{
	"id": "b0c59573-063d-41e1-90d2-4840b5087068",
	"created_at": "2026-04-06T00:13:16.244546Z",
	"updated_at": "2026-04-10T03:21:58.808697Z",
	"deleted_at": null,
	"sha1_hash": "081a9b812264e1b3d408c116d0f157688f3545eb",
	"title": "Defeating Guloader Anti-Analysis Technique",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 736407,
	"plain_text": "Defeating Guloader Anti-Analysis Technique\r\nBy Mark Lim\r\nPublished: 2022-10-28 · Archived: 2026-04-05 21:17:45 UTC\r\nExecutive Summary\r\nUnit 42 researchers recently discovered a Guloader variant that contains a shellcode payload protected by anti-analysis techniques meant to slow down human analysts and sandboxes processing the sample. To help speed up analysis of this sample and others like it, we are providing a complete Python script, available on GitHub, that deobfuscates the Guloader sample.\r\nIn early September 2022, we discovered a Guloader variant with low VirusTotal detection. Guloader (also known as CloudEye) is a malware downloader first discovered in December 2019.\r\nWe analyzed the control flow obfuscation technique used by this Guloader sample in order to create an IDA Processor module extension script that lets researchers deobfuscate the sample automatically. The script can also be applied to other malware families, such as Dridex, that use similar anti-analysis techniques.\r\nPalo Alto Networks customers receive protections from malware families using similar anti-analysis techniques with Cortex XDR or the Next-Generation Firewall with cloud-delivered security services, including WildFire and Advanced Threat Prevention.\r\nGuloader Control Flow Obfuscation Technique\r\nThe Guloader sample in question uses a control flow obfuscation technique to hide its functionality and evade detection. The technique impedes both static and dynamic analysis.\r\nFirst, let’s look at how it hampers static analysis. In short, the sample inserts CPU instructions that trigger exceptions; a disassembler that follows the bytes linearly, without knowing how the exception is handled, produces an unintelligible listing.\r\nAfter peeling away the packer layer of our Guloader sample, we see that its code is obfuscated. 
Using static analysis tools such as IDA Pro, we observe many 0xCC bytes (int3 instructions) littered throughout the sample, as shown in Figure 1. Each 0xCC byte is followed by junk bytes. The disassembler does not know that control never reaches them, so it decodes the junk as if it were real code, and the listing after each 0xCC is wrong.\r\nhttps://unit42.paloaltonetworks.com/guloader-variant-anti-analysis/\r\nPage 1 of 6\n\nFigure 1. Obfuscated code blocks.\r\n0xCC is the one-byte encoding of the int3 instruction. Executing it raises the breakpoint exception EXCEPTION_BREAKPOINT (0x80000003), which suspends normal execution of the thread. Windows dispatches the exception to the registered vectored exception handler before execution continues, and that handler is responsible for moving the instruction pointer to the correct address, so the junk bytes after the 0xCC are never executed.\r\nThe same 0xCC bytes also defeat dynamic analysis under a debugger. Debuggers implement software breakpoints by writing 0xCC into the code, and an attached debugger receives breakpoint exceptions before the process does, so it treats the sample’s own int3 instructions as breakpoints and handles the exception instead of the sample’s handler. Unless the debugger is configured to pass breakpoint exceptions on to the debuggee, the instruction pointer is never corrected, execution runs into the junk bytes, and the Guloader sample crashes.\r\nBefore we can understand what the handler function does, we have to locate its address.\r\nGuloader registers the handler with the AddVectoredExceptionHandler function, as shown in Figure 2. The second argument of AddVectoredExceptionHandler is a pointer to the handler function.\r\nFigure 2. Function prototype of AddVectoredExceptionHandler.\r\nUsing a debugger, as shown in Figure 3, we locate the address of the handler function registered by the Guloader sample; with that address we can examine its code. Notably, the handler is registered with the First argument set to 1, meaning it is placed at the head of the vectored handler list and is the first handler to be invoked.\r\nFigure 3. 
Debugging the call to AddVectoredExceptionHandler in the Guloader sample.\r\nAnalyzing the Vectored Exception Handler Function\r\nThe first step in analyzing the handler function is to apply its type information, as shown in Figure 4.\r\nFigure 4. Type information for the handler function.\r\nNext, we apply the type information for the three Windows data structures used by the handler function (shown in Figure 5); a vectored exception handler receives a pointer to an EXCEPTION_POINTERS structure, which in turn points to the EXCEPTION_RECORD describing the exception and the CONTEXT holding the faulting thread’s registers, including its instruction pointer.\r\nFigure 5. Type information of three Windows data structures to be applied on the handler function.\r\nWith the type information applied, we can examine how the function handles the exceptions caused by the 0xCC bytes. Figure 6 shows the decompiled handler function (Func_VectoredExceptionHandler) annotated with comments.\r\nFigure 6. Decompiled handler function.\r\nThe handler function begins with anti-debugging checks and terminates execution when hardware or software breakpoints are found. Next, it computes the jump offset by XOR-decoding the byte that follows the 0xCC byte with 0xA9. Finally, it adds that offset to the instruction pointer saved in the context and resumes execution, so control continues at the adjusted address rather than at the junk bytes that follow the 0xCC.\r\nOnce we understand how the obfuscation works, we can identify the legitimate instructions and discard the unwanted ones, as shown in Figure 7.\r\nFigure 7. 
Labeled code block.\r\nTo deobfuscate the Guloader sample completely, we replace each 0xCC byte with a JMP short opcode (0xEB) and the byte that follows it with the decoded offset value, so that the static listing takes the same path the exception handler takes at run time. Only 0xCC bytes at instruction boundaries should be patched: a 0xCC can also occur legitimately inside an immediate or displacement, and patching those would corrupt real instructions.\r\nBecause doing this manually is time consuming, in the next section we show how to write an IDA Processor module extension to automate the deobfuscation.\r\nWriting an IDA Processor Module Extension\r\nIDA Processor module extensions let us influence the disassembler logic in IDA Pro. Written in IDAPython, they let us filter and manipulate how IDA Pro disassembles the instructions in the sample.\r\nThe Python script overrides the ev_ana_insn callback of the IDP_Hooks class, which IDA invokes before it analyzes each instruction. The callback first checks whether the byte at the current instruction address is 0xCC. If so, it replaces that byte with the JMP short opcode (0xEB) and the following byte with the decoded offset value; IDA then disassembles the patched bytes as a jump. Because the callback runs only at addresses IDA treats as instruction starts, 0xCC bytes inside operands are left alone.\r\nFigure 8 shows the function in the Python script where this deobfuscation is implemented.\r\nFigure 8. Extending ev_ana_insn() to deobfuscate the sample.\r\nAfter applying the Python script, IDA Pro deobfuscates the Guloader sample automatically, as shown in Figure 9.\r\nFigure 9. Obfuscated code (left) and the same code block after deobfuscation (right).\r\nConclusion: Malware Analysts vs. Malware Authors\r\nMalware authors often include obfuscation techniques, hoping to increase the time and resources malware analysts need to process their creations. 
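The patching rule from the sections above, written out as an added, runnable example (this is not the Unit 42 script, whose code appears only in the article’s figures): a pure-Python model that rewrites each int3 marker into a JMP short and reports the junk each jump steps over, plus the same rule expressed as an IDP_Hooks.ev_ana_insn extension for use inside IDA Pro. The byte sample is constructed by hand, and the IDAPython calls used (ida_idp.IDP_Hooks, ida_bytes.get_byte, ida_bytes.patch_byte) are assumed here rather than taken from the published script.

```python
# Added example: a model of the 0xCC -> JMP short patch the article describes.  Not the
# Unit 42 script; the IDA hook at the bottom is written from the IDAPython API as assumed
# here, and the sample bytes are constructed by hand to exercise the rule.
import struct

INT3 = 0xCC        # one-byte int3 opcode used as the obfuscation marker
JMP_SHORT = 0xEB   # JMP rel8 opcode it is rewritten to
XOR_KEY = 0xA9     # key the handler XORs the following byte with (from the article)


def decode_offset(enc: int, key: int = XOR_KEY) -> int:
    # The handler's decode step: XOR the byte after the int3, read it as a signed rel8.
    return struct.unpack('<b', bytes([enc ^ key]))[0]


def encode_offset(rel: int, key: int = XOR_KEY) -> int:
    # Inverse of decode_offset; only used to build the constructed sample below.
    return (rel & 0xFF) ^ key


def patch_int3(buf: bytearray, off: int, key: int = XOR_KEY) -> int:
    # Rewrite the int3/encoded-byte pair at `off` into EB rel8 in place and return the
    # buffer offset the jump lands on.  For JMP short the target is the address of the
    # next instruction (off + 2) plus the signed displacement.
    if buf[off] != INT3:
        raise ValueError(f'no int3 at offset {off:#x}')
    rel = decode_offset(buf[off + 1], key)
    buf[off] = JMP_SHORT
    buf[off + 1] = rel & 0xFF
    return off + 2 + rel


def deobfuscate(code: bytes, key: int = XOR_KEY):
    # Sweep the buffer, patching every int3 pair.  Returns (patched bytes, jumps, junk) where
    # jumps is [(offset of patched jump, target offset)] and junk is the byte ranges a forward
    # jump skips.  After a forward jump the scan resumes at its target, so a 0xCC sitting in
    # skipped junk is not mistaken for another marker; a 0xCC inside a real instruction's
    # operand would still be patched, which is why the IDA hook below, which only sees
    # instruction starts, is the safer tool on a real binary.
    buf = bytearray(code)
    jumps, junk = [], []
    i = 0
    while i + 1 < len(buf):
        if buf[i] != INT3:
            i += 1
            continue
        target = patch_int3(buf, i, key)
        jumps.append((i, target))
        if target > i + 2:
            junk.append((i + 2, target))
            i = target
        else:
            i += 2
    return bytes(buf), jumps, junk


def build_sample() -> bytes:
    # Constructed x86 snippet laid out like the obfuscated blocks in the article:
    # marker pair, junk the jump steps over, then the real instruction.
    return b''.join([
        bytes([INT3, encode_offset(3)]),   # 0x00: becomes 'jmp +3' -> 0x05
        bytes.fromhex('0f0b0c'),           # 0x02: junk, never executed
        bytes.fromhex('b801000000'),       # 0x05: mov eax, 1
        bytes([INT3, encode_offset(2)]),   # 0x0a: becomes 'jmp +2' -> 0x0e
        bytes.fromhex('cc90'),             # 0x0c: junk that itself contains a 0xCC byte
        bytes.fromhex('31c9'),             # 0x0e: xor ecx, ecx
        bytes([INT3, encode_offset(0)]),   # 0x10: becomes 'jmp +0' -> 0x12 (no junk)
        bytes.fromhex('c3'),               # 0x12: ret
    ])


try:  # IDAPython modules exist only inside IDA Pro; everything above runs anywhere.
    import ida_idp
    import ida_bytes
except ImportError:
    ida_idp = ida_bytes = None


def install_ida_hook():
    # Processor-module extension applying the same rule as IDA analyzes each instruction.
    # The hook shape (IDP_Hooks.ev_ana_insn, ida_bytes.patch_byte) is assumed here, not
    # taken from the Unit 42 script.  Keep the returned object alive or the hook is removed.
    if ida_idp is None:
        raise RuntimeError('not running inside IDA Pro')

    class Int3ToJmpHook(ida_idp.IDP_Hooks):
        def ev_ana_insn(self, insn):
            ea = insn.ea
            if ida_bytes.get_byte(ea) == INT3:
                ida_bytes.patch_byte(ea, JMP_SHORT)
                ida_bytes.patch_byte(ea + 1, ida_bytes.get_byte(ea + 1) ^ XOR_KEY)
            return 0  # 0: let IDA's own x86 analyzer decode the now-patched bytes

    hook = Int3ToJmpHook()
    hook.hook()
    return hook


if __name__ == '__main__':
    sample = build_sample()
    patched, jumps, junk = deobfuscate(sample)
    print('before:', sample.hex(' '))
    print('after: ', patched.hex(' '))
    for src, dst in jumps:
        print(f'jmp short at {src:#04x} -> {dst:#04x}')
    print('junk ranges skipped:', [(f'{a:#04x}', f'{b:#04x}') for a, b in junk])
```

Run the file directly to see the before and after bytes and the recovered jump targets; inside IDA, import it and call install_ida_hook(), keeping the returned object referenced for as long as the hook should stay active. A useful sanity check before trusting a patched listing is that every recovered jump lands inside the code section at an address IDA already treats as an instruction start.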
Using the steps above, you can reduce the time needed to analyze Guloader samples, as well as samples of other families that use similar techniques.\r\nPalo Alto Networks customers receive protections from malware families using similar anti-analysis techniques with Cortex XDR or the Next-Generation Firewall with cloud-delivered security services, including WildFire and Advanced Threat Prevention.\r\nIndicators of Compromise\r\nSQ21002728.IMG:\r\nSHA256: fb8e52ec2e9d21a30d7b4dee8721d890a4fbec48103a021e9c04dfb897b71060\r\nSQ21002764\r\nSQ21002728.vbs:\r\nSHA256: 56cdfaa44070c2ad164bd1e7f26744a2ffe54487c2d53d3ae318d842c6f56178\r\nSQ21002764\r\nSource: https://unit42.paloaltonetworks.com/guloader-variant-anti-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/guloader-variant-anti-analysis/"
	],
	"report_names": [
		"guloader-variant-anti-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434396,
	"ts_updated_at": 1775791318,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/081a9b812264e1b3d408c116d0f157688f3545eb.pdf",
		"text": "https://archive.orkl.eu/081a9b812264e1b3d408c116d0f157688f3545eb.txt",
		"img": "https://archive.orkl.eu/081a9b812264e1b3d408c116d0f157688f3545eb.jpg"
	}
}