Cerbero Labs aims to create a perfect multitool for low-level professionals, so new features and improvements are essential.
As an active partner of Cerbero Labs, we are proud to provide our customers with the latest Cerbero Suite releases and updates.
Feel free to contact E-SPIN regarding the product and any related matters. The releases and updates are listed with the latest release at the top of the post, followed by the previous releases.
Cerbero Suite 6.4 (Release 1-May-2023)
The Cerbero Suite 6.4 release with Cerbero Engine 3.4 includes the following improvements:
1. Silicon Shellcode Emulator
The Silicon Shellcode Emulator is a lightweight x86/x64 emulator designed for Windows shellcode.
The package is available to all commercial licenses of Cerbero Suite Advanced.
The emulator can be launched after selecting an architecture and a memory profile in the settings dialog.
It can be launched from a window, from the command line or through an action, and execution happens within the hex view.
2. IceDark Theme
Cerbero Suite 6.4 introduces a new appearance theme that will feel familiar to old-school users.
3. DES Filter
The Cerbero 6.4 release adds a DES crypto filter that supports DES, DESX and 3DES.
4. ITSF & JPEG module documentation
This release comes with documentation for the ITSF module (Pro.ITSF), which contains the API for parsing Microsoft CHM files, and for the JPEG module (Pro.JPEG), which contains the API for JPEG images.
5. Improved command line interpreter
Cerbero Suite 6.4 gives better control over the command line interpreter and enables workspaces to add their own interpreter.
Cerbero Suite 6.3 (Release 27-Mar-2023)
The improvements included in the Cerbero Suite 6.3 release with Cerbero Engine 3.3 are:
1. Support for 7z and XZ archives
The Cerbero Suite 6.3 release adds a 7z package that supports both 7z and XZ archives.
The 7z package is available in every Cerbero Suite license and also supports encrypted archives and all common compression methods.
2. Support for TAR archives
Cerbero Suite 6.3 now includes a TAR format package that enables support for TAR archives. This feature is available for all Cerbero Suite license editions.
3. Powershell Beautifier 2.0
PowerShell Beautifier is a tool that beautifies Microsoft PowerShell scripts through various deobfuscation capabilities. Cerbero Suite 6.3 comes with the release of PowerShell Beautifier version 2.0, which adds an option to remove unused variables.
4. OneNote Format for all licenses
The OneNote Format package, which was previously released specifically for commercial licenses, is now available for all licenses of Cerbero Suite. After installing OneNote Format, users can open OneNote documents directly in Cerbero Suite, where every embedded file is automatically extracted and ready to be inspected.
5. Crypto Module
In this release, Cerbero Labs exposes the Crypto module to the SDK and documents it.
The module provides classes for hashing and encryption/decryption.
For instance, hashing data can be as simple as the code snippet shown below.
from Pro.Crypto import *
print(NTCryptoSHA1(b"Hello, World!").finalHexString())
6. GZ module documentation
Cerbero Suite 6.3 also includes documentation for the GZ module, which offers the API for parsing GZip archives.
Cerbero Suite 6.2 (Release 9-Mar-2023)
The Cerbero Suite 6.2 release with Cerbero Engine 3.2 involves three releases of commercial packages:
1. OneNote Format
As Microsoft OneNote is becoming popular as a vector for malware, all commercial licenses of Cerbero Suite can now download our “OneNote Format” package from Cerbero Store.
This package is easy to install (with just one click) and lets users parse the OneNote format and extract embedded files.
2. Simple Batch Emulator
Available to all commercial licenses of Cerbero Suite Advanced, Simple Batch Emulator is a package designed to assist users in the analysis of malware that uses Windows batch scripts.
3. PowerShell Beautifier
PowerShell Beautifier focuses on helping users analyse PowerShell code that is commonly seen in malware. The package is available to all commercial licenses of Cerbero Suite Advanced and features a complete parser for the PowerShell language as well as multiple deobfuscation capabilities.
This release emphasises the rapid update of features. Thus, Cerbero Store includes the following additional packages:
- JavaScript Beautifier (all licenses)
- EML Format (all advanced licenses)
- Torrent Format (all advanced licenses)
- ShellcodeToExecutable (all advanced licenses)
- Tor Downloader (all advanced licenses)
- Python Snippets (all licenses)
The SDK documentation is now improved and includes a complete guide on how to create plugins and extensions for Cerbero Suite and Cerbero Engine.
This release also includes improvements to syntax highlighting and various bug fixes.
Cerbero Suite 6.1 (Release 16-Nov-2022)
The Cerbero Suite 6.1 release with Cerbero Engine 3.1 focuses on improvements to the PDF support.
1. New JBIG2 Library
Cerbero’s PDF support has long relied on a JBIG2 library to decode JBIG2 streams.
This release brings a rewritten JBIG2 library, which further enhances the security of the JBIG2 decoding support that had already been hardened by:
- relegating it to a different process
- constraining it to a time threshold
With this modification, the new JBIG2 library is faster and, most importantly, has constraints on allocation and processing time by default.
2. JPEG & JPEG2000 Decoders
Cerbero Suite 6.1 adds support for the /DCTDecode and /JPXDecode filters in PDFs, which represent JPEG and JPEG2000 respectively.
With this feature, users can encode a JavaScript script using a grayscale JPEG image. Additionally, the feature can be disabled if users decide not to use it.
3. PDF SDK Catalog Support
This release introduces SDK support for parsing the pages in a PDF.
# obj is the PDF object already opened for analysis
objtable = obj.GetObjectTable()
# computes the catalog tree
cat = obj.ComputeCatalogTree(objtable)
# flattens the tree into a list
pages = obj.FlattenCatalogTree(cat)
page_count = pages.size()
print("Number of pages:", page_count)
for i in range(page_count):
    print(" Page:", i + 1, "- Object:", obj.ObjectToString(objtable, pages.at(i)))
The sample output is:
Number of pages: 12
Page: 1 - Object: 5.0
Page: 2 - Object: 71.0
Page: 3 - Object: 100.0
Page: 4 - Object: 113.0
Page: 5 - Object: 132.0
Page: 6 - Object: 154.0
Page: 7 - Object: 172.0
Page: 8 - Object: 210.0
Page: 9 - Object: 236.0
Page: 10 - Object: 277.0
Page: 11 - Object: 286.0
Page: 12 - Object: 320.0
4. DIB & GIF Modules Documentation
For Cerbero Suite 6.1, Cerbero Labs has documented the API for parsing DIB and GIF images.
5. Fast Timer
This release introduces NTTimer, which is faster than the timing mechanism offered by NTTime.
Users do not need to learn how NTTimer works, as it operates in a way similar to NTTime.
t = NTTimer()
t.start()
print("elapsed ms:", t.elapsed())
6. Zip Parsing Bug
This release includes a fix for a reported potential infinite loop when parsing incorrect NTFS attributes in Zip archives.
Cerbero Suite 6.0 (Release 11-Sep-2022)
Cerbero Labs is proud to present Cerbero Suite 6.0 with Cerbero Engine 3.0. The new and updated features in Cerbero Suite 6.0 include:
1. Sample Downloader Package
With Cerbero Store, installing the package takes only a few clicks. Once installation is complete, users can go to the settings and enter the API keys for the supported intelligence services.
To download one or multiple malware samples, users only need to enter their hashes. Sample Downloader then tries to download every malware sample from all supported intelligence services.
Once the download is complete, users can inspect the samples in Cerbero Suite.
Additional samples can be downloaded using one of the actions added by the package. Moreover, Sample Downloader can be invoked from the command line.
2. Improved Search Dialogs
Cerbero Suite 6 has better search dialogs, all of which support regular expressions.
Most importantly, this release offers wrap-around search and adds text search to the Carbon disassembler and the native Ghidra UI.
3. Java Class and DEX Modules Documentation
This release includes documentation of the API for parsing Java Class files and Android DEX files.
4. Writable Remote Containers
Cerbero Suite 6 introduces remote containers thanks to Cerbero Suite's multi-processing technology. Essentially, the remote container is writable.
5. Updated Sleigh Decompiler & AppleSilicon Support
In this release, the Sleigh decompiler has been updated to the one in Ghidra 10.1.15.
Additionally, Cerbero Suite 6 includes support for AppleSilicon through the generic support for ARM64, together with specific support for AppleSilicon in the decompiler.
6. Improved Office Documents Scan
This release improves the Office document scan: external references in Microsoft Office documents are now correctly detected in .rels files as well, and string support is added for older XLS documents.
7. Text Browser View
This release of Cerbero Suite comes with a graphically improved text browser view, the UI control used by the Carbon disassembler, which is now exposed to Python.
The following example from the SDK documentation shows how to display custom lines provided through UI notifications and how to handle textual hyper-links:
from Pro.Core import *
from Pro.UI import *

class CustomView:

    @staticmethod
    def callback(cv, self, code, view, data):
        if code == pvnInit:
            t = cv.getView(1)
            t.showCustomLines()
            return 1
        elif code == pvnTextBrowserLineCount:
            vid = view.id()
            if vid == 1:
                data.setCount(100)
        elif code == pvnTextBrowserGetLine:
            vid = view.id()
            if vid == 1:
                b = ProTextBrowserStringBuilder()
                b.setTextColor(0, 0, 180)
                b.append("This is line number ")
                b.setTextColor(180, 0, 0)
                b.append(str(data.id + 1) + " ")
                b.setTextColor(0, 180, 0)
                b.beginHyperLink(1, 0)
                b.append("This is a hyper-link.")
                b.endHyperLink()
                data.setLine(b.buffer)
        elif code == pvnTextBrowserHyperLinkActivated:
            vid = view.id()
            if vid == 1:
                proContext().msgBox(MBIconInfo, "Hyper-link activated!")
        return 0

    def show(self):
        ctx = proContext()
        v = ctx.createView(ProView.Type_Custom, "Text Browser Demo")
        v.setup("<ui><vl margin='0'><textbr id='1'/></vl></ui>", self.callback, self)
        ctx.addView(v)

cv = CustomView()
cv.show()
Other improvements include:
- Exposed ProTheme: UI themes are now exposed to Python, which is helpful to plugins that need to query colours for a certain theme.
- ProWebRequest: this addition expands the API for web requests in Cerbero Suite.
- Bug fixes: major fixes include correcting the Windows Memory Analysis package dependency for Windows crash dump files, a regression that led to a crash when changing a function prototype in the decompiler, and a regression that caused a missing refresh when loading embedded files.
Cerbero Suite 5.7 (Release 18-July-2022)
Cerbero Suite 5.7 with Cerbero Engine 2.7 has been released! The new release includes:
1. Expanded AbuseCH Intelligence Package
In this release, the MalwareBazaar Intelligence commercial package has been renamed to the AbuseCH Intelligence Package. Along with this renaming, the AbuseCH Intelligence Package introduces extended functionality.
Installing the AbuseCH Intelligence Package takes only a few clicks, after which you can search MalwareBazaar using all supported parameters, including the most recently uploaded samples.
Cerbero Suite 5.7 allows users to download and analyse malware immediately without leaving the Cerbero Suite user interface.
2. CFBF Module Documentation
This release includes documentation of the API for parsing Microsoft legacy Office documents, covering how to enumerate CFBF directories, decrypt documents, extract VBA code and decompile macros.
3. Augmented JBIG2 Decoding Security
In Cerbero Suite 5.7, the already hardened JBIG2 decoding support is relegated to a different process and constrained to a time threshold to enhance security.
This improvement solves memory exhaustion and stalling issues: if the decoding process does not complete within the given time, decoding fails and the issue is reported to the user.
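The isolation pattern described here and in the 6.1 JBIG2 notes above (decoder in a separate process, bounded by a time threshold and an allocation limit), sketched as an added example that is not Cerbero's code. The toy segment format, the worker and the names `decode_isolated`, `seg`, `BENIGN`, `STALL` and `BOMB` are constructed for illustration, and the allocation cap assumes a POSIX system that enforces `RLIMIT_AS` (for example Linux).

```python
import struct
import subprocess
import sys

# Source of the worker, run in a separate interpreter. It caps its own address
# space before touching the input, then decodes a constructed toy format (a
# stand-in, NOT JBIG2): next_offset:u8 (0 = last) | run:u32 BE | value:u8
WORKER = r"""
import resource, struct, sys
limit = int(sys.argv[1])
soft, hard = resource.getrlimit(resource.RLIMIT_AS)
cap = limit if hard == resource.RLIM_INFINITY else min(limit, hard)
resource.setrlimit(resource.RLIMIT_AS, (cap, cap))
data = sys.stdin.buffer.read()
out, pos = bytearray(), 0
while True:
    nxt, run, value = struct.unpack_from(">BIB", data, pos)
    out += bytes([value]) * run      # allocation size comes from the input
    if nxt == 0:
        break
    pos = nxt                        # offset chain can point back at itself
sys.stdout.buffer.write(out)
"""


def decode_isolated(data, timeout_s=5.0, mem_limit=512 * 1024 * 1024):
    """Decode untrusted `data` in a child process.

    Returns (status, output, detail) where status is "ok", "failed" or
    "timeout"; the parent never runs the decoder itself.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", WORKER, str(mem_limit)],
            input=data, capture_output=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        # subprocess.run() kills the child before raising, so nothing lingers.
        return "timeout", b"", "decoder exceeded %.1f s" % timeout_s
    if proc.returncode != 0:
        # Surface the last line of the child's traceback as the reason.
        lines = proc.stderr.decode(errors="replace").strip().splitlines()
        return "failed", b"", lines[-1] if lines else "decoder crashed"
    return "ok", proc.stdout, ""


def seg(nxt, run, value):
    """Build one segment of the constructed toy format."""
    return struct.pack(">BIB", nxt, run, value)


# Constructed sample inputs.
BENIGN = seg(6, 3, 0x41) + seg(0, 2, 0x42)   # two chained runs
STALL = seg(6, 0, 0) + seg(6, 0, 0)          # second segment points at itself
BOMB = seg(0, 0xFFFFFFFF, 0)                 # declares a ~4 GiB run

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("stall", STALL), ("bomb", BOMB)):
        status, out, detail = decode_isolated(blob, timeout_s=2.0)
        print(name, status, out[:16], detail)
```

Because the stalled or over-allocating decoder lives in its own process, the parent only has to handle a status value and can report the failure to the user.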
4. Human Hash
This release integrates human hashes into the analysis workspace, letting users view a humanized version of the hash as a tool-tip when the cursor rests on the cryptographic hash.
Additionally, the humanized hash can be copied to the clipboard using the drop-down menu next to the cryptographic hash edit box.
5. Deflate64 Support
This release includes support for the proprietary deflate64 decompression method. The decompression is integrated in the Zip format support and in the filters technology.
6. New Python APIs
New APIs are added in this release, notably the logicProviderArguments method, which lets logic providers retrieve their command line arguments when they are invoked from the command line.
For example, a small snippet of a logic provider init function:
from Pro.Core import *

def customLogicProviderInit():
    ctx = proCoreContext()
    args = ctx.logicProviderArguments()
    if not args.isEmpty():
        # has arguments...
        pass
7. Extensions Load Errors
To make load errors of extensions easier to debug, this release enables a debug message that is shown only once for each extension that failed to load. This improvement is mainly aimed at developers of extensions.
Cerbero Suite 5.6 (Release 1-Jun-2022)
The Cerbero Suite 5.6 with Cerbero Engine 2.6 release is here! The new features included in this release are:
1. MalwareBazaar Intelligence Package
Malware has been expanding over the years. Commercial licenses for Cerbero Suite Advanced now have access to the MalwareBazaar Intelligence Package, which lets users access intelligence from MalwareBazaar directly from the file report.
2. UPX Unpacker Package
Cerbero users of all licenses have access to this package. Once installed, the UPX Unpacker package automatically identifies binaries compressed with UPX and unpacks them into child objects. The package supports PE, ELF and Mach-O binaries.
Where binaries are not automatically unpacked, the UPX Unpacker package can be invoked manually as an action. It can also be invoked from Python.
3. Internal Project Files
The Cerbero 5.6 release adds the capability to generate files that do not exist on disk and store them in the analysis report. This feature is helpful in various real-world applications. For instance, an unpacker can unpack a file and store the resulting file as an internal file during the scanning process; a later request for the unpacked file can then bypass the unpacker and directly access the internal file.
4. After-Scanning
The after-scanning feature in Cerbero 5.6 allows users to programmatically add scan entries to a report after the scanning has been performed. Users can therefore add embedded objects after the scan either manually or programmatically. Moreover, new root entries, for which the user can choose files from disk, can also be added to a report programmatically. Users can also promote the data in a hex view to a root file in the report.
5. Add file to report action
In addition to choosing files from disk to add new root entries, users can also reference internal files when the entry is added from code.
6. Promote Hex data to root file action
As mentioned in the after-scanning feature, data from the hex view is stored as an internal file and referenced from the root entry. This action lets users promote data to a root file and is not limited to analysis hex views: it can be performed from any hex view.
7. CAB & Certificates Modules Documentation
The added documentation includes the API for parsing Microsoft Cabinet files and a comprehensive API for parsing certificate files in DER and PEM encodings.
8. Improved setting page
In the Cerbero 5.6 release, the settings page has shifted from a tab-based interface to a list-based interface.
9. Added Core SDK APIs
10. Fixed Python GIL Issues
11. VBA Extraction Code Page Support
Cerbero Suite 5.5 (Release 18-Apr-2022)
The Cerbero Suite 5.5 with Cerbero Engine 2.5 release introduces the following improvements:
1. Cerbero Engine editions (Classic and Metal)
These two editions let Cerbero Labs offer an ideal option to organisations that require a powerful and flexible back-end for their services.
Classic edition:
- Includes all UI functions
Metal edition:
- Includes all UI functions but without UI dependencies
- Runs in cloud and server environments
- Is compatible with plugins that import graphical functions
2. Microsoft Authenticode on Linux and macOS
Users with commercial licenses for Cerbero Suite Advanced and Cerbero Engine can verify Microsoft Authenticode signatures on Linux and macOS. This feature supports full-chain certificate and time-stamp verification.
On non-Windows systems, the only step required to verify Authenticode is installing the ‘Microsoft Authenticode’ package from the Cerbero Store.
Cerbero Labs has also exposed Authenticode validation to their Python SDK.
3. Certificates Support
In addition to Cerbero Suite's ability to inspect certificates inside binaries, this release allows users to load certificates directly from disk and to inspect each individual ASN1 object.
This version also supports DER and PEM encodings for certificates.
Users can inspect all types of certificates, including X509, PKCS7 and PKCS12.
Cerbero Labs has exposed the code to their Python SDK to simplify programmatic parsing of certificates.
4. Command Line Improvements
Cerbero 5.5 with Cerbero Engine 2.5 comes with various command line improvements, which include:
- Addition of command line I/O on Windows.
- The cerpro executable is built as a GUI application and is not attached to a terminal, so the stdout output produced with the ‘-c’ argument could not be seen. Cerbero resolves this limitation by adding a launcher on Windows called “cerpro_console.exe”.
5. Command Line Scripting and Package Management SDK Documentation
Cerbero Labs has two important announcements about their SDK documentation:
- Command line scripting and package management now have official SDK documentation.
- The SDK documentation is easier to read thanks to added tables that summarise the contents of modules and classes.
6. Bug fixes
Cerbero Suite 5.4 (Release 1-Mar-2022)
The Cerbero Suite 5.4 with Cerbero Engine 2.4 release introduces various improvements.
Key Improvements:
1. .NET ReadyToRun Format Support
The previous version of Cerbero already supported NGen-generated native images. Cerbero Suite 5.4 adds support for the ReadyToRun format and ensures that it is not mistaken for an NGen-generated image.
2. Hex Editing Processes on Linux
Cerbero Suite 5.4 enables users to open processes in the hex editor on Linux. Windows users have had this feature since the introduction of Cerbero’s hex workspace.
3. API Solver Package
Following the release of Cerbero Store to ease the installation of packages, the store now includes the API Solver Package for all commercial licenses of Cerbero Suite Advanced. The API Solver Package is helpful for shellcode analysis.
4. Common Password Package
The built-in password brute-forcers have been moved into Cerbero Store as the Common Password package. This package is available to Cerbero Suite Advanced (both commercial and non-commercial) and Cerbero Engine.
5. Silicon Spreadsheet Documentation
Cerbero Suite 5.4 includes full documentation of the Excel macro emulator and spreadsheet visualisation module.
6. Improved ITSF (CHM) Format Support
Support for Microsoft’s ITSF (or CHM) format has been updated in Cerbero Suite 5.4, and the format is exposed to Cerbero’s Python SDK.
7. Improved Hex Editor
Users can now easily select contiguous ASCII, Hex and Base64 strings in the hex editor, which is very helpful when loading embedded files or decoding data.
8. Bug Fixes
Cerbero Suite 5.3 (Release 1-Feb-2022)
The Cerbero Suite 5.3 with Cerbero Engine 2.3 release introduces Cerbero Store.
With Cerbero Store:
- users can easily install Cerbero packages.
- users can apply updates faster (all they need is a current license for either Cerbero Suite or Cerbero Engine to access Cerbero Store).
- some components can be decoupled from the main application.
Moving the Windows memory analysis functionality to a package on Cerbero Store makes the main software package lighter.
The native UI for Ghidra component has also been moved to a package on Cerbero Store. This way, Cerbero plugin code will not be affected by the changes to Ghidra’s API that occur between releases.
Cerbero Store is also secured: every package in Cerbero Store is digitally signed, so altered packages will not be installed because they do not carry a valid signature.
Cerbero Suite 5.2 (Release 30-Nov-2021)
The Cerbero Suite 5.2 with Cerbero Engine 2.2 release introduces Cerbero’s multi-processing technology, which offers process isolation, increases stability for third-party components and overcomes the Global Interpreter Lock (GIL) in Python.
Key features:
1. Multi-processing API
The multi-processing API in Cerbero Suite 5.2 is both flexible and easy to use.
It is built on top of ZeroMQ, an established ultra-fast messaging library that also works for clustered solutions.
2. Sleigh Decompiler Parallelisation
With the new multi-processing technology, the Sleigh decompiler runs in parallel in different processes. This ensures complete stability if there is an issue in Sleigh, as well as safe cancellation of a decompiling operation.
Parallelisation also allows the decompiler to be initialised while a file or database is loading, which eliminates the initial delay when the decompiler is invoked.
Cerbero Suite 5.2 still allows users to run the decompiler in the process used previously, through the Carbon settings.
3. Carbon Documentation
Cerbero Labs provides a fully documented Carbon API to disassemble and decompile native binaries.
The Carbon documentation for Cerbero Suite 5.2 includes many code examples, covering decryption of strings, disassembling of files, decompiling of functions and the creation of custom file loaders.
4. ZeroMQ Module
Because the new multi-processing technology in Cerbero Suite 5.2 depends on ZeroMQ, ZeroMQ is exposed to Cerbero’s Python SDK. Cerbero Labs exposes the C interface directly and adds a few methods to convert from and to bytes objects in Python.
Example 1: Basic client-server using send/recv.
The client
from Pro.zmq import *
import ctypes

context = zmq_ctx_new()
socket = zmq_socket(context, ZMQ_REQ)
zmq_connect(socket, "tcp://localhost:5555")
# REQ/REP is lockstep: a REQ socket cannot send again until it has received a reply
for i in range(1000):
    zmq_send_bytes(socket, b"Hello, world!", 0)
print("info: sent")
zmq_close(socket)
zmq_ctx_destroy(context)
The server
from Pro.zmq import *

context = zmq_ctx_new()
socket = zmq_socket(context, ZMQ_REP)
rc = zmq_bind(socket, "tcp://127.0.0.1:5555")
if rc == 0:
    while True:
        b = zmq_recv_bytes(socket, 13, 0)
        print(b)
        break
else:
    print("error: couldn't bind to port")
zmq_close(socket)
zmq_ctx_destroy(context)
Example 2: Basic client-server using messages
The client
from Pro.zmq import *
import ctypes

context = zmq_ctx_new()
socket = zmq_socket(context, ZMQ_REQ)
zmq_connect(socket, "tcp://localhost:5555")
msg = zmq_msg_t()
zmq_msg_init_bytes(msg, b"Hello, world!")
rc = zmq_msg_send(msg, socket, 0)
print(rc)
print("info: sent")
zmq_close(socket)
zmq_ctx_destroy(context)
The server
from Pro.zmq import *

context = zmq_ctx_new()
socket = zmq_socket(context, ZMQ_REP)
rc = zmq_bind(socket, "tcp://127.0.0.1:5555")
if rc == 0:
    msg = zmq_msg_t()
    zmq_msg_init(msg)
    while True:
        # wait until a message is received
        rc = zmq_msg_recv(msg, socket, 0)
        if rc != -1:
            print(zmq_msg_bytes(msg))
            zmq_msg_close(msg)
            break
else:
    print("error: couldn't bind to port")
zmq_close(socket)
zmq_ctx_destroy(context)
5. Optimised Logic Providers
Cerbero Suite 5.2 allows defining the type option for standalone tools.
Once it is defined, the init function of the logic provider must return False, which lets the logic provider serve as a standalone tool instead of a scan logic provider and prevents the creation of a scan report.
6. Improved Custom View
Cerbero Suite 5.2 adds a progress bar control and idle notifications to custom views.
Cerbero Suite 5.1 (Release 13-Oct-2021)
Packed with features and improvements, Cerbero Suite 5.1 and Cerbero Engine 2.1 improve the user experience in the security and forensic fields, as well as in enterprise solutions for cloud file analysis.
Key features:
1. Installable Packages
- With the introduction of installable packages in Cerbero Suite, developers are now able to create plugins which can be installed easily using just a few clicks.
- In addition, packages are compatible with both Cerbero Suite and Cerbero Engine.
- Cerbero Suite 5.1 also allows packages to be encrypted and signed.
2. Improved Decompiler
Cerbero Suite Advanced 5.1 comes with improved decompiler output.
The improvement includes detection and display of indirect string literal references, which are now properly handled by the Carbon disassembler.
3. Local Carbon structures
With Cerbero Suite 5.1, every assembly in a project can now have its own local structures, which makes importing data structures from PDB files convenient.
Cerbero Suite 5.1 also supports shared structures.
4. Improved CFBF Format View
When analysing Microsoft Office legacy documents with text controls, users can now use the format view to preview the controls' names.
Watch Cerbero Labs’ 150-second video analysis of an Emotet sample, which uses text controls as part of its obfuscation strategy, to see how to make use of this view.
5. Improved XLSB Support
Cerbero Suite 5.1 has better support for the Microsoft Excel XLSB format.
6. Improved Silicon Excel Emulator
Cerbero Suite 5.1 adds Formula Array support.
7. Hierarchy View Size Column
Users can now easily prioritize their embedded files, as the hierarchy view also displays the size of each file.
8. Improved File Dialogs
With the preview of actual file icons now disabled in all file dialogs, thousands of folders can be opened more quickly and in a secure manner.