{
	"id": "bb7f4d23-e2c7-491f-9dc1-645f19e9f275",
	"created_at": "2026-04-06T00:11:58.842206Z",
	"updated_at": "2026-04-10T03:21:20.075713Z",
	"deleted_at": null,
	"sha1_hash": "4e6b146cbad1bea7acf22d02dde53dfdf1177a9b",
	"title": "GuLoader’s Anti-Analysis Techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2030638,
	"plain_text": "GuLoader’s Anti-Analysis Techniques\r\nBy Hido Cohen\r\nPublished: 2021-06-29 · Archived: 2026-04-05 23:20:36 UTC\r\nGuLoader is a VB5/6 shellcode-based downloader that uses many anti-analysis techniques to make our lives, as malware researchers, much harder. In this post, I’ll show you how I reverse engineered the loading mechanism and explain the different anti-analysis methods used.\r\nWorking with Visual Basic\r\nVisual Basic isn’t the most pleasant language to reverse engineer. It interacts with only one DLL, MSVBVM60.DLL, and has a different structure than C, C++ or any other well-known programming language. Fortunately, there is an IDC script for IDA written by Reginald Wong which parses the VB headers and identifies the form event functions.\r\nFigure: Event functions\r\nWhere’s VirtualAlloc?\r\nIt isn’t new that VB malware is sometimes used to inject other malicious code (a PE or shellcode). So, I decided to set a breakpoint on VirtualAlloc and see if this malware is also part of that group. And indeed, I noticed that shellcode is being written into a newly allocated memory section.\r\nLooking at the code in IDA, I didn’t see any reference to VirtualAlloc, which means that the function is resolved dynamically. I located the function call in my debugger and moved back to IDA to get a better understanding of what happened.\r\nThe first thing I noticed is that the malware uses the following techniques to hinder analysis:\r\nA large number of JMPs\r\nhttps://hidocohen.medium.com/guloaders-anti-analysis-techniques-e0d4b8437195\r\nPage 1 of 13\r\nInflating the code with redundant instructions, for example pushfd followed by popfd, and mov ebx, ebx\r\nValues obfuscated using precomputed calculations\r\nFigure: Magic bytes and first import address calculation\r\nThe VirtualAlloc resolution process is:\r\n1. Calculate the address of the first import from MSVBVM60.dll (as shown in the figure above)\r\n2. Locate VirtualAlloc inside MSVBVM60.dll’s import table. This is done by searching backward from the function address found in step (1) for the magic value calculated in the figure above. Once the base address is found, the malware adds the hardcoded value 0x10CC, which points to the VirtualAlloc import table entry\r\n3. Copy the address of VirtualAlloc from the import table\r\nShellcode’s Decryption and Execution\r\nThe shellcode is stored encrypted inside a global variable, which is copied into the newly created section.\r\nFigure: Load the encrypted shellcode’s address into ESI in an unusual way\r\nThen, the malware decrypts the shellcode:\r\nFigure: XOR decryption\r\nFinally, the malware jumps to the new section’s address and starts executing the shellcode.\r\nShellcode Analysis\r\nLooking at the strings inside the shellcode suggests that the shellcode also uses some kind of string obfuscation and dynamic function loading/resolving:\r\nC:\\Program Files\\Qemu-ga\\qemu-ga.exe\r\nC:\\Program Files\\qga\\qga.exe\r\nMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nSet W = CreateObject(\"WScript.Shell\")\\r\\nSet C = W.Exec (\"\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\nMsi.dll\r\nwininet.dll\r\nPublisher\r\nkernel32\r\nadvapi32\r\nuser32\r\nntdll\r\nshell32\r\nwindir=\r\nmsvbvm60.dll\r\n\\syswow64\\\r\n\\METEROLO\r\nBefore continuing my research, I wanted to understand if and how the malware resolves those obfuscated strings and functions. I saw that the malware uses the DJB hashing algorithm:\r\nFigure: DJB hash function — source code vs. malware implementation\r\nUsing that hashing algorithm, the malware parses the PE headers of the requested DLL and looks for the function name hash in the export table:\r\nFigure: Loop over every export table entry and look for a name with the matching hash\r\nAfter labeling the function responsible for dynamic function loading and the hash function, I was ready to move on and reveal the different anti-analysis techniques used by the malware.\r\nAnti-Analysis Techniques\r\nRunning the malware without any changes results in the following message:\r\nFigure: Error message — VM/Debugger detected\r\nAnd the malware terminates itself.\r\nHow did it find out that it is running inside a VM or that there’s a debugger attached?\r\n#1 — VM Detection 1 — Memory Scan\r\nThe malware scans the process’s virtual address space using the ZwQueryVirtualMemory WinAPI and compares what it finds against pre-calculated string hashes (again, using the DJB hash function).\r\nFigure: Memory scan routine\r\nOnce the malware detects one of the following string hashes, it displays the message box and terminates itself.\r\n0x2D9CC76C\r\n0xDFCB8F12\r\n0x27AA3188\r\n0xF21FD920\r\n0x3E17ADE6\r\n0xA7C53F01 // \"VBoxTrayToolWndClass\"\r\n0x7F21185B // \"HookLibraryx86.dll\"\r\n0xB314751D // \"vmtoolsdControlWndClass\"\r\n#2 — VM Detection 2 — Hypervisor Feature Bit\r\nIn this method, the malware executes the cpuid instruction with EAX=1. The feature flags are then returned in ECX and EDX, where bit 31 of ECX is the hypervisor feature bit.