Dr. Bramwell Brizendine takes a selfie in Prague.
Dr. Bramwell Brizendine appreciates the sights in Prague while visiting to present the new SHAREM framework.


Dr. Bramwell Brizendine, Assistant Professor in the Department of Computer Science at the University of Alabama in Huntsville (UAH), was selected through peer review to present at the Virus Bulletin (VB) 2022 conference in Prague, Czech Republic. VB is a "world-renowned security event" that has been running for over 30 years, covering a broad range of IT security topics and providing a venue for the brains of IT security from around the world to learn, debate, pass on their knowledge and move the industry forward. The VB website states that the conference is "considered by many to be a must-attend security event."

Funded by a $300,000 National Security Agency - National Centers for Academic Excellence research grant, Brizendine led a team of researchers that developed a new shellcode analysis framework.

The framework, SHAREM, boasts many novel and innovative features. It can emulate more than 12,000 Windows APIs and virtually all Windows syscalls. Additionally, SHAREM has an original disassembler, allowing users to see an approximation of the Assembly language instructions from shellcode samples. The disassembler can uniquely integrate emulation data to provide nearly perfect disassembly. Many shellcode samples are encoded, which prevents a user from viewing their contents in a disassembler and can add a layer of stealth to what an attacker may be doing. SHAREM uniquely can emulate an encoded shellcode and use novel logic to present its deobfuscated form in the disassembler. In fact, this is true even if the shellcode re-encodes itself.

The framework also opens a new area of research by providing a way to achieve complete code coverage via emulation, discovering hidden functionality that would otherwise be inaccessible.


There was a great deal of highly enthusiastic, positive feedback about the framework at Virus Bulletin. Brizendine says "the malware analysis and reverse engineering community uses Twitter a lot, so I am happy to see it flourish there and attract attention. After I presented, I received an email from a student in the US at a previous university congratulating me on it - I had not told him about it - but he had seen it on Twitter."

Since SHAREM's release on September 30th at Virus Bulletin, there have been more than 700 unique visitors to its GitHub repository. Brizendine's research paper will be published as part of the conference proceedings.