Suite 5.6 and Engine 2.6 are out!

Here summarized are the main news of this release of Cerbero Suite 5.6 and Cerbero Engine 2.6.

MalwareBazaar Intelligence Package

We created the MalwareBazaar Intelligence package. This package lets you access intelligence from MalwareBazaar directly from the file report.

Commercial licenses for Cerbero Suite Advanced have access to this package.

UPX Unpacker Package

We created an UPX Unpacker package available for all licenses.

From the UPX web-site: “UPX is a free, portable, extendable, high-performance executable packer for several executable formats.”

By installing the UPX Unpacker package, binaries compressed with UPX are automatically identified and unpacked as child objects.

PE, ELF and Mach-O binaries are all supported.

If for some reason a binary is not automatically unpacked, the unpacker can be invoked manually as an action.

Additionally, the unpacker can be invoked from Python.

You can read more about the topic in our dedicated post.

Internal Project Files

We introduced a new major core feature, namely the capability to generate files which do not exist on disk and store them in the analysis report.

While this feature may not appear as essential, it has countless real-world applications. For example, an unpacker may unpack a file during the scanning process and store the resulting file as an internal file. When the unpacked file is requested, the operation bypasses the unpacker and directly accesses the internal file.

Internal files can be referenced from embedded objects as well as from root entries.

You can read the details about the topic in our dedicated post.

After-Scanning Actions

We made several improvements which can be best described as ‘after-scanning actions’.

For instance, it is now possible to programmatically add scan entries to a report after the scanning has occurred.

While the user could always manually load embedded objects after scanning, it is now possible to load embedded objects programmatically after scanning.

Furthermore, we added the capability to add new root entries to a report by letting the user choose files from disk. This can also be performed programmatically.

Last but not least, we added the capability to promote the data in a hex view to a root file in the report.

You can read more about the topic in our dedicated post.

Add File To Report Action

As already mentioned in the paragraph on after-scanning actions, we added the capability to add new root entries to a report by letting the user choose files from disk.

If added from code, root entries can also reference internal files.

Promote Hex Data To Root File Action

As already mentioned in the paragraph on after-scanning actions, we added the capability to promote the data in a hex view to a root file in the report.

The data from the hex view is stored as an internal file and referenced from the root entry. The advantage over loading an embedded object from a hex view is that promoting the data to a root file isn’t limited to analysis hex views. In fact, this action can be performed from any hex view.

Added Core SDK APIs

While we routinely add new APIs to our SDK, this release comes with a larger number of new and improved APIs in the Core module.

CAB & Certificates Modules Documentation

Having already completed the SDK documentation of our core modules, we have started documenting our file format modules and just finished the first two.

We have documented the API for parsing Microsoft Cabinet files.

And we have documented our comprehensive API for parsing certificate files in both DER and PEM encodings.

We’ll continue documenting our file format modules in the upcoming months.

Improved Settings Page

We have improved our settings page. Specifically, we have switched from a tab-based interface to a list-based one.

The reason for this change is that plugins can add custom pages to the settings, and a tab-based interface may get too cramped in the future.

Fixed Python GIL Issues

We fixed a number of issues related to the Python Global Interpreter Lock. These issues would show themselves rarely but could lead to crashes under the right conditions when using scan providers implemented in Python.

VBA Extraction Code Page Support

A user reported issues with VBA extraction related to code page support. The extracted VBA now correctly shows non-ASCII characters.

We have also made other minor improvements and fixed a few minor issues.

Suite 5.5 and Engine 2.5 are out!

Here summarized are the main news of this release of Cerbero Suite 5.5 and Cerbero Engine 2.5.

Cerbero Engine Editions

Cerbero Engine already supports various platforms and architectures. Now, it comes in two different editions: Classic and Metal.

While in the Classic edition all UI functions are available, the Metal edition comes without UI dependencies.

The Metal edition is designed to be run in cloud and server environments which may lack a graphical interface.

We took great care in preserving plugin compatibility.

Plugins which import graphical functions are compatible with the Metal edition: all UI functions are available, though they are provided only as stubs. A few graphical methods like msgBox fall back to console I/O.

