BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.recon.cx//recon-2026//talk//Y7Z98G
BEGIN:VTIMEZONE
TZID:EST
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T070000Z
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:STANDARD
DTSTART:20071104T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000402T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T080000Z
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20070311T030000
RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-recon-2026-Y7Z98G@cfp.recon.cx
DTSTART;TZID=EST:20260621T130000
DTEND;TZID=EST:20260621T160000
DESCRIPTION:Standard sandboxes and automated scanners fall short when faced
  with the modern state of **Guloader**. Its reliance on **Vectored Excepti
 on Handling (VEH)** to redirect control flow through intentional exception
 s creates a "black box" for traditional debuggers and linear disassemblers
 . This 3-hour workshop bypasses the basics and dives straight into the hea
 vy lifting of modern malware deobfuscation.\n\nWe will perform a deep-dive
  dissection of a multi-stage infection chain\, moving rapidly through Powe
 rShell loaders into the core of the matter: **multi-layered shellcode**. P
 articipants will reverse-engineer the "exception soup" of Guloader\, mappi
 ng out how it uses various CPU instructions and a custom handler to mask i
 ts code flow.\n\nThe highlight of the session is a transition from manual 
 analysis to **programmatic automation**. We will leverage the **Unicorn em
 ulator framework** to build a custom configuration extractor capable of re
 constructing non-contiguous encrypted payloads that stay hidden from stati
 c analysis.
DTSTAMP:20260612T173216Z
LOCATION:Soprano B
SUMMARY:Orchestrating Chaos: Defeating Guloader's VEH and Obfuscation with 
 Unicorn - Mark Lim
URL:https://cfp.recon.cx/recon-2026/talk/Y7Z98G/
END:VEVENT
END:VCALENDAR
