
Testimonials

I really recommend Cerbero Profiler from @cprofiler it's an awesome tool. I won a lot of time on an analysis this week. Thanks guys!

- Paul Rascagnères via Twitter

I freaking love Profiler. It is totally worth the money. It's the best file format parser in existence. Amazing PE, font, Flash, etc. parsing / disassembly. - It is totally worth the money.

- Matt Graeber via Twitter

Profiler: SDK

Profiler exposes a very powerful Python SDK, which gives access to core, UI and file format classes.


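A single file format module can be as extensive as the following listing, which shows the method signatures and return types that the PE module exposes through its PEObject and PEResourceIterator classes: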

class PEObject
    : CFFObject

    ReqExecLevel_AsAdministrator
    ReqExecLevel_AsInvoker
    ReqExecLevel_Error
    ReqExecLevel_HighestAvailable
    ReqExecLevel_Unknown

    AttributeCertificateTable() -> CFFStruct
    BoundImportDescriptors() -> CFFStruct
    BoundImportDirectory() -> CFFStruct
    ComputeCheckSum() -> UInt32
    CountThunks(NTNumber const & offset, int max_count=-1) -> int
    CountThunks(NTNumber const & offset) -> int
    DataDirectories() -> CFFStruct
    DataDirectories2() -> CFFStruct
    DebugDirectory() -> CFFStruct
    DebugDirectoryData(CFFStruct dbg) -> MaxUInt, MaxUInt
    DelayImportBoundIATThunks(int nDescr) -> CFFStruct
    DelayImportDescriptors() -> CFFStruct
    DelayImportDirectory() -> CFFStruct
    DelayImportIATThunks(int nDescr) -> CFFStruct
    DelayImportNameThunks(int nDescr) -> CFFStruct
    DelayImportUnloadIATThunks(int nDescr) -> CFFStruct
    DisassembleMSIL(NTTextStream out, UInt32 token, CFFStructList tables=DotNETTables(), NTString const & stream_name=NTString(),
        NTNumber const & mdoffs=INVALID_STREAM_OFFSET)
    DisassembleMSIL(NTTextStream out, UInt32 token, CFFStructList tables=DotNETTables(), NTString const & stream_name=NTString())
    DisassembleMSIL(NTTextStream out, UInt32 token, CFFStructList tables=DotNETTables())
    DisassembleMSIL(NTTextStream out, UInt32 token)
    DosHeader() -> CFFStruct
    DotNETDirectory() -> CFFStruct
    DumpRichSignature(NTTextStream out)
    DumpSectionContent(UInt16 i, NTTextStream out)
    DumpVersionInfo(NTTextStream out, NTNumber const & offset, NTNumber const & size)
    EntryPoint() -> MaxUInt
    ExceptionDirectory() -> CFFStruct
    ExportDirectory() -> CFFStruct
    ExportDirectoryFunctions() -> CFFStruct
    ExportDirectoryNameOrdinals() -> CFFStruct
    ExportDirectoryNames() -> CFFStruct
    FileHeader() -> CFFStruct
    FindMDStream(NTString const & names, NTNumber const & mdoffs) -> CFFStruct, MaxUInt, MaxUInt
    GetDataDirectory(int nEntry, bool to_offset=True) -> MaxUInt, MaxUInt
    GetDataDirectory(int nEntry) -> MaxUInt, MaxUInt
    GetDebugDirectoryData(CFFStruct dbg) -> NTContainer, MaxUInt, MaxUInt
    GetDescriptors(CFFStruct descr, int i, int i2=-1) -> CFFStruct
    GetDescriptors(CFFStruct descr, int i) -> CFFStruct
    static GetKnownResourceIdName(UInt32 id, bool plural=True) -> NTString
    static GetKnownResourceIdName(UInt32 id) -> NTString
    GetRealPESize() -> UInt32
    static GetRelocTypeName(UInt8 type, UInt16 machine) -> char const *
    GetResourceEntryName(NTNumber const & resbase, NTNumber const & nameval) -> int, NTString
    GetResourceEntryName(NTNumber const & resbase, CFFStruct entry) -> int, NTString
    GetTLSData() -> NTContainer, MaxUInt, MaxUInt
    GetThunks(CFFStruct s, int i) -> CFFStruct
    ImportDescriptors() -> CFFStruct
    ImportDirectory() -> CFFStruct
    ImportFThunkCount(int i, int max_count=-1) -> int
    ImportFThunkCount(int i) -> int
    ImportFThunks(int nDescr) -> CFFStruct
    ImportOFThunkCount(int i, int max_count=-1) -> int
    ImportOFThunkCount(int i) -> int
    ImportOFThunