Cerbero Labs aims to create a perfect multitool for low-level professionals, thus new features and improvements are essential.
As an active partner of Cerbero Labs, we are proud to provide our customers with Cerbero Suite latest releases and updates.
Feel free to contact E-SPIN regarding product and related matter (if any). The details of the latest release and updates are presented in the manner where the latest release is shown at the top of the post and then followed with the previous releases.
Cerbero Suite 5.6 (Release 1-Jun-2022)
Cerbero Suite 5.6 with Cerbero engine 2.6 release is here! The new features included in this release are:
1. MalwareBazaar Intelligence Package
Malware are expanding over the years. Now, as Commercial licenses for Cerbero Suite Advanced having access to the MalwareBazaar Intelligence Package, users are able to directly access intelligence from MalwareBazaar from the file report.
2. UPX Unpacker Package
Cerbero users of all licenses are able to have access to this package. The installed UPX Unpacker packer will identify and unpack binaries compressed UPX into child objects automatically. This package supports PE, ELF and Mach-O binaries.
In the case where binaries are not automatically unpacked, UPX Unpacker Package can be invoked manually for action. Additionally, UPX Unpacker Package can also be invoked from Python.
3. Internal Project Files
This Cerbero 5.6 release is added with the capability to generate files that do not exist on disk and store them in the analysis report. Significantly, this feature is helpful in various real-world applications. For instance, an unpacker can unpack a file and then store the resulting file as an internal file during the scanning process, at the same time, the operation is able to bypass the unpacker and directly access the internal file if there is request for the unpacked file.
4. After-Scanning
The after scanning feature in Cerbero 5.6 allows user to programmatically add scan entries to a report after the scanning has been performed. Thus, now users can either manually or programmatically add embedded objects after scan. More over, adding new root entries to a report where user has the ability to choose files from disk can also be done programmatically. Uses can also promote the data in a hex view to a root file in the report.
5. Add file to report action
In addition to users ability to choose files from disk to add new root entries, users can also reference from internal files if added from code.
6. Promote Hex data to root file action
As mentioned in the after-scanning feature, data from the hex view is stored as an internal file and referenced from the root entry. This feature allows users promoting the data to a root file which is not limited to analysis hex views. In addition, the action can as well be conducted from any hex view.
7. CAB & Certificates Modules Documentation
Added documentations include; API for parsing Microsoft Cabinet files, Comprehensive API for parsing certificate files in DER and PEM encodings
8. Improved setting page
Cerbero 5.6 release has shifted from tab-based interface to a list-based interface.
9. Added Core SDK APIs
10. Fixed Python GIL Issues
11. VBA Extraction Code Page Support
Cerbero Suite 5.5 (Release 18-Apr-2022)
Cerbero Suite 5.5 with Cerbero engine 2.5 release introduces the following improvements:
1. Cerbero engine editions (Classic and Metal)
These two editions let Cerbero Labs provide organisation that require a powerful and flexible back-end for their services with ideal option.
Classic edition: Include all UI functions
Metal edition: – Includes all UI functions but without UI dependencies
– Run in cloud and server environment
– Has compatibitility with plugins that import graphical functions
2. Microsoft Authenticode on Linux and macOS
Users with commercial licenses for Cerbero Suite Advanced and Cerbero Engine have the ability to verify Microsoft Authenticode signatures on Linux and macOS. This feature supports full-chain certificate and time-stamp verification.
For non-windows system, the required step to verify authenticode is only by installing ‘microsoft authenticode’ package from the cerbero store. ‘
Cerbero Labs also revealed Authenticode validation to their Python SDK.
3. Certificates Support
In addition to the cerbero suite ability to inspect certificates inside binaries, this release allows users to load them directly from disk as well as inspect each individual ASN1 object.
This version also supports DER and PEM encodings for certificates.
Users can also inspect all types of certificates which include X509, PKCS7 and PKCS12.
Cerbero Labs has revealed the code to their Python SDK to simplify programmatic parsing of certificates.
4. Command Line Improvements
Cerbero 5.5 with cerbero engine 2.5 come with various line improvements which include:
– Addition of command line I/O on Windows.
– Cerpro executable which is built as a GUI application and not attached to a terminal that leads to limitation where ‘-c’ argument results in not being able to see the stdout output is resolve by cerbero adding a launcher on Windows called “cerpro_console.exe”.
5. Command Line Scripting and Package Management SDK Documentation
Cerbero Labs has two importance announcement about their SDK documentation.
6. Bug fixes
Cerbero Suite 5.4 (Release 1-Mar-2022)
Cerbero Suite 5.4 with Cerbero engine 2.4 release introduces various improvement.
With the previous version Cerbero already support the NGen generated native images, this latest version, Cerbero Suite 5.4 ensures that the support for the ReadyToRun format is not mistaken for an NGen generated image.
Cerbero Suite 5.4 enables users to open processes in the hex editor on Linux. For windows users, they are already supported with this feature during the introduction of Cerbero’s hex workspace.
Following the release of cerbero store to ease installation of package, the cerbero store is now included with API Solver Package for all commercial licenses of Cerbero Suite Advanced. API Solver Package is helpful for shellcode analysis.
The built-in password brute-forcers is moved into Cerbero Store as Common Password package. This package is available for access for Cerbero Suite Advanced (both commercial and non-commercial) and Cerbero Engine.
Cerbero suite 5.4 includes fully documented of excel macro emulator and spreadsheet visualisation module.
Support of Microsoft’s ITSF or CHM) format in Cerbero Suite 5.4 has been updated and the format is exposed to Cerbero’s Python SDK.
