Category: Uncategorized

Full-fledged Hex-Editor

The upcoming standard and advanced edition of Cerbero Suite 3.0 will feature a full-fledged hex-editor with undo functionality and all the other common goodies.

In the past it was quite cumbersome to edit a file with Cerbero Suite and undo wasn’t available. This is no longer the case as the hex-editor functionality comes now in its own workspace and can be accessed even from the shell context menu on Windows or by specifying the “-hex” argument.

The hex-editor shares much of the functionality also found in the analysis workspace, such as layouts and scripting.

Of course, filters are available as well.

And, as cherry on top, every hex-view in the analysis workspace will be editable, but without ever writing to the original file. To save the modified content access the “Copy” menu and click on “Copy into new file”.

Coming soon!

Profiler 2.8 – Windows Memory Forensics

Windows memory forensics on OSX.

Profiler 2.8 is out with the following news:

+ added support for Windows raw memory images
added unhandled exception debug tools on Windows
added unhandled exception notification for Python
– exposed tree control to the Python SDK
– improved CFBF support
– improved PDF parsing against new malware samples
– fixed PDB issue with zero-sized streams
– fixed issues in JBIG2 decoder
– fixed display of PE timestamps in UTC

The biggest news is undoubtedly the introduction of Windows memory forensics support in the Advanced version of Profiler.

And here’s the same screenshot as above taken on Linux.

Improved Exception Handling

We have also drastically improved exception handling for both Python and native code, especially on Windows.

Whenever Python raises an unhandled exception a message box pops up on Windows and on other systems the exception is printed out to the terminal if it happens outside of the UI thread.

When the issue is more serious and results in a crash the user will be presented with the following message box on Windows.

If the crash happened from Python code, the user is given the possibility to retrieve a backtrace of the last executed Python methods.

If the crash happened in the native code, it’s now possible to create a dump file.

Enjoy!

Profiler 2.7

Profiler 2.7 is out with the following news:

+ added experimental support for Windows raw memory images
+ added support for EML files
+ added TOR-based URL download action
added JBIG2 decoder for PDFs
– improved PDF parsing against new malware samples
– improved search in hex view
– updated OpenSSL to 1.0.2
– updated Python to 3.6
– reduced dependencies on Linux
– fixed possible division by zero in PEObject::RvaToOffset
– fixed filter preview crash
– fixed Python multi-threading issue
– fixed PasteBin plugin
– fixed recognition of newer DEX files
– default to SHA-2/256 instead of SHA-1
– various bug fixes and improvements

With this version we also start to release the Advanced edition of Profiler. News entries marked by the ‘+’ sign are exclusive to the Advanced edition.

Experimental support for Windows raw memory images

Quite some time has passed since we published a post demonstrating some basic memory forensics capabilities in Profiler.

In this release of the Advanced edition we decided to publish that code, although barely functional. We didn’t want to additionally delay this long due release by working more on the memory forensic part. We will try to clean it up and make it more useful for the next release. 🙂

Enjoy!

PE Insider

It is always nice to give something back to the community and although this is unfortunately not always possible, we’re happy to announce the release of PE Insider, a free PE viewer which shares the same codebase for inspection as Cerbero Profiler and hence supports the entire PE specification and is incredibly fast and stable. We’re always very busy, but I was finally convinced by Ange Albertini to create this utility. 😉

PE Insider

The utility clearly stands light-years away in terms of functionality compared to the Profiler, but it does have some things which go beyond the simple format inspection including MSIL disassembly, navigation, ranges and resource preview.

Of course there’s room for improvement, but in the meantime here’s a first version. Enjoy!

P.S. To keep up-to-date with news regarding this utility either subscribe to our twitter account or follow the blog.

DEX support

Support for Android’s DEX format is the last major feature of the upcoming 0.9.0 release of the Profiler. The support includes format, layout ranges and a Dalvik disassembler. Support for APK is implicit, since support for Zip archives has been added long ago.

All sections of the format are accessible. The central point for parsing a DEX file is the Classes view. Hence it’s also the most complex view of the format.

Also accurate layout ranges can help to analyze the format.

And finally a disassembler to quickly inspect the Dalvik bytecode.

Here’s a disassembled function from the Android SDK NotePad sample:

  private final void cancelNote()
  {
    const/4 v3, #int 0 // #0
    iget-object v1, v4, android.database.Cursor mCursor
    if-eqz v1, loc_74 // +34
    iget v1, v4, int mState
    if-nez v1, loc_90 // +38
    iget-object v1, v4, android.database.Cursor mCursor
    invoke-interface {v1}, void android.database.Cursor.close()
    iput-object v3, v4, android.database.Cursor mCursor
    new-instance v0, android.content.ContentValues
    invoke-direct {v0}, void android.content.ContentValues.()
    const-string v1, "note"
    iget-object v2, v4, java.lang.String mOriginalContent
    invoke-virtual {v0, v1, v2}, void android.content.ContentValues.put(java.lang.String, java.lang.String)
    invoke-virtual {v4}, android.content.ContentResolver getContentResolver()
    move-result-object v1
    iget-object v2, v4, android.net.Uri mUri
    invoke-virtual {v1, v2, v0, v3, v3}, int android.content.ContentResolver.update(android.net.Uri, android.content.ContentValues, java.lang.String, java.lang.String[])
loc_74:
    const/4 v1, #int 0 // #0
    invoke-virtual {v4, v1}, void setResult(int)
    invoke-virtual {v4}, void finish()
    return-void
loc_90:
    iget v1, v4, int mState
    const/4 v2, #int 1 // #1
    if-ne v1, v2, loc_74 // -11
    invoke-direct {v4}, void deleteNote()
    goto loc_74 // -16
  }

And the original source for comparison:

    private final void cancelNote() {
        if (mCursor != null) {
            if (mState == STATE_EDIT) {
                // Put the original note text back into the database
                mCursor.close();
                mCursor = null;
                ContentValues values = new ContentValues();
                values.put(NotePad.Notes.COLUMN_NAME_NOTE, mOriginalContent);
                getContentResolver().update(mUri, values, null, null);
            } else if (mState == STATE_INSERT) {
                // We inserted an empty note, make sure to delete it
                deleteNote();
            }
        }
        setResult(RESULT_CANCELED);
        finish();
    }

Next week will be dedicated to fixing reported bugs and adding some small improvements. After that and some testing the new version should be ready, so keep tuned as the new version should be deployed soon!

Zip archives support

Among other additions, the new 0.7.8 version of the Profiler features support for Zip archives and an improved interface for displaying the file hierarchy.

Zip Archive

The supported decompression methods are Deflate and BZIP2 (more will be added). All popular encryption technologies are supported: ZipCrypto and WinZip AES. Support for the undocumented and proprietary PKWare encryption technology is still missing.

One of the handy UI improvements is the in depth risk report.

Risk tooltip

In this case the global risk signals that the calculated risk is 45% but could be more because some files could not be analyzed, since their format is not supported. This risk reporting is available both for the global risk and individual files.

Risk tooltip 2

In this case the main file “nested_crypto.zip” was decrypted but the decryption of the embedded file “test.zip” failed, because I didn’t enter the password for it. We can see that “test.zip” has not been decrypted (nor the files it contains) because of the e character next to the risk percentage. The meaning of these kind of characters is explained by the tooltip.

The Zip format covers an enourmous amount of extensions and hugely increases the usefulness of the Profiler. Enjoy! 😉