Archive for the ‘Tips and Tricks’ Category

Unpacking NakedPacker

Saturday, May 30th, 2009

NakedPacker is somewhat commonly seen in malware. Though it's only a compressor, I guess the name and the easy GUI make the teenage mutant wannabe-ninja herders come flocking to it. (more…)

antitest.exe is out

Wednesday, October 22nd, 2008

As I mentioned in the previous blog post I’ve been working on a binary that contains various anti-debug/tracing/emulation/virtualization tricks. Even though there’d be an eternal list of tricks to be added to it I’m pretty satisfied with the ones it has currently. (more…)

Under the hood: Yoda’s Crypter 1.3

Friday, April 6th, 2007

Yoda’s Crypter (yC) was released in 2004, but never seemed to gain popularity amongst malware writers. Still, it isn’t uncommon to run into a sample protected by it. yC utilizes a polymorphic stub to hide better, but the packer can be easily fingerprinted.

I switched on every possible option in the packer, and packed a testfile with it. I’ll try to go through all the options and display them in the code. At the same time, we’ll walk through the unpacking process.

(more…)

Analyzing code injectors

Friday, March 23rd, 2007

Increasing numbers of malware are injecting code into other processes, whether to stay better hidden or to hook some vital functionality. Debugging these for analysis gets tricky when you might have to be debugging two different processes at once. On top of that, if you’ve ever debugged something that injects into lsass.exe or another critical process and the code is so bad it bluescreens your whole computer, you feel the sting of losing valuable time to a reboot and redebugging. (more…)
