Cerbero Suite 6 and Cerbero Engine 3 are out!

We’re happy to announce the release of Cerbero Suite 6 and Cerbero Engine 3!

All of our customers can upgrade at a 50% discount their licenses for the next 3 months. We value our customers and everyone who has bought a license in August should have received a free upgrade for Cerbero Suite 6. Everyone who has purchased a license before August, but in the last 3 months, should have received an additional discount. Commercial customers with an active subscription plan should have already received a license for Cerbero Suite 6.

If you’re a customer of Cerbero Suite 5 and didn’t get an email from us, please contact us at sales@cerbero.io.

So what’s new?

Sample Downloader Package

While we published this package on Cerbero Store in August, it was actually planned for the 6.0 release: one of the main reasons for the introduction of Cerbero Store was the ability to offer certain types of updates as soon as they were ready.

Check out the video presentation for a quick introduction to the Sample Downloader package.

Installing the package from Cerbero Store takes only a few clicks. Once installed, you can go to the settings and enter your API keys for the supported intelligence services.

To download one or multiple malware samples, just enter their hash.

Sample Downloader will try to download the malware samples from all supported intelligence services.

Once the samples have been downloaded, you can directly inspect them in Cerbero Suite.

You can download additional samples using one of the actions added by the package. Additionally, Sample Downloader can also be invoked from the command line.

Improved Search Dialogs

We improved all the search dialogs in Cerbero Suite and we made sure that all of them support regular expressions.

However, the main improvement is that we introduced wrap around search.

We also added text search to our Carbon disassembler and native Ghidra UI.

Java Class & DEX Modules Documentation

We have documented the API for parsing Java Class files and Android DEX files.

Writable Remote Containers

With our multi-processing technology we introduced remote containers. One of the limitations of remote containers was that they were read-only. Now we also support writable remote containers.

Updated Sleigh Decompiler & AppleSilicon Support

We updated the Sleigh decompiler to the one in Ghidra 10.1.15.

While support for AppleSilicon was provided through the generic support for ARM64, we now have added specific support for AppleSilicon in the decompiler.

Improved Office Documents Scan

Following a tweet on Twitter, we made sure that external references in Microsoft Office documents are correctly detected also in .rels files.

We have also improved string support in older XLS documents.

Text Browser View

We have graphically improved our text browser view, the UI control used by our Carbon disassembler, and we have exposed it to Python.

Here’s a code example from the SDK documentation showing how to display custom lines provided from UI notifications and how to handle textual hyper-links:

from Pro.Core import *
from Pro.UI import *

class CustomView:

    @staticmethod
    def callback(cv, self, code, view, data):
        if code == pvnInit:
            t = cv.getView(1)
            t.showCustomLines()
            return 1
        elif code == pvnTextBrowserLineCount:
            vid = view.id()
            if vid == 1:
                data.setCount(100)
        elif code == pvnTextBrowserGetLine:
            vid = view.id()
            if vid == 1:
                b = ProTextBrowserStringBuilder()
                b.setTextColor(0, 0, 180)
                b.append("This is line number ")
                b.setTextColor(180, 0, 0)
                b.append(str(data.id + 1) + " ")
                b.setTextColor(0, 180, 0)
                b.beginHyperLink(1, 0)
                b.append("This is a hyper-link.")
                b.endHyperLink()
                data.setLine(b.buffer)
        elif code == pvnTextBrowserHyperLinkActivated:
            vid = view.id()
            if vid == 1:
                proContext().msgBox(MBIconInfo, "Hyper-link activated!")
        return 0

    def show(self):
        ctx = proContext()
        v = ctx.createView(ProView.Type_Custom, "Text Browser Demo")
        v.setup("<ui><vl margin='0'><textbr id='1'/></vl></ui>", self.callback, self)
        ctx.addView(v)

cv = CustomView()
cv.show()

Exposed ProTheme

We have exposed UI themes to Python, which is going to be useful to plugins which need to query colors for a specific theme.

Introduced ProWebRequest

Our API for web requests was somewhat limited. We have therefore introduced ProWebRequest.

Fixed Bugs

We have fixed a few major bugs and regressions. Specifically we fixed:

  • a wrong Windows Memory Analysis package dependency for Windows crash dump files
  • a regression causing a crash when changing a function prototype in the decompiler
  • a regression resulting in a missing refresh when loading embedded files

We have also made other various improvements and fixed a few minor issues.

What’s Next?

These are some of the things we introduced over the course of the 5.x series:

During the 6.x series we expect to finish the SDK documentation and, even more importantly, introduce many exciting new features.