\r\nThe hypervisor feature bit indicates that a hypervisor is present, which means this bit is always zero on physical CPUs.\r\nFigure: Check bit 31 of ECX after the CPUID instruction\r\n#3 — VM Detection 3 — QEMU Guest Agent\r\nThe malware checks if QEMU-related files exist on the infected system:\r\nFigure: Check if the file can be opened\r\nIt looks for the following files:\r\nC:\\Program Files\\Qemu-ga\\qemu-ga.exe\r\nC:\\Program Files\\qga\\qga.exe\r\n#4 — Anti-Sandbox 1 — RDTSC Wrapper\r\nThe rdtsc instruction returns the number of CPU ticks since the processor was reset, which can be used as a sandbox/VM detection mechanism.\r\nIn the case of this malware, as we can see at #2, if the two readings are the same, the malware enters an endless loop.\r\n#5 — Anti-Sandbox 2 — Windows Enumeration\r\nThe malware uses the EnumWindows WinAPI to count the top-level windows on the system; if the number is lower than 12, it calls TerminateProcess.\r\n#6 — Anti-Sandbox 3 — Long Delays\r\nThe malware calls the same function many times to extend the program’s execution time before revealing its real intentions. For example:\r\nFigure: Calling the same function 100,000 times\r\nThis technique is used to evade sandboxes, since they are usually time-limited.\r\n#7 — Anti-Attaching — Patch Important Functions\r\nThe malware patches DbgBreakPoint and DbgUiRemoteBreakin, which are used by debuggers, thereby disrupting their operation.\r\nFigure: Change protection and patch functions\r\nBefore patching the functions, the malware needs to change the page protection of ntdll.dll to RWX.\r\nThen, the malware writes 0x90 (NOP) into DbgBreakPoint and a call to kernel32!ExitProcess into DbgUiRemoteBreakin.\r\nFigure: The patched functions\r\n#8 — Defense Evasion — WinAPI Function Hook Removal\r\nSecurity products (AV, EDR, etc.) usually insert a JMP instruction in the first 5 bytes of WinAPI functions so that their code executes before the real function is called. This gives them better control over the process’s actions.\r\nThe malware searches for known syscall stub patterns inside ntdll; for example, in the figure below we can see that the malware searches for the pattern:\r\nB8 ?? ?? ?? ??\r\nB9 ?? ?? ?? ??\r\n8D 54 24 04\r\nFigure: Unhooking routine\r\nThis pattern matches, for example, the ZwReleaseMutant function:\r\nFigure: ZwReleaseMutant pattern\r\nAs we can see, after the malware finds the pattern, it extracts the syscall number and restores the function to its original structure.\r\n#9 — Anti-Analysis — Check Installed Software and Running Services\r\nThe malware uses the MsiEnumProduct and MsiGetProductInfo functions to iterate over the software installed on the system.\r\nFor each installed product, the malware checks whether its Publisher is on the malware’s blacklist.\r\nFigure: Publisher blacklisting\r\nThe same is done with running services:\r\nFigure: Services blacklisting\r\nThe malware enumerates the running services and searches for the following service name hashes (probably security products):\r\n0x30871D6D\r\n0xD03596C8\r\n0x1B7912B2\r\n#10 — Anti-Debugging 1 — Protected Function Calls\r\nThe malware implements a wrapper for Win32 API function calls which performs checks before calling the actual function:\r\nFigure: Checks the malware does before calling a certain function\r\nUsing NtGetThreadContext, the malware checks for hardware breakpoints (by inspecting the DRx register values) and for software breakpoints (represented by 0xCC, 0x3CD and 0xB0F).\r\nThe arguments to the Win32 API function were pushed onto the stack earlier.\r\n#11 — Anti-Debugging 2 — ThreadHideFromDebugger\r\nThe malware calls NtSetInformationThread with the THREADINFOCLASS.ThreadHideFromDebugger flag.\r\n#12 — Anti-Debugging 3 — ProcessDebugPort\r\nThe malware uses ZwQueryInformationProcess to detect if a debugger is attached to the process.\r\nAccording to MSDN:\r\nRetrieves a DWORD_PTR value that is the port number of the debugger for the process. A nonzero value indicates that the process is being run under the control of a ring 3 debugger.\r\nConclusions\r\nGuLoader implements many anti-analysis techniques and uses a variety of methods that make analysis harder. After reading this post, you have the knowledge to overcome those techniques. They are used in many other malware families, which you will now be able to identify in your research.\r\nHope you found this post useful :)\r\nSource: https://hidocohen.medium.com/guloaders-anti-analysis-techniques-e0d4b8437195",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hidocohen.medium.com/guloaders-anti-analysis-techniques-e0d4b8437195"
	],
	"report_names": [
		"guloaders-anti-analysis-techniques-e0d4b8437195"
	],
	"threat_actors": [],
	"ts_created_at": 1775434318,
	"ts_updated_at": 1775791280,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e6b146cbad1bea7acf22d02dde53dfdf1177a9b.pdf",
		"text": "https://archive.orkl.eu/4e6b146cbad1bea7acf22d02dde53dfdf1177a9b.txt",
		"img": "https://archive.orkl.eu/4e6b146cbad1bea7acf22d02dde53dfdf1177a9b.jpg"
	}
}