Recon 2026

Orchestrating Chaos: Defeating Guloader's VEH and Obfuscation with Unicorn
Language: English

Standard sandboxes and automated scanners fall short when faced with the modern state of Guloader. Its reliance on Vectored Exception Handling (VEH) to redirect control flow through intentional exceptions creates a "black box" for traditional debuggers and linear disassemblers. This 3 hour workshop bypasses the basics and dives straight into the heavy lifting of modern malware deobfuscation.

We will perform a deep-dive dissection of a multi-stage infection chain, moving rapidly through PowerShell loaders into the core of the matter: multi-layered shellcode. Participants will reverse-engineer the "exception soup" of Guloader, mapping out how it uses various CPU instructions and a custom handler to mask its code flow.

The highlight of the session is a transition from manual analysis to programmatic automation. We will leverage the Unicorn emulator framework to build a custom configuration extractor capable of reconstructing non-contiguous encrypted payloads that stay hidden from static analysis.


Key Technical Deep-Dives:

  • The VEH Maze: Bypassing exception-based control flow flattening.
  • Extracting secrets hidden via Constant Unfolding
  • Emulation-Based Solution: Using Python and Unicorn to automate the extraction of C2 and multiple encrypted strings from obfuscated DWORDS.
  • Indirect Syscalls: Identifying and neutralizing EDR-evasion techniques within shellcode.

Workshop Focus

  • Recent variants of real-world malware samples: Unlike theoretical exercises, this workshop utilizes live, updated malware samples of Guloader. This immersive approach ensures that participants gain experience with the actual challenges posed by modern threats.
  • Chained Attack Scenarios: The workshop will simulate a multi-stage attack where Guloader acts as the initial entry vector, deploying and executing a payload. This chained scenario highlights how different malware types collaborate in complex attacks, providing a holistic view of the threat landscape.
  • Practical, Hands-On Experience: The entire workshop is fundamentally practical. Attendees will actively engage in analyzing malware, utilizing industry-standard tools and techniques. This hands-on methodology fosters deep understanding and skill development.
  • The ratio of presentation to hands-on training: 90% hands-on

Workshop Outline

  1. Phase 1: Shellcode Extraction & Context Reconstruction (10 min)
    Recon-Exclusive: PowerShell obfuscation analysis is removed. Attendees are provided a de-obfuscated script solely to extract the shellcode.
    Vector Isolation: Isolate the specific Windows callback and its parameters used to transfer execution, in order to replicate the initial register state for the loader.

  2. Phase 2: Defeating Indirect Syscalls & Loader Internals (30 min)
    Heuristic Analysis: Identifying and bypassing "Hell's Gate" and related indirect syscall techniques used to blind EDRs.
    Gadget Hunting: Manually locating the "gadgets" the loader uses to construct syscalls, rather than relying on automated tool output.
    Opaque Predicates: Analyzing and defeating the unpacking loops that guard the next-stage shellcode, preparing the binary for the core VEH analysis.

Break (10 min)

  3. Phase 3: Windows Internals & The VEH State Machine (60 min)

This section represents the core "Delta" from previous workshops, focusing on undocumented Windows structures.

  • Manual Traversal of Windows 10 Structure: Instead of relying on conventional debugger commands, participants will manually locate the registered Vectored Exception Handler (VEH) function. This involves writing an IDA script to walk the undocumented _LdrpVectorHandlerList structure in memory and overcoming pointer encoding challenges.
  • Reversing AddVectoredExceptionHandler: A deep dive into the kernel32 implementation of exception registration to understand how Guloader hijacks this mechanism.
  • Context Manipulation & RIP Hijacking: Analyzing how the handler modifies the PCONTEXT structure (specifically Eip/Rip) to "skip" variable-length junk bytes and resume execution at dynamically calculated offsets.
  • Anti-Debug Logic: Decompiling the handler’s logic to see how it inspects Hardware Breakpoints (DR0-DR7) within the context record to detect analysis tools.

Break (10 min)

  4. Phase 4: Advanced Emulation & Custom Instrumentation (60 min)
    Moving beyond "using Unicorn," this phase focuses on "fixing Unicorn" to handle hostile code.
    * Solving the Halting Problem: Participants will write a custom Unicorn harness that handles UC_MEM_READ_UNMAPPED and UC_HOOK_INTR events to emulate the OS loader's exception dispatching behavior.
    * Configuration Extraction: Automating the decryption of non-contiguous strings and C2 configurations, effectively bypassing the need for a fully functional debugger.
    * Optimization: mitigating the performance penalties of Python-based emulation when handling millions of instructions.

Detailed explanations and working solutions will be provided for all exercises to support attendees' learning.

Take away from this workshop

  • A Weaponized Emulation Harness: Walk away with a robust, custom-built Python-Unicorn harness specifically engineered to bridge the gap between static emulation and dynamic Windows Exception Handling (VEH). You will own the code to simulate complex OS-level callbacks that standard emulators fail on.
  • Automated Deobfuscation Logic: Master implementing custom hook management within Unicorn to trace, intercept, and defeat junk code and control-flow flattening without touching the debugger.
  • Genericizing the Solution: Learn how to transform a specific Guloader solution into a reusable methodology for defeating other exception-based obfuscators (like those found in modern Dridex or Ursnif variants) by leveraging purely emulated execution traces.

What audience needs to bring to this workshop

  • Laptops that have at least 8GB RAM and 100GB of free SSD space
  • Due to the EULAs of the software involved, each student must set up a Windows 10 VM prior to the workshop. This VM has to contain the following tools:
  • Latest version of Visual Studio Code with the PowerShell extension (from Microsoft)
  • IDA Free 9.2+ (Note: All scripts utilized in this workshop have been strictly tested to work on IDA Pro and Free 9.2+).
  • Python 3.13 (x64)
  • Unicorn Framework python module (https://www.unicorn-engine.org/)
  • SystemInformer (for dumping memory pages)
  • A decompiler will not be necessary for this workshop

Target Audience

  • Mid to senior-level cybersecurity practitioners
  • Malware analysts, incident responders, threat hunters
  • Professionals seeking hands-on malware analysis skills

Skills required

  • Fluent x86/x64 Assembly: Must be comfortable manually tracing control flow, stack operations, and register states without relying exclusively on decompilers (as the obfuscation renders Hex-Rays/Ghidra ineffective).
  • Intermediate Python Scripting: Ability to write functional scripts using external libraries. Familiarity with Python's struct module or memory mapping concepts is critical for the emulation phase.
  • Windows Internals Fundamentals: A conceptual understanding of how Windows handles exceptions (VEH/SEH), Context Records, and hardware breakpoints is highly recommended.
  • IDA Pro Proficiency: Standard navigation skills (following cross-references, patching bytes, defining code/data) are assumed.

See also: Exercises used for previous runs of this workshop