MW-Blog

Yoda’s Crypter (yC) was released 2004, but never seemed to gain popularity amongst malware writers. But still, it isn’t uncommon to run into a sample protected by it. yC utilizes a polymorphic stub to hide better, but the packer can be easily fingerprinted.

I switched on every possible option in the packer, and packed a testfile with it. I’ll try to go through all the options and display them in the code. At the same time, we’ll walk through the unpacking process.

(more…)

Increasing numbers of malware are injecting code into other processes whether to stay better hidden or to hook some vital functionalities. When debugging these for analysis things get tricky when you might have to be debugging two different processes. On top of that, if you’ve ever debugged something that injects into lsass.exe or other critical processes and the code sucks so much it bluescreens your whole computer you feel the sting when you lose valuable time due to reboot and redebugging. (more…)