{"id":4972,"date":"2023-05-17T20:05:59","date_gmt":"2023-05-17T20:05:59","guid":{"rendered":"\/cybersecurity-blog\/?p=4972"},"modified":"2026-02-03T05:37:37","modified_gmt":"2026-02-03T05:37:37","slug":"deobfuscating-guloader","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/","title":{"rendered":"Deobfuscating the Latest GuLoader: Automating Analysis with Ghidra Scripting\u00a0"},"content":{"rendered":"\n<p>In this article by <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=guloader&amp;utm_content=landing\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> analysts, we&#8217;ll discuss the <a href=\"https:\/\/any.run\/malware-trends\/guloader?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=guloader&amp;utm_content=mtt\" target=\"_blank\" rel=\"noreferrer noopener\">GuLoader<\/a> malware and how to deobfuscate its code using the Ghidra scripting engine. <\/p>\n\n\n\n<p>We will:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Identify <strong>obfuscated code patterns<\/strong><\/li>\n\n\n\n<li>Develop an <strong>algorithm to deobfuscate<\/strong> <strong>and optimize these code patterns<\/strong><\/li>\n\n\n\n<li>Write a script to <strong>semi-automate the code deobfuscation<\/strong> process.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>We also detailed the obfuscation techniques for junior analysts. 
And mid-level and senior analysts will find strategies and tools for simplifying and deobfuscating GuLoader and other malware.<\/p>\n\n\n\n<p>Without further ado, let&#8217;s get into the analysis.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Brief Overview of GuLoader&nbsp;<\/h2>\n\n\n\n<p>GuLoader is a widely used malware loader known for its complex obfuscation techniques that make it difficult to analyze and detect.&nbsp;<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>Here&#8217;s some general information about this threat:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"841\" height=\"533\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/GuLoader-infographic.jpg\" alt=\"\" class=\"wp-image-5017\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/GuLoader-infographic.jpg 841w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/GuLoader-infographic-300x190.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/GuLoader-infographic-768x487.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/GuLoader-infographic-370x234.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/GuLoader-infographic-270x171.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/GuLoader-infographic-740x469.jpg 740w\" sizes=\"(max-width: 841px) 100vw, 841px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We are going to examine a GuLoader sample with the first submission time 2023-03-28 and SHA256 hash:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>653519cb7879ba9389474ab6fb92ae69475ea3166167e3b9b1e4405e14506f5d&nbsp;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>You can download the original sample from <a 
href=\"https:\/\/app.any.run\/tasks\/32c71b72-752a-4b70-bb6e-9557dc99708e?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=privateloader&amp;utm_content=task\" target=\"_blank\" rel=\"noreferrer noopener\">this link<\/a>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"217\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen0.png\" alt=\"\" class=\"wp-image-18184\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen0.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen0-300x64.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen0-768x163.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen0-370x78.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen0-270x57.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen0-740x157.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 1<em> \u2013 basic file information of the investigated Guloader sample&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Clearing the way: Why Deobfuscating Code is Crucial Before Analysis?&nbsp;<\/h3>\n\n\n\n<p>Deobfuscating code is an essential step in the process of malware analysis. 
When malware authors create their programs, they often use various obfuscation techniques to make it more difficult to understand and analyze their code.<\/p>\n\n\n\n<p>By deobfuscating the code, analysts can gain a better understanding of the malware&#8217;s functionality, identify its capabilities, and develop effective mitigation strategies.&nbsp;<\/p>\n\n\n\n<p>Consider this picture where Guloader\u2019s sophisticated assembly code is decompiled into ugly pseudo-code:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"285\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen1.png\" alt=\"\" class=\"wp-image-18185\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen1.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen1-300x83.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen1-768x214.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen1-370x103.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen1-270x75.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen1-740x206.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig.2 \u2014 <em>Guloader\u2019s sophisticated assembly code along with the decompilation result&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p><\/p>\n\n\n\n<p>Obfuscation used in the code makes it almost impossible to understand what&#8217;s going on. 
That&#8217;s why today we will focus on deobfuscation \u2014 it will help us gain a better understanding of Guloader\u2019s behavior.<\/p>\n\n\n\n<p>By the way, if you want to see more examples of analyzing obfuscated code, <a href=\"https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">check out our deep dive into CryptBot<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Unpacking Guloader\u2019s Shellcode&nbsp;<\/h2>\n\n\n\n<p>&nbsp;Unpacking GuLoader&#8217;s shellcode is rather straightforward.<\/p>\n\n\n\n<p>Start by reaching the entry point of the malware. Once identified, set a breakpoint at the VirtualAllocEx function. This function is used to allocate memory for the GuLoader&#8217;s shellcode. The first break point should occur when the function finishes executing and the memory has been allocated.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"338\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen2.png\" alt=\"\" class=\"wp-image-18187\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen2.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen2-300x99.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen2-768x254.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen2-370x122.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen2-270x89.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen2-740x244.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 
3 \u2014 <em>allocated memory for the shellcode&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Note that the return address on the stack points into the \u2018System.dll\u2019 module \u2014 not into the executable itself. This means that the malware ships this module along with it.<\/p>\n\n\n\n<p>At this point, set a hardware execution breakpoint on the first byte of the memory address returned in the EAX register. This will break at the first instruction of the shellcode.<\/p>\n\n\n\n<p>After setting this breakpoint, run the malware. When the breakpoint is hit, you will be at the first instruction of the shellcode.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"443\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen3.png\" alt=\"\" class=\"wp-image-18188\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen3.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen3-300x130.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen3-768x332.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen3-370x160.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen3-270x117.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen3-740x320.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 4 \u2014 <em>shellcode\u2019s entry point<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>To further analyze the shellcode, navigate to the memory map and create a dump of the memory region allocated by \u201cVirtualAllocEx\u201d. 
This dump can be loaded into a disassembler, allowing you to analyze the shellcode in more detail.&nbsp;<\/p>\n\n\n\n<p>It is worth noting that we used Windows 7 (32-bit) as our unpacking environment. Keep in mind that the procedure will be slightly different on other OS versions. If you don&#8217;t have the time or a suitable environment to unpack the GuLoader shellcode yourself, you can download an archive with an already unpacked sample from our <a href=\"https:\/\/github.com\/anyrun\/blog-scripts\/blob\/main\/Scripts\/GuLoader\/dump.zip\">GitHub repository<\/a> (password: infected).&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Identifying Obfuscated and Junk Code Patterns&nbsp;<\/h2>\n\n\n\n<p>In this section, we will search for junk and obfuscated code in GuLoader\u2019s shellcode and use the patterns we find as templates for our deobfuscation and optimization techniques.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">XMM instructions&nbsp;<\/h3>\n\n\n\n<p>There are many XMM instructions present in the code. They look chaotic and complicate the analysis process. 
We encountered them from the first byte of the unpacked shellcode:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"231\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen4.png\" alt=\"\" class=\"wp-image-18191\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen4.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen4-300x68.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen4-768x173.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen4-370x83.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen4-270x61.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen4-740x167.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 5 \u2014 <em>XMM instructions at the start of the shellcode&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>These instructions are quite effective at obfuscating the code, as they can <em>break many emulation engines<\/em>, because most of them are not supported by default. We have tested Angr, Triton and Ghidra&#8217;s embedded engine \u2013 all of them <em>failed<\/em>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Unconditional JMP instructions&nbsp;<\/h3>\n\n\n\n<p>GuLoader&#8217;s authors used many JMP instructions to divide the code into small blocks and connect them together. Not only does this technique make the code more difficult to analyze, but it also prevents detection by antivirus software and other security tools. 
What&#8217;s more, jumping between these blocks can be quite tedious and annoying for analysts, especially when dealing with a large amount of code.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"878\" height=\"946\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen5.png\" alt=\"\" class=\"wp-image-18192\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen5.png 878w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen5-278x300.png 278w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen5-768x827.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen5-370x399.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen5-270x291.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen5-740x797.png 740w\" sizes=\"(max-width: 878px) 100vw, 878px\" \/><figcaption class=\"wp-element-caption\">Fig. 6 \u2014 <em>an example of small blocks on the graph connected by JMP instructions&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Junk instructions&nbsp;<\/h3>\n\n\n\n<p>The GuLoader code contains junk assembly instructions, which are often incorporated as an extra layer of obfuscation to complicate its analysis. These instructions have no practical function, generally leaving the value of registers, execution flow, or memory unchanged. 
Their purpose is to hinder analysis and obscure the genuine functionality of the code.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"228\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen6.png\" alt=\"\" class=\"wp-image-18194\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen6.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen6-300x67.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen6-768x171.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen6-370x82.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen6-270x60.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen6-740x165.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig.7 \u2014 <em>an example of a junk instruction \u2018OR\u2019&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>We may highlight instructions that perform no operation (\u201cNOP\u201d, \u201cFNOP\u201d), and instructions that shift or rotate a value by zero bits (\u201cSHL reg, 0\u201d; \u201cROL reg, 0\u201d). Also, the code may contain instructions like \u201cOR reg, 0\u201d, \u201cXOR reg, 0\u201d, \u201cCLD\u201d, \u201cWAIT\u201d and others, which are equally useless, making no impact on the code&#8217;s behavior.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Fake comparison instructions&nbsp;<\/h3>\n\n\n\n<p>GuLoader code frequently utilizes fake comparison instructions for obfuscation. These instructions usually involve comparing a register or memory location with a fixed value, like &#8220;CMP EAX, 0&#8221; or &#8220;TEST EDX, EDX&#8221;. 
Yet, the outcome of these comparisons isn&#8217;t applied in following instructions, rendering the comparison pointless.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"250\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen7.png\" alt=\"\" class=\"wp-image-18196\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen7.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen7-300x73.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen7-768x188.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen7-370x90.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen7-270x66.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen7-740x181.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 8 \u2014 <em>an example of a fake comparison instruction \u2018TEST EDX, EDX\u2019&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Fake PUSHAD instructions&nbsp;<\/h3>\n\n\n\n<p>The use of fake \u201cPUSHAD\u201d instructions, when paired with a corresponding \u201cPOPAD\u201d instruction, is another common obfuscation technique used in the GuLoader code.<\/p>\n\n\n\n<p>These instructions can be used to temporarily modify the values of registers between the \u201cPUSHAD\u201c and \u201cPOPAD\u201d instructions. However, the final \u201cPOPAD\u201d instruction restores all registers to their original values, effectively nullifying any modifications made by the code. 
<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"147\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen8.png\" alt=\"\" class=\"wp-image-18197\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen8.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen8-300x43.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen8-768x110.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen8-370x53.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen8-270x39.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen8-740x106.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 9 \u2014 <em>an example of a useless \u2018pushad\u2019 instruction combined with a \u2018popad\u2019<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Fake PUSH instructions<\/h3>\n\n\n\n<p>The use of fake \u201cPUSH\u201d instructions is yet another obfuscation method that is rather similar to the previous one. These pairs of instructions involve pushing a value onto the stack and then immediately popping it off again.<\/p>\n\n\n\n<p>For example, the code may include a \u201cPUSH SS\u201d instruction, followed by one or more instructions that modify the value of a particular register or memory location. 
However, when the corresponding \u201cPOP SS\u201d instruction is executed, the content of the stack pointer is restored to its original value.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"94\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen9.png\" alt=\"\" class=\"wp-image-18199\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen9.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen9-300x28.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen9-768x71.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen9-370x34.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen9-270x25.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen9-740x68.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 10 \u2014 <em>an example of a fake \u2018PUSH\u2019 instruction&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Opaque predicates&nbsp;<\/h3>\n\n\n\n<p>GuLoader code also incorporates opaque predicates to increase the difficulty in comprehending the code&#8217;s logic. These predicates are essentially conditional statements that consistently evaluate to either true or false. However, they are designed to be challenging to analyze or predict.<\/p>\n\n\n\n<p>For example, the code may include a pair of instructions such as \u201cMOV BL, 0xB6\u201d and \u201cCMP BL, 0xB6\u201d, followed by a conditional jump instruction such as \u201cJNZ ADDR\u201d. 
However, since the value being compared is the same as the value that was just moved into the register, the two operands are always equal, so the JNZ condition is never met and the conditional jump is never taken, making it unnecessary and confusing.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"138\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen10.png\" alt=\"\" class=\"wp-image-18202\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen10.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen10-300x40.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen10-768x104.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen10-370x50.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen10-270x36.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen10-740x100.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 11 \u2014 <em>an opaque predicate that always evaluates to false&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Arithmetic Expressions&nbsp;<\/h3>\n\n\n\n<p>Obfuscated arithmetic expressions are one of the most interesting obfuscation methods used in GuLoader to make the actual arithmetic operations harder to understand. 
These expressions involve arithmetic instructions like addition, subtraction, and exclusive or, which are mixed with other obfuscation techniques such as fake comparisons, opaque predicates, and junk instructions.<\/p>\n\n\n\n<p>One example of arithmetic obfuscation in GuLoader code is to move a constant value into a register and perform arithmetic operations on it:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"569\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen11.png\" alt=\"\" class=\"wp-image-18203\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen11.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen11-300x167.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen11-768x427.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen11-370x206.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen11-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen11-740x411.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 
12 \u2014 <em>an example of arithmetic obfuscation distributed between two small blocks<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Another example is to push a constant value onto the stack and perform mathematical operations on the memory located on the stack:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"242\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen12.png\" alt=\"\" class=\"wp-image-18204\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen12.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen12-300x71.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen12-768x182.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen12-370x87.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen12-270x64.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen12-740x175.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 
13 \u2014 <em>an example of math operations on the top of the stack&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Deobfuscating and Optimizing: Techniques and Strategies<\/h2>\n\n\n\n<p>In the previous sections, we&#8217;ve identified and discussed various obfuscation techniques often found in GuLoader, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Opaque predicates<\/li>\n\n\n\n<li>Obfuscated arithmetic expressions<\/li>\n\n\n\n<li>And junk instructions.<\/li>\n<\/ul>\n\n\n\n<p>Now, let&#8217;s focus on developing techniques and strategies to overcome these obfuscation methods and make the code easier to analyze.&nbsp;<\/p>\n\n\n\n<p>What&#8217;s more, we will show the state of the code before and after deobfuscation. You&#8217;ll see how using various deobfuscation techniques can render the code more readable and simplified for analysis.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">&#8220;Nopping&#8221; all XMM instructions&nbsp;<\/h3>\n\n\n\n<p>As previously noted, XMM instructions can complicate the analysis process due to their obfuscating impact on the code. Fortunately, our analysis shows that all of the XMM instructions used in GuLoader are extraneous and don&#8217;t influence the code&#8217;s intended behavior. 
These instructions are essentially pointless, as the outcome of their execution is never utilized.<\/p>\n\n\n\n<p>The result of &#8220;Nopping&#8221; all XMM instructions can be seen in the following table:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"294\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen13.png\" alt=\"\" class=\"wp-image-18206\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen13.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen13-300x86.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen13-768x221.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen13-370x106.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen13-270x78.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen13-740x212.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 
14 \u2014 <em>the expected result of \u201cnopping\u201d all XMM instructions\u00a0<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>And here&#8217;s the achieved result of &#8220;Nopping&#8221; all XMM instructions in Ghidra:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"213\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen14.png\" alt=\"\" class=\"wp-image-18207\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen14.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen14-300x62.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen14-768x160.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen14-370x77.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen14-270x56.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen14-740x154.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 15 \u2014 <em>\u201cnopped\u201d XMM instructions in Ghidra\u00a0<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Leaving Unconditional JMP Instructions Untouched&nbsp;<\/h3>\n\n\n\n<p>When analyzing GuLoader, it can be tempting to remove unconditional JMP instructions to streamline the code and make it easier to read. But, it requires a lot of time and effort.<\/p>\n\n\n\n<p>Additionally, the disassembler in decompiled code can often do a good job of concatenating blocks and making the code more legible, even with the presence of these unconditional jumps. 
Thus we decided to leave small blocks and not concatenate them.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"673\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen15.png\" alt=\"\" class=\"wp-image-18208\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen15.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen15-300x197.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen15-768x505.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen15-370x243.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen15-270x177.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen15-740x486.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 16 \u2014 <em>two deobfuscated blocks on the graph without concatenation<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">\u201cNopping\u201d Junk Instructions&nbsp;<\/h3>\n\n\n\n<p>Junk instructions are those that do not affect the execution flow of the code and can be safely removed. 
One of the expected results of \u201cnopping\u201d all junk instructions is shown in the following table:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"174\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen16.png\" alt=\"\" class=\"wp-image-18210\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen16.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen16-300x51.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen16-768x131.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen16-370x63.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen16-270x46.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen16-740x126.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 17 \u2014 <em>an expected result of \u201cnopping\u201d junk instructions<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Defeating fake comparison instructions&nbsp;<\/h3>\n\n\n\n<p>Dealing with fake comparison instructions is a bit more difficult than simply \u201cnopping\u201d junk instructions. Unlike junk instructions, we can&#8217;t just remove every comparison instruction we come across, because it may actually be needed for the code to function correctly. To handle this, we need to carefully identify which comparisons are fake and can be removed.&nbsp;<\/p>\n\n\n\n<p>One way to do this is to \u201cmark\u201d any comparison instruction we encounter, and then look for any subsequent instructions that may use the result of the comparison. If no such instructions are found, we can safely replace the comparison instruction with a NOP. 
If we encounter a conditional jump or another instruction that may use the comparison result, we need to \u201cunmark\u201d the previous comparison so that it is not removed.&nbsp;<\/p>\n\n\n\n<p>An example of properly &#8220;nopping&#8221; out junk comparison instructions is illustrated in the following table. As shown, all comparison instructions except for \u201cCMP EDX,0x0\u201d have been removed:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"356\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen17.png\" alt=\"\" class=\"wp-image-18211\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen17.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen17-300x104.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen17-768x267.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen17-370x129.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen17-270x94.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen17-740x257.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 18 \u2014 <em>an example of \u201cnopping\u201d fake-comparison instructions<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Defeating fake PUSHAD instructions<\/h3>\n\n\n\n<p>Our investigation revealed that all \u201cPUSHAD\u201d instructions used in the GuLoader code are useless. 
So, we simply nop the \u201cPUSHAD\u201d and \u201cPOPAD\u201d instructions, and everything in between them:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"352\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen18.png\" alt=\"\" class=\"wp-image-18212\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen18.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen18-300x103.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen18-768x264.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen18-370x127.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen18-270x93.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen18-740x254.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 19 \u2014 <em>an example of nopping everything between \u201cPUSHAD\u201d and \u201cPOPAD\u201d<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Note that <strong>not all \u201cPOPAD\u201d instructions found in the GuLoader code are junk<\/strong>. Some of them may not have a corresponding \u201cPUSHAD\u201d instruction. 
In such cases, we leave the \u201cPOPAD\u201d instruction untouched.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Defeating fake PUSH instructions<\/h3>\n\n\n\n<p>Cleaning up fake PUSH instructions is akin to handling fake PUSHAD instructions: the PUSH, its matching POP and everything between them are nopped together. The difference is that a PUSH\/POP pair saves and restores only one register, so before nopping we need to make sure that the code between them modifies nothing but that register; registers that are not pushed must remain unaffected.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"213\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen19.png\" alt=\"\" class=\"wp-image-18213\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen19.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen19-300x62.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen19-768x160.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen19-370x77.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen19-270x56.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen19-740x154.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 20 \u2014 <em>an example of nopping \u201cPUSH\u201d and \u201cPOP\u201d instructions<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Opaque predicates<\/h3>\n\n\n\n<p>Overcoming opaque predicates might appear challenging initially, as it requires &#8220;predicting&#8221; the jump condition. However, in our case, it&#8217;s relatively straightforward because all discovered opaque predicates are situated within the &#8220;PUSHAD&#8221; and &#8220;POPAD&#8221; blocks. 
When processing &#8220;PUSHAD&#8221; blocks, we simply nullify all opaque predicates between the &#8220;PUSHAD&#8221; and the corresponding &#8220;POPAD&#8221; instruction.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Calculating Arithmetic Expressions<\/h3>\n\n\n\n<p>To deobfuscate the arithmetic expressions in GuLoader, we follow an approach similar to the one for fake comparison instructions. We mark every &#8220;MOV&#8221; instruction whose second operand is a scalar value and every &#8220;PUSH&#8221; instruction whose operand is a scalar. When we then encounter an arithmetic operation that applies another scalar to that value, we fold it into the constant of the marked instruction and nop the current instruction; as with comparisons, the mark is dropped as soon as the value is used in any other way. In this way, the first instruction always ends up holding the final result, and the rest of the arithmetic instructions are &#8220;nopped&#8221;.&nbsp;<\/p>\n\n\n\n<p>See the following example with the optimized \u201cMOV\u201d operation:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"398\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen20.png\" alt=\"\" class=\"wp-image-18215\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen20.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen20-300x117.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen20-768x299.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen20-370x144.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen20-270x105.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen20-740x288.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 
21 \u2014 <em>optimizing \u201cMOV\u201d arithmetic operations<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Here is another example where we optimize \u201cPUSH\u201d instructions:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"390\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen21.png\" alt=\"\" class=\"wp-image-18216\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen21.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen21-300x114.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen21-768x293.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen21-370x141.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen21-270x103.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen21-740x282.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 22 \u2014 <em>optimizing \u201cPUSH\u201d math operations<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>It&#8217;s important to be careful with the size of the operands: the folded result has to be truncated to the width of the destination (8, 16 or 32 bits), otherwise an operation that wraps around in an 8-bit or 16-bit register would yield a different constant than the original code computes.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Automating Malware Analysis with a Ghidra Script&nbsp;<\/h2>\n\n\n\n<p>In the earlier sections, we identified typical obfuscation techniques in GuLoader&#8217;s code and discussed various strategies to overcome them. 
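<\/p>\n\n\n\n<p>Before turning to the script itself, here is how the PUSHAD\/POPAD, PUSH\/POP and arithmetic-folding passes from the previous sections fit together, as an added example in plain Python that is not part of the original article or of the ANY.RUN script. It runs on a list of assembly strings rather than a Ghidra listing. The register tables are x86 facts; the instruction sequence in <code>SAMPLE<\/code>, the set of register-only instructions accepted inside a PUSH\/POP pair (<code>REG_ONLY_OPS<\/code>) and the assumption that the PUSH variant of the folding targets the pushed slot as <code>DWORD PTR [ESP]<\/code> are made for this example. Flags are ignored, as in the PUSHAD handling above: neither POP nor POPAD restores them.<\/p>\n\n

```python
"""Stack-pair nopping and constant folding for GuLoader-style junk.

Added example, not the ANY.RUN GuDeobfuscator script: it runs on a list of
assembly strings, without Ghidra.  SAMPLE, REG_ONLY_OPS and the
DWORD PTR [ESP] folding form are assumptions made for this example.
"""
import re

BITS, FAMILY = {}, {}            # register -> width, register -> 32-bit parent
for b in "ABCD":
    for r, n in ((f"E{b}X", 32), (f"{b}X", 16), (f"{b}L", 8), (f"{b}H", 8)):
        BITS[r], FAMILY[r] = n, f"E{b}X"
for b in ("SI", "DI", "BP", "SP"):
    for r, n in ((f"E{b}", 32), (b, 16)):
        BITS[r], FAMILY[r] = n, f"E{b}"

REG_ONLY_OPS = {"MOV", "ADD", "SUB", "XOR", "OR", "AND", "NOT", "NEG", "INC",
                "DEC", "SHL", "SHR", "ROL", "ROR", "LEA"}   # write operand 0 only
FOLDABLE = {"ADD", "SUB", "XOR", "OR", "AND"}
STACK_OPS = {"PUSH", "POP", "PUSHAD", "POPAD", "CALL", "RET"}   # move ESP
ENDS_ALL = re.compile(r"^(J\w+|CALL|RET\w*|POPAD)$")   # ends every fold chain


def parse(line):
    """'ADD EAX,0x10' -> ('ADD', ['EAX', '0X10'])"""
    parts = line.split(None, 1)
    ops = [o.strip().upper() for o in parts[1].split(",")] if len(parts) > 1 else []
    return parts[0].upper(), ops

def is_imm(op):
    return re.fullmatch(r"-?(0X[0-9A-F]+|\d+)", op) is not None

def nop_range(out, start, end):
    for k in range(start, end + 1):
        out[k] = "NOP"

def writes_only(reg, line):
    """Can `line` modify nothing but `reg` or one of its sub-registers?  Flags
    are ignored, as in the PUSHAD handling: POP/POPAD do not restore them."""
    m, ops = parse(line)
    return m == "NOP" or (m in REG_ONLY_OPS and bool(ops) and "[" not in ops[0]
                          and FAMILY.get(ops[0]) == FAMILY.get(reg))

def nop_stack_pairs(listing):
    """PUSHAD..POPAD is junk in full (opaque predicates included); PUSH r..POP r
    only if nothing in between touches another register.  A POPAD or POP with
    no matching PUSHAD/PUSH is real code and stays."""
    out, opened = list(listing), []          # opened: (index, 'PUSHAD' | reg)
    for i, line in enumerate(listing):
        m, ops = parse(line)
        if m == "PUSHAD":
            opened.append((i, "PUSHAD"))
        elif m == "PUSH" and ops and ops[0] in BITS:
            opened.append((i, ops[0]))
        elif m == "POPAD":
            for depth in range(len(opened) - 1, -1, -1):
                if opened[depth][1] == "PUSHAD":
                    nop_range(out, opened[depth][0], i)
                    del opened[depth:]
                    break
        elif m == "POP" and opened and opened[-1][1] != "PUSHAD":
            start, reg = opened.pop()
            if ops and ops[0] == reg and all(writes_only(reg, l) for l in out[start + 1:i]):
                nop_range(out, start, i)
    return out

def fold_constants(listing):
    """MOV r,imm followed by op r,imm chains collapse into the MOV; PUSH imm
    followed by op DWORD PTR [ESP],imm into the PUSH.  Every result is masked
    to the destination width, so 8- and 16-bit wrap-around is preserved."""
    out, pending = list(listing), {}        # key -> [index, dest, bits, value]
    for i, line in enumerate(listing):
        m, ops = parse(line)
        imm = int(ops[1], 0) if len(ops) == 2 and is_imm(ops[1]) else None
        dest = "[ESP]" if ops and ops[0].endswith("[ESP]") else (ops[0] if ops else "")
        key = FAMILY.get(dest, dest)
        if m == "MOV" and imm is not None and dest in BITS:
            pending[key] = [i, dest, BITS[dest], imm & ((1 << BITS[dest]) - 1)]
        elif m == "PUSH" and ops and is_imm(ops[0]):
            pending["[ESP]"] = [i, "[ESP]", 32, int(ops[0], 0) & 0xFFFFFFFF]
        elif m in FOLDABLE and imm is not None and key in pending and pending[key][1] == dest:
            idx, d, bits, val = pending[key]
            val = {"ADD": val + imm, "SUB": val - imm, "XOR": val ^ imm,
                   "OR": val | imm, "AND": val & imm}[m] & ((1 << bits) - 1)
            pending[key][3] = val
            out[idx] = f"PUSH {val:#x}" if d == "[ESP]" else f"MOV {d},{val:#x}"
            out[i] = "NOP"
        else:                # any other use of a tracked value ends its chain
            for k in list(pending):
                regs = ["ESP"] if k == "[ESP]" else [r for r in FAMILY if FAMILY[r] == k]
                if (ENDS_ALL.match(m) or (k == "[ESP]" and m in STACK_OPS)
                        or any(re.search(rf"\b{r}\b", line.upper()) for r in regs)):
                    del pending[k]
    return out

def deobfuscate(listing):
    return fold_constants(nop_stack_pairs(listing))

# Constructed listing: a PUSHAD block hiding an opaque predicate, a junk
# PUSH/POP pair, a PUSH/POP pair that must stay, a stray POPAD, three chains.
SAMPLE = [
    "PUSHAD", "CMP EAX,0x7", "JNZ 0x401050", "MOV EBX,0x1", "POPAD",
    "PUSH ECX", "XOR ECX,0x55", "ADD CL,0x3", "POP ECX",
    "PUSH EDX", "MOV EBX,0x9", "POP EDX",
    "POPAD",
    "MOV EAX,0x1000", "ADD EAX,0x234", "XOR EAX,0xFF",
    "MOV AL,0xF0", "ADD AL,0x20",
    "PUSH 0x10", "SUB DWORD PTR [ESP],0x4",
    "CALL 0x401000",
]
```

<p>The order of the passes matters: the stack-pair pass runs first, so a MOV sitting inside a nopped PUSHAD block is not mistaken for the start of a fold chain, and the fold pass abandons a chain as soon as the register is read or written by anything else, which is what keeps MOV EBX,0x9 intact while the PUSH EDX around it is left alone because it would otherwise erase a write to a register that was never saved. The 8-bit chain shows the size caveat: 0xF0 plus 0x20 folds to 0x10, not 0x110.<\/p>\n\n<p>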
In this section, we provide a brief description of a script designed to semi-automate the deobfuscation process for GuLoader&#8217;s code.<\/p>\n\n\n\n<p>We&#8217;ve developed a script that starts from the selected instruction, follows calls and conditional jumps, simplifies and deobfuscates the code it reaches, and re-disassembles the result. The script does not step over calls whose operand has a specific value, because not all of those calls return. It applies all the approaches discussed in the previous sections.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"568\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen22.png\" alt=\"\" class=\"wp-image-18218\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen22.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen22-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen22-768x426.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen22-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen22-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen22-740x410.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 23 \u2014 <em>part of the script to deobfuscate GuLoader\u2019s code<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>You can <a href=\"https:\/\/github.com\/anyrun\/blog-scripts\/blob\/main\/Scripts\/GuLoader\/GuDeobfuscator.py\" target=\"_blank\" rel=\"noreferrer noopener\">download this script from our GitHub repository<\/a> and put it in Ghidra&#8217;s script folder. We recommend setting a hotkey for quick access. 
Simply place the cursor over an interesting position (you could start from the 0x0 offset) and press the hotkey to see the deobfuscated code.<\/p>\n\n\n\n<p>Finally, let&#8217;s compare GuLoader&#8217;s pseudo-code before and after running the deobfuscation script:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"445\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen23.png\" alt=\"\" class=\"wp-image-18220\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen23.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen23-300x130.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen23-768x334.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen23-370x161.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen23-270x117.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen23-740x322.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 
24 \u2014 <em>the 1<sup>st<\/sup> example of the code before deobfuscating<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>And here is the same code after deobfuscation:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"321\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen24.png\" alt=\"\" class=\"wp-image-18221\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen24.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen24-300x94.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen24-768x241.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen24-370x116.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen24-270x85.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen24-740x232.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 25 \u2014 <em>the same 1<sup>st<\/sup> example of the code, but after applying script<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Here is another example of GuLoader&#8217;s code before and after applying our deobfuscation script. 
Here&#8217;s the before:<\/p>\n\n\n\n<p>And here it is after running the script:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"535\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen25.png\" alt=\"\" class=\"wp-image-18222\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen25.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen25-300x157.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen25-768x401.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen25-370x193.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen25-270x141.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/guloader_screen25-740x387.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fig. 26 \u2014 <em>the same 2<sup>nd<\/sup> example, but after applying the script<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>As you can see, the code is now significantly more readable. 
The obfuscated instructions have been eliminated, making the code flow easy to trace.<\/p>\n\n\n\n<p>This greatly simplifies the task for malware analysts trying to understand the malware&#8217;s behavior, making the whole analysis process considerably more efficient.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Limitations of the approach&nbsp;<\/h2>\n\n\n\n<p>While the semi-automated deobfuscation method with Ghidra scripting is effective, there are several limitations to bear in mind.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>It&#8217;s possible that not all obfuscated code patterns in GuLoader have been identified, and new techniques may emerge in future versions of the malware.<\/li>\n\n\n\n<li>There is a chance of optimization errors, where some instructions might be wrongly identified as junk or obfuscated code, and are nulled or removed.<\/li>\n\n\n\n<li>The script may need adjustments or updates to handle different versions of GuLoader, as there might be changes in the obfuscation techniques used.<\/li>\n\n\n\n<li>The script might not be able to identify all calls and jump destinations, particularly if they&#8217;re dynamically generated or encoded.<\/li>\n\n\n\n<li>Writing and testing the script can demand a significant amount of time and effort, as it necessitates a thorough understanding of GuLoader&#8217;s code structure and obfuscation techniques.<\/li>\n<\/ol>\n\n\n\n<p>Despite these limitations, this approach remains a helpful tool for automating GuLoader code analysis and deobfuscation.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Wrapping up<\/h2>\n\n\n\n<p>We&#8217;ve explored one potential approach to deobfuscating GuLoader, which entails identifying common obfuscation patterns and neutralizing them using various techniques.<\/p>\n\n\n\n<p>It&#8217;s important to note that while this approach was specifically tailored for deobfuscating GuLoader, the same general techniques could be applied to other malware samples as well. 
However, bear in mind that each malware sample might have unique obfuscation techniques, necessitating the development of specific optimization strategies.<\/p>\n\n\n\n<p>Want to read more content like this?<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Learn how we analyzed the <a href=\"https:\/\/any.run\/cybersecurity-blog\/privateloader-analyzing-the-encryption-and-decryption-of-a-modern-loader\/\" target=\"_blank\" rel=\"noreferrer noopener\">encryption and decryption algorithms of PrivateLoader<\/a><\/li>\n\n\n\n<li>Or learn <a href=\"https:\/\/any.run\/cybersecurity-blog\/limerat-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">how to extract LimeRat configuration<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In this article by ANY.RUN analysts, we&#8217;ll discuss the GuLoader malware and how to deobfuscate its code using the Ghidra scripting engine. We will: We also detailed the obfuscation techniques for junior analysts. And mid-level and senior analysts will find strategies and tools for simplifying and deobfuscating GuLoader and other malware. Without further ado, let&#8217;s [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":5014,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[72,34],"class_list":["post-4972","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-guloader","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>GuLoader: Deobfuscating and Automating Malware Analysis<\/title>\n<meta name=\"description\" content=\"In this dive into GuLoader obfuscation, we learn how to spot patterns and nop fake instructions. 
Then, automate it with Ghidra Scripting.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Electron\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"18 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/\"},\"author\":{\"name\":\"Electron\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Deobfuscating the Latest GuLoader: Automating Analysis with Ghidra Scripting\u00a0\",\"datePublished\":\"2023-05-17T20:05:59+00:00\",\"dateModified\":\"2026-02-03T05:37:37+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/\"},\"wordCount\":2750,\"commentCount\":5,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"GuLoader\",\"malware analysis\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/\",\"name\":\"GuLoader: Deobfuscating and Automating Malware Analysis\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2023-05-17T20:05:59+00:00\",\"dateModified\":\"2026-02-03T05:37:37+00:00\",\"description\":\"In this dive into GuLoader obfuscation, we 
learn how to spot patterns and nop fake instructions. Then, automate it with Ghidra Scripting.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Deobfuscating the Latest GuLoader: Automating Analysis with Ghidra Scripting\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Electron\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/6394744.png\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/6394744.png\",\"caption\":\"Electron\"},\"description\":\"I'm a malware analyst. I love CTF, reversing, and pwn. Off-screen, I enjoy the simplicity of biking, walking, and hiking.\",\"sameAs\":[\"https:\/\/any.run\/\"],\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"GuLoader: Deobfuscating and Automating Malware Analysis","description":"In this dive into GuLoader obfuscation, we learn how to spot patterns and nop fake instructions. Then, automate it with Ghidra Scripting.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/","twitter_misc":{"Written by":"Electron","Est. 
reading time":"18 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/"},"author":{"name":"Electron","@id":"https:\/\/any.run\/"},"headline":"Deobfuscating the Latest GuLoader: Automating Analysis with Ghidra Scripting\u00a0","datePublished":"2023-05-17T20:05:59+00:00","dateModified":"2026-02-03T05:37:37+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/"},"wordCount":2750,"commentCount":5,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["GuLoader","malware analysis"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/","url":"https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/","name":"GuLoader: Deobfuscating and Automating Malware Analysis","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2023-05-17T20:05:59+00:00","dateModified":"2026-02-03T05:37:37+00:00","description":"In this dive into GuLoader obfuscation, we learn how to spot patterns and nop fake instructions. 
Then, automate it with Ghidra Scripting.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Deobfuscating the Latest GuLoader: Automating Analysis with Ghidra Scripting\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Electron","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/6394744.png","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/6394744.png","caption":"Electron"},"description":"I'm a malware analyst. I love CTF, reversing, and pwn. 
Off-screen, I enjoy the simplicity of biking, walking, and hiking.","sameAs":["https:\/\/any.run\/"],"url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/4972"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=4972"}],"version-history":[{"count":29,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/4972\/revisions"}],"predecessor-version":[{"id":18223,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/4972\/revisions\/18223"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/5014"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=4972"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=4972"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=4972"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}