Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?


Failed to load latest commit information.
Latest commit message
Commit time


Amber is a position-independent(reflective) PE loader that enables in-memory execution of native PE files(EXE, DLL, SYS...). It enables stealthy in-memory payload deployment that can be used to bypass anti-virus, firewall, IDS, IPS products, and application white-listing mitigations. Reflective payloads generated by Amber can either be staged from a remote server or executed directly in memory much like a generic shellcode. By default, every generated payload is encoded using the new generation SGN encoder. Amber uses CRC32_API and IAT_API for inconspicuously resolving the Windows API function addresses. After the PE file is loaded and executed in memory, the reflective payload is erased for evading memory scanners.

Developed By Ege Balcı @PRODAFT.


Pre-compiled binaries can be found under releases.

Building From Source

The only dependency for building the source is the keystone engine, follow these instructions for installing the library. Once libkeystone is installed on the system, simply just go get it ツ

go get

Docker Install


docker pull egee/amber
docker run -it egee/amber


The following table lists switches supported by the amber.

Switch Type Description
-b,--build bool Build EXE stub that executes the generated reflective payload
-e int Number of times to encode the generated reflective payload
-f,--file string Input PE file.
-iat bool Use IAT API resolver block instead of CRC API resolver block
-ignore-checks bool Ignore integrity check errors.
-max int Maximum number of bytes for obfuscation (default 5)
-s,--stub string Use custom stub file for executing the generated reflective payload (currently very unstable)

Example Usage

  • Generate reflective payload.
amber -f test.exe
  • Generate reflective payload and build EXE stub for executing it.
amber -build -f test.exe

Docker Usage

docker run -it -v /tmp/:/tmp/ amber -f /tmp/file.exe