Shulou(Shulou.com)06/03 Report--

This article mainly explains "what is Guloader". Interested friends may wish to have a look at it. The method introduced in this paper is simple, fast and practical. Now let the editor take you to learn "what is Guloader?"

1. Directly use DIE to detect the program and find that it is a loader written by Microsoft Visual Basic 6.0.

two。 If you use ProcessMom to probe the program, you will find that you have queried the registry once and found that if you run in the virtual machine, you will end your own process.

Confirm that there is detection virtual machine code in it.

Use the API Trace tool for API Trace

Found that the memory space was allocated using VirtualAlloc and the execution flow was executed to the newly allocated memory space to execute ShellCodo code

3. Use x64dbg to make a breakpoint for VirtualAlloc

Analyze the call parameters in it and get the allocated memory size of 0x9000

The memory property is PAGE_EXECUTE_READWRITE read and write execution

Then according to the memory address returned by VirtualAlloc, the hardware executable breakpoint F9 does reach the memory space requested by VirtualAlloc.

Navigate to the place where the user calls the ShellCode code based on stack backtracking

4. Now you can download the ShellCode dump according to the return parameters of VirtualAlloc and then use IDA static analysis

Guloader ShellCode was extracted.

At this point, I believe you have a deeper understanding of "what is Guloader", might as well come to the actual operation of it! Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.