{
	"id": "30892b57-2e0f-43e9-8418-8e7129d84c15",
	"created_at": "2026-04-06T00:21:39.916651Z",
	"updated_at": "2026-04-10T03:21:20.594882Z",
	"deleted_at": null,
	"sha1_hash": "d2b34aa366ab7e34d9f5c505c2d05661cd0c7f7e",
	"title": "Guloader Deobfuscation using Ghidra",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 190989,
	"plain_text": "Guloader Deobfuscation using Ghidra\r\nBy irfan_eternal\r\nPublished: 2023-07-23 · Archived: 2026-04-05 23:16:46 UTC\r\nHi all, Today we will be Analyzing Guloader Shellcode using Ghidra. Our Objective is to Identify some Anti-analysis and\r\nObfuscation techniques used by Guloader and Defeat it using Automation. People who would like to follow along can\r\ndownload the sample from here . The File was was seen on 2023-05-11\r\nThe Shellcode is using API hashing to hide API’s being called. For Each API Resolving it first resolves LdrLoadDll add 5 to\r\nit’s address to avoid any Hooking done by EDR .Adding 5 to the API address is to avoid the classic 5 Byte Hook.Most EDR\r\nreplaces first first bytes with a jump to EDR’s code. It then use this address to Load the DLL. after Loading the DLL . it\r\nresolves the hash of the API it needs to call\r\nAPI Hashing function is the same as we see in the wild. it goes to the Export Directory of the DLL Loaded and performs\r\nHashing of all API name’s till the hashes match .if the hashes match it stores the Address of the API\r\nhttps://irfan-eternal.github.io/guloader-deobfuscation-using-ghidra/\r\nPage 1 of 10\n\nHashing Algorithm : In the past Guloader was using just DJB2 hash . Now it xors the result of djb2 hash with a hardcoded\r\nvalue to perform API Hashing\r\nhttps://irfan-eternal.github.io/guloader-deobfuscation-using-ghidra/\r\nPage 2 of 10\n\nI wrote a python script to identify the Hashes of the API’s used by the past Guloaders to identify the Functionalities of the\r\nCode\r\n 1\r\n 2\r\n 3\r\n 4\r\n 5\r\n 6\r\n 7\r\n 8\r\n 9\r\n10\r\n11\r\n12\r\n13\r\n14\r\nval = 0x1505\r\nAPIstrings = [\"NtGetContextThread\", \"RtlAddVectoredExceptionHandler\", \"NtAllocateVirtualMemory\", \"DbgUIRemoteBreakIn\", \"LdrLoadDll\", \"Dbg\r\n \"NtResumeThread\", \"NtProtectVirtualMemory\", \"CreateProcessInternal\", \"GetLongPathNameW\", \"Sleep\", \"NtCreateThreadEx\", \"WaitF\r\n \"RegCreateKeyExA\",\"RegSetValueExA\", \"NtQueryInformationProcess\", \"InternetOpenA\", \"InternetSetOptionA\", \"InternetOpenUrlA\",\r\nfor APIstring in APIstrings:\r\n val = 0x1505\r\n for ch in instring:\r\n val += ((val \u003c\u003c5))\r\n val \u0026= 0xFFFFFFFF\r\n val += ord(ch)\r\n val \u0026= 0xFFFFFFFF\r\n val ^= 0x8131A1\r\n print(APIstring+\" : \"+hex(val))\r\nhttps://irfan-eternal.github.io/guloader-deobfuscation-using-ghidra/\r\nPage 3 of 10\n\nBefore Calling the API it performs some Checks to make sure it is not being Debugged\r\nIt compares the first few bytes of the API address with a) CC b) INT 3 c) UD2 to check if it’s being Debugged. if this is not\r\nthe case it calls the API\r\nhttps://irfan-eternal.github.io/guloader-deobfuscation-using-ghidra/\r\nPage 4 of 10\n\nControl Flow Obfuscation using Vectored Exception Handling\r\nTo Obfuscate the Control Flow it uses RtlAddVectoredExceptionHandler to register a vectored Exception Handler. If the\r\nException raised is any of below three cases it changes the EIP by an XOR operation\r\n1. EXCEPTION_ACCESS_VIOLATION while accessed memory Address is 0\r\n2. EXCEPTION_SINGLE_STEP (Single Stepping )\r\n3. EXCEPTION_BREAKPOINT (Software Break Point - CC)\r\nIf it is EXCEPTION_BREAKPOINT it calculates the value of the EIP by this expression EIP = EIP + *(EIP+1) ^ 6A\r\n(Changes with sample)\r\nIf it is EXCEPTION_ACCESS_VIOLATION or EXCEPTION_SINGLE_STEP it calculates the value of the EIP by this\r\nexpression EIP = EIP + *(EIP+2) ^ 6A (Changes with sample) .