
Content

In this stream we continue our analysis of Danabot with a focus on the core component. Danabot is written in Delphi which requires some additional tooling on top of IDA to reverse engineer.

Building on our use of IDR in the last stream, we extract the "record" metadata (Delphi structs) and use it to identify key information in the binary. We also demonstrate how to diff the records of an older version of the malware against a new version to quickly identify changes and updates!

Samples

Notes

DanaBot Core - Taking a look at a new version of the DanaBot Core

Files

Live Stream VOD: Danabot Core Triage Part 2 - Delphi Structs and IDA

Comments

m4n0w4r

This stream is awesome ... nice trick with IDR for creating structs! Thanks so much Sergei!!! Here is the summary when analyzing a Delphi binary:

- Load the binary into IDA and turn off options related to the auto analysis feature.
- Go to Options > Compiler... set Delphi and fastcall.
- Shift+F5 and add IDA's sig related to Delphi, then re-enable IDA's auto analysis feature.
- Use IDR to analyze the binary and create MAP & IDC files. Use Zscaler_tools (idr_idc_to_idapy.py & idr_map_to_idapy.py) to extract the information from the generated IDC and MAP files and use the output scripts to import the naming information.
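The last step of the summary above, carrying IDR's MAP output into IDA, is shown here as an added example; it is not code from the stream, from IDR, or from the Zscaler_tools scripts mentioned in the comment. It assumes the Borland/Delphi MAP layout (a segment table followed by a "Publics by Value" section) and that each public's offset is relative to the start address of its segment; the sample MAP text, addresses and names are constructed for illustration.

```python
"""
Added example: parse a Delphi-style MAP file (the format IDR writes) into
{virtual address: name}, and apply the names when run inside IDA.
Outside IDA it only parses, so it can be checked stand-alone.
"""
import re

# Constructed sample in the Borland MAP layout; addresses and names are made up.
SAMPLE_MAP = """\
 Start         Length     Name                   Class
 0001:00401000 0002F4C8H .text                   CODE
 0002:00431000 00000F28H .data                   DATA

  Address         Publics by Value

 0001:00000000       System.@Halt0
 0001:00001A4C       TMainForm.FormCreate
 0001:00002B10       TNetClient.SendPacket
 0002:00000010       TMainForm.Instance
"""

# Segment table row:  0001:00401000 0002F4C8H .text CODE
SEG_RE = re.compile(r"^\s*(\d{4}):([0-9A-Fa-f]{8})\s+[0-9A-Fa-f]+H\s+(\S+)\s+(\S+)")
# Publics row:        0001:00001A4C       TMainForm.FormCreate
PUB_RE = re.compile(r"^\s*(\d{4}):([0-9A-Fa-f]{8})\s+(\S+)\s*$")


def parse_map(text):
    """Return {virtual_address: name} for every public whose segment is known.

    Assumption: a public's offset is relative to its segment's start address
    from the segment table (the Delphi linker convention).
    """
    segments = {}  # segment number -> start virtual address
    names = {}
    in_publics = False
    for line in text.splitlines():
        if "Publics by Value" in line:
            in_publics = True
            continue
        if not in_publics:
            m = SEG_RE.match(line)
            if m:
                segments[int(m.group(1))] = int(m.group(2), 16)
            continue
        m = PUB_RE.match(line)
        if not m:
            continue  # blank lines and headers
        seg, off, name = int(m.group(1)), int(m.group(2), 16), m.group(3)
        if seg not in segments:
            continue  # cannot place this public; skip rather than guess
        names[segments[seg] + off] = name
    return names


def ida_safe_name(name):
    """IDA rejects '.' in symbol names by default; map anything outside a
    conservative charset to '_' so TUnit.Method becomes TUnit_Method."""
    return re.sub(r"[^A-Za-z0-9_@$?]", "_", name)


def apply_names(names):
    """Inside IDA, name each address; elsewhere just return the planned renames."""
    try:
        import idc  # only importable from IDA's script interpreter
    except ImportError:
        idc = None
    applied = []
    for ea, name in sorted(names.items()):
        safe = ida_safe_name(name)
        if idc is not None:
            idc.set_name(ea, safe, idc.SN_NOWARN | idc.SN_FORCE)
        applied.append((ea, safe))
    return applied


if __name__ == "__main__":
    for ea, name in apply_names(parse_map(SAMPLE_MAP)):
        print("0x%08X %s" % (ea, name))
```

Run it from IDA (File > Script file) with the MAP text read from IDR's output file instead of `SAMPLE_MAP`; outside IDA it prints the address/name pairs it would apply, which is a quick way to sanity-check the segment-base arithmetic before touching the database.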