We expect this series to be more feature-focused, since a considerable amount of the development time of the previous series has been devoted to laying the groundwork for Cerbero Store.

As during the previous series, we’ll release some of the packages on Cerbero Store exclusively to commercial licenses. The current ratio of commercial packages on Cerbero Store is 50%.

We try to limit the amount of commercial packages to those which fulfill a strictly commercial purpose and release more generic packages for all licenses. That having been said, we are planning some extremely useful commercial packages for this series which you don’t want to miss!

Suite 5.7 and Engine 2.7 are out!

Here summarized are the main news of this release of Cerbero Suite 5.7 and Cerbero Engine 2.7.

Expanded AbuseCH Intelligence Package

We have released an improved version of the originally named ‘MalwareBazaar Intelligence’ commercial package. We have renamed the package to ‘AbuseCH Intelligence’ and greatly expanded its functionality.

Check out the video presentation to quickly learn about its features.

If you want to learn more about the new features, you can read our dedicated post.

CFBF Module Documentation

We have documented the API for parsing Microsoft legacy Office documents.

The documentation includes examples that show how to enumerate CFBF directories, decrypt documents, extract VBA code and decompile macros.

Augmented JBIG2 Decoding Security

Our PDF support has been featuring the capability to decode JBIG2 streams for many years.

In this release we have made our already hardened JBIG2 decoding support even more secure by relegating it to a different process and constraining it to a time threshold.

JBIG2 is an imperative file format which has been demonstrated can be Turing complete. In fact, one of the most sophisticated exploits has been created exploiting a JBIG2 library in iOS. The exploit mentioned in the article creates over 70,000 segments to create a small virtual machine in logical operations defined by JBIG2.

Our changes perfectly prevent memory exhaustion and stalling issues: if the decoding process doesn’t complete within a given time, the decoding fails and the issue is reported to the user.

Human Hash

We have integrated human hashes in our analysis workspace. When you rest the cursor on the cryptographic hash of the current object, it displays the humanized version of the hash as a tool-tip.

The humanized hash can also be copied to the clipboard from the drop-down menu next to the cryptographic hash edit box.

While a human hash with a uniqueness of 1 in 4 billions defeats the security of cryptographic hashes, it may be useful when comparing hashes at a glance.

Deflate64 Support

We have added support for the proprietary deflate64 decompression method. The decompression is integrated both in our Zip format support and in our filters technology.

New Python APIs

We added a few new APIs to our SDK. The most important addition is the logicProviderArguments method, which can be used by logic providers to retrieve their command line arguments (in case they were invoked from the command line).

This is a small code example of a logic provider init function:

def customLogicProviderInit():
    ctx = proCoreContext()
    args = ctx.logicProviderArguments()
    if not args.isEmpty():
        # has arguments...

Extensions Load Errors

To more easily debug load errors of extensions, we have enabled a debug message which shows only once for each extension which failed to load. This change is mainly directed at developers of extensions.

We have also made other various improvements and fixed a few issues.

Suite 5.6 and Engine 2.6 are out!

Here summarized are the main news of this release of Cerbero Suite 5.6 and Cerbero Engine 2.6.

MalwareBazaar Intelligence Package

We created the MalwareBazaar Intelligence package. This package lets you access intelligence from MalwareBazaar directly from the file report.

Commercial licenses for Cerbero Suite Advanced have access to this package.

UPX Unpacker Package

We created an UPX Unpacker package available for all licenses.

From the UPX web-site: “UPX is a free, portable, extendable, high-performance executable packer for several executable formats.”

By installing the UPX Unpacker package, binaries compressed with UPX are automatically identified and unpacked as child objects.

PE, ELF and Mach-O binaries are all supported.

If for some reason a binary is not automatically unpacked, the unpacker can be invoked manually as an action.

Additionally, the unpacker can be invoked from Python.

You can read more about the topic in our dedicated post.

Internal Project Files

We introduced a new major core feature, namely the capability to generate files which do not exist on disk and store them in the analysis report.

While this feature may not appear as essential, it has countless real-world applications. For example, an unpacker may unpack a file during the scanning process and store the resulting file as an internal file. When the unpacked file is requested, the operation bypasses the unpacker and directly accesses the internal file.

Internal files can be referenced from embedded objects as well as from root entries.

You can read the details about the topic in our dedicated post.

After-Scanning Actions

We made several improvements which can be best described as ‘after-scanning actions’.

For instance, it is now possible to programmatically add scan entries to a report after the scanning has occurred.

While the user could always manually load embedded objects after scanning, it is now possible to load embedded objects programmatically after scanning.

Furthermore, we added the capability to add new root entries to a report by letting the user choose files from disk. This can also be performed programmatically.