Providing two editions of Cerbero Engine allows us to offer the perfect fit for organizations which need a powerful and flexible back-end for their services.

Microsoft Authenticode on Linux and macOS

Customers with commercial licenses for Cerbero Suite Advanced and Cerbero Engine can verify Microsoft Authenticode signatures on Linux and macOS. Our Authenticode support includes full-chain certificate and time-stamp verification.

The only required step to verify Authenticode signatures on non-Windows systems is to install our “Microsoft Authenticode” package from Cerbero Store.

Cerbero Suite has been using its own implementation of Microsoft Authenticode for performance reasons since the very beginning, back in 2012. However, thanks to the recently introduced Cerbero Store we can now offer this feature on systems other than Windows.

We have also exposed Authenticode validation to our Python SDK. You can read more about the topic in our dedicated post.

Certificates Support

While Cerbero Suite already lets you inspect certificates inside binaries, now it can load them directly from disk and also lets you inspect each individual ASN.1 object.

Both DER and PEM encodings for certificates are supported.

You can inspect all types of certificates, including X509, PKCS7 and PKCS12.

We have also exposed the code to our Python SDK in order to make the programmatic parsing of certificates a simple task.

You can read more about the topic in our dedicated post.

Command Line Improvements

We’ve made various improvements to command line support; the most interesting among them is the addition of command line I/O on Windows.

On Windows, running scripts with the ‘-c’ argument doesn’t let you see the stdout output. The reason for this is that the cerpro executable is built as a GUI application and therefore is not attached to a terminal.

To overcome this limitation we have added a launcher on Windows called “cerpro_console.exe”.

For example:

cerpro_console.exe -e "t=input('Input a string: ');print(t)"

The code asks the user to input a string and prints it back.

Of course, the cerpro_console executable can be used to launch any functionality of Cerbero Suite which supports console mode (‘-c’).

For example the following command prints out the command-line help to stdout:

cerpro_console.exe -h

You can read about all the improvements we’ve made in our dedicated post.

Command Line Scripting & Package Management SDK Documentation

We have released the official SDK documentation for command line scripting and package management.

Improved SDK Documentation

We have improved the visualization of the SDK documentation by adding tables which sum up the contents of modules and classes.

This makes it quicker to grasp the contents of an object.

We have also made other minor improvements and fixed a few bugs.

Suite 5.4 and Engine 2.4 are out!

Here summarized are the main news of this release of Cerbero Suite 5.4 and Cerbero Engine 2.4.

.NET ReadyToRun Format Support

Thanks to one of our customers who reported it to us, we have introduced support for the .NET ReadyToRun format.

We already support NGen generated native images and our support for the ReadyToRun format makes sure that it is not mistaken for an NGen generated image.

Hex Editing Processes on Linux

This release of Cerbero Suite introduces the capability to open processes in the hex editor on Linux. Windows has already supported this feature since the introduction of our hex workspace.

You can read more about the topic in our dedicated post.

We have also exposed our process API in the Core module to Python and documented it.

API Solver Package

We have released our API Solver package on Cerbero Store for all commercial licenses of Cerbero Suite Advanced. This package is especially useful when analyzing shellcode.

You can read more about the topic in our dedicated post.

Common Passwords Package

We moved our built-in password brute-forcers to an external package on Cerbero Store called “Common Passwords”. Cerbero Suite Advanced (both commercial and non-commercial) and Cerbero Engine have access to the package.

You can read more about the topic in our dedicated post.

Silicon Spreadsheet Documentation

We have fully documented our Excel macro emulator and spreadsheet visualization module.

Improved ITSF (CHM) Format Support

We have improved our support for Microsoft’s ITSF (also known as CHM) format and we have exposed the format to our Python SDK.

You can read more about the topic in our dedicated post.

Improved Hex Editor

We made it very easy to select contiguous ASCII, Hex and Base64 strings in the hex editor. This comes in very handy when loading embedded files or decoding data.

We have also made other minor improvements and fixed a few bugs.

Improved ITSF (CHM) Format Support

The upcoming 5.4 version of Cerbero Suite and 2.4 of Cerbero Engine come with improved support for Microsoft’s ITSF (also known as CHM) format.

