  • 2704 views
  • Published 7 months ago by MalwareAnalysisForHedgehogs

Malware Analysis - Virut, Unpacking a Polymorphic File Infector, Part I

We analyse the polymorphic virus Virut. In part 1 we write an API resolver for Ghidra, deal with self-modifying code, custom calling conventions and unpack the main virus body.

Sample:
API resolver:
Malware analysis courses:
Buy me a coffee:
Follow me on Twitter:

00:00 Intro
02:03 Triage: strings and DiE
05:08 Ghidra, API resolve markup
11:50 Hash resolver in Python
15:59 API resolver as Ghidra script
22:22 Trying to find the decryption code
24:46 Patch Virut to execute on Win 10
28:29 Debugging until host file execution
33:48 Forcing Virut into unpacking
43:20 Self-modifying code
45:55 Decryption function markup
50:34 Patching Ghidra DB with unpacked code
52:36 Virus body triage

#malware #malwareanalysis #reverseengineering
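The description mentions writing an API hash resolver in Python and then turning it into a Ghidra script. The following is an added example of the Python half, not code from the video or its author: it precomputes hashes over a list of export names and maps the hash values found in a sample back to `dll!function` labels. The page does not say which hash algorithm Virut uses, so `hash_api()` below is a generic ROR-13 style hash used purely as an assumption; an analyst would replace it with the routine recovered from the sample. The export names are a constructed list standing in for a real export table (which would normally be read from the DLLs with a PE parser).

```python
"""Generic API-hash resolver (added example, not the video's own script).

Assumptions:
  * hash_api() is a stand-in ROR-13 hash; the real sample's algorithm is not
    stated on the page and must be recovered by reversing.
  * SAMPLE_EXPORTS is a constructed export list, not parsed from real DLLs.
"""

from typing import Dict, Iterable, List, Optional, Tuple

# Constructed export table: in real use, parse the DLL export directories.
SAMPLE_EXPORTS: Dict[str, List[str]] = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileA"],
    "ntdll.dll": ["NtCreateFile", "RtlAllocateHeap"],
}


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    value &= 0xFFFFFFFF
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def hash_api(name: str, seed: int = 0, rotation: int = 13) -> int:
    """Assumed hash: rotate-right accumulator over the ASCII bytes of `name`.

    This is a placeholder algorithm, not the one the analysed sample uses.
    """
    h = seed
    for b in name.encode("ascii"):
        h = (ror32(h, rotation) + b) & 0xFFFFFFFF
    return h


def build_table(exports: Dict[str, Iterable[str]]) -> Dict[int, str]:
    """Map hash -> 'dll!name' for every export; refuse silent collisions."""
    table: Dict[int, str] = {}
    for dll, names in exports.items():
        for name in names:
            label = f"{dll}!{name}"
            h = hash_api(name)
            if h in table and table[h] != label:
                # A collision would make the resolver lie about the API; fail loudly.
                raise ValueError(f"hash collision {h:#010x}: {table[h]} vs {label}")
            table[h] = label
    return table


def resolve(h: int, table: Dict[int, str]) -> Optional[str]:
    """Return the API label for a 32-bit hash, or None if not in the table."""
    return table.get(h & 0xFFFFFFFF)


def resolve_all(hashes: Iterable[int], table: Dict[int, str]) -> List[Tuple[int, str]]:
    """Resolve a list of hashes pulled from the sample, keeping unknowns visible."""
    return [(h, resolve(h, table) or "<unresolved>") for h in hashes]


if __name__ == "__main__":
    table = build_table(SAMPLE_EXPORTS)
    # Constructed "hashes from the sample": two known, one deliberately unknown.
    found = [hash_api("LoadLibraryA"), hash_api("VirtualAlloc"), 0xDEADBEEF]
    for h, label in resolve_all(found, table):
        print(f"{h:#010x} -> {label}")
```

Once the hash routine matches the sample, the same table is what a Ghidra script would consume: iterate over the immediate operands at the hash-resolving call sites and set the resolved `dll!name` as a comment or label, which is the "API resolve markup" step listed in the chapters.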