Tag: News

We’re happy to announce the release of Cerbero Suite 5.2 and Cerbero Engine 2.2!

In this post we summarize the most important new features.

Multi-Processing

The main feature of this release is the introduction of our multi-processing technology.

Our products make use of parallel processing in terms of multi-threading whenever possible, but there are limitations to the capabilities of multi-threading.

Some of the advantages offered by multi-processing are:

• Possible process isolation
• Increased stability for 3rd party components
• Overcoming the Global Interpreter Lock (GIL) in Python

We have already detailed our multi-processing technology in two previous posts (part 1, part 2), but with this release we also fully documented the API.

Sleigh Decompiler Parallelization

We used our new multi-processing technology to parallelize the Sleigh decompiler by running it in a different process. This guarantees complete stability in case Sleigh encounters an issue and makes every decompiling operation safe to cancel.

We didn’t notice slow-downs by running the decompiler in a different process, in fact it’s still blazingly fast.

By parallelizing the decompiler we were also able to initialize it during the loading of the file/database. Thus, when the decompiler is invoked for the first time there is no initial delay.

Although the decompiler doesn’t take much time to load, the preloading makes it extra-snappy.

It is also possible to choose to run the decompiler in the same process as before from the Carbon settings.

Carbon Documentation

We have fully documented the Carbon API to disassemble and decompile native binaries.

The documentation contains numerous code examples which cover the decryption of strings, disassembling of files, decompiling of functions and the creation of custom file loaders.

ZeroMQ Module

Our multi-processing technology relies on ZeroMQ. Therefore, we exposed ZeroMQ to our Python SDK.

Rather than using the provided Python wrappers, we exposed the C interface directly. We just added a few methods to convert from and to bytes objects in Python.

This is a basic client-server example using send/recv.

The client:

from Pro.zmq import *
import ctypes

context = zmq_ctx_new()

socket = zmq_socket(context, ZMQ_REQ)
zmq_connect(socket, "tcp://localhost:5555")

for i in range(1000):
    zmq_send_bytes(socket, b"Hello, world!", 0)
print("info: sent")

zmq_close(socket)
zmq_ctx_destroy(context)

The server:

from Pro.zmq import *

context = zmq_ctx_new()

socket = zmq_socket(context, ZMQ_REP)
rc = zmq_bind(socket, "tcp://127.0.0.1:5555")

if rc == 0:
    while True:
        b = zmq_recv_bytes(socket, 13, 0)
        print(b)
        break
else:
    print("error: couldn't bind to port")

zmq_close(socket)
zmq_ctx_destroy(context)

And this is a basic client-server example using messages.

The client:

from Pro.zmq import *
import ctypes

context = zmq_ctx_new()

socket = zmq_socket(context, ZMQ_REQ)
zmq_connect(socket, "tcp://localhost:5555")

msg = zmq_msg_t()
zmq_msg_init_bytes(msg, b"Hello, world!")
rc = zmq_msg_send(msg, socket, 0)
print(rc)
print("info: sent")

zmq_close(socket)
zmq_ctx_destroy(context)

The server:

from Pro.zmq import *

context = zmq_ctx_new()

socket = zmq_socket(context, ZMQ_REP)
rc = zmq_bind(socket, "tcp://127.0.0.1:5555")

if rc == 0:
    msg = zmq_msg_t()
    zmq_msg_init(msg)
    while True:
        # wait until a message is received
        rc = zmq_msg_recv(msg, socket, 0)
        if rc != -1:
            print(zmq_msg_bytes(msg))
        zmq_msg_close (msg)
        break
else:
    print("error: couldn't bind to port")

zmq_close(socket)
zmq_ctx_destroy(context)

Improved Logic Providers

We optimized logic provider extensions. In particular, it is now possible to specify the type option for standalone tools:

type = tool

When this option is specified, the init function of the logic provider must return False. This causes the logic provider to be treated as a standalone tool rather than a scan logic provider and avoids creating a scan report for it.

Improved Custom Views

We added the progress bar control and idle notifications to custom views. You can find both features documented on the SDK page of the UI module.

Finally, a thank you to Insid3Code Team for reporting three of the bugs we fixed in this release.

We’re proud to announce the release of Cerbero Suite 5 and Cerbero Enterprise Engine 2!

All of our customers can upgrade at a 50% discount their licenses for the next 3 months! We value our customers and everyone who has bought a license in August should have already received a free upgrade for Cerbero Suite 5! If you fall in that category and haven’t received a new license, please check your spam folder and in case contact us at sales@cerbero.io. Everyone who has acquired a license before August, but in the last 3 months, will get an additional discount.

Starting today we’ll be contacting all of our existing customers and provide them with a discount coupon. If you don’t get an email from us in the next two days, please contact us at sales@cerbero.io!

Speed

We introduced many core optimizations, while maintaining the same level of security.

Cerbero Suite has always been fast, so these changes may not be too apparent. They are, however, noticeable in our benchmarks!

The scanning of certain file formats like PE and the disassembly of binaries using Carbon show a decent performance boost. However, in the case of certain file formats like PDF the performance boost is massive!

Documentation

For this release we created beautiful documentation for our SDK, which can be found at: https://sdk.cerbero.io/latest/.

The documentation of each module comes with an introduction detailing essential concepts.

Other sections provide code examples with explanations.

The API documentation contains the prototype of each method and function and it comes with code examples.

Related constants, classes, methods and functions all contain references to each other.

The documentation contains notes and hints in case there are things to be aware of.

The documentation is searchable. Entering the name of a constant, class, method or function directly brings to its documentation.

The documentation of the UI module will enable you to create complex user interfaces.

It even explains how to create entire workspaces with dock views, menus and toolbars.

While there remain dozens of modules to document, the Core and UI module represent a great part of the functionality of Cerbero Suite and Cerbero Enterprise Engine. We will release the documentation of more modules and topics over the course of the 5.x series.

Python

This release comes with the latest Python 3.9.6!

We update Python only between major versions and for the release of Cerbero Suite 4 we didn’t have the time to upgrade. So the previous series remained with Python 3.6.

This series not only comes with the very latest Python version, but we also managed to keep compatibility with all our older supported systems, including Windows XP!

Scan Data Hooks

We introduced a new type of hook extension: scan data hooks.

Using this type of hooks, it’s trivial to customize the scan results of existing scan providers.

For example, adding a custom entry during the scan of a PE file and then provide the view to display it in the workspace.

The following is small example.

Add these lines to your user ‘hooks.cfg’ file.

[ExtScanDataTest_1]
label = External scan data test
file = ext_data_test.py
scanning = scanning
scandata = scandata

Create the file ‘ext_data_test.py’ in your ‘plugins/python’ directory and paste the following code into it.

from Pro.Core import *

def scanning(sp, ud):
    e = ScanEntryData()
    e.category = SEC_Info
    e.type = CT_VersionInfo
    e.otarget = "This is a test"
    sp.addHookEntry("ExtScanDataTest_1", e)
    
def scandata(sp, xml, dnode, sdata):
    sdata.setViews(SCANVIEW_TEXT)
    sdata.data.setData("Hello, world!")
    return True

Activate the extension from Extensions -> Hooks.

Now when scanning a file an additional entry will be shown in the report.

Clicking on the entry will display the data provided by the extension!

This type of extension is extremely powerful and we’ll show some real use cases soon.

What Next?

Among the many things we introduced over the course of the previous 4.x series there was:

• ARM32/ARM64 disassembly and decompiling.
• Decompiling and emulation of Excel macros.
• Support for Microsoft Office document decryption.
• Disassembly of Windows user address space.
• Disassembly of Windows DMP files.
• Support of XLSB and XLSM formats.
• Support of CAB format.
• Hex editing of processes, disk and drives on Windows.
• Updated native UI for Ghidra 10.
• Improved decompiler.
• Improved macOS support.

So in the last series we spent a lot of time focusing on Microsoft technology.

In particular, Excel malware required supporting its decryption, the various file formats used to deliver it (XLS, XLSB, XLSM) and creating a decompiler and an emulator for its macros.

Also, in June we launched our Cerbero Enterprise Engine, which detracted some of our development resources, but it gave us the opportunity to clean up and improve our SDK.

This series will be focused mostly on non-Microsoft specific technology and hence will appeal to a broader audience.

We can’t wait to show you some of the things we have planned and we hope you enjoy this new release!

Happy hacking!

This time it took a bit longer, because we were busy with the release of our Cerbero Engine.

The main news of this release is that we rewrote our Rich-Text Format (RTF) parser to handle more anti-malware tricks and we exposed the entire parser to Python.

We have also updated the YARA engine to its latest version and fixed a bug in the ELF Carbon loader.

This is the complete list of news:

– improved RTF parsing
– improved JBIG2 decoding
– various improvements
– exposed RTF classes to Python
– updated YARA to 4.1.1
– fixed bug in Carbon ELF loader
– fixed some bugs

Happy hacking!

This version of Cerbero Suite comes with a variety of improvements:

• We have greatly improved macOS support and squashed all the bugs we could find.
• We have improved the hex editor: it can now open folders and on Windows it can edit logical drives, physical disks and the memory of processes.
• We have further improved the native UI for Ghidra.
• We have improved the ARM64 support in our Carbon disassembler.
• We have improved the entropy view.
• We have improved system integration on Windows and macOS and theme support.

This is the full list of news for version 4.7:

– added open folder to hex editor
– added open drive/disk to hex editor on Windows
– added open process to hex editor on Windows
– added system settings
– improved native Ghidra UI
– improved ARM64 disassembly
– improved entropy view
– small improvements to the GZ format support
– improved theme support
– fixed Ghidra Native UI execution on macOS
– fixed UI glitches on macOS
– fixed some bugs

Hex Editor

It is now possible to open an entire folder in the hex editor, either by context menu, command line or UI.

Furthermore, on Windows it is also possible to edit logical drives, physical disks and the memory of processes.

Logical drives:

Physical disks:

Processes:

Improved native UI for Ghidra

Now, when launching the native UI for Ghidra, the Java UI is automatically minimized (configurable from the settings). You can create and delete functions, and we try to keep the function list view updated without having to do a manual refresh. You can switch back to the Java UI from the native UI and you can also launch an additional native UI directly from the native UI.

Improved Carbon ARM64 support

We have improved ARM64 support in our Carbon disassembler in order to recognize additional multi-instruction jump patterns.

Improved entropy view

We have improved our entropy view making it dependent from the parent view and enabling clicks on it. When you click somewhere on the plot it will bring you to the point in the hex editor of the entropy you want to inspect.

System Settings

On both Windows and macOS it’s now possible to configure the integration of Cerbero Suite with the Explorer/Finder context menu.

Up until now, on Windows it was possible to configure the integration with Explorer only during the setup and not at a granular level.

Windows:

macOS:

You can now access the tools of Cerbero Suite directly from the context menu of Finder:

Improved theme support

Since on macOS the native system style may result in cluttered UIs, we have introduced an additional theme called “Fusion”. It comes with the same colors as the default theme, but with a different style for widgets.

Default theme on macOS:

Fusion theme:

If we see that our users prefer this theme, we might make it the default one on macOS.

Improved macOS support

Apart from adding system integration and improving theme support for macOS, we have also squashed all the macOS bugs we could find. We fixed some UI glitches and a bug which affected the launch of the native Ghidra UI on macOS. The UI experience on macOS should be a smooth one now!

Because of some bureaucratic slowdowns this release took longer than usual. On the upside, it comes packed with news!

We have added support for the XLSB format (via pyxlsb2), so that now Cerbero Suite decompiles both XLS and XLSB formulas. Not only that, Cerbero Suite now previews spreadsheets even better than Microsoft Excel does!

But even more exciting, we have introduced the Silicon Excel Emulator to emulate Microsoft Excel formulas.

In order to emulate a formula, it’s enough to select it in the spreadsheet and to press “Ctrl+E” (or using the context menu).

While the emulator doesn’t support all the functions available in Excel, we made it extremely simple to extend it from Python. When a function is not supported, the emulator simply prints out its arguments:

warning: unimplemented function 'CALL'
    arg_0: "Shell32"
    arg_1: "ShellExecuteA"
    arg_2: "JJCCCCJ"
    arg_3: 0
    arg_4: "Open"
    arg_5: "C:\ProgramData\nCjBmqQ.exe"
    arg_6: 
    arg_7: 0
    arg_8: 0

In most cases, this is enough to understand what’s happening. When it isn’t and we need something more, we can easily hook into the emulator engine via Python and extend it:

from Pro.SiliconSpreadsheet import *
from Pro.UI import proContext

class EmulatorHelper(SiliconExcelEmulatorHelper):

    def __init__(self):
        super(EmulatorHelper, self).__init__()
        
    def evaluateFunction(self, emu, ctx, opts, depth, e):
        function_name = e.toString()
        print(function_name)
        return SiliconExcelEmulatorValue()

v = proContext().findView("Analysis [file name]")
if v.isValid():
    view = SiliconSpreadsheetWorkspaceView(v)
    helper = EmulatorHelper()
    emu = view.getExcelEmulator()
    emu.setHelper(helper)
else:
    print("error: couldn't find view")

This little snippet of Python code does nothing else than to hook the Silicon Excel Emulator being used in a spreadsheet preview and to log every function being called. We can, however, just as easily modify the behavior of a function or implement its functionality by returning a valid value. We’ll show you how to do this in future articles and videos.

The new version of Cerbero Suite comes also with other improvements. For instance, it is now possible to edit the prototype of functions in the decompiler by pressing “Y”.

And you can now edit the prototype of a function in the same way also in the native UI for Ghidra.

This is the complete list of news for version 4.5:

– added spreadsheet preview for XLS and XLSB files
– added XLSB format support
+ added Microsoft Excel macro emulator
+ added editing of function prototypes in the decompiler
+ added editing of function prototypes in the native UI for Ghidra
+ improved Ghidra native UI
– improved XLS macro decompiler
– improved XLS format support
– exposed XLS classes to Python
– exposed new cell table view to Python
– minor improvements

We’ll soon publish material to demonstrate how to reverse engineer malicious Excel documents.

Happy hacking!

This time it took a bit longer for the release as we’re undergoing some organizational changes, but we’ll make up for it in the upcoming months!

This is the list of news for version 4.4:

– added Excel macro decompiler
– added word highlighting to text editor
– added password brute-forcers
+ improved C++ support in the decompiler
+ improved disassembly view
– improved detection of Excel malware

Excel Macro Decompiler

The major news of this release is the addition of a decompiler for Excel macros. We’ll continue to build and improve upon this feature in the upcoming releases!

C++ Decompiler Improvements

We have improved C++ support in the decompiler. A small improvement makes the code much easier to read!

Text Editor: Word Highlighting

Cerbero Suite now provides the word highlighting feature available in the disassembly/decompiler also in the text editor. This makes the analysis of VBA macros, JavaScript and other managed languages much easier.

Password Brute-Forcers

“infected” is such an ubiquitous password for sharing Zip archives containing malware that starting with this release you don’t even have to enter it when opening a file.

We’ve also added optional common passwords dictionary-based brute-forcers as a bonus. You can activate them from the extensions page.

More is coming soon…

Happy hacking!

Cerbero Suite 4.3 is out and it comes with Decryption of Microsoft Office Documents!

– added Microsoft Office document decryption
– improved CFBF support
– minor improvements
– fixed bugs

More is coming soon…

Happy hacking!

The new version of Cerbero Suite is out with the following news:

– added CAB format support
– added convert/from_array and convert/to_array filters
– added detection of external resources in Office documents
+ improved renaming of variables in the decompiler
– improved dev/array filter
– included OpenSSL executable
– fixed bugs

We’ll be soon publishing videos detailing some of these additions!