Wednesday 2 October 15:00 - 15:30, Green room
Bramwell Brizendine (University of Alabama in Huntsville)
SHAREM was released at VB2022 as a shellcode analysis framework with capabilities not previously available in one tool. Not only can SHAREM emulate tens of thousands of WinAPI functions as well as virtually all user-mode Windows syscalls, but it also features timeless debugging and a dedicated shellcode disassembler. SHAREM's complete code coverage allows a shellcode sample to be started and restarted as many times as necessary, so that virtually all of a given sample can be emulated rather than only the path taken on the first run. Because SHAREM integrates the emulation data into the disassembly it generates, the result is virtually flawless disassembly. SHAREM also automatically generates executables with the shellcode embedded, allowing users to easily debug their shellcode outside of SHAREM in a debugger, if need be.
In 2024, we plan to unveil new capabilities that leverage AI to analyse the shellcode. After the shellcode has been analysed by SHAREM, AI can provide useful interpretations of SHAREM's results, looking for known patterns of malicious behaviour. For instance, is the shellcode using a known technique that corresponds to the MITRE ATT&CK framework? If so, SHAREM can provide detailed, plain-language explanations. This can be immensely useful for getting a quick, big-picture analysis of what is going on.
Additionally, we plan to look at enhancements made to SHAREM, including its vastly improved complete code coverage, which now handles a number of unusual situations. We also look at enhanced timeless debugging capabilities, which now allow parts of memory to be captured, allowing for more in-depth, instruction-by-instruction analysis if needed. Finally, we will very briefly touch on some of the excellent work done by Trellix to extend SHAREM to Ghidra. After all, if SHAREM is the only way to get accurate disassembly of shellcode, why not bring that to Ghidra?
Shellcode remains an omnipresent threat. With SHAREM, we improve upon state-of-the-art capabilities and look at some shellcode and see how powerful SHAREM can be. Additionally, with the increased capabilities of AI, there is always the danger an otherwise unskilled person might use AI to create shellcode. We will look at an example of this – and how SHAREM can quickly deal with it.
SHAREM was supported by NSA Grant H98230-20-1-0326.
Bramwell Brizendine
Dr Bramwell Brizendine completed his Ph.D. in cyber operations. A security researcher, Bramwell is currently an assistant professor at the University of Alabama in Huntsville, and he is the Founding Director of the Vulnerability and Exploitation Research for Offensive and Novel Attacks Lab (VERONA Lab). A cybersecurity expert, Bramwell has taught numerous undergraduate, graduate, and doctoral-level courses in reverse engineering, software exploitation, advanced software exploitation, malware analysis, and offensive security. Additionally, Bramwell has authored several important cybersecurity tools, including JOP ROCKET, SHAREM, ShellWasp and ROP ROCKET, which are open source and freely available. Bramwell was a PI on a $300,000 NSA research grant to develop a shellcode analysis framework, SHAREM. Bramwell has been a speaker at many top security conferences across the globe, including different regional variations of Black Hat, DEFCON, Hack in the Box, and more.