# gscript

Genesis Scripting Engine
WARNING: This library is under active development. API is NOT stable and will have breaking changes for the foreseeable future.
## Description

GENESIS Scripting (gscript for short) is a technology I've developed to allow dynamic runtime execution of malware installation based on parameters determined at runtime.

Inspiration for this comes from my old AutoRune™ days and from the need for malware to basically become self-aware without a bunch of duplicated overhead code.

gscript uses a JavaScript V8 virtual machine to interpret your genesis script and allow it to hook into the malware initialization.

The engine itself is commonly referred to as "GSE", the Genesis Scripting Engine.
## Installation

We have created a command line SDK for gscript. You can download it from our Releases page:

https://github.com/gen0cide/gscript/releases

If you want to compile final binaries using gscript's compiler, you'll need the following dependencies installed and configured on your system:

- Golang v1.10 or higher
- jshint

After you have both of those, run:

```
$ go get github.com/gen0cide/gscript/cmd/gscript
```
## What is GENESIS btw?

GENESIS was created by @vyrus, @gen0cide, @emperorcow, and @ahhh for dynamically bundling multiple payloads into one dropper for faster deployment of implants for the CCDC Red Team.

For more information on this work we do every year, see my blog post outlining our toolbox:

GSE's goal is to allow intelligent deployment of those payloads.
## Variables

These variables are pre-defined and injected into the GENESIS VM at runtime for your convenience.

| Variable Name | Type | Example | Purpose |
|---|---|---|---|
| `USER_INFO` | object | `{uid: 0, gid: 0, username: "root", home_dir: "/root"}` | Information about the user. Will be basically whatever is returned with https://golang.org/pkg/os/user/#User |
| `HOSTNAME` | string | `example01` | The hostname of the machine. |
| `IP_ADDRS` | array | `["127.0.0.1","192.168.1.5"]` | The IP addresses of the machine. |
| `OS` | string | `linux` | The operating system (basically `runtime.GOOS`). |
| `ARCH` | string | `amd64` | The CPU architecture (basically `runtime.GOARCH`). |
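The table above says each variable is "basically" what the Go standard library returns. The following is an added example, not gscript's own code, showing how those five values map from `os/user.User`, `os.Hostname`, `net.InterfaceAddrs`, `runtime.GOOS` and `runtime.GOARCH` onto the shapes in the table. Two details are assumptions made here rather than documented on the page: `Uid`/`Gid` are strings in Go (and Windows SIDs, not integers), so the conversion to the integer `uid`/`gid` shown in the example falls back to `-1` when the value is not numeric, and the `/prefix` that `net.Addr.String()` reports is stripped to produce bare addresses like the `IP_ADDRS` example.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"os/user"
	"runtime"
	"strconv"
)

// UserInfo mirrors the USER_INFO object from the variables table.
// The JSON tags use the field names shown in the README example.
type UserInfo struct {
	UID      int    `json:"uid"`
	GID      int    `json:"gid"`
	Username string `json:"username"`
	HomeDir  string `json:"home_dir"`
}

// RuntimeVars holds the five pre-defined variables the table describes.
type RuntimeVars struct {
	UserInfo UserInfo
	Hostname string
	IPAddrs  []string
	OS       string
	Arch     string
}

// userInfoFrom maps the string Uid/Gid that os/user.User carries onto the
// integer uid/gid shown in the README example. Assumption (not from the
// page): a non-numeric id such as a Windows SID becomes -1.
func userInfoFrom(uid, gid, username, homeDir string) UserInfo {
	u, err := strconv.Atoi(uid)
	if err != nil {
		u = -1
	}
	g, err := strconv.Atoi(gid)
	if err != nil {
		g = -1
	}
	return UserInfo{UID: u, GID: g, Username: username, HomeDir: homeDir}
}

// ipFromAddr strips the prefix length that net.Addr.String() reports
// ("127.0.0.1/8" -> "127.0.0.1"); anything that is not CIDR is returned
// unchanged. Assumption: IP_ADDRS holds bare addresses, as in the example.
func ipFromAddr(addr string) string {
	ip, _, err := net.ParseCIDR(addr)
	if err != nil {
		return addr
	}
	return ip.String()
}

// CollectRuntimeVars gathers the values the engine injects, using only the
// standard-library calls the README points at.
func CollectRuntimeVars() (RuntimeVars, error) {
	u, err := user.Current()
	if err != nil {
		return RuntimeVars{}, err
	}
	host, err := os.Hostname()
	if err != nil {
		return RuntimeVars{}, err
	}
	addrs, err := net.InterfaceAddrs()
	if err != nil {
		return RuntimeVars{}, err
	}
	ips := make([]string, 0, len(addrs))
	for _, a := range addrs {
		ips = append(ips, ipFromAddr(a.String()))
	}
	return RuntimeVars{
		UserInfo: userInfoFrom(u.Uid, u.Gid, u.Username, u.HomeDir),
		Hostname: host,
		IPAddrs:  ips,
		OS:       runtime.GOOS,
		Arch:     runtime.GOARCH,
	}, nil
}

func main() {
	v, err := CollectRuntimeVars()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", v)
}
```

Running it prints the same five values a script would see in `USER_INFO`, `HOSTNAME`, `IP_ADDRS`, `OS` and `ARCH`, which is a convenient way to check what a given host exposes to the engine before writing conditions against them.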
## Builtin Functions

These functions are available to you automatically within the GSE scripting context.
### Halt()

Terminates the current GSE VM gracefully.

- Arguments: none
- Returns: `boolean` (true = success, false = error)

### Asset(filename)

Load an asset you previously imported during compilation from the packed store.

- Arguments:
  - `filename` (String): The name of the file that you imported into your dropper.
- Returns: `[]byte`, the bytes of the file contents.

### DeleteFile(path)

Delete the file located at `path`.

- Arguments:
  - `path` (String): Path to the file you wish to delete.
- Returns: `boolean` (true = success, false = error)

### CopyFile(srcPath, dstPath)

Copy the file from `srcPath` to `dstPath`.

- Arguments:
  - `srcPath` (String): Path to the source file.
  - `dstPath` (String): Path to the destination file.
- Returns: `boolean` (true = success, false = error)

### ReadFile(path)

Read the file at the provided `path`.

- Arguments:
  - `path` (String): Path to the file you would like to read.
- Returns: `string`, the contents of the target file.

### WriteFile(path, bytes, perms)

Write `bytes` to `path` and set its permissions to `perms`.

- Arguments:
  - `path` (String): Path to the file you wish to write.
  - `bytes` (Array): Array of bytes you wish to write to the `path` location.
  - `perms` (String): Octal unix permissions represented as a string, e.g. `0777`.
- Returns: `boolean` (true = success, false = error)

### ExecuteFile(path, args)

Execute the file located at `path` with `args` as arguments.

- Arguments:
  - `path` (String): Path to the file you wish to execute.
  - `args` (Array): Arguments to pass during file execution.
- Returns: `boolean` (true = success, false = error)

### AppendFile(path, bytes)

Append `bytes` to the file located at `path`.

- Arguments:
  - `path` (String): Path to the file you wish to append to.
  - `bytes` (Array): Array of bytes you wish to append.
- Returns: `boolean` (true = success, false = error)

### ReplaceInFile(path, target, replace)

Replace any instances of `target` with `replace` in the file located at `path`.

- Arguments:
  - `path` (String): Path to the file you wish to modify.
  - `target` (String): String value you wish to replace in the file.
  - `replace` (String): String value you wish to substitute `target` with.
- Returns: `boolean` (true = success, false = error)

### Signal(pid, signal)

Send a signal to another process.

- Arguments:
  - `pid` (String): Process ID you wish to signal.
  - `signal` (Integer): Type of signal you wish to send (9, 15, etc.).
- Returns: `boolean` (true = success, false = error)

### RetrieveFileFromURL(url)

Retrieve a file via `GET` for a given `url`.

- Arguments:
  - `url` (String): Full URL of the location you wish to retrieve.
- Returns: `[]byte`, the bytes of the response body.

### DNSQuery(question, type)

Perform a DNS lookup.

- Arguments:
  - `question` (String): DNS query question (e.g. `"twitter.com"`).
  - `type` (String): DNS question type (A, CNAME, MX, etc.).
- Returns: `Object`. Reference `VMDNSQueryResponse` in `response_objects.go` for object details.

### HTTPRequest(method, url, body, headers)

Perform an HTTP/S request.

- Arguments:
  - `method` (String): HTTP method (GET, POST, PUT, DELETE, HEAD, etc.).
  - `url` (String): Full URL (including `https://`) you wish to make a request to.
  - `body` (String): Any body you wish to include (`nil` if none).
  - `headers` (Object): A key/value object that will be set as HTTP request headers.
- Returns: `Object`. Reference `VMHTTPRequestResponse` in `response_objects.go` for object details.

### Exec(cmd, args)

Execute the given command and arguments.

- Arguments:
  - `cmd` (String): Base command you wish to run.
  - `args` (Array): Arguments as an array of strings.
- Returns: `Object`. Reference `VMExecResponse` in `response_objects.go` for object details.

### MD5(bytes)

Create an MD5 hash of the given bytes.

- Arguments:
  - `bytes` (Array): Array of bytes.
- Returns: `string`, the hex-encoded MD5 hash.

### SHA1(bytes)

Create a SHA1 hash of the given bytes.

- Arguments:
  - `bytes` (Array): Array of bytes.
- Returns: `string`, the hex-encoded SHA1 hash.

### B64Encode(bytes)

Perform a Base64 encode on `bytes`.

- Arguments:
  - `bytes` (Array): Array of bytes you wish to base64 encode.
- Returns: `string`, the Base64-encoded string representation.

### B64Decode(string)

Perform a Base64 decode on `string`.

- Arguments:
  - `string` (String): Base64-encoded string.
- Returns: `[]byte`, the bytes of the decoded Base64 string.

### Timestamp()

Get the current time in Epoch format.

- Arguments: none
- Returns: `integer`, the current time in Epoch format.

### CPUStats()

Retrieve specs about the machine's CPU.

- Arguments: none
- Returns: `Object`. Reference `VMCPUStatsResponse` in `response_objects.go` for object details.

### MemStats()

Retrieve specs about the machine's memory.

- Arguments: none
- Returns: `Object`. Reference `VMMemStatsResponse` in `response_objects.go` for object details.

### SSHExec(host, port, creds, cmds)

Executes SSH commands on the given host.

- Arguments:
  - `host` (String): Host you wish to connect to.
  - `port` (String): Port you wish to connect to.
  - `creds` (Object): Credential object: `{ username: "", password: "", privateKey: "" }`
  - `cmds` (Array): Commands you wish to run as an array of strings.
- Returns: `Object`. Reference `VMSSHExecResponse` in `response_objects.go` for object details.

### Sleep(seconds)

Sleep for `seconds` seconds.

- Arguments:
  - `seconds` (Int): Sleep duration.
- Returns: `boolean` (true = success, false = error)

### GetDirsInPath()

Get a list of all the directories currently in our PATH.

- Arguments: none
- Returns: `[]string`, an array of directories in the current PATH as strings.

### EnvVars()

Retrieve all environment variables in the current execution.

- Arguments: none
- Returns: `Object`. Reference `VMEnvVarsResponse` in `response_objects.go` for object details.

### GetEnv(varname)

Retrieve the value of the environment variable `varname`.

- Arguments:
  - `varname` (String): Environment variable name.
- Returns: `string`, the value, empty if undefined.

### FileCreateTime(path)

Look up the creation time for the file located at `path`.

- Arguments:
  - `path` (String): Path to the target file.
- Returns: `int`, last modified time in Epoch format.

### FileModifyTime(path)

Look up the last modified time for the file located at `path`.

- Arguments:
  - `path` (String): Path to the target file.
- Returns: `int`, last modified time in Epoch format.

### LoggedInUsers()

Gets an array of unique users currently logged in.

- Arguments: none
- Returns: `[]string`, an array of usernames as strings.

### UsersRunningProcs()

Gets an array of unique users currently running processes.

- Arguments: none
- Returns: `[]string`, an array of usernames as strings.

### ServeDataOverHTTP(data, port, timeout)

Starts an HTTP server on port `port` that will respond to `GET /` with the `data` provided.

- Arguments:
  - `data` (String): Data you wish to serve.
  - `port` (Int): Port to listen on.
  - `timeout` (Int): How many seconds to listen (cannot be greater than the global `timeout` variable!).
- Returns: `boolean` (true = success, false = error)
## Notes

This is just my design chicken scratch. I'll slowly migrate this stuff over to more formal documentation as I implement.

```javascript
// Genesis Hooks (Can be user defined)
function BeforeDeploy() {};
function Deploy() {};
function AfterDeploy() {};
function OnError() {};

// Research Functions (Should *not* be overridden!)
// These functions allow you to get information about
// a given system in order to make decisions based off
// the context the runtime is executing in.
function LocalUserExists(username) { return boolean; };
function ProcExistsWithName(name) { return boolean; };
function CanReadFile(path) { return boolean; };
function CanWriteFile(path) { return boolean; };
function CanExecFile(path) { return boolean; };
function FileExists(path) { return boolean; };
function DirExists(path) { return boolean; };
function FileContains(path, match) { return boolean; };
function IsVM() { return boolean; };
function IsAWS() { return boolean; };
function HasPublicIP() { return boolean; };
function CanMakeTCPConn(dst, port) { return boolean; };
function ExpectedDNS(query, type, resp) { return boolean; };
function CanMakeHTTPConn(url) { return boolean; };
function DetectSSLMITM(url, cert_fp) { return boolean; };
function CmdSuccessful(cmd) { return boolean; };
function CanPing(dst) { return boolean; };
function TCPPortInUse(port) { return boolean; };
function UDPPortInUse(port) { return boolean; };
function ExistsInPath(progname) { return boolean; };
function CanSudo() { return boolean; };
function Matches(string, match) { return boolean; };
function CanSSHLogin(ip, port, u, p) { return boolean; };
```
## TODO

- Implement all functions
- Implement global variables
- Implement runtime variable loading
- Implement timeout
- Implement hook callers
- Implement CLI framework (cmd/gscript)
- Implement compiler / crypter
## Credits

Shoutouts to the homies:

- vyrus
- ahhh
- cmccsec
- carnal0wnage
- indi303
- emperorcow
- rossja