We recently stumbled upon this tweet by @Cryptolaemus1 about a malicious OneNote document with an embedded ISO file. Since we had just released our ISO Format package, we thought it would be interesting to analyze this malware sample with Cerbero Suite.
The unidentified embedded object in the OneNote document is an ISO file.
Continue reading “OneNote Malware With ISO File”
The upcoming 5.4 version of Cerbero Suite and 2.4 of Cerbero Engine come with improved support for Microsoft’s ITSF format (Info-Tech Storage Format, better known by its CHM extension).
We also exposed the format to our Python SDK.
The following sample enumerates the files in a CHM. The commented-out line of code extracts the data of each file.
from Pro.Core import *
from Pro.ITSF import *

# wrapped in a function so that the early returns on failure are well formed
def enumerateCHMFiles(chm_name):
    # open the file as a container and parse it as ITSF
    c = createContainerFromFile(chm_name)
    obj = ITSFObject()
    if not obj.Load(c):
        return
    # parse the headers and decompress the compressed content sections
    if not obj.LoadHeaders() or not obj.DecompressSections():
        return
    n = obj.GetListingEntryCount()
    entry = ITSFDirectoryListingEntry()
    for i in range(n):
        if obj.GetDirectoryListingEntry(i, entry):
            print("name:", entry.name, "- size:", entry.size)
            # uncomment to extract the file data
            #content = obj.GetFile(entry)
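To show what the SDK does under the hood, here is an added example written for this page (it is not part of Cerbero's SDK or of the original post) that walks the ITSF header, the ITSP directory header and the PMGL listing chunks of a CHM in plain Python, using the field offsets from the public, unofficial CHM format documentation. It builds a constructed, minimal version-3 CHM in memory, so it runs offline; the file names and contents are made up. It extracts files only from the uncompressed content section 0 and deliberately refuses section 1, which is LZX-compressed (the step that DecompressSections() performs in the SDK and that this example does not implement). Every length and offset read from the file is checked before use, since a crafted CHM can point them anywhere.

```python
import struct

# GUIDs from the public (unofficial) ITSF/CHM format documentation, in on-disk byte order
ITSF_GUID1 = bytes.fromhex("10FD017CAA7BD0119E0C00A0C922E6EC")
ITSF_GUID2 = bytes.fromhex("11FD017CAA7BD0119E0C00A0C922E6EC")
ITSP_GUID = bytes.fromhex("6A92025D2E21D0119DF900A0C922E6EC")


def encint(n):
    """Encode an ENCINT: big-endian, 7 bits per byte, high bit set means more bytes follow."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.insert(0, 0x80 | (n & 0x7F))
        n >>= 7
    return bytes(out)


def read_encint(buf, pos, end):
    """Decode an ENCINT at buf[pos]; refuse to read past `end`."""
    val = 0
    while True:
        if pos >= end:
            raise ValueError("ENCINT runs past end of chunk")
        b = buf[pos]
        pos += 1
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            return val, pos


def build_sample_chm(files, chunk_size=0x1000):
    """Constructed test input: a minimal version-3 CHM with one PMGL directory chunk
    and every file stored uncompressed in content section 0."""
    content, entries, off = b"", b"", 0
    for name, data in files:
        nb = name.encode("utf-8")
        entries += encint(len(nb)) + nb + encint(0) + encint(off) + encint(len(data))
        content += data
        off += len(data)
    free = chunk_size - 0x14 - len(entries)  # free space plus quickref area (entry count)
    chunk = (b"PMGL" + struct.pack("<IIii", free, 0, -1, -1) + entries
             + b"\0" * (free - 2) + struct.pack("<H", len(files)))
    itsp = (b"ITSP" + struct.pack("<IIIIIIiiiiII", 1, 0x54, 0x0A, chunk_size, 2, 1, -1, 0, 0, -1, 1, 0x409)
            + ITSP_GUID + struct.pack("<Iiii", 0x54, -1, -1, -1))
    hs0_off, hs0_len = 0x60, 0x18                      # header section 0 follows the ITSF header
    hs1_off, hs1_len = hs0_off + hs0_len, len(itsp) + len(chunk)  # section 1 = directory
    content_off = hs1_off + hs1_len
    hs0 = struct.pack("<IIQII", 0x01FE, 0, content_off + len(content), 0, 0)
    header = (b"ITSF" + struct.pack("<IIIII", 3, 0x60, 1, 0, 0x409) + ITSF_GUID1 + ITSF_GUID2
              + struct.pack("<QQQQ", hs0_off, hs0_len, hs1_off, hs1_len) + struct.pack("<Q", content_off))
    return header + hs0 + itsp + chunk + content


def parse_chm_directory(buf):
    """Return (offset of content section 0, [(name, section, offset, length), ...])."""
    if buf[:4] != b"ITSF" or struct.unpack_from("<I", buf, 4)[0] != 3:
        raise ValueError("not an ITSF version 3 file")
    dir_off, dir_len = struct.unpack_from("<QQ", buf, 0x48)  # header section table, entry 1
    content_off = struct.unpack_from("<Q", buf, 0x58)[0]
    if dir_off + dir_len > len(buf) or buf[dir_off:dir_off + 4] != b"ITSP":
        raise ValueError("bad directory header")
    itsp_len, _, chunk_size = struct.unpack_from("<III", buf, dir_off + 8)
    n_chunks = struct.unpack_from("<I", buf, dir_off + 0x2C)[0]
    entries = []
    for i in range(n_chunks):
        c = dir_off + itsp_len + i * chunk_size
        if c + chunk_size > dir_off + dir_len:
            raise ValueError("directory chunk %d outside directory section" % i)
        if buf[c:c + 4] != b"PMGL":  # PMGI index chunks carry no file entries
            continue
        free = struct.unpack_from("<I", buf, c + 4)[0]
        if free > chunk_size - 0x14:
            raise ValueError("free-space length exceeds chunk")
        pos, end = c + 0x14, c + chunk_size - free
        while pos < end:
            nlen, pos = read_encint(buf, pos, end)
            if pos + nlen > end:
                raise ValueError("entry name runs past end of chunk")
            name = buf[pos:pos + nlen].decode("utf-8", "replace")
            pos += nlen
            section, pos = read_encint(buf, pos, end)
            offset, pos = read_encint(buf, pos, end)
            length, pos = read_encint(buf, pos, end)
            entries.append((name, section, offset, length))
    return content_off, entries


def extract_file(buf, content_off, entry):
    """Return the bytes of an entry stored in the uncompressed content section 0."""
    name, section, offset, length = entry
    if section != 0:
        # section 1 (MSCompressed) is LZX-compressed; it must be decompressed first
        raise NotImplementedError("%s lives in compressed section %d" % (name, section))
    if content_off + offset + length > len(buf):
        raise ValueError("%s extends past end of file" % name)
    return buf[content_off + offset:content_off + offset + length]


# constructed sample files, not taken from any real CHM
SAMPLE_FILES = [("/index.htm", b"<html><body>hello</body></html>"), ("/style.css", b"body { color: red }")]

if __name__ == "__main__":
    chm = build_sample_chm(SAMPLE_FILES)
    content_off, entries = parse_chm_directory(chm)
    for e in entries:
        print("name:", e[0], "- section:", e[1], "- size:", e[3])
    print(extract_file(chm, content_off, entries[0]))
```

In a real CHM most content (the HTML, and anything hidden next to it) sits in section 1, so a usable extractor needs the LZX step the SDK performs in DecompressSections(); the uncompressed section 0 is mostly used for the metadata files. The bounds checks are not cosmetic: the name length, offsets and lengths are attacker-controlled ENCINTs, and a parser that trusts them will read outside the chunk or the file.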
Starting from a Twitter post by InQuest, we analyzed an interesting piece of malware that chains together:
Encrypted MS Office document, VBA, Windows shortcut file (LNK), OLE objects, Windows Help file (CHM), PNG steganography and PowerShell.
The analysis should take about 15-20 minutes in Cerbero Suite.
SPOILER ALERT: The images below show all the steps of our analysis.
The Info-Tech Storage Format (ITSF) is the primary format that has been adopted by Microsoft for online help files since Windows 98. Due to its popularity, it has been used (and exploited) by many other third parties, mostly because of the support provided by documentation utilities like Doxygen.
With the upcoming 0.8.0 release, the Profiler comes with full compatibility for the following file extensions: CHM, CHI, CHQ, CHW, KPD.
Despite the name (Microsoft Compiled HTML), the image above shows the Profiler analyzing a CHM that contains not only HTML but also fonts and PDF documents. These files tend to contain a lot of data, so you may need to increase the unpack limit in the settings.