Suite 5.5 and Engine 2.5 are out!

Here summarized are the main news of this release of Cerbero Suite 5.5 and Cerbero Engine 2.5.

Cerbero Engine Editions

Cerbero Engine already supports various platforms and architectures. Now, it comes in two different editions: Classic and Metal.

While in the Classic edition all UI functions are available, the Metal edition comes without UI dependencies.

The Metal edition is designed to be run in cloud and server environments which may lack a graphical interface.

We took great care in preserving plugin compatibility.

Plugins which import graphical functions are compatible with the Metal edition: all UI functions are available, though they are provided only as stubs. A few graphical methods like msgBox fall back to console I/O.

Providing two editions of Cerbero Engine allows us to offer the perfect fit for organizations which need a powerful and flexible back-end for their services.

Microsoft Authenticode on Linux and macOS

Customers with commercial licenses for Cerbero Suite Advanced and Cerbero Engine can verify Microsoft Authenticode signatures on Linux and macOS. Our Authenticode support includes full-chain certificate and time-stamp verification.

The only required step to verify Authenticode signatures on non-Windows systems is to install our “Microsoft Authenticode” package from Cerbero Store.

Cerbero Suite has been using its own implementation of Microsoft Authenticode for performance reasons since the very beginning, back in 2012. However, thanks to the recently introduced Cerbero Store we can now offer this feature on systems other than Windows.

We have also exposed Authenticode validation to our Python SDK. You can read more about the topic in our dedicated post.

Certificates Support

While Cerbero Suite already lets you inspect certificates inside binaries, now it can load them directly from disk and also lets you inspect each individual ASN1 object.

Both DER and PEM encodings for certificates are supported.

You can inspect all types of certificates, including X509, PKCS7 and PKCS12.

We have also exposed the code to our Python SDK in order to make the programmatic parsing of certificates a simple task.

You can read more about the topic in our dedicated post.

Command Line Improvements

We’ve made various improvements to command line support, the most interesting among them is the addition of command line I/O on Windows.

On Windows running scripts with the ‘-c’ argument results in not being able to see the stdout output. The reason for this is that the cerpro executable is built as a GUI application and therefore is not attached to a terminal.

To overcome this limitation we have added a launcher on Windows called “cerpro_console.exe”.

For example:

cerpro_console.exe -e "t=input('Input a string: ');print(t)"

The code asks the user to input a string and prints it back.

Of course, the cerpro_console executable can be used to launch any functionality of Cerbero Suite which supports console mode (‘-c’).

For example the following command prints out the command-line help to stdout:

cerpro_console.exe -h

You can read about all the improvements we’ve made in our dedicated post.

Command Line Scripting & Package Management SDK Documentation

We have released the official SDK documentation for command line scripting and package management.

Improved SDK Documentation

We have improved the visualization of the SDK documentation by adding tables which sum up the contents of modules and classes.

This makes it quicker to grasp the contents of an object.

We have also made other minor improvements and fixed a few bugs.

Microsoft Authenticode on Linux and macOS

With the upcoming releases customers with commercial licenses for Cerbero Suite Advanced and Cerbero Engine can verify Microsoft Authenticode signatures on Linux and macOS. Our Authenticode support includes full-chain certificate and time-stamp verification.

In conjunction with our recently extended support for certificate file formats, this provides complete support for inspecting signed Portable Executable binaries.

The only required step to verify Authenticode signatures on non-Windows systems is to install our “Microsoft Authenticode” package from Cerbero Store.

Cerbero Suite has been using its own implementation of Microsoft Authenticode for performance reasons since the very beginning, back in 2012. However, thanks to the recently introduced Cerbero Store we can now offer this feature on systems other than Windows.

We have also exposed Authenticode validation to our Python SDK.

from Pro.PE import *

print(PE_VerifyAuthenticode(obj))

Alternatively, scan hooking extensions can check the generated report for the validation scan entries.

Certificates Support

In the upcoming 5.5 version of Cerbero Suite and the 2.5 version of Cerbero Engine we support certificate formats. While Cerbero Suite already lets you inspect certificates inside binaries, now it can load them directly from disk and also lets you inspect each individual ASN1 object.

Both DER and PEM encodings for certificates are supported.

You can inspect all types of certificates, including X509, PKCS7 and PKCS12.

We have also exposed the code to our Python SDK in order to make the programmatic parsing of certificates a simple task.

For example, enumerating every ASN1 object in a certificate takes just a few lines of code:

from Pro.Core import *
from Pro.Certificates import *

def main():
    obj = proCoreContext().currentScanProvider().getObject()
    class Visitor(DERObjectVisitor):
        def Visit(self, obj, oi):
            print(oi.offset, oi.content_size)
            return 0
    v = Visitor()
    obj.VisitObjects(v)

main()

We’ll be fully documenting the Pro.Certificates module this year.

Command Line Improvements

In this post we’ll be talking about the improvements we’ve made to the command line in Cerbero Suite.

If you’re familiar with command-line scripting in Cerbero Suite, you might know that by running a script without the “-c” argument all output is redirected to the output view in the main window.

In certain cases, however, it might be desirable to avoid the creation of a main window.

For this purpose we have introduced the ‘-g’ argument.

For example:

cerpro.exe -g -r foo.py

If the script doesn’t create an output view, then the output of the ‘print’ function isn’t visible.

Furthermore, in the upcoming 5.5 version of Cerbero Suite we have added terminal support on Windows.

On Windows running scripts with the ‘-c’ argument results in not being able to see the stdout output. The reason for this is that the cerpro executable is built as a GUI application and therefore is not attached to a terminal.