We also exposed the format to our Python SDK.

The following sample enumerates files in a CHM. The commented out line of code extracts the file data.

from Pro.Core import *
from Pro.ITSF import *

def parseCHM(chm_name):
    # open the file as a container and bind it to an ITSF object
    c = createContainerFromFile(chm_name)
    obj = ITSFObject()
    if not obj.Load(c):
        return
    # parse the headers and decompress the sections before listing files
    if not obj.LoadHeaders() or not obj.DecompressSections():
        return
    n = obj.GetListingEntryCount()
    entry = ITSFDirectoryListingEntry()
    for i in range(n):
        if obj.GetDirectoryListingEntry(i, entry):
            print("name:", entry.name, "- size:", entry.size)
            # uncomment the following line to extract the file data
            #content = obj.GetFile(entry)

Suite 5.3 and Engine 2.3 are out!

We’re happy to announce the release of Cerbero Suite 5.3 and Cerbero Engine 2.3!

The main addition to this release is the introduction of our latest milestone: Cerbero Store.

We have covered Cerbero Store in depth in our previous post.

TL;DR: Cerbero Store modularizes our setup process, so that updates can be blazingly fast and experimental features can be introduced on a rolling basis. The only thing you need to access Cerbero Store is a current license for either Cerbero Suite or Cerbero Engine. Updating packages from Cerbero Store is equally comfortable.

We also moved our native UI for Ghidra plugin and our Windows memory analysis to packages on Cerbero Store.

In the next months we’ll be releasing new features not only in Cerbero Suite and Cerbero Engine, but also as packages on Cerbero Store, so make sure to follow us on our blog, Twitter or LinkedIn to stay up to date with the latest news!

Introducing Cerbero Store

We’re proud to present Cerbero Store which will be released with the upcoming 5.3 version of Cerbero Suite and 2.3 version of Cerbero Engine.

A few months ago we released our package technology to comfortably install plugins in Cerbero Suite and Cerbero Engine. Cerbero Store is what we had planned from the beginning when we started working on packages.

But how comfortable is it really to install a package from Cerbero Store you might ask?

It is really that simple.

We had various reasons to create Cerbero Store. Chief among these reasons was the necessity to release faster updates. It didn’t make sense to update the whole application just to update a limited part. Also, our software runs on multiple platforms, which means that each update requires us to create multiple software packages. This problem is solved by Cerbero Store, since all platforms share the same package code.

Another advantage of Cerbero Store is that some components which are used by a minority of users can now be decoupled from the main application. In fact, we moved our Windows memory analysis functionality to a package on Cerbero Store. That way all our software packages are considerably lighter. For instance, our macOS DMG archive dropped from 72 MB to 60 MB just for this reason.

We’ve made the update of packages equally comfortable.

Yet another component we have moved to a package on Cerbero Store is our native UI for Ghidra.

The reason for this is that Ghidra sometimes changes its API between releases and breaks our plugin code. So it happened in the past that we had to update our whole application just to update the plugin for Ghidra. This issue has now been solved by having the plugin for Ghidra as a separate package.

Installing and updating packages in Cerbero Engine is done by using the ProManage.py script inside the local ‘python’ directory. E.g.:

./python.sh ProManage.py -store --install "Windows Memory Analysis"

or

./python.sh ProManage.py -store --update "Windows Memory Analysis"

or

./python.sh ProManage.py -store --update-all

The same command line options are also available in Cerbero Suite.

We took great care in making Cerbero Store not only easy and comfortable to use, but also secure. All our packages are digitally signed and if someone managed to tamper with our packages online, the installer would refuse to install them, because they would no longer feature a valid signature.

The only thing you need to access Cerbero Store is a current license for either Cerbero Suite or Cerbero Engine. Not all packages available to Cerbero Suite are also available to Cerbero Engine and vice-versa. Certain packages may only be available to the advanced edition of Cerbero Suite, while others may be reserved to commercial licenses.

