Auto-fetched 1 day ago

Related Projects

ConfuserEx

An open-source, free protector for .NET applications

Stars: 2,863
Forks: 441
Last commit: 2 years ago

PEzor

Open-Source Shellcode & PE Packer

Stars: 2,107
Forks: 327
Last commit: 2 years ago

Crinkler

Crinkler is an executable file compressor (or rather, a compressing linker) for compressing small 32-bit Windows demoscene executables. As of 2026, it is the most widely used tool for compressing 1k/4k/8k intros.

Stars: 1,213
Forks: 61
Last commit: 1 month ago

ProtectMyTooling

Multi-Packer wrapper letting us daisy-chain various packers, obfuscators and other Red Team oriented weaponry. Featured with artifacts watermarking, IOCs collection & PE Backdooring. You feed it with your implant, it does a lot of sneaky things and spits out obfuscated executable.

Stars: 1,079
Forks: 147
Last commit: 8 months ago