GScript: Scriptable dynamic runtime execution of malware

GScript (Genesis Scripting Engine)

Genesis Scripting (gscript for short) is a technology I’ve developed to enable more intelligent malware stagers. Typically, stagers are pretty dumb. Most stagers are unique to the malware they deploy and do not allow for “bundling” of multiple payloads. Sophisticated attackers do in fact bundle their payloads, which makes runtime uncertainty even more assured.

GScript changes that. GScript allows for dynamic execution logic per payload. This is achieved by a modified Javascript runtime that is statically embedded in the final stager binary. This runtime/virtual machine runs “hook” functions that you’ve defined in your script, checking to ensure the script wishes to proceed after each hook.



GScript has significant benefits over traditional tactics:

Scripts are far more “sandboxed” from each other. If you’re bundling 10 payloads and 1 of them has a syntax error in its script, with gscript, only that scripts VM dies, not the entire program.

GScript’s VM, while sandboxed, has native hooks injected into it. This allows the VM to interact with things outside of the VM (filesystem, network, registry, etc.).

These functions are by and large, completely cross-platform. This allows someone to only learn GScript to write scripts without having to learn a different programming language.

Execution is also parallelized using the very effective go routine paradigm, resulting in the much faster execution of stagers with multiple payloads.

This development process is incredibly efficient with our gscript CLI utility.



The compiler is what translates your gscripts and their assets into a finalized binary. Some features of the compiler:

  • Support native binary compilation for all major operating systems: Windows, Linux, OS X
  • Can support large numbers of scripts and assets into a single executable.
  • Built-in lossless compression and obfuscation of both scripts and embedded assets.
  • VERY FAST. Compilation times generally less than 5 seconds.
  • Post compilation obfuscation to remove references to the library.
  • Defaults to a null logger for the final binary (no output ever!), but can be overridden to inject a development logger into the final binary for testing.



VM Engine

The final binary contains the gscript engine with all scripts and their imported assets. It will initialize VMs, one for each script, and execute them generally in parallel (there’s priority overrides, but more on that below!).

The VMs cannot interact with one another and errors in one VM will be gracefully handled by the engine. This prohibits one VM from causing instability or fatal errors preventing other scripts from executing.

The Engine has been designed to be lean and free from bloated imports. It’s come a long way, but there will be more improvements here in the future as well.



Most Popular Training Courses at Indian Cyber Security Solutions:


Summer Training for CSE, IT, BCA & MCA Students 

Network Penetration Tester Training

Ethical Hacking  training

Python Programming training

 RHCE  training

CEH V9  training

Diploma in Network Security Training

Secure Coding in Java

Diploma in Web Application Security 

Certified Web Application Penetration Tester 

Certified Android Penetration Tester 

Certified Python Programming 

Advanced Python Training 

Reverse Engineering Training  

Amazon Web Services Training  

VMware Training 

Digital marketing

CCNA training

Android Training


Cybersecurity services that can protect your company:


Web Security | Web Penetration Testing

Network Penetration Testing – NPT

Android App Penetration Testing

Source Web Development

Source Code Review

Android App Development

Digital Marketing Consultancy

Data Recovery

Leave a Reply

Your email address will not be published. Required fields are marked *



Click one of our representatives below to chat on WhatsApp or send us an email to [email protected]

× Hi How can we help you