Last but not least, we added the capability to promote the data in a hex view to a root file in the report.

You can read more about the topic in our dedicated post.

Add File To Report Action

As already mentioned this in the paragraph of the after-scanning actions, we added the capability to add new root entries to a report by letting the user choose files from disk.

If added from code, root entries can also reference internal files.

Promote Hex Data To Root File Action

As already mentioned this in the paragraph of the after-scanning actions, we added the capability to promote the data in a hex view to a root file in the report.

The data from the hex view is stored as an internal file and referenced from the root entry. The advantage over loading an embedded object from a hex view is that promoting the data to a root file isn’t limited to analysis hex views. In fact, this action can be performed from any hex view.

Added Core SDK APIs

While we routinely add new APIs to our SDK, this release comes with a larger number of new and improved APIs in the Core module.

CAB & Certificates Modules Documentation

Having already completed the SDK documentation of our core modules, we have started documenting our file format modules and just finished the first two.

We have documented the API for parsing Microsoft Cabinet files.

And we have documented our comprehensive API for parsing certificate files in both DER and PEM encodings.

We’ll continue documenting our file format modules in the upcoming months.

Improved Settings Page

We have improved our settings page. Specifically, we have switched from a tab-based interfaced to a list-based one.

The reason for this change lies in the capability of plugins to add custom pages to the settings and a tab-based interfaced may get too cramped in the future.

Fixed Python GIL Issues

We fixed a number of issues related to the Python Global Interpreter Lock. These issues would show themselves rarely but could lead to crashes under the right conditions when using scan providers implemented in Python.

VBA Extraction Code Page Support

A user reported issues with VBA extraction related to code page support. The extracted VBA now correctly shows non-ascii characters.

We have also made other minor improvements and fixed a few minor issues.

CAB & Certificates SDK Documentation

Having already completed the SDK documentation of our core modules, we have started documenting our file format modules and just finished the first two.

Namely, we have documented the API for parsing Microsoft Cabinet files.

And we have documented our comprehensive API for parsing certificate files in both DER and PEM encodings.

We’ll continue documenting our file format modules in the upcoming months.

Suite 5.5 and Engine 2.5 are out!

Here summarized are the main news of this release of Cerbero Suite 5.5 and Cerbero Engine 2.5.

Cerbero Engine Editions

Cerbero Engine already supports various platforms and architectures. Now, it comes in two different editions: Classic and Metal.

While in the Classic edition all UI functions are available, the Metal edition comes without UI dependencies.

The Metal edition is designed to be run in cloud and server environments which may lack a graphical interface.

We took great care in preserving plugin compatibility.

Plugins which import graphical functions are compatible with the Metal edition: all UI functions are available, though they are provided only as stubs. A few graphical methods like msgBox fall back to console I/O.

Providing two editions of Cerbero Engine allows us to offer the perfect fit for organizations which need a powerful and flexible back-end for their services.

Microsoft Authenticode on Linux and macOS

Customers with commercial licenses for Cerbero Suite Advanced and Cerbero Engine can verify Microsoft Authenticode signatures on Linux and macOS. Our Authenticode support includes full-chain certificate and time-stamp verification.

The only required step to verify Authenticode signatures on non-Windows systems is to install our “Microsoft Authenticode” package from Cerbero Store.

Cerbero Suite has been using its own implementation of Microsoft Authenticode for performance reasons since the very beginning, back in 2012. However, thanks to the recently introduced Cerbero Store we can now offer this feature on systems other than Windows.

We have also exposed Authenticode validation to our Python SDK. You can read more about the topic in our dedicated post.

Certificates Support

While Cerbero Suite already lets you inspect certificates inside binaries, now it can load them directly from disk and also lets you inspect each individual ASN1 object.

Both DER and PEM encodings for certificates are supported.

You can inspect all types of certificates, including X509, PKCS7 and PKCS12.

We have also exposed the code to our Python SDK in order to make the programmatic parsing of certificates a simple task.

You can read more about the topic in our dedicated post.

Command Line Improvements

We’ve made various improvements to command line support, the most interesting among them is the addition of command line I/O on Windows.

On Windows running scripts with the ‘-c’ argument results in not being able to see the stdout output. The reason for this is that the cerpro executable is built as a GUI application and therefore is not attached to a terminal.

To overcome this limitation we have added a launcher on Windows called “cerpro_console.exe”.

For example:

cerpro_console.exe -e "t=input('Input a string: ');print(t)"

The code asks the user to input a string and prints it back.

Of course, the cerpro_console executable can be used to launch any functionality of Cerbero Suite which supports console mode (‘-c’).