\r\nhttps://irfan-eternal.github.io/guloader-deobfuscation-using-ghidra/\r\nPage 5 of 10\n\nIn the Vectored Exception Handler function it also checks if any Dynamic anyalsis is being performed by Checking if any\r\nhardware breakpoint is set using ContextRecord a member of _EXCEPTION_POINTERS\r\nTo Understand Vectored Exception in Detail i would suggest to read this article\r\nhttps://irfan-eternal.github.io/guloader-deobfuscation-using-ghidra/\r\nPage 6 of 10\n\nAll the Important strings including the C2 URL is Encrypted using XOR. The Encrypted strings are created by Performing a\r\nlot of Mathematical Expression(not Hardcoded).After Encryption String is Fully Created . The first Dword contains the\r\nlength of the Encrypted string. then what follows is the Encrypted string. The Address of the Encrypted string is given as\r\nparameter to the String Decrpyion preperation Function. It store the Encrypted String length in a Varaible. And changes the\r\nFirst Dword to a Dummy Value . After that increments the Address of Encrypted String by a dword now it points to the\r\nActual start of the String. Encrypted_string and the Encrypted String length is given an paramerers to the next Function\r\ncalled which is a wrapper around the string decryption function\r\nThe wrapper function passes the Encrypted_string, Encrypted String length and the Key. The key is actually stored in the\r\nreturn address of the wrapper function\r\nhttps://irfan-eternal.github.io/guloader-deobfuscation-using-ghidra/\r\nPage 7 of 10\n\nThe Decrytion Algorithm is a Simple XOR were Encrypted string is calculated by Mathematical Expression and key is\r\nstored in the the return address of the wrapper function\r\nhttps://irfan-eternal.github.io/guloader-deobfuscation-using-ghidra/\r\nPage 8 of 10\n\nAnalyzing the shellcode dynamically will be very tiring because it has multiple checks for Anti-Analysis . Static Analysis\r\nwill also take much time due to Control Flow Obfusucation. So I wrote 2 Scripts to help in this Analysis . one is to\r\nDeobfuscate the Control Flow and the other is to Decrypt the Strings\r\nPlease Follow the Below Steps to Reduce your time on Guloader\r\n1. Import the Shellcode to Ghidra\r\n2. Disassemble (Key Binding D) the Start of the Shell code\r\n3. Run the Guloader_deobfusucate.py script Providing the Decryption Key and key for EIP modification\r\n4. Run the Gu_string_decryption.py script Providing the Decryption Key\r\nNOTE: For Both Cases Provide the keys as Hex String with out Ox Example if the key is 0x6A Provide it as 6A. My\r\nScripts are not the best way to Achieve this . Note to Self need to improve to write better code\r\nAfter these Steps the Control Flow will be Deobfusucated and Decrypted Strings and Payload key will be printed in the\r\nConsole . If you have a closer look at the below image you will see the C2 URl will not be starting with http:// this is to\r\nprevent it from XOR Bruteforcing\r\nhttps://irfan-eternal.github.io/guloader-deobfuscation-using-ghidra/\r\nPage 9 of 10\n\nI Have only Checked one sample with the scripts .Feel free to use it with Other Guloader Shell Code and let me know if you\r\nare able to see the Decrypted strings\r\nFile SHA1 : 992d98aa6f31ae6f8f42fac9866a19c2a2f879be\r\n1. SonicWall\r\n2. CheckPoint\r\n3. AnyRun\r\nSource: https://irfan-eternal.github.io/guloader-deobfuscation-using-ghidra/\r\nhttps://irfan-eternal.github.io/guloader-deobfuscation-using-ghidra/\r\nPage 10 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://irfan-eternal.github.io/guloader-deobfuscation-using-ghidra/"
	],
	"report_names": [
		"guloader-deobfuscation-using-ghidra"
	],
	"threat_actors": [],
	"ts_created_at": 1775434899,
	"ts_updated_at": 1775791280,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2b34aa366ab7e34d9f5c505c2d05661cd0c7f7e.pdf",
		"text": "https://archive.orkl.eu/d2b34aa366ab7e34d9f5c505c2d05661cd0c7f7e.txt",
		"img": "https://archive.orkl.eu/d2b34aa366ab7e34d9f5c505c2d05661cd0c7f7e.jpg"
	}
}