EvilVM Documentation Site


NolaCon 2019 Presentation

I presented EvilVM’s Alpha release at NolaCon, 2019. You can see Irongeek’s video recording on YouTube, for a good intro to the project and some demos:

Download slides from NolaCon 2019 talk libreoffice ODP format, PDF format.

Get the Code

Find the code for EvilVM at https://github.com/jephthai/EvilVM/.

Basic Intro

To do a quick dive into the system, follow the instructions in the Quickstart Guide.


This site hosts documentation for EvilVM and its constituent tools. The project is built around a native code Forth compiler that is deployed as a position independent shellcode. It provides a platform for remote code execution, useful in information security contexts.

The primary use case for EvilVM is to deploy the agent on a remote system, and interact with it. The language’s outer interpreter is presented as an interactive shell or REPL, and the system provides the capability to deliver code to the agent, which is compiled, and added to the hyperstatic global environment.

Technology choices are made with the project’s goals in mind:

  1. Small, easily deployed payload: the EvilVM agent is a position independent, x86_64 shellcode that weighs in somewhere between 5-10KB, depending on options and encapsulation.
  2. Remote I/O streams: the standard I/O paradigm for interacting with the language is via abstracted network-capable streams, allowing transport over TCP, HTTP, etc.
  3. Low level access: the runtime environment provides direct access to compiler internals, machine code, and direct memory interaction.
  4. Native interoperability: a simple C FFI is provided, making it easy to import DLLs, find exports, and wrap them with Forth function definitions.
  5. Expressive language: while Forth provides a ‘low floor’, functioning close to the assembly language level, it also offers a ‘high ceiling’, permitting runtime syntactic extension of the language, and is well-suited to metaprogramming techniques.
  6. Infosec considerations: generation of payloads supports different encoding and encapsulation schemes to fit in well with typical malicious delivery scenarios (exploits, injection, etc.).
Last updated on 6 May 2019