
2. Quick Start Analysis

Shiva Shashank edited this page Sep 22, 2022 · 14 revisions

Shellcode Files

Analysis of “raw” shellcode files is also available and works similarly to PE files. Analysis of shellcode is the focal point of SHAREM. SHAREM accepts both true binary data and text files containing ASCII representations of opcodes such as the following:

[Screenshot: a text file containing an ASCII representation of the opcodes]

To analyze “raw” files, use the -r32 flag instead of -pe. This treats the input as 32-bit shellcode. If the file is 64-bit, use the -r64 flag instead, because SHAREM cannot detect the architecture automatically without PE file headers. The plain -r option uses whichever CPU architecture (32- or 64-bit) is set in the config file.

[Screenshot: the shellcode menu]

Example commands:

  • python main.py -r32 sc_test.txt
  • python main.py -r64 sc_test_64.bin
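As an added example (not part of SHAREM itself), the helpers below convert the ASCII opcode representations SHAREM accepts into raw bytes and build the -r32 / -r64 / -r command line for a sample. The function names, the trailing ";" and "#" comment syntax, and the sample listing are assumptions made here; the input forms handled are C-style escapes, 0x-prefixed tokens and bare hex with any separators.

```python
"""Normalise shellcode input for analysis.

Added example, not part of SHAREM. SHAREM accepts raw binary files and text
files holding ASCII representations of opcodes; these helpers convert the
common text forms into raw bytes and build the matching command line.
"""
import re
from typing import Optional

# Byte listings seen in practice, tried in this order.
_ESCAPED = re.compile(r"\\x([0-9a-fA-F]{2})")    # "\x90\xcc"
_PREFIXED = re.compile(r"0[xX]([0-9a-fA-F]+)")    # "0x90, 0xcc" or "0x90cc"
_COMMENT = re.compile(r"[;#].*")                  # trailing ";" / "#" comments (assumed syntax)
_NONHEX = re.compile(r"[^0-9a-fA-F]")


def parse_ascii_opcodes(text: str) -> bytes:
    """Turn an ASCII opcode listing into bytes.

    Handles C-style escapes, 0x-prefixed tokens and bare hex with any
    separators. Raises ValueError if the text is not a whole number of bytes.
    """
    text = _COMMENT.sub("", text)
    escaped = _ESCAPED.findall(text)
    if escaped:
        return bytes(int(h, 16) for h in escaped)
    prefixed = _PREFIXED.findall(text)
    if prefixed:
        # "0x5" means the single byte 0x05: left-pad odd-length tokens.
        return b"".join(bytes.fromhex(h.zfill(len(h) + len(h) % 2)) for h in prefixed)
    bare = _NONHEX.sub("", text)
    if not bare or len(bare) % 2:
        raise ValueError("input does not look like a hex opcode listing")
    return bytes.fromhex(bare)


def normalize_shellcode(data: bytes, as_text: Optional[bool] = None) -> bytes:
    """Return raw shellcode bytes from either a binary blob or a text listing.

    as_text=None auto-detects: data that decodes as printable ASCII is parsed
    as a listing, anything else is passed through unchanged. Printable (for
    example alphanumeric) shellcode is indistinguishable from text, so pass
    as_text=False explicitly when the file is known to be raw.
    """
    if as_text is False:
        return data
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        if as_text:
            raise
        return data
    if as_text is None and not all(c.isprintable() or c.isspace() for c in text):
        return data
    return parse_ascii_opcodes(text)


def build_command(sample: str, bits: Optional[int]) -> list:
    """argv for SHAREM's raw-shellcode mode: -r32, -r64, or -r (config decides)."""
    if bits not in (32, 64, None):
        raise ValueError("bits must be 32, 64 or None")
    flag = "-r" if bits is None else f"-r{bits}"
    return ["python", "main.py", flag, sample]


# Constructed sample listing: nop, nop, int3, ret in C-escape form.
SAMPLE_LISTING = r'"\x90\x90\xcc\xc3"  ; nop, nop, int3, ret (constructed)'

if __name__ == "__main__":
    raw = normalize_shellcode(SAMPLE_LISTING.encode())
    print(raw.hex(), build_command("sc_test.bin", 32))
```

Write the returned bytes to a .bin file and pass that to SHAREM with the architecture flag that matches the sample; the auto-detection in normalize_shellcode is a convenience, and for files known to be raw the explicit as_text=False path avoids misreading printable shellcode as a listing.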

Once the interface has been launched, the z option can be used to run most of SHAREM’s features in one step. It runs every available analysis using the settings made in the config file, which automatically sets or unsets the corresponding options in the interface. Changes made in the interface are likewise applied when z is typed at the main menu.

For shellcode files, SHAREM can emulate the shellcode’s instructions, and it does so automatically when the z option is used. If the shellcode modifies itself during emulation, that is an indicator that it is deobfuscating itself, and SHAREM will analyze the newly decoded shellcode rather than the original bytes.
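The check described above, as an added example that is not SHAREM’s implementation: replay an emulator trace over a copy of the shellcode, record which bytes of its own buffer the sample wrote to, and flag any of those bytes that are later executed. The trace format (Event records of "exec" and "write"), the load address and the sample with its XOR-encoded body are all constructed for this illustration; a real emulator’s memory-write and code hooks would supply the events.

```python
"""Spot self-modifying shellcode in an emulator trace.

Added example, not SHAREM's implementation. If the shellcode writes into its
own buffer and later executes those bytes, it decoded itself, and the
rewritten image (not the original file) is what should be disassembled.
The trace format below is an assumption made for this example.
"""
from collections import namedtuple

# kind: "exec" (addr, size of the instruction) or "write" (addr, data written)
Event = namedtuple("Event", "kind addr size data", defaults=(0, b""))


def replay(initial: bytes, base: int, events):
    """Apply a trace to a copy of the shellcode.

    Returns (final_image, decoded_ranges): decoded_ranges lists (address,
    length) spans that the sample wrote and then executed. Writes outside
    the buffer (stack, heap) are ignored, and a byte only counts when the
    write happens before the execution.
    """
    image = bytearray(initial)
    end = base + len(image)
    written, decoded = set(), set()
    for ev in events:
        if ev.kind == "write":
            for i, b in enumerate(ev.data):
                a = ev.addr + i
                if base <= a < end:
                    image[a - base] = b
                    written.add(a)
        elif ev.kind == "exec":
            for a in range(ev.addr, ev.addr + ev.size):
                if a in written:
                    decoded.add(a)
    return bytes(image), _merge(sorted(decoded))


def _merge(addrs):
    """Collapse sorted addresses into contiguous (start, length) spans."""
    spans = []
    for a in addrs:
        if spans and spans[-1][0] + spans[-1][1] == a:
            spans[-1] = (spans[-1][0], spans[-1][1] + 1)
        else:
            spans.append((a, 1))
    return spans


# Constructed sample: a 4-byte filler stub (not a real decoder) followed by
# a 4-byte body XOR-encoded with 0xAA. Load address is also constructed.
BASE = 0x1000
KEY = 0xAA
BODY = b"\x90\x90\xcc\xc3"        # nop, nop, int3, ret
STUB = b"\x90" * 4
SAMPLE = STUB + bytes(b ^ KEY for b in BODY)


def sample_trace():
    """Constructed trace a decoder loop would leave: run stub, rewrite body, run body."""
    events = []
    for i, b in enumerate(BODY):
        events.append(Event("exec", BASE, 2))                        # loop head in the stub
        events.append(Event("write", BASE + 4 + i, data=bytes([b])))  # decode one body byte
    events.append(Event("write", 0x7FFF0000, data=b"\x00" * 4))        # stack write, ignored
    for i in range(len(BODY)):
        events.append(Event("exec", BASE + 4 + i, 1))                # run the decoded body
    return events


def analyze(initial=SAMPLE, base=BASE, events=None):
    """Report whether the sample rewrote itself and hand back the decoded image."""
    image, spans = replay(initial, base, events if events is not None else sample_trace())
    return {"self_modifying": bool(spans), "decoded_ranges": spans, "image": image}


if __name__ == "__main__":
    result = analyze()
    print(result["self_modifying"], [(hex(a), n) for a, n in result["decoded_ranges"]])
    print(result["image"].hex())
```

The returned image is the buffer as it stood after the writes, which is the form worth disassembling; the original file bytes for the decoded span would only show the encoded payload.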


The shellcode emulation process can also reveal additional information about WinAPI calls and Syscalls made by the sample.


The steps to save and display analysis information for “raw” files are the same as for PE files: use the p option to open the Print Menu, then the z option to print and save the selections. The z option does not display every result for every feature on screen, but all of them are included in the generated text report and JSON file. That includes the disassembly of the shellcode, which identifies the APIs used.

[Screenshot: APIs identified in the shellcode disassembly]

PE Files

First, navigate to the ../sharem/sharem_cli folder. Once there, SHAREM’s command line interface can be launched via the main.py script. To analyze a PE file, type the command python main.py -pe <path_to_file> like so:


To quickly analyze the file, use the q option (all options) to perform several actions at once, or the z option – which is the same, except it uses settings from the config:

  • Find imports
  • Find additional DLLs
  • Detect potentially significant strings
  • Look for suspicious instruction patterns:
      • PEB walking
      • GetPC (self location) techniques
      • Heaven’s gate
      • Windows Syscalls

If any of the above instruction patterns are present in the sample, it may indicate that sections of shellcode are embedded in the file, which is why the shellcode analysis also supports PE files. SHAREM is not designed to extract these shellcode candidates from a PE file, but a knowledgeable user can investigate those areas more closely.
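To show what “suspicious instruction patterns” look like in bytes, here is an added example (not SHAREM’s code) that scans a buffer, such as the contents of a PE section, for byte-level signatures of the four techniques listed above and clusters nearby hits into shellcode candidates. The signatures are the common 32-bit encodings written for this example; SHAREM works on disassembly, which is more precise than raw-byte matching. The sample buffer and the 64-byte clustering window are constructed assumptions.

```python
"""Heuristic scan for shellcode-style instruction patterns in a byte buffer.

Added example, not SHAREM's code. A byte-signature version of the checks the
page lists (PEB walking, GetPC, Heaven's gate, Windows syscalls) for triaging
PE section contents. Disassembly-based checks are more precise than this.
"""
import re

# Each signature is a regex over bytes, using common 32-bit encodings.
# Legitimate code can contain some of these (a PEB read in particular) and
# arbitrary data can match by chance, so treat hits as leads, not proof.
SIGNATURES = {
    # mov eax, fs:[0x30]  or  mov r32, fs:[0x30]  (modrm mod=00 rm=101, disp32)
    "PEB walking": re.compile(
        rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00"),
    # call $+5 (pushes its own address)  or  fnstenv [esp-0xc]
    "GetPC": re.compile(rb"\xe8\x00\x00\x00\x00|\xd9\x74\x24\xf4"),
    # far jmp/call (EA/9A) with selector 0x33, or push 0x33 ... retf
    "Heaven's gate": re.compile(
        rb"[\xea\x9a].{4}\x33\x00|\x6a\x33.{0,16}?\xcb", re.DOTALL),
    # syscall / sysenter / int 2Eh
    "Windows syscall": re.compile(rb"\x0f\x05|\x0f\x34|\xcd\x2e"),
}


def scan(buf: bytes) -> dict:
    """Return {pattern name: [offsets]} for every signature that matched."""
    hits = {}
    for name, sig in SIGNATURES.items():
        offs = [m.start() for m in sig.finditer(buf)]
        if offs:
            hits[name] = offs
    return hits


def shellcode_candidates(buf: bytes, window: int = 64) -> list:
    """Offsets where two or more distinct patterns fall within `window` bytes.

    A cluster of different techniques close together is a stronger hint of
    embedded shellcode than a lone hit. Overlapping clusters are reported once.
    """
    marks = sorted((o, n) for n, offs in scan(buf).items() for o in offs)
    cands = []
    for i, (o, _) in enumerate(marks):
        near = {m for p, m in marks[i:] if p - o <= window}
        if len(near) >= 2 and (not cands or o - cands[-1] > window):
            cands.append(o)
    return cands


# Constructed buffer: padding, then call $+5, mov eax,fs:[0x30], syscall.
SAMPLE = (b"\x00" * 16
          + b"\xe8\x00\x00\x00\x00"        # GetPC at offset 16
          + b"\x64\xa1\x30\x00\x00\x00"    # PEB walk at offset 21
          + b"\x0f\x05"                    # syscall at offset 27
          + b"\x00" * 16)

if __name__ == "__main__":
    print(scan(SAMPLE))
    print(shellcode_candidates(SAMPLE))
```

Feed each PE section’s raw bytes to scan() and look at the clustered offsets in a disassembler; a lone 0f 05 inside a data section is routinely noise, whereas a GetPC sequence next to a PEB read in a section that is not normally executable deserves a closer look.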

After these actions are completed, results can be saved and shown using the p option, which “prints” the results as a highly detailed text report and as JSON. By default, SHAREM shows and exports all of the significant discoveries it made; individual selections can be toggled on and off in the Printing Menu, although the default is to print everything. (These options can also be set or unset in the config file.) Use the z option to display and save all of the selections chosen in the menu. This data appears in the console and in the logs folder found at …/sharem/sharem/sharem/sharem/logs. That folder will also contain the corresponding JSON files created by SHAREM if that option was selected in the Print Menu.

Configuration File

While the SHAREM command-line interface contains many submenus and numerous custom options, these do not need to be manually set each time the tool is run, although that is possible. Instead, they can be controlled via the config file located at sharem/sharem/sharem/sharem/config.cfg. This file contains several headers corresponding to different sections of SHAREM, and each option corresponds to a menu option within the tool. A notable exception is the startup_enabled option under the “SHAREM STARTUP” header. This option, when enabled, will bypass the CLI and execute selected features automatically upon running the tool.

Rather than setting each option in the config file, options can be set via the command line interface. After the desired configuration is achieved in the SHAREM menus, it can be saved to the config file by selecting c at the main menu, allowing for changes or updates to the config to be preserved. Properly setting the configuration file to the desired settings can save a significant amount of time when analyzing multiple samples with SHAREM.

In all, the config file provides dozens of options that can be set to minimize interaction with the UI, or to bypass it entirely and simply obtain reports and disassembly with the desired settings.

[Screenshot: the emulation section of the config file]