Amber is a tool that packs regularly compiled PE (Portable Executable) files into reflective PE files, which can then be used as infection payloads in multi-stage attacks.
I will not cover the installation here, since I will do that in a future article; the BlackArch distribution already includes it in its list of tools.
In the simplest run, passing nothing but the name of the file we want to pack and no extra parameters, the packer generates a multi-stage payload: it encrypts the file with RC4 under a randomly generated key, then compiles it into a Portable Executable file that uses some additional anti-detection functions.
A simple usage example applies only the -k parameter, which specifies the length of the randomly generated RC4 key, and the -a parameter, which is meant to lower the detection rate in VM-based malware analysis systems.
Below is a brief explanation of each of Amber's parameters, as given in its wiki:
- -k / -keysize: specifies the length of the randomly generated RC4 key.
- -r / -reflective: if this option is enabled, amber generates a reflective payload that can be used in multi-stage attacks.
- -a / -anti-analysis: enables the anti-analysis functions in the Go stub. Enabling this should decrease the detection rate in VM-based malware analysis systems.
- -i / -iat: when this flag is set, amber uses the entries of the import address table when calling Windows API functions. (This option can give additional stealth against exploit mitigations such as Windows Defender Exploit Guard and EMET.)
- -s / -scrape: when this flag is set, amber scrapes some parts of the PE header from the generated file allocation. (More stealth against runtime scanners.)
- -no-resource: when this flag is set, amber does not add any resources or metadata to the output binary. (This also makes it smaller.)
- -ignore-integrity: if this flag is set, amber ignores integrity check errors.
Portable Executable (PE)
It is the standard file format for executables, object code and DLLs, in 32-bit and 64-bit variants, on Windows operating systems. Technically, the PE format is a data structure that encapsulates the information the Windows loader needs in order to manage the wrapped executable code.
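To make that structure concrete, here is an added example (not code from this article or from the Amber project) that builds a constructed minimal PE32 image in memory, walks its DOS header, PE signature, COFF header, optional-header magic and section table, and then applies the kind of checks an analyst runs to spot packed or encrypted images: sections that are both writable and executable, executable sections with no bytes on disk, and sections whose byte entropy is near 8 bits per byte (the signature of encrypted or compressed content). The section names, their contents and the entropy threshold are assumptions chosen for the demonstration.

```python
import math
import struct
from collections import Counter

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
COFF_FMT = "<HHIIIHH"
# Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_FMT = "<8sIIIIIIHHI"


def build_sample_pe(sections, is_64=False):
    """Construct a minimal PE image: DOS header with e_lfanew, 'PE\\0\\0', COFF
    header, an optional header that is zero except for Magic, the section
    table, and each section's raw bytes appended after the headers.
    Constructed sample data only; it is not a loadable executable."""
    opt_size = 240 if is_64 else 224          # standard optional header sizes
    e_lfanew = 0x40
    coff = e_lfanew + 4
    table = coff + 20 + opt_size
    headers_len = table + 40 * len(sections)
    out = bytearray(headers_len)
    out[0:2] = b"MZ"
    struct.pack_into("<I", out, 0x3C, e_lfanew)
    out[e_lfanew:coff] = b"PE\0\0"
    struct.pack_into(COFF_FMT, out, coff, 0x8664 if is_64 else 0x14C,
                     len(sections), 0, 0, 0, opt_size, 0x0102)
    struct.pack_into("<H", out, coff + 20, 0x20B if is_64 else 0x10B)
    raw_ptr, body = headers_len, bytearray()
    for i, (name, vsize, vaddr, chars, raw) in enumerate(sections):
        struct.pack_into(SECTION_FMT, out, table + 40 * i, name.ljust(8, b"\0"),
                         vsize, vaddr, len(raw), raw_ptr if raw else 0,
                         0, 0, 0, 0, chars)
        raw_ptr += len(raw)
        body += raw
    return bytes(out + body)


def shannon_entropy(buf):
    """Bits of entropy per byte; values near 8.0 suggest encrypted/compressed data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data):
    """Walk the headers and return machine type, bitness and per-section metadata."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff)
    (magic,) = struct.unpack_from("<H", data, coff + 20)   # optional header Magic
    bits = {0x10B: 32, 0x20B: 64}.get(magic)
    if bits is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        (name, vsize, vaddr, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        raw = data[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "characteristics": chars,
            "entropy": shannon_entropy(raw),
        })
    return {"machine": machine, "bits": bits, "sections": sections}


def packer_indicators(pe, entropy_threshold=7.0):
    """Heuristics (threshold is an assumption) that commonly flag packed or
    encrypted images; each is a hint for further analysis, not a verdict."""
    findings = []
    for s in pe["sections"]:
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            findings.append((s["name"], "writable and executable"))
        if c & IMAGE_SCN_MEM_EXECUTE and s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append((s["name"], "executable but empty on disk"))
        if s["entropy"] > entropy_threshold:
            findings.append((s["name"], "high entropy (%.2f bits/byte)" % s["entropy"]))
    return findings


# Constructed sample: ordinary-looking code, a data section whose bytes look
# encrypted, and a writable+executable section that only exists in memory.
SAMPLE_SECTIONS = [
    (b".text", 0x100, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ,
     bytes(range(16)) * 16),
    (b".data", 0x100, 0x2000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
     bytes(range(256))),
    (b".load", 0x10000, 0x3000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
     b""),
]


def analyse_sample():
    pe = parse_pe(build_sample_pe(SAMPLE_SECTIONS))
    return pe, packer_indicators(pe)


if __name__ == "__main__":
    pe, findings = analyse_sample()
    print("PE%d machine=0x%x sections=%d" % (pe["bits"], pe["machine"], len(pe["sections"])))
    for name, why in findings:
        print("  %-8s %s" % (name, why))
```

On a real file you would read the bytes from disk and pass them to `parse_pe`; the header walk is the same, only the constructed builder is specific to this demonstration. Entropy alone is a weak signal (compressed resources and certificates are also high-entropy), which is why the indicators are combined rather than used singly.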
RC4
It is a symmetric stream cipher; the scheme is quite simple and can be implemented very efficiently in software. However, RC4 has not been considered a secure algorithm for a long time.
At present Amber is not a finished tool, so some things may be broken; it is nonetheless very useful for packing PE files into reflective PE files that can be used as infection payloads in multi-stage attacks.