In the next months we’ll be releasing new features not only in our applications, but also as packages on Cerbero Store, so make sure to follow us on our blog, Twitter or LinkedIn to stay up to date with the latest news!

Cerbero Suite 5.2 is out!

We’re happy to announce the release of Cerbero Suite 5.2 and Cerbero Engine 2.2!

In this post we summarize the most important new features.

Multi-Processing

The main feature of this release is the introduction of our multi-processing technology.

Our products make use of parallel processing in terms of multi-threading whenever possible, but there are limitations to the capabilities of multi-threading.

Some of the advantages offered by multi-processing are:

  • Possible process isolation
  • Increased stability for 3rd party components
  • Overcoming the Global Interpreter Lock (GIL) in Python

We have already detailed our multi-processing technology in two previous posts (part 1, part 2), but with this release we also fully documented the API.

Sleigh Decompiler Parallelization

We used our new multi-processing technology to parallelize the Sleigh decompiler by running it in a different process. This guarantees complete stability in case Sleigh encounters an issue and makes every decompiling operation safe to cancel.

We didn’t notice slow-downs by running the decompiler in a different process; in fact, it’s still blazingly fast.

By parallelizing the decompiler we were also able to initialize it during the loading of the file/database. Thus, when the decompiler is invoked for the first time there is no initial delay.

Although the decompiler doesn’t take much time to load, the preloading makes it extra-snappy.

It is also possible to choose to run the decompiler in the same process as before from the Carbon settings.

Carbon Documentation

We have fully documented the Carbon API to disassemble and decompile native binaries.

The documentation contains numerous code examples which cover the decryption of strings, disassembling of files, decompiling of functions and the creation of custom file loaders.

ZeroMQ Module

Our multi-processing technology relies on ZeroMQ. Therefore, we exposed ZeroMQ to our Python SDK.

Rather than using the provided Python wrappers, we exposed the C interface directly. We just added a few methods to convert from and to bytes objects in Python.

This is a basic client-server example using send/recv.

The client:

from Pro.zmq import *

context = zmq_ctx_new()

# a REQ socket enforces a strict send/receive alternation: a second send
# before the reply has been received fails (EFSM)
socket = zmq_socket(context, ZMQ_REQ)
zmq_connect(socket, "tcp://localhost:5555")

zmq_send_bytes(socket, b"Hello, world!", 0)
print("info: sent")

# wait for the server's reply (3 bytes: b"ACK") before closing
reply = zmq_recv_bytes(socket, 3, 0)
print(reply)

zmq_close(socket)
zmq_ctx_destroy(context)

The server:

from Pro.zmq import *

context = zmq_ctx_new()

socket = zmq_socket(context, ZMQ_REP)
rc = zmq_bind(socket, "tcp://127.0.0.1:5555")

if rc == 0:
    # wait for one request (13 bytes: b"Hello, world!")
    b = zmq_recv_bytes(socket, 13, 0)
    print(b)
    # a REP socket must answer before it can receive the next request
    zmq_send_bytes(socket, b"ACK", 0)
else:
    print("error: couldn't bind to port")

zmq_close(socket)
zmq_ctx_destroy(context)

And this is a basic client-server example using messages.

The client:

from Pro.zmq import *

context = zmq_ctx_new()

socket = zmq_socket(context, ZMQ_REQ)
zmq_connect(socket, "tcp://localhost:5555")

msg = zmq_msg_t()
zmq_msg_init_bytes(msg, b"Hello, world!")
rc = zmq_msg_send(msg, socket, 0)
print(rc)
print("info: sent")

# a REQ socket must receive the reply before it can send again
reply = zmq_msg_t()
zmq_msg_init(reply)
if zmq_msg_recv(reply, socket, 0) != -1:
    print(zmq_msg_bytes(reply))
zmq_msg_close(reply)

zmq_close(socket)
zmq_ctx_destroy(context)

The server:

from Pro.zmq import *

context = zmq_ctx_new()

socket = zmq_socket(context, ZMQ_REP)
rc = zmq_bind(socket, "tcp://127.0.0.1:5555")

if rc == 0:
    msg = zmq_msg_t()
    zmq_msg_init(msg)
    # wait until a message is received
    rc = zmq_msg_recv(msg, socket, 0)
    if rc != -1:
        print(zmq_msg_bytes(msg))
        # a REP socket must answer before it can receive the next request
        reply = zmq_msg_t()
        zmq_msg_init_bytes(reply, b"ACK")
        zmq_msg_send(reply, socket, 0)
    zmq_msg_close(msg)
else:
    print("error: couldn't bind to port")

zmq_close(socket)
zmq_ctx_destroy(context)

Improved Logic Providers

We optimized logic provider extensions. In particular, it is now possible to specify the type option for standalone tools:

type = tool

When this option is specified, the init function of the logic provider must return False. This causes the logic provider to be treated as a standalone tool rather than a scan logic provider and avoids creating a scan report for it.

Improved Custom Views

We added the progress bar control and idle notifications to custom views. You can find both features documented on the SDK page of the UI module.

Finally, a thank you to Insid3Code Team for reporting three of the bugs we fixed in this release.

Cerbero Suite 5.1 is out!

We’re happy to announce the release of Cerbero Suite 5.1 and Cerbero Engine 2.1!

This release comes packed with features and improvements. In this post we summarize the most important ones.

Installable Packages

While there are many interesting new features in this release, we consider the most important one to be the introduction of installable packages.

Packages enable developers to create plugins that can be easily installed by the user with just a few clicks. Not only that, but the same package is compatible with both Cerbero Suite and Cerbero Engine.

Packages can be encrypted and signed. When a package is not signed or its signature cannot be trusted, the installation dialog shows this.

We wrote an in-depth article about packages if you’re interested in learning more.

Improved Decompiler

We have introduced some improvements in the decompiler output. The most interesting of these improvements is the support of indirect string literal references.

We wrote a post about this topic for more information.

Local Carbon Structures

Previously, imported structures were shared among Carbon disassemblies in the same project. In Cerbero Suite 5.1 every disassembly in a project can have its own local structures.

This is especially useful when importing data structures from PDB files.

Of course, shared structures are also supported.

Improved CFBF Format View

We have simplified the analysis of Microsoft Office legacy documents that contain text controls by previewing their name in the format view.

We have published a 150-second video analysis of an Emotet sample which, as part of its obfuscation strategy, makes use of text controls.

Improved XLSB Support

We have improved support for the Microsoft Excel XLSB format.

We’ll soon publish malware analysis to showcase these improvements.

Improved Silicon Excel Emulator

We have added support for the FORMULA.ARRAY macro, since this macro is often used by malicious Excel documents.

Hierarchy View Size Column

We received this feature request on Twitter: now the hierarchy view also shows the size of files.

This can be useful when prioritizing the analysis of embedded files.

Improved File Dialogs

We disabled the preview of actual file icons in all file dialogs. This makes opening folders with thousands of files blazingly fast and it’s also better for security.

This may seem like a minor problem, but the devil is in the details…

Grid Layouts in Custom Views

We have added a new type of layout in custom views: grid layouts. This new layout type is already documented in our latest official SDK documentation.

Additionally, this new version comes with minor speed optimizations and bug fixes.

Cerbero Suite 5 is out!

We’re proud to announce the release of Cerbero Suite 5 and Cerbero Enterprise Engine 2!

All of our customers can upgrade their licenses at a 50% discount for the next 3 months! We value our customers and everyone who has bought a license in August should have already received a free upgrade for Cerbero Suite 5! If you fall in that category and haven’t received a new license, please check your spam folder and, if necessary, contact us at sales@cerbero.io. Everyone who has acquired a license before August, but in the last 3 months, will get an additional discount.

Starting today we’ll be contacting all of our existing customers and provide them with a discount coupon. If you don’t get an email from us in the next two days, please contact us at sales@cerbero.io!

Speed

We introduced many core optimizations, while maintaining the same level of security.

Cerbero Suite has always been fast, so these changes may not be too apparent. They are, however, noticeable in our benchmarks!

The scanning of certain file formats like PE and the disassembly of binaries using Carbon show a decent performance boost. However, in the case of certain file formats like PDF the performance boost is massive!

