SHAREM is a comprehensive shellcode analysis framework designed for security researchers and malware analysts. It offers advanced emulation of over 20,000 WinAPIs and Windows syscalls, coupled with a custom disassembler that integrates emulation data for enhanced clarity, particularly for obfuscated shellcode.

How It Works

SHAREM employs a sophisticated emulation engine capable of deobfuscating encoded shellcode by executing it within a controlled environment. It logs and categorizes all WinAPI and syscall interactions, providing detailed structure information and identifying unreachable code. The disassembler leverages this emulation data to present a more accurate, deobfuscated view of the shellcode, significantly improving analysis efficiency.

Quick Start & Requirements

• Installation: Install as a local Python package using setup.py via provided .bat files (Windows) or linux_installer.sh (Linux). Git is required for automated SSDeep installation on Windows.
• Prerequisites: Python, Git (Windows), Windows DLLs (harvested or manually provided for Linux).
• Initial Setup: The first emulation on Windows triggers a multi-minute DLL harvesting and inflation process, required separately for 32-bit and 64-bit.
• Resources: Requires access to Windows DLLs.
• Demo: Click on image to view demo
• Documentation: SHAREM Wiki

Highlighted Details

• Emulates over 20,000 WinAPIs and virtually all user-mode Windows syscalls.
• Custom disassembler integrates emulation data for deobfuscated shellcode views.
• Supports "timeless debugging" with stack context and complete code coverage analysis.
• Includes OpenAI integration for AI-assisted analysis tasks.

Maintenance & Community

• Presented at DEFCON 31 and Black Hat USA Arsenal.
• Companion Ghidra plugin available from Trellix.
• Supported by NSA Grant H98230-20-1-0326.
• Co-authors include Dr. Bramwell Brizendine and others.

Licensing & Compatibility

• License details are not explicitly stated in the README. Compatibility for commercial use or closed-source linking is not specified.

Limitations & Caveats

Documentation is sparse, with significant portions and features not yet documented. The "timeless debugging" feature is noted as being slow. Linux users must manually obtain and prepare Windows DLLs.