Amber vs ScareCrow

GitHub Stats

             Amber     ScareCrow
Stars        1.4k      2.9k
Forks        221       529
Issues       4         7
Updated      2y ago    2y ago
License      MIT       -
Language     Go        Go

About Amber

Amber is a reflective PE packer written in Go that converts standard Windows PE (Portable Executable) files into position-independent shellcode payloads. It uses a reflective loading technique to execute PE files entirely in memory without writing them to disk, which sidesteps many traditional antivirus and endpoint detection mechanisms that rely on file-based scanning. Red team operators and exploit developers use Amber to prepare payloads for advanced adversary simulations, converting compiled executables into shellcode that can be injected into running processes or delivered through custom loaders. The tool supports both 32-bit and 64-bit PE files and can add custom stubs for additional evasion, making it a key component in payload development pipelines for authorized offensive engagements.

About ScareCrow

ScareCrow is a payload creation framework designed to generate loaders that bypass Endpoint Detection and Response (EDR) products. It issues direct Windows system calls instead of standard WinAPI calls, avoiding the userland hooks that EDR products place to observe API activity. ScareCrow supports multiple loader types (DLL sideloading, binary, JScript, HTA), code signing with spoofed certificates, and integration with shellcode generators such as Donut. It represents the current state of the art in EDR evasion.

Platform Support

๐Ÿงlinux๐ŸŽmacos๐ŸชŸwindows
๐Ÿงlinux๐ŸชŸwindows

Tags

Shared

evasion

Amber only

shellcode, packer, red-team

ScareCrow only

edr-bypass, syscalls, loader, code-signing