WASMShark — WebAssembly Malware Analyzer

WASMShark is a university project. It’s a WebAssembly malware analyzer combining static analysis, dynamic instrumentation, and eBPF kernel-level runtime monitoring — the first tool of its kind for WASM binary analysis.

██╗    ██╗ █████╗ ███████╗███╗   ███╗███████╗██╗  ██╗ █████╗ ██████╗ ██╗  ██╗
██║    ██║██╔══██╗██╔════╝████╗ ████║██╔════╝██║  ██║██╔══██╗██╔══██╗██║ ██╔╝
██║ █╗ ██║███████║███████╗██╔████╔██║███████╗███████║███████║██████╔╝█████╔╝
██║███╗██║██╔══██║╚════██║██║╚██╔╝██║╚════██║██╔══██║██╔══██║██╔══██╗██╔═██╗
╚███╔███╔╝██║  ██║███████║██║ ╚═╝ ██║███████║██║  ██║██║  ██║██║  ██║██║  ██╗
 ╚══╝╚══╝ ╚═╝  ╚═╝╚══════╝╚═╝     ╚═╝╚══════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝  ╚═╝
WebAssembly Malware Analyzer

Key Capabilities

• Static Analysis — Full WASM binary parser, disassembler, CFG, taint analysis

• Dynamic Analysis — Wasabi instruction-level instrumentation, state machine extraction

• Runtime Monitoring — eBPF/bpftrace kernel tracepoints, W+X memory detection

• 170+ Detection Rules — Cryptominer, ransomware, C2, dropper, credential theft

• CFG Analysis — Dominance trees, SCC, natural loops, irreducibility detection

---

Getting Started

• Installation
  • Requirements
  • Step 1 — Clone and Setup
  • Step 2 — Python Dependencies
  • Step 3 — eBPF Runtime Monitor
  • Step 4 — Wasabi Dynamic Instrumentation
  • Step 5 — Node.js and long.js
  • Step 6 — wasmtime (for eBPF demos)
  • Step 7 — Graphviz (for CFG visualization)
  • Step 8 — Generate Test Samples
  • Verify Installation
• Quick Start
  • Basic Scan
  • Full Analysis
  • Static + Dynamic Analysis
  • View Dynamic CFG
  • Directory Scan with CSV
  • Diff Two Samples
  • eBPF Runtime Monitor
  • W+X Memory Detection
  • Watch Mode

Analysis Modules

• Static Analysis
  • Binary Parser
  • Disassembler
  • CFG Builder
  • Taint Analysis
  • Entropy Analysis
  • Crypto Constant Detection
  • Scoring Engine
  • Import Fingerprinting (Imphash)
• Dynamic Analysis (Wasabi)
  • How It Works
  • Runtime Metrics Collected
  • Static ↔ Dynamic Correlations
  • Example Output
  • State Machine Extraction
  • Dynamic CFG Reconstruction
  • Supported Samples
• eBPF Runtime Monitor
  • How It Works
  • Basic Usage
  • Alert Levels
  • W+X Memory Detection Demo
  • Command Line Options
  • Runtime Report Fields
  • Threat Score Calculation
• CFG Analysis
  • Algorithms
  • Running CFG Analysis
  • Anomaly Detection
  • Module Overview Export

Detection

• Detection Rules
  • Rule Format
  • Available Conditions
  • Rule Files
  • Notable Rules
  • Writing Custom Rules
• Plugins
  • Built-in Plugins
  • Running Plugins
  • Writing Custom Plugins

Reference

• CLI Reference
  • Arguments
  • Output Options
  • Analysis Options
  • Batch Operations
  • Examples
  • Watch Mode
  • eBPF Monitor
• Output Formats
  • HTML Report
  • JSON Report
  • SARIF Report
  • CSV Report
  • Dynamic CFG DOT
• Architecture
  • Module Map
  • Data Flow
  • Plugin Interface
  • Rule Engine

---

Detection Results

Sample	Verdict	Rules Matched
sample_cryptominer.wasm	MALICIOUS 100/100	CRYPTOMINER_WASM, TOR_C2_BEACON, RANDOMX_MONERO_MINER
sample_ransomware.wasm	MALICIOUS 100/100	WASI_RANSOM_TRIAD, RANSOMWARE_KW, WASI_DROPPER
sample_obfuscated_loader.wasm	MALICIOUS 100/100	BALANCED_MALICE_OBFUSC, XOR_DECRYPTOR, INDIRECT_DISPATCHER
sample_credential_thief.wasm	MALICIOUS 100/100	WASI_DROPPER, CREDENTIAL_EXFIL
sample_browser_cryptojack.wasm	MALICIOUS 100/100	CRYPTOMINER_WASM, BROWSER_STORAGE_EXFIL
sample_clean.wasm	CLEAN 0/100	—