Installation

Requirements

Python 3.8+
Ubuntu 20.04+ (or any Linux with kernel 5.x+)
bpftrace (for eBPF runtime monitor)
Wasabi + Node.js (for dynamic instrumentation)
Graphviz (for CFG visualization)

Step 1 — Clone and Setup

git clone https://github.com/WASM-Shark/wasmshark.git
cd wasmshark

Step 2 — Python Dependencies

No pip packages required. WASMShark uses only Python standard library.

Optional for YARA integration:

pip install yara-python --break-system-packages

Step 3 — eBPF Runtime Monitor

sudo apt install bpftrace -y
sudo bpftrace -e 'BEGIN { print("bpftrace OK\n"); exit(); }'

Step 4 — Wasabi Dynamic Instrumentation

# Install Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
source ~/.cargo/env

# Clone and build Wasabi
git clone https://github.com/danleh/wasabi.git
cd wasabi/crates
cargo install --path ./wasabi
cd ../..

# Verify
wasabi --help

Step 5 — Node.js and long.js

sudo apt install nodejs npm -y
cd ~/wasmshark
npm install long

Step 6 — wasmtime (for eBPF demos)

curl https://wasmtime.dev/install.sh -sSf | bash
source ~/.bashrc
wasmtime --version

Step 7 — Graphviz (for CFG visualization)

sudo apt install graphviz -y
dot -V

Step 8 — Generate Test Samples

python3 generate_samples.py

This generates 6 synthetic test WASM binaries:

File	Size	Description
`sample_cryptominer.wasm`	697 B	SHA-256/RandomX/Keccak + .onion C2
`sample_ransomware.wasm`	1,076 B	WASI ransomware + BTC ransom + PowerShell
`sample_obfuscated_loader.wasm`	2,526 B	Indirect calls + encrypted blob + custom sections
`sample_credential_thief.wasm`	702 B	SSH/AWS/shadow + WASI + network exfil
`sample_browser_cryptojack.wasm`	1,022 B	Clipboard + cookie theft + C2
`sample_clean.wasm`	85 B	Fibonacci — clean baseline

Verify Installation

python3 wasmshark.py sample_cryptominer.wasm -q --rules ./rules/

Expected output:

MALICIOUS  malice=100.0  obfusc=37.0  confidence=54%