Dissecting the new shellcode-based variant of GuLoader (CloudEyE)
ID: 9393888c-182b-5a4b-8f33-fa8e38a58e8a
STIX ID: report--9393888c-182b-5a4b-8f33-fa8e38a58e8a
Feed Name: The Spamhaus Project
GuLoader uses Windows vectored exception handlers (VEH) to redirect execution at runtime. The shellcode raises exceptions deliberately, and the registered handler first inspects the CONTEXT record (ContextRecord) for non-zero hardware-breakpoint debug registers, then checks that the byte at the faulting EIP is 0xCC (int3). It XORs the byte that follows the int3 with 0xCB to compute the next EIP and resumes execution there. The bytes between the int3 and that address are junk that never executes, but a disassembler walking the code sequentially interprets them as instructions, which breaks static analysis.
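The following is an added analysis helper, not code from the Spamhaus post or from GuLoader itself. It models the handler described above over a constructed shellcode blob and recovers the real instruction stream, then rewrites each int3 trampoline as a relative jmp so that a disassembler follows the true flow. Two points are assumptions: the handler is modeled as adding the decoded byte to EIP as a forward offset (the text only says the XOR computes the next EIP), and the modeled handler declines the exception when a debug register is set (the text says the registers are checked, not what happens on detection). The sample bytes are made up for this example, and 0xCB is the key named on this page, which varies per sample.

```python
"""Static recovery of GuLoader-style VEH control flow (added analysis helper).

The sample bytes are constructed for this example, not dumped from GuLoader.
Model (an assumption about the handler, consistent with the description above):
at every 0xCC the handler sets  Eip = Eip + (code[Eip + 1] ^ KEY)  and resumes,
so the bytes between the int3 and that target are junk that never executes.
"""

KEY = 0xCB                       # XOR key named on the page; varies per sample
INT3 = 0xCC
EXCEPTION_CONTINUE_EXECUTION = -1
EXCEPTION_CONTINUE_SEARCH = 0
DEBUG_REGS = ("Dr0", "Dr1", "Dr2", "Dr3")

# Constructed sample blob: real instructions interleaved with int3 trampolines.
SAMPLE = bytes([
    0x31, 0xC0,                    # 0x00: xor eax, eax          (real)
    INT3, 6 ^ KEY,                 # 0x02: int3 + encoded offset 6 -> resume at 0x08
    0xE8, 0xDE, 0xAD, 0xBE,        # 0x04: junk: looks like a call, never runs
    0x40,                          # 0x08: inc eax               (real)
    INT3, 3 ^ KEY,                 # 0x09: int3 + encoded offset 3 -> resume at 0x0C
    0x0F,                          # 0x0B: junk: dangling two-byte opcode prefix
    0xC3,                          # 0x0C: ret                   (real)
])


def emulate_handler(code, ctx, key=KEY):
    """Python model of the VEH handler; ctx mimics CONTEXT record fields."""
    # Anti-debug gate: a hardware breakpoint leaves Dr0..Dr3 non-zero.
    # Modeling assumption: decline the exception so EIP is never fixed up.
    if any(ctx.get(r, 0) for r in DEBUG_REGS):
        return EXCEPTION_CONTINUE_SEARCH
    eip = ctx["Eip"]
    if eip + 1 >= len(code) or code[eip] != INT3:
        return EXCEPTION_CONTINUE_SEARCH
    ctx["Eip"] = eip + (code[eip + 1] ^ key)   # assumed: decoded byte is an offset
    return EXCEPTION_CONTINUE_EXECUTION


def recover(code, start=0, key=KEY):
    """Walk the blob as CPU plus handler would; return (real_bytes, hops).

    hops is a list of (int3_addr, resume_addr, junk_bytes).  Limitation: a real
    instruction whose encoding contains 0xCC would be mistaken for a trampoline;
    a disassembler-driven walk would be needed to avoid that.
    """
    real, hops = bytearray(), []
    eip = start
    while eip < len(code):
        if code[eip] == INT3:
            ctx = {"Eip": eip}
            if emulate_handler(code, ctx, key) != EXCEPTION_CONTINUE_EXECUTION:
                raise ValueError(f"unhandled int3 at {eip:#x}")
            if ctx["Eip"] <= eip:
                raise ValueError(f"non-advancing trampoline at {eip:#x}")
            hops.append((eip, ctx["Eip"], bytes(code[eip + 2:ctx["Eip"]])))
            eip = ctx["Eip"]
            continue
        real.append(code[eip])
        eip += 1
    return bytes(real), hops


def patch_to_jumps(code, key=KEY):
    """Rewrite each int3 trampoline as a relative jmp so a disassembler follows
    the real flow; the skipped junk is overwritten with NOPs.  Offsets below 2
    leave no room for a jmp and raise."""
    out = bytearray(code)
    for int3_addr, target, _ in recover(code, 0, key)[1]:
        off = target - int3_addr
        if 2 <= off <= 129:                       # jmp rel8: EB xx
            out[int3_addr:int3_addr + 2] = bytes([0xEB, off - 2])
            out[int3_addr + 2:target] = b"\x90" * (off - 2)
        elif off >= 5:                            # jmp rel32: E9 xx xx xx xx
            out[int3_addr:int3_addr + 5] = b"\xE9" + (off - 5).to_bytes(4, "little")
            out[int3_addr + 5:target] = b"\x90" * (off - 5)
        else:
            raise ValueError(f"offset {off} at {int3_addr:#x} cannot be patched")
    return bytes(out)


if __name__ == "__main__":
    real, hops = recover(SAMPLE)
    print("real stream:", real.hex(" "))
    for addr, tgt, junk in hops:
        print(f"int3 @ {addr:#04x} -> resume {tgt:#04x}, skipped junk {junk.hex(' ')}")
    print("patched:    ", patch_to_jumps(SAMPLE).hex(" "))
```

Running the script prints the recovered stream `31 c0 40 c3` (xor eax, eax; inc eax; ret) and a patched blob in which both trampolines have become short jumps, which is the form to feed back into a disassembler. Setting any `Dr0` to `Dr3` field in the context passed to `emulate_handler` makes the model refuse the fix-up, mirroring the anti-debug gate the handler applies before decoding.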
