Thursday 29 September 2022, 14:00 - 14:30
Bramwell Brizendine (University of Alabama in Huntsville)
Jacob Hince (VERONA Lab)
Austin Babcock (VERONA Lab)
Tarek Abdelmotaleb (VERONA Lab)
Sascha Walker (VERONA Lab)
Shelby VandenHoek (VERONA Lab)
SHAREM is a new shellcode analysis framework, funded by an NSA grant. SHAREM provides many capabilities to malware analysts: the framework includes a powerful emulator, a dedicated shellcode disassembler, timeless debugging, and the ability to deobfuscate shellcode either by brute force or via emulation.
SHAREM not only provides support for 16,000 WinAPI functions to be emulated and logged, but it is also the first project to support emulation of Windows syscalls, and 98% of all user-mode syscalls are supported, identifying the syscall and its parameters. In testing, we have emulated and logged over 300 APIs in a single large, complex shellcode.
Existing disassemblers are relatively poor at providing accurate disassembly of modern Windows shellcode. SHAREM’s dedicated disassembler uses static analysis to create disassembly of shellcode that is significantly more accurate. Additionally, SHAREM can use emulation to enhance the disassembly, and it also implements a complete code coverage algorithm, ensuring every instruction in the shellcode is executed. In so doing, we can enumerate all WinAPIs and their parameters, even those that would not normally be reached, and the disassembly obtained can be nearly flawless.
With SHAREM, a heavily encoded shellcode can be deobfuscated via emulation, and the disassembler will display not the encoded shellcode, but instead the decoded shellcode, with all WinAPI calls labelled, with vivid colours. Users can toggle between decoded and encoded shellcode. API tables are also discovered and identified in the disassembly, and many unique instructions associated with shellcode are identified. For users who prefer minimalist interactions, the config file may be set with numerous customizable options, generating a detailed text report and JSON output. While SHAREM may be used by individual malware analysts, it can also be deployed as part of a web service, allowing shellcode to be analysed comprehensively with results displayed online.
Dr Bramwell Brizendine recently completed his Ph.D. in cyber operations, for which he did his dissertation on Jump-Oriented Programming, a hitherto seldom-studied and poorly understood subset of code-reuse attacks. Bramwell developed a fully-featured tool that helps facilitate JOP exploit development, the JOP ROCKET. Previously, Bramwell was an assistant professor and the Director of the Vulnerability and Exploitation Research for Offensive and Novel Attacks (VERONA Lab) at Dakota State University, specializing in vulnerability research, software exploitation, and the development of new, cutting-edge tools and techniques with respect to software exploitation and malware analysis. He is now an assistant professor of computer science at the University of Alabama in Huntsville. Bramwell has taught numerous undergraduate, graduate and doctoral level courses in software exploitation, reverse engineering, malware analysis and offensive security. Bramwell was a PI on an NSA grant to develop a shellcode analysis framework, SHAREM. Bramwell has been a speaker at many top security conferences, including Black Hat Asia, DEF CON, Hack in the Box Amsterdam, @Hack, Black Hat Middle East and Africa, and more.
Jacob Hince recently completed his computer science M.S. degree at Dakota State University. He is a security researcher and malware analyst at VERONA Lab, working on security tool development and shellcode analysis. Jacob is an accomplished speaker, having presented at numerous cybersecurity clubs. Jacob has been highly active in collegiate cyber security competitions (CCDC, CPTC), and he participates in countless CTF competitions.
Austin Babcock recently completed an M.S. in computer science at Dakota State University. Austin has been a speaker at many top security conferences, such as Black Hat Asia, DEF CON, Hack in the Box Amsterdam, and more. Austin worked for two years as a security researcher at VERONA Lab under Dr Bramwell Brizendine before moving to ARL as a malware analyst. Austin has extensively studied code-reuse attacks, doing research into the fundamentals of Jump-Oriented Programming (JOP) in the Windows environment, in addition to developing JOP exploits.
Tarek Abdelmotaleb is a security researcher at VERONA Lab and a graduate student at Dakota State University, soon to graduate with an M.S. in computer science. Tarek specializes in malware development, software exploitation, reverse engineering, and malware analysis. Tarek recently published an IEEE paper that provides a new way of finding the base address of kernel32, making it possible to write shellcode without walking the Process Environment Block (PEB).
Sascha Walker is a security researcher and malware analyst at VERONA Lab and a student at Dakota State University, where he specializes in reverse engineering and malware analysis. Sascha recently presented his research providing a new technique to evade anti-virus detection at a local research symposium. In the course of his employment at VERONA Lab, Sascha has found and tested thousands of shellcode samples.
Shelby VandenHoek works at VERONA Lab as a security researcher. Shelby studies malware analysis and reverse engineering at Dakota State University, where he is presently pursuing a Bachelor’s in cyber operations. Upon graduation, he hopes to pursue a Master’s in computer science. Shelby has also been active in the Malware Club at DSU.