GScript: Scriptable dynamic runtime execution of malware
Category : Blog
GScript (Genesis Scripting Engine)
Genesis Scripting (gscript for short) is a technology I’ve developed to enable more intelligent malware stagers. Typically, stagers are pretty dumb. Most stagers are unique to the malware they deploy and do not allow for “bundling” of multiple payloads. Sophisticated attackers do in fact bundle their payloads, which makes runtime uncertainty even more assured.
GScript has significant benefits over traditional tactics:
Scripts are far more “sandboxed” from each other. If you’re bundling 10 payloads and 1 of them has a syntax error in its script, with gscript, only that scripts VM dies, not the entire program.
GScript’s VM, while sandboxed, has native hooks injected into it. This allows the VM to interact with things outside of the VM (filesystem, network, registry, etc.).
These functions are by and large, completely cross-platform. This allows someone to only learn GScript to write scripts without having to learn a different programming language.
Execution is also parallelized using the very effective go routine paradigm, resulting in the much faster execution of stagers with multiple payloads.
This development process is incredibly efficient with our gscript CLI utility.
The compiler is what translates your gscripts and their assets into a finalized binary. Some features of the compiler:
- Support native binary compilation for all major operating systems: Windows, Linux, OS X
- Can support large numbers of scripts and assets into a single executable.
- Built-in lossless compression and obfuscation of both scripts and embedded assets.
- VERY FAST. Compilation times generally less than 5 seconds.
- Post compilation obfuscation to remove references to the library.
- Defaults to a null logger for the final binary (no output ever!), but can be overridden to inject a development logger into the final binary for testing.
The final binary contains the gscript engine with all scripts and their imported assets. It will initialize VMs, one for each script, and execute them generally in parallel (there’s priority overrides, but more on that below!).
The VMs cannot interact with one another and errors in one VM will be gracefully handled by the engine. This prohibits one VM from causing instability or fatal errors preventing other scripts from executing.
The Engine has been designed to be lean and free from bloated imports. It’s come a long way, but there will be more improvements here in the future as well.
Most Popular Training Courses at Indian Cyber Security Solutions:
Cybersecurity services that can protect your company: