News – Page 5 – Cerbero Blog

Cerbero Suite 3.3 is out!

We’re happy to announce the release of Cerbero Suite 3.3!

While the most anticipated feature may have been theme support, there’s much more:

– added theme support
– added MachO Carbon loader
– added Monokai theme
– improved Ghidra native UI
– improved disassembly view
– made Windows XP compatible
– fixed some bugs

Improved Ghidra native UI

Apart from themes, most of the work went into improving the Ghidra native UI. Specifically we improved navigation, added comments in the decompiler, added support for renaming variables and parameters both in the disassembly and the decompiler, improved cross references, added make code / undefine commands, added status updates, fixed bugs.

Also, if you’d like to run Ghidra and the native UI on two different machines, just open the install.pdf in util/ghidra.zip to learn how. 🙂

Carbon: MachO loader

We also added support for x86/x64 MachO files in Carbon!

XP compatibility

Cerbero can now run on Windows XP.

Everything is working apart from the Python ssl module (we might provide support for it in the future). So if you need a malware triage tool or just a Python3 interpreter on XP, you can use Cerbero. 🙂

Happy hacking!

Cerbero Suite 3.2 is out!

This is a rather unusual release and as you can see the change-list is short:

+ added experimental native UI for Ghidra
+ improved disassembly speed
– fixed SSL on Linux

The main addition in version 3.2 is an experimental native UI for Ghidra. Here are a few screen-shots on all supported platforms.

Windows:

Linux:

OS X:

Since this experimental UI has been more of a personal project, I discussed it in more depth on my blog.

As this is a proof of concept, it will be of fundamental importance whether or not you, the user, want this project to mature. Feedback is highly appreciated and will be taken into consideration in order to prioritize this feature and decide how much time to invest into it. Even curses are considered valuable feedback! 🙂

Supporting Ghidra has already had its benefits even considering other features. In fact, in version 3.2 the disassembly view of Carbon has been made faster as a positive side-effect. More of these benefits are about to come as we’re preparing a lot of cool new additions for the upcoming releases. 🙂

Happy hacking!

Cerbero Suite 3.1 is out!

Version 3.1 is out with many improvements! The main news is the support in Carbon for ELF files and the improved deployment of the Linux edition.

This is the full list of news:

+ added ELF Carbon loader
+ added edit bytes command to Carbon
+ added write method to Carbon
+ added detection of 16-bits wide strings in Carbon
+ added open in hex editor action in Carbon
+ added filters to Carbon
+ added Carbon Monokai theme
– added single view mode (Ctrl+Alt+S)
– improved deployment on Linux
+ improved x86/x64 disassembly
– improved hex workspace
– updated capstone to 4.0.1
– fixed misidentified object crash
– fixed some bugs

Carbon: ELF loader

Here we can see an ELF x64 file in Carbon. As we can see we have an entry point with a call to __libc_start_main.

We can follow the first argument which will bring us to the main function.

.text:0x000007BA main                    proc start
.text:0x000007BA                                                                ; EXPORT
.text:0x000007BA                                                                ; DATA XREF: 0x000006CD
.text:0x000007BA   55                    push   rbp
.text:0x000007BB   48 89 E5              mov    rbp, rsp
.text:0x000007BE   8B 05 4C 08 20+       mov    eax, dword ptr [rip + 0x20084C]
.text:0x000007C4   89 C6                 mov    esi, eax
.text:0x000007C6   48 8D 3D B7 00+       lea    rdi, [rip + 0xB7]               ; "test is: %d\n"
.text:0x000007CD   B8 00 00 00 00        mov    eax, 0
.text:0x000007D2   E8 B9 FE FF FF        call   plt_002 -> printf
.text:0x000007D7   B8 00 00 00 00        mov    eax, 0
.text:0x000007DC   E8 9F FE FF FF        call   plt_001 -> libfunc
.text:0x000007E1   89 C6                 mov    esi, eax
.text:0x000007E3   48 8D 3D A7 00+       lea    rdi, [rip + 0xA7]               ; "libfunc result is: %d\n"
.text:0x000007EA   B8 00 00 00 00        mov    eax, 0
.text:0x000007EF   E8 9C FE FF FF        call   plt_002 -> printf
.text:0x000007F4   B8 00 00 00 00        mov    eax, 0
.text:0x000007F9   5D                    pop    rbp
.text:0x000007FA   C3                    ret
.text:0x000007FA
.text:0x000007FA main                    proc end

Carbon: detection of 16-bits wide strings

Simple 16-bit wide strings are now automatically detected in Carbon.

Carbon: open in hex editor action

It is now possible to open the hex editor from the disassembly. To demonstrate this feature I crafted a small executable which asks for a password and prints an error message if the password is wrong.

We can easily find the “wrong password” string in Carbon by pressing Ctrl+5.

Right before the referenced string, there’s a scanf followed by a strcmp.

We go to the jne which evaluates the result of the strcmp and we open the hex editor from the contextual menu. It will ask us to open a file (it must be a copy of the file we’re analysing).

We can just nop the two bytes representing the jne and then we save the file.

Whatever password we insert now, it will be accepted.

Carbon: filters

While filters are already accessible from hex views, it is now possible to access them from Carbon as well.

Let’s take the same sample analyzed in the previous blog post with xored strings. We select on of those xored strings and we open the filters from the contextual menu or by pressing Ctrl+T.

We can now test out a filter on the selected bytes. In this case we simply use a xor to see the string in plain.

Carbon: Monokai theme

The Monokai theme has been added to Carbon.

I have been using this theme for some development projects and wondered what it would look like in a disassembly. I don’t know about you, but I like it… 🙂

Single-view mode

While it has always been possible to trigger the full-screen mode via Ctrl+Alt+F, now there’s also single-view mode which can be triggered via Ctrl+Alt+S.

What it does is to hide all other views, leaving only the focused view open. Press the same shortcut to exit the mode and have all other views visible again.

Improved Linux deployment

The Linux edition has been drastically improved by simplifying its deployment. As a result it should now be compatible with many more versions of Linux, without having to adjust dependencies. It also comes with a built-in Python distribution, just like the Windows edition.

Carbon: improved x86/x64 disassembly

The disassembly in Carbon has been improved so that it now shows import forward calls. Let’s take this simple call to __crtTerminateProcess.

If we follow the call, we’ll see that it just calls a jumps which in turn jumps to the actual API.

These sort of calls to jumps or jumps to jumps are now automatically resolved to improve the readability of the code.

Improved hex workspace

The hex workspace comes with a number of small improvements, but mainly the initial layout doesn’t show the output view by default.

We hope you enjoy this version as we’re already working on the next one and I can’t wait to show you some of the cool things we’re working on. 🙂

Happy hacking!

Cerbero Suite 3.0 is out!

We’re proud to announce the release of the new 3.0 version of Cerbero Suite!

The main news for the advanced version is the introduction of the Carbon Interactive Disassembler and of a full-fledged hex-editor, while the standard version features only the hex-editor.

We have removed the nag-screen from our trial, making ours the most permissive trial of all time. 🙂 Truth is, I have never been a fan of software protections, as they degrade the experience for every user, including customers and limit the immediacy of application of the software when needed.

We live in a time with virtual machines and it’s often necessary to install something on the fly and use it right away. That’s also why we included a local Python distribution in our installer on Windows, so that users are no longer required to separately install Python and configure it in our software, but can use all the functionality right away after a quick installation process.

While we changed the prices of our commercial licenses, we kept basically unchanged prices for personal licenses. Also, for a week starting today all personal licenses are sold at a discount, so hurry up! 😉

All of our customers can upgrade at a 50% discount their licenses for the next 3 months. Not only that, for the same period of time, customers of the 2.x series can purchase new licenses at a 50% discount! If you want to upgrade or purchase a new license at a discount, please contact us at sales@icerbero.com.

As usual our licenses will be valid for the whole duration of the 3.x series. Because of this licensing scheme we offer even bigger discounts to anyone who bought a license in the last two months. Please contact us at sales@icerbero.com to get a precise renewal quote.

This is the full list of news for the 3.0 version:

+ added Carbon interactive disassembler
– added hex editing workspace
– added command line workspace
+ added Windows DMP format support
+ added Windows Hibernation files format support
– added undo capability in hex views
– exposed workspaces to Python
– improved appearance on high resolution displays
– improved support for SQLite files
+ improved support for EML files
– included local python on Windows

(Note: entries with the ‘+’ sign apply only to the advanced edition.)

As we want to share our road-map with our users, in the next releases we’ll:

– Improve some of the rough edges still present in Carbon.
– Continue working on our x86/x64 analysis.
– Add loaders for ELF and Mach-O.
– Start working on creating signatures for library functions.
– Improve code analysis for memory images.
– Further improve memory analysis.
– Start working on analysis for ARM. This, however, may take a while.

Have a great day and happy hacking! 😉

Windows DMP and Hibernation Files

As we’re closing in on the release date of version 3.0, it’s time to announce some more new features: the advanced edition will come with support for Windows DMP and Windows Hibernation files.

There are many internal formats of Windows DMP files and Cerbero now supports all of the most common ones. Here are for instance some screen-shots showing information contained in minidumps.

Of course, when the full memory snapshot is available, it is possible to explore it as if it was a raw memory image. Here we can see address space inspection performed on a DMP file.

Hibernation files are also supported for all Windows version from XP to Win10. Here we can see memory analysis performed on Hibernation files.

Stay tuned as there’s more to come also regarding memory analysis.

Profiler 2.9

Profiler 2.9.1 is out with the following news (entries with the plus sign apply only to the advanced edition):

+ added parsing of Windows heap
+ added file detection in memory regions and heap
+ added file detection in memory regions and heap via libmagic
– added CCITTFax decoder for PDFs
– added detection of DDE field codes
– added support for 64-bit shellcode to executable
+ added display of page flags in hex views
– added actions for text modification
– added action to dump mapped PEs to disk
+ added signature for automatic recognition of EML files
+ improved identification speed of raw Windows memory images
+ improved loading speed of raw Windows memory images
+ improved scanning speed of memory images
+ improved global address space hex view
+ improved user address space view
– improved fault tolerance of the XML parser
– improved CFBF support
– improved support of embedded OLE objects
– improved extraction of VBA code
– improved PDF decryption
– updated SQLite to 3.21.0
– updated libmagic to 5.32
– fixed XML to text action
– fixed Python multithreading issues
– fixed many small issues
– removed PasteBin action

We’ve waited for the official announcement of the new release, because we wanted to pack some more features inside 2.9.1!

After this edition, we will continue to release minor versions, while preparing a major 3.0 edition scheduled for the second half of this year.

Windows memory image identification speed

One of the main things we improved in 2.9 is the speed of opening memory images. The user has now the option whether or not to scan files in memory. Most of the times scanning files in memory is not needed and makes the opening of a memory image unnecessarily slow.

Version 2.9.1 comes with an additional very important speed improvement: the options dialog will pop up at the first occurrence of a valid KDBG structure. The user can still opt to look for additional KDBG structures as highlighted in the screenshot below.

Memory file detection via libmagic

The main addition in version 2.9.1 versus 2.9.0 is the capability to increase the file detection rate of files in memory using libmagic.

We can dump all files detected to disk as well.

While libmagic increases the detection rate, it also adds many false positive. A nice effect of using libmagic is the detection of text files and scripts.

Memory page flags

Page flags are now visible in the hex view for memory images. Not only when viewing the main address space of a process, but also when opening a mapped file.

Or the structures of a mapped file.

Or any children or resource of a mapped file.

Improved user space view

The user space view for every process now shows also the list of mapped modules.

Dump PE to disk

When inspecting a memory mapped executable, we can now dump the file to disk and Profiler will take care of adjusting the PE header in order to be able to inspect the file using external tools as well.

XML fault tolerance

The XML parser has been improved to handle incorrect XML files. This is especially important when handling PDF malware which contains malformed XDP data.

CCITTFax decoder

Yet another decoder has been added to our PDF support. Here we can see a malware sample using this codec to conceal some JavaScript code.

64-bit shellcode to executable

It is now possible to convert x64 shellcode to executable. In the past this feature was limited to x86 shellcode.

To handle x64 shellcode it is necessary to specify “AMD x64” as Machine.

Text modification actions

When being in the context of a text editor, we can now use text actions to do some basic text operations like converting text to lowercase or uppercase or removing spaces.

Enjoy!

Profiler 2.8 – Windows Memory Forensics

Windows memory forensics on OSX.

Profiler 2.8 is out with the following news:

+ added support for Windows raw memory images
– added unhandled exception debug tools on Windows
– added unhandled exception notification for Python
– exposed tree control to the Python SDK
– improved CFBF support
– improved PDF parsing against new malware samples
– fixed PDB issue with zero-sized streams
– fixed issues in JBIG2 decoder
– fixed display of PE timestamps in UTC

The biggest news is undoubtedly the introduction of Windows memory forensics support in the Advanced version of Profiler.

And here’s the same screenshot as above taken on Linux.

Improved Exception Handling

We have also drastically improved exception handling for both Python and native code, especially on Windows.

Whenever Python raises an unhandled exception a message box pops up on Windows and on other systems the exception is printed out to the terminal if it happens outside of the UI thread.

When the issue is more serious and results in a crash the user will be presented with the following message box on Windows.

If the crash happened from Python code, the user is given the possibility to retrieve a backtrace of the last executed Python methods.

If the crash happened in the native code, it’s now possible to create a dump file.

Enjoy!

Profiler 2.7

Profiler 2.7 is out with the following news:

+ added experimental support for Windows raw memory images
+ added support for EML files
+ added TOR-based URL download action
– added JBIG2 decoder for PDFs
– improved PDF parsing against new malware samples
– improved search in hex view
– updated OpenSSL to 1.0.2
– updated Python to 3.6
– reduced dependencies on Linux
– fixed possible division by zero in PEObject::RvaToOffset
– fixed filter preview crash
– fixed Python multi-threading issue
– fixed PasteBin plugin
– fixed recognition of newer DEX files
– default to SHA-2/256 instead of SHA-1
– various bug fixes and improvements

With this version we also start to release the Advanced edition of Profiler. News entries marked by the ‘+’ sign are exclusive to the Advanced edition.

Experimental support for Windows raw memory images

Quite some time has passed since we published a post demonstrating some basic memory forensics capabilities in Profiler.

In this release of the Advanced edition we decided to publish that code, although barely functional. We didn’t want to additionally delay this long due release by working more on the memory forensic part. We will try to clean it up and make it more useful for the next release. 🙂

Enjoy!

Profiler Advanced

With the upcoming 2.7 version of Profiler, we will start releasing an Advanced edition alongside the Standard one. All our users who have bought a license until this point in time will automatically have their license work with the Advanced edition for free. This is our way to thank you for your trust!

Apart from support for Torrent files, all features which had been in the Standard edition until now will be kept there. The Advanced edition comes with new features and is especially designed for experts in the forensic and security field.

Each new version of Profiler will come with new features both in the Standard and Advanced edition. We will launch the Advanced edition with an early-adoption price.

Profiler 2.6

Profiler 2.6 is out with the following news:

– added initial support for XML files
– added support for XDP files (extraction of embedded PDFs)
– exposed the ABC format
– improved the parsing of malformed PDF streams
– fixed the code signing on OS X to meet El Capitan requirements
– fixed the JS debugger on Linux
– various bug fixes and improvements

Enjoy!