SHAREM shellcode analysis framework with emulation, a disassembler, and timeless debugging VERONA La

Presented at the VB2022 conference in Prague, 28 - 30 September, 2022.

Slides: https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-SHAREM-shellcode-analysis-framework-with-emulation-disassembler-and-timeless-debugging.pdf
Paper: https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-SHAREM-shellcode-analysis-framework-with-emulation-disassembler-and-timeless-debugging.pdf
Details: https://www.virusbulletin.com/conference/vb2022/abstracts/sharem-shellcode-analysis-framework-emulation-disassember-and-timeless-debugging/

Presented by:
• Bramwell Brizendine (University of Alabama in Huntsville)
• Sascha Walker (VERONA Lab)
• Shelby VandenHoek (VERONA Lab)

Abstract

SHAREM is a new shellcode analysis framework, funded by an NSA grant. SHAREM provides many capabilities to malware analysts: the framework possesses a powerful emulator, a dedicated shellcode disassembler, timeless debugging, and the ability to deobfuscate shellcode either through brute-force deobfuscation or via emulation. SHAREM not only supports the emulation and logging of 16,000 WinAPI functions, it is also the first project to support emulation of Windows syscalls; 98% of all user-mode syscalls are supported, with the syscall and its parameters identified. In testing, we have emulated and logged over 300 APIs in a single large, complex shellcode. Existing disassemblers are relatively poor at providing accurate disassembly of modern Windows shellcode. SHAREM's dedicated disassembler uses static analysis to produce disassembly of shellcode that is significantly more accurate. Additionally, SHAREM can use emulation to enhance the disassembly, and it implements a complete code coverage algorithm, ensuring that every instruction in the shellcode is executed. In so doing, we can enumerate all WinAPIs and their parameters, even those that would not normally be reached, and the disassembly obtained can be nearly flawless.
With SHAREM, a heavily encoded shellcode can be deobfuscated via emulation, and the disassembler will display not the encoded shellcode, but instead the decoded shellcode, with all WinAPI calls labelled, with vivid colours. Users can toggle between decoded and encoded shellcode. API tables are also discovered and identified in the disassembly, and many unique instructions associated with shellcode are identified. For users who prefer minimalist interactions, the config file may be set with numerous customizable options, generating a detailed text report and JSON output. While SHAREM may be used by individual malware analysts, it can also be deployed as part of a web service, allowing shellcode to be analysed comprehensively with results displayed online.
