Amber vs Donut

GitHub Stats

                Amber        Donut
Stars           1.4k         4.5k
Forks           221          739
Issues          4            36
Updated         2y ago       9mo ago
License         MIT          BSD-3-Clause
Language        Go           C

About Amber

Amber is a reflective PE packer written in Go that converts standard Windows PE (Portable Executable) files into position-independent shellcode payloads. It uses a reflective loading technique to execute PE files entirely in memory without writing them to disk, bypassing many traditional antivirus and endpoint detection mechanisms that rely on file-based scanning. Red team operators and exploit developers use Amber to prepare payloads for advanced adversary simulations, converting compiled executables into shellcode that can be injected into running processes or delivered through custom loaders. The tool supports both 32-bit and 64-bit PE files and can add custom stubs for additional evasion, making it a key component in payload development pipelines for authorized offensive engagements.

About Donut

Donut is a position-independent code generation tool that creates x86 or x64 shellcode payloads from .NET assemblies, PE files, DLLs, and VBS/JS/XSL files. The generated shellcode can load and execute the payload entirely in memory without touching disk, making it extremely useful for AV/EDR evasion. Donut supports encryption (Chaskey cipher), decoy module loading, and CLR bootstrapping for .NET payloads. It's a critical component in modern red team toolchains.

Platform Support

๐Ÿงlinux๐ŸŽmacos๐ŸชŸwindows
๐Ÿงlinux๐ŸชŸwindows

Tags

Shared

shellcode, evasion

Amber only

packer, red-team

Donut only

in-memory, dotnet, position-independent