Documentation

For this release we created beautiful documentation for our SDK, which can be found at: https://sdk.cerbero.io/latest/.

The documentation of each module comes with an introduction detailing essential concepts.

Other sections provide code examples with explanations.

The API documentation contains the prototype of each method and function and it comes with code examples.

Related constants, classes, methods and functions all contain references to each other.

The documentation contains notes and hints in case there are things to be aware of.

The documentation is searchable. Entering the name of a constant, class, method or function takes you directly to its documentation.

The documentation of the UI module will enable you to create complex user interfaces.

It even explains how to create entire workspaces with dock views, menus and toolbars.

While there remain dozens of modules to document, the Core and UI modules represent a great part of the functionality of Cerbero Suite and Cerbero Enterprise Engine. We will release the documentation of more modules and topics over the course of the 5.x series.

Python

This release comes with the latest Python 3.9.6!

We update Python only between major versions and for the release of Cerbero Suite 4 we didn’t have the time to upgrade. So the previous series remained with Python 3.6.

This series not only comes with the very latest Python version, but we also managed to keep compatibility with all our older supported systems, including Windows XP!

Scan Data Hooks

We introduced a new type of hook extension: scan data hooks.

Using this type of hook, it’s trivial to customize the scan results of existing scan providers.

For example, adding a custom entry during the scan of a PE file and then providing the view to display it in the workspace.

The following is a small example.

Add these lines to your user ‘hooks.cfg’ file.

[ExtScanDataTest_1]
label = External scan data test
file = ext_data_test.py
scanning = scanning
scandata = scandata

Create the file ‘ext_data_test.py’ in your ‘plugins/python’ directory and paste the following code into it.

from Pro.Core import *

# called during the scan: adds an extra entry to the report
def scanning(sp, ud):
    e = ScanEntryData()
    e.category = SEC_Info
    e.type = CT_VersionInfo
    e.otarget = "This is a test"
    sp.addHookEntry("ExtScanDataTest_1", e)

# called when the entry is selected: provides the data and the view to show it
def scandata(sp, xml, dnode, sdata):
    sdata.setViews(SCANVIEW_TEXT)
    sdata.data.setData("Hello, world!")
    return True

Activate the extension from Extensions -> Hooks.

Now when scanning a file an additional entry will be shown in the report.

Clicking on the entry will display the data provided by the extension!

This type of extension is extremely powerful and we’ll show some real use cases soon.

What Next?

Among the many things we introduced over the course of the previous 4.x series there were:

  • ARM32/ARM64 disassembly and decompiling.
  • Decompiling and emulation of Excel macros.
  • Support for Microsoft Office document decryption.
  • Disassembly of Windows user address space.
  • Disassembly of Windows DMP files.
  • Support of XLSB and XLSM formats.
  • Support of CAB format.
  • Hex editing of processes, disk and drives on Windows.
  • Updated native UI for Ghidra 10.
  • Improved decompiler.
  • Improved macOS support.

So in the last series we spent a lot of time focusing on Microsoft technology.

In particular, Excel malware required supporting its decryption, the various file formats used to deliver it (XLS, XLSB, XLSM) and creating a decompiler and an emulator for its macros.

Also, in June we launched our Cerbero Enterprise Engine, which diverted some of our development resources, but it gave us the opportunity to clean up and improve our SDK.

This series will be focused mostly on non-Microsoft specific technology and hence will appeal to a broader audience.

We can’t wait to show you some of the things we have planned and we hope you enjoy this new release!

Happy hacking!

Cerbero Suite 4.8 is out!

This time it took a bit longer, because we were busy with the release of our Cerbero Engine.

The main news of this release is that we rewrote our Rich-Text Format (RTF) parser to handle more anti-malware tricks and we exposed the entire parser to Python.

We have also updated the YARA engine to its latest version and fixed a bug in the ELF Carbon loader.

This is the complete list of news:

– improved RTF parsing
– improved JBIG2 decoding
– various improvements
– exposed RTF classes to Python
– updated YARA to 4.1.1
– fixed bug in Carbon ELF loader
– fixed some bugs

Happy hacking!