Home
Artists
Search Recent Random
Posts
Search DMs Popular Hash Lookup Tags Random
Importer
Import FAQ
Register
Partychan Matrix ThePornDude
Home Artists Posts Import Register
Patreon importer is back online! Tell your friends ✅

Live Stream VOD: Dumpulator vs. Guloader VEH Obfuscation (Patreon)

Published:
2023-01-26 19:17:48
Imported:
2023-09

Content

In this twitch stream we take another look at Guloader's VEH obfuscation using Dumpulator. With Dumpulator we are able to bypass the obfuscation to extract the encrypted strings, as well as create a simple instruction color trace in IDA to identify the program flow.

Sample

E3A8356689B97653261EA6B75CA911BC65F523025F15649E87B1AEF0071AE107

Notes

Dumpulator VEH 

Files

Live Stream VOD: Dumpulator vs. Guloader

This is "Live Stream VOD: Dumpulator vs. Guloader" by OALABS on Vimeo, the home for high quality videos and the people who love them.

Comments

m4n0w4r

I saw c3rb3ru5d3d53c analyzing the recent version of GuLoader. The VEH in this new version has added two more exceptions, EXCEPTION_ACCESS_VIOLATION and EXCEPTION_SINGLE_STEP, to patch the shellcode's control flow. I hope you have time to stream about this new version, as well as add more code to Unit42's IDA plugin to patch the shellcode's control flow! <3

m4n0w4r

Note here, the latest Guloader shellcode has added a new exception: EXCEPTION_PRIV_INSTRUCTION (Ref: https://jeffpar.github.io/kbarchive/kb/114/Q114473/).