-
Newest addition to a happy family: KBOT
At the beginning of May, here in Poland we have a couple of free days. 3rd May is Constitution Day, and May 1st is Labour Day. Most of us use those days to unwind after winter, but some malware authors apparently didn’t: a few weeks ago, our friends started …
-
09 March 2016 mak
MadProtect, not that mad
Some weeks ago we stumbled on a packer that our tools could not break. Surprisingly, this is actually not that common since most of the malware in the wild uses some sort of RunPE technique which is relatively trivial to break using simple memory tracing. MadProtect is not any different …
-
A funny little obfuscation technique
Recently we ran across quite an interesting sample, which used an obfuscation technique that was beautiful in its simplicity. But before we dive in, let us provide some background for it. One of the easier and most common techniques for automatic unpacking is to hook kernel32!WriteProcessMemory and …