To overcome this limitation we have added a launcher on Windows called “cerpro_console.exe”.

For example:

cerpro_console.exe -e "t=input('Input a string: ');print(t)"

The code asks the user to input a string and prints it back.

Of course, the cerpro_console executable can be used to launch any functionality of Cerbero Suite which supports console mode (‘-c’).

For example the following command prints out the command-line help to stdout:

cerpro_console.exe -h

Soon we’ll publish a complete tutorial about command-line scripting on our SDK page.

Cerbero Engine Editions

Cerbero Engine already supports various platforms and architectures. Now, it comes in two different editions: Classic and Metal.

While in the Classic edition all UI functions are available, the Metal edition comes without UI dependencies.

The Metal edition is designed to be run in cloud and server environments which may lack a graphical interface.

We took great care in preserving plugin compatibility.

Plugins which import graphical functions are compatible with the Metal edition: all UI functions are available, though they are provided only as stubs. A few graphical methods like msgBox fall back to console I/O.

Providing two editions of Cerbero Engine allows us to offer the perfect fit for organizations which need a powerful and flexible back-end for their services.

String Decrypter Package

We have just released our String Decrypter package on Cerbero Store for all licenses of Cerbero Suite. The String Decrypter package is very useful for reversing malware and during CTFs.

This utility can be invoked as an action from a hex view or a Carbon disassembly. It can be used to brute-force the decryption of strings and byte-arrays.

String Decrypter supports various types of string encodings combined with endianness and it can filter decoded strings with the following options:

– Don’t filter (include raw byte-arrays)
– Include only decoded strings
– Include only strings with ASCII characters
– Include only string matching a regular expression provided by the user

The plugin supports parallel execution, which will make the difference if more algorithms are added to the list. Also, for every decryption method the number of combinations is displayed.

For every decrypted entry, String Decrypter shows the performed operation along with the string encoding (if available).

Suite 5.4 and Engine 2.4 are out!

Here summarized are the main news of this release of Cerbero Suite 5.4 and Cerbero Engine 2.4.

.NET ReadyToRun Format Support

Thanks to one of our customers who reported it to us we have introduced support for the .NET ReadyToRun format.

We already support NGen generated native images and our support for the ReadyToRun format makes sure that it is not mistaken for an NGen generated image.

Hex Editing Processes on Linux

This release of Cerbero Suite introduces the capability to open processes in the hex editor on Linux. Windows has already supported this feature since the introduction of our hex workspace.

You can read more about the topic in our dedicated post.

We have also exposed our process API in the Core module to Python and documented it.

API Solver Package

We have released our API Solver package on Cerbero Store for all commercial licenses of Cerbero Suite Advanced. This package is especially useful when analyzing shellcode.

You can read more about the topic in our dedicated post.

Common Passwords Package

We moved our built-in password brute-forcers to an external package on Cerbero Store called “Common Passwords”. Cerbero Suite Advanced (both commercial and non-commercial) and Cerbero Engine have access to the package.

You can read more about the topic in our dedicated post.

Silicon Spreadsheet Documentation

We have fully documented our Excel macro emulator and spreadsheet visualization module.

Improved ITSF (CHM) Format Support

We have improved our support for Microsoft’s ITSF (also known as CHM) format and we have exposed the format to our Python SDK.

You can read more about the topic in our dedicated post.

Improved Hex Editor

We made it very easy to select contiguous ASCII, Hex and Base64 strings in the hex editor. This comes very handy when loading embedded files or decoding data.

We have also made other minor improvements and fixed a few bugs.

API Solver Package

We have just released our API Solver package on Cerbero Store for all commercial licenses of Cerbero Suite Advanced.

You can click on the image for a video introduction.

API Solver comes very handy to analyze shellcode and it can also be used programmatically:

from Pkg.APISolver import APISolver

solver = APISolver("win32", ("kernel32", "urlmon"))
for hash in (0xEC0E4E8E, 0x702F1A36, 0xE8AFE98, 0x73E2D87E):
    print(solver.solve(hash))

Output:

['KERNEL32.LoadLibraryA' (ror13_add_32)]
['URLMON.URLDownloadToFileA' (ror13_add_32)]
['KERNEL32.WinExec' (ror13_add_32)]
['KERNEL32.ExitProcess' (ror13_add_32)]

Stay tuned as we’ll soon be releasing more packages for all types of licenses on Cerbero Store!

Hex Editing of Processes on Linux

The upcoming 5.4 version of Cerbero Suite introduces the capability to open processes in the hex editor on Linux. Windows has already supported this feature since the introduction of our hex workspace.

Just like on Windows, it is not only possible to edit the entire address space, but also to edit individual modules.

If opening a process fails, most probably it is because root privileges are required to perform the operation. To avoid having the application create application files with different access rights, it is recommended to create a portable copy of Cerbero Suite and run that copy as root.

Creating a portable copy can be achieved from Settings -> Portable.

Common Passwords Package

We moved our built-in password brute-forcers to an external package on Cerbero Store called “Common Passwords”. The upcoming version 5.4 Cerbero Suite Advanced (both commercial and non-commercial) and the version 2.4 of Cerbero Engine will have access to the package.

There are two reasons why we created a standalone package:

1) We wanted to provide the same functionality to Cerbero Engine.

2) We intend to expand on the functionality of this package in the future, so making it easy to update was essential.

To obtain the package just open Cerbero Store and install it from there.

Only the default passwords key provider is enabled by default. Other key providers must be enabled manually.

This is a very practical package if you want to avoid typing usual passwords like “password” or “infected”. These are considered default passwords and just installing the package will have you covered.