Plugins

WASMShark has an extensible plugin architecture. Plugins receive the complete analysis report and return additional findings.

Built-in Plugins

plugin_call_graph

Builds a function call graph and identifies suspicious call paths.

[call_graph]
total_functions: 1
suspicious_paths: [{'from_func': 5, 'reaches': 'env.sha256_block'}]
summary: 1 suspicious call paths found

Outputs a Graphviz DOT call graph with suspicious paths highlighted in red.

plugin_cfg_anomaly

Detects structural anomalies in function CFGs:

  • Unreachable basic blocks

  • High cyclomatic complexity

  • Dispatcher blocks (control flow flattening)

  • Monolithic single-block functions (possible packing)

plugin_cfg_advanced

Advanced CFG analysis using compiler algorithms:

  • Dominance tree (Lengauer-Tarjan)

  • Strongly connected components (Tarjan)

  • Natural loop detection

  • Irreducible CFG detection

  • Path count estimation

  • CFG fingerprinting

plugin_complexity_analyzer

Computes software complexity metrics per function:

  • Halstead volume and effort

  • Fan-in / fan-out

  • Opcode entropy

  • Cyclomatic complexity

[complexity_analyzer]
top_complex_functions:
  func[5]: halstead_volume=599.7  effort=1199.4  cyclomatic=1

plugin_memory_safety

Detects suspicious memory access patterns:

  • Excessive memory.grow calls (heap spray indicator)

  • Sequential bulk memory writes (encryption/wipe pattern)

  • Unchecked loop memory access (buffer overread indicator)

plugin_memory_behavior

Behavioral memory analysis:

  • Load/store ratio anomalies

  • Write-only functions (data staging)

  • Read-only functions (data scanning)

  • Cross-region memory movement

plugin_opcode_anomaly

Statistical anomaly detection on opcode frequency distributions using KL-divergence. Functions whose opcode distribution deviates significantly from the module baseline are flagged.
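
The check described above, written out as an added illustration; this is not WASMShark's own code. The per-function opcode lists are constructed sample data, and the 1.0-bit threshold, the additive smoothing constant and the minimum opcode count are assumptions chosen for the sample.

```python
import math
from collections import Counter

# Constructed sample: function index -> opcode mnemonics (not from a real module).
SAMPLE = {
    0: ["local.get", "local.get", "i32.add", "local.set", "call", "return"] * 10,
    1: ["local.get", "i32.const", "i32.add", "local.set", "call", "return"] * 10,
    2: ["local.get", "local.get", "i32.add", "local.set", "br_if", "return"] * 10,
    3: ["i32.xor", "i32.rotl", "i32.xor", "i32.shl", "i32.xor", "i32.store8"] * 10,
}


def kl_divergence(p, q):
    """D_KL(P || Q) in bits; q must be non-zero wherever p is non-zero."""
    return sum(pv * math.log2(pv / q[op]) for op, pv in p.items() if pv > 0)


def distribution(counts, vocab, alpha):
    """Additively smoothed probability of every opcode in vocab."""
    total = sum(counts.values()) + alpha * len(vocab)
    return {op: (counts.get(op, 0) + alpha) / total for op in vocab}


def opcode_anomalies(functions, threshold=1.0, alpha=0.5, min_ops=16):
    """Return {func_index: divergence} for functions far from the module baseline."""
    per_func = {idx: Counter(ops) for idx, ops in functions.items()}
    module = Counter()
    for counts in per_func.values():
        module.update(counts)
    vocab = sorted(module)
    # Smoothing keeps every baseline probability non-zero, so the
    # divergence stays finite for opcodes a function never uses.
    baseline = distribution(module, vocab, alpha)
    flagged = {}
    for idx, counts in per_func.items():
        if sum(counts.values()) < min_ops:
            continue  # too few opcodes for a stable frequency estimate
        score = kl_divergence(distribution(counts, vocab, alpha), baseline)
        if score > threshold:
            flagged[idx] = round(score, 3)
    return flagged


if __name__ == "__main__":
    print(opcode_anomalies(SAMPLE))
```

On the sample, only function 3 (the xor/rotate/store loop) exceeds the threshold. Small functions are skipped because a handful of opcodes always looks divergent from a module-wide baseline.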

plugin_string_deobfuscator

Attempts to decode obfuscated strings using:

  • Base64 decoding

  • Hex decoding

  • ROT13

  • Single-byte XOR brute force

  • URL decoding

Running Plugins

# Run all plugins
python3 wasmshark.py sample.wasm \
  --plugins ./plugins/ --rules ./rules/

# Run specific plugins (remove the unwanted .py files from plugins/ first)
python3 wasmshark.py sample.wasm \
  --plugins ./plugins/

Writing Custom Plugins

Create a Python file in plugins/ that defines a WASMPlugin class. Its analyze() method receives the AnalysisReport and returns a dict of results:

from wasmshark_core import AnalysisReport

class WASMPlugin:
    name        = "my_plugin"
    description = "My custom analysis plugin"
    version     = "1.0"

    def analyze(self, report: AnalysisReport) -> dict:
        # Access report fields
        functions = report.functions
        imports   = report.imports
        findings  = report.findings

        # Return results dict
        return {
            "my_metric": 42,
            "summary":   "Plugin analysis complete"
        }

Available report fields:

report.filename          # str
report.file_size         # int
report.sha256            # str
report.functions         # List[FunctionAnalysis]
report.imports           # List[ImportEntry]
report.exports           # List[ExportEntry]
report.strings           # List[str]
report.iocs              # List[Tuple[str,str]]
report.crypto_hits       # List[Dict]
report.findings          # List[Finding]
report.matched_rules     # List[Dict]
report.malice_score      # float
report.obfuscation_score # float
report.verdict           # str
report.imphash           # str
report.dead_functions    # List[int]