Users can now easily select contiguous ASCII, Hex and Base64 strings in the hex editor which is very helpful during loading embedded files or decoding data.
Cerbero Suite 5.3 (Release 1-Feb-2022)
Cerbero Suite 5.3 with Cerbero engine 2.3 release introduces Cerbero Store.
With Cerbero Store,
The transfer of Windows memory analysis functionality to a package on Cerbero Store simplifies the software package (lighter software package).
Native UI for Ghidra component is now transferred to a package on Cerbero Store. This way, Cerbero plugin code will not be affected by the change of Ghidra’s API that occurs between releases.
Cerbero Store is also secured as every package in Cerbero is digitally signed thus altered packages will not be installed as they are not featured with valid signature.
Cerbero Suite 5.2 (Release 30-Nov-2021)
Cerbero Suite 5.2 with Cerbero engine 2.2 release introduces the Cerbero’s multi-processing technology that offers the ability to process isolation, increase stability for third party components and resolve the Global Interpreter Lock (GIL) in Python.
With multi-processing technology in Cerbero Suite 5.2, API is both flexible and easy to use.
The Multi-processing API is built on top of ZeroMQ which is an established ultra-fast messaging library and also work as clustered solutions.
Parallelisation of sleigh decompiler is run on different processes with the new multi-processing technology. This ensures complete stability if there is issue in Sleigh as well as safe cancellation of decompiling operation.
Parallelisation of decompiler allows it to be initialised during file or database loading. This disimisses the initial delay when a decompiler is invoked.
Cerbero Suite 5.2 allows users to run decompiler using previous process being used from the Carbon setting.
Cerbero Labs provide a fully documented API Carbon API to disassemble and decompile native binaries.
Carbon documentation for Cerbero Suite 5.2 includes many code examples which comprises of decryption of strings, disassembling of files, decompiling of functions and the creation of custom file loaders.
The new multi-processing technology in Cerbero Suite 5.2, depends on ZeroMQ, thus it is exposed to Cerbero’s Python SDK. Therefore, Cerbero Labs exposes C interface directly. In addition, a few methods is added to convert from and to bytes objects in Python.
Example 1: Basic client-server using send/recv.
The client
from Pro.zmq import *
import ctypes
context = zmq_ctx_new()
socket = zmq_socket(context, ZMQ_REQ)
zmq_connect(socket, "tcp://localhost:5555")
for i in range(1000):
zmq_send_bytes(socket, b"Hello, world!", 0)
print("info: sent")
zmq_close(socket)
zmq_ctx_destroy(context)
The server
from Pro.zmq import *
context = zmq_ctx_new()
socket = zmq_socket(context, ZMQ_REP)
rc = zmq_bind(socket, "tcp://127.0.0.1:5555")
if rc == 0:
while True:
b = zmq_recv_bytes(socket, 13, 0)
print(b)
break
else:
print("error: couldn't bind to port")
zmq_close(socket)
zmq_ctx_destroy(context)
Example 2: Basic client-server using messages
The client
from Pro.zmq import *
import ctypes
context = zmq_ctx_new() socket = zmq_socket(context, ZMQ_REQ)
zmq_connect(socket, "tcp://localhost:5555")
msg = zmq_msg_t()
zmq_msg_init_bytes(msg, b"Hello, world!")
rc = zmq_msg_send(msg, socket, 0)
print(rc)
print("info: sent")
zmq_close(socket)
zmq_ctx_destroy(context)
The server
from Pro.zmq import *
context = zmq_ctx_new()
socket = zmq_socket(context, ZMQ_REP)
rc = zmq_bind(socket, "tcp://127.0.0.1:5555")
if rc == 0:
msg = zmq_msg_t()
zmq_msg_init(msg)
while True:
# wait until a message is received
rc = zmq_msg_recv(msg, socket, 0)
if rc != -1:
print(zmq_msg_bytes(msg))
zmq_msg_close (msg)
break
else:
print("error: couldn't bind to port")
zmq_close(socket)
zmq_ctx_destroy(context)
Cerbero Suite 5.2 allows to define the type option for standalone tools.
Once defined, the init function of the logic provider must return False thus letting the logic provider to be served as a standalone tool instead of being a scan logic provider and prevents the creating a scan report.
Cerbero Suite 5.2 is updated with progress bar control and idle notifications to custom views.
Cerbero Suite 5.1. (Release 13-Oct-2021)
Packed with features and improvement, Cerbero Suite 5.1 and Cerbero Engine 2.1 will improve users experience in security and forensic field, as well as enterprise solutions for cloud file analysis.
Cerbero Suite Advanced 5.1 come with improved decompiler output.
The improvement includes detection and display of indirect string literal references which are now properly handled by carbon disassembler.
With Cerbero Suite 5.1, every assembly in a project can now have its own local structures which is make the import of data structures from PDB files convenient.
Cerbero Suite 5.1 also support shared structures.
Users can now use the format view the analysis Microsoft Office legacy documents with text controls by previewing their name.
Watch the Cerbero Labs’ 150-seconds video analysis of an Emotet sample for part of its obfuscation strategy on how to make use of text controls.
Cerbero Suite 5.1 has better support in Microsoft Excel XLSB format.
Cerbero Suite 5.1 is added with Formula Array support.
Now, users can easily prioritize their embedded files as the hierarchy view also display the size of file.
With the preview of actual file icons in all file dialogs is now disabled, thousands of folders can be opened more quickly and in secure manner.