For example the following command prints out the command-line help to stdout:

cerpro_console.exe -h

You can read about all the improvements we’ve made in our dedicated post.

Command Line Scripting & Package Management SDK Documentation

We have released the official SDK documentation for command line scripting and package management.

Improved SDK Documentation

We have improved the visualization of the SDK documentation by adding tables which sum up the contents of modules and classes.

This makes it quicker to grasp the contents of an object.

We have also made other minor improvements and fixed a few bugs.

Microsoft Authenticode on Linux and macOS

With the upcoming releases customers with commercial licenses for Cerbero Suite Advanced and Cerbero Engine can verify Microsoft Authenticode signatures on Linux and macOS. Our Authenticode support includes full-chain certificate and time-stamp verification.

In conjunction with our recently extended support for certificate file formats, this provides complete support for inspecting signed Portable Executable binaries.

The only required step to verify Authenticode signatures on non-Windows systems is to install our “Microsoft Authenticode” package from Cerbero Store.

Cerbero Suite has been using its own implementation of Microsoft Authenticode for performance reasons since the very beginning, back in 2012. However, thanks to the recently introduced Cerbero Store we can now offer this feature on systems other than Windows.

We have also exposed Authenticode validation to our Python SDK.

from Pro.PE import *

print(PE_VerifyAuthenticode(obj))

Alternatively, scan hooking extensions can check the generated report for the validation scan entries.

Certificates Support

In the upcoming 5.5 version of Cerbero Suite and the 2.5 version of Cerbero Engine we support certificate formats. While Cerbero Suite already lets you inspect certificates inside binaries, now it can load them directly from disk and also lets you inspect each individual ASN1 object.

Both DER and PEM encodings for certificates are supported.

You can inspect all types of certificates, including X509, PKCS7 and PKCS12.

We have also exposed the code to our Python SDK in order to make the programmatic parsing of certificates a simple task.

For example, enumerating every ASN1 object in a certificate takes just a few lines of code:

from Pro.Core import *
from Pro.Certificates import *

def main():
    obj = proCoreContext().currentScanProvider().getObject()
    class Visitor(DERObjectVisitor):
        def Visit(self, obj, oi):
            print(oi.offset, oi.content_size)
            return 0
    v = Visitor()
    obj.VisitObjects(v)

main()

We’ll be fully documenting the Pro.Certificates module this year.

Cerbero Engine Editions

Cerbero Engine already supports various platforms and architectures. Now, it comes in two different editions: Classic and Metal.

While in the Classic edition all UI functions are available, the Metal edition comes without UI dependencies.

The Metal edition is designed to be run in cloud and server environments which may lack a graphical interface.

We took great care in preserving plugin compatibility.

Plugins which import graphical functions are compatible with the Metal edition: all UI functions are available, though they are provided only as stubs. A few graphical methods like msgBox fall back to console I/O.

Providing two editions of Cerbero Engine allows us to offer the perfect fit for organizations which need a powerful and flexible back-end for their services.

Suite 5.4 and Engine 2.4 are out!

Here summarized are the main news of this release of Cerbero Suite 5.4 and Cerbero Engine 2.4.

.NET ReadyToRun Format Support

Thanks to one of our customers who reported it to us we have introduced support for the .NET ReadyToRun format.

We already support NGen generated native images and our support for the ReadyToRun format makes sure that it is not mistaken for an NGen generated image.

Hex Editing Processes on Linux

This release of Cerbero Suite introduces the capability to open processes in the hex editor on Linux. Windows has already supported this feature since the introduction of our hex workspace.

You can read more about the topic in our dedicated post.

We have also exposed our process API in the Core module to Python and documented it.

API Solver Package

We have released our API Solver package on Cerbero Store for all commercial licenses of Cerbero Suite Advanced. This package is especially useful when analyzing shellcode.

You can read more about the topic in our dedicated post.

Common Passwords Package

We moved our built-in password brute-forcers to an external package on Cerbero Store called “Common Passwords”. Cerbero Suite Advanced (both commercial and non-commercial) and Cerbero Engine have access to the package.

You can read more about the topic in our dedicated post.

Silicon Spreadsheet Documentation

We have fully documented our Excel macro emulator and spreadsheet visualization module.

Improved ITSF (CHM) Format Support

We have improved our support for Microsoft’s ITSF (also known as CHM) format and we have exposed the format to our Python SDK.

You can read more about the topic in our dedicated post.

Improved Hex Editor

We made it very easy to select contiguous ASCII, Hex and Base64 strings in the hex editor. This comes very handy when loading embedded files or decoding data.

We have also made other minor improvements and fixed a few bugs.