Malwasm

Introduction

Malwasm is a command-line tool that detects the usage of WASM in websites and performs analysis to determine if the WASM files contain any malicious functions.

Requirements

  • Python 3
  • Google Chrome

Installation

git clone https://github.com/Lyc4on/Malwasm.git
cd Malwasm
pip install -r requirements.txt # Recommended to use pyenv

# Set up chrome driver for Selenium
sudo apt-get install -y curl unzip xvfb libxi6 libgconf-2-4 fonts-liberation
wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
sudo apt install ./google-chrome-stable_current_amd64.deb
rm google-chrome-stable_current_amd64.deb

Usage

Run Malwasm using wasmanalyzer.py:

# Scrape URL for wasm resources
python3 wasmanalyzer.py -u https://example.com

# Disassemble wasm binary to generate _dis.txt & _dis.wat
# _dis.wat - pseudo .wat file
# _dis.txt - contains CFG dictionary data, Module semantic profile, Functions' profile
python3 wasmanalyzer.py -d -f cryptonight.wasm

# Generate _rule.json rule file for analysis
python3 wasmanalyzer.py -gr -f cryptonight.wasm

# Deep analysis [-a 2] (Semantic Profiling) of game.wasm based on cryptonight_rule.json
python3 wasmanalyzer.py -a 2 -f game.wasm -r cryptonight_rule.json

# Generate Call Graph from wasm file
python3 wasmanalyzer.py -cg -f cryptonight.wasm

# Generate Control Flow Graph from wasm file
python3 wasmanalyzer.py -cfg -fn <function name> -f cryptonight.wasm

# Generate Data Flow Graph from wasm file
python3 wasmanalyzer.py -dfg -fn <function name> -f cryptonight.wasm

# Run YARA against the wasm file to check for malicious signatures
# Custom rules can be added to the resources/yara_rules/ directory and the program will compile them
python3 wasmanalyzer.py -y -f cryptonight.wasm

Options:
    -u          url of website to scrape wasm binaries & save in Temp folder
    -f          specify .wasm file to analyze/generate json rule
    -gr         generate json rule of -f .wasm input & save _rule.json in Output folder
    -d          disassemble .wasm & output _dis.txt, _dis.wat & save in Output folder
    -a          analyze -f .wasm based on -r rule.json & save _analysis.txt in Output folder
                -a [1, 2] - default=1, 1 = Quick Analysis, 2 = Deep Analysis
                Quick Analysis based on function's total instructions/block count
                Deep Analysis based on function's semantic profiling
    -r          specify .json rule for analysis
    -fn         specify the function name for generation of the control flow and data flow graph
    -y          specify yara malware detection program to run
    -cg         generate call graph from specified wasm file
    -cfg        generate control flow graph from specified wasm file with the specified function name
    -dfg        generate data flow graph from specified wasm file with the specified function name
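
Files saved by the -u step can be checked before they are disassembled or analyzed. The Python below is an added example, not part of Malwasm's code: it confirms a file is a WebAssembly module, walks its section table, and reports the byte size of each function body. The function names and the embedded sample module are constructed for illustration, and body sizes in bytes are only a rough stand-in for the instruction counts that Quick Analysis compares.

```python
# Section ids from the WebAssembly binary format.
SECTION_NAMES = {0: "custom", 1: "type", 2: "import", 3: "function", 4: "table",
                 5: "memory", 6: "global", 7: "export", 8: "start", 9: "element",
                 10: "code", 11: "data", 12: "datacount"}

# Constructed sample: a module exporting one function "add" (i32, i32) -> i32.
SAMPLE = bytes.fromhex("0061736d01000000" "01070160027f7f017f" "03020100"
                       "070701036164640000" "0a09010700200020016a0b")

def read_u32(buf, pos):
    """Decode an unsigned LEB128 u32 at buf[pos]; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf) or shift > 28:
            raise ValueError("truncated or over-long LEB128 integer")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def summarize_wasm(data):
    """Validate the header, walk the section table, size each function body."""
    if len(data) < 8 or data[:4] != b"\x00asm":
        raise ValueError("not a WebAssembly binary (short file or bad magic)")
    version = int.from_bytes(data[4:8], "little")
    sections, body_sizes, pos = [], [], 8
    while pos < len(data):
        sec_id = data[pos]
        size, pos = read_u32(data, pos + 1)
        end = pos + size
        if end > len(data):
            raise ValueError("section %d runs past end of file" % sec_id)
        if sec_id == 10:  # code section: count, then (body_size, body) pairs
            count, p = read_u32(data, pos)
            for _ in range(count):
                body_size, p = read_u32(data, p)
                body_sizes.append(body_size)
                p += body_size
            if p != end:
                raise ValueError("code section length does not match its bodies")
        sections.append((SECTION_NAMES.get(sec_id, "unknown"), size))
        pos = end
    return {"version": version, "sections": sections, "body_sizes": body_sizes}

if __name__ == "__main__":
    print(summarize_wasm(SAMPLE))
```

A ValueError here means the saved file is not a well-formed module (for example an HTML error page stored with a .wasm name) and is not worth passing to -d or -a.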

Sample Usage

Scrape wasm file from URL

Disassemble wasm file

Generate semantic profile rule from wasm file

Quick analysis of wasm file against generated rule

Deep analysis of wasm file against generated rule

Generate Call Graph of wasm file

Generate Control Flow Graph of specified function in wasm file

Generate Data Flow Graph of specified function in wasm file

Scan wasm file against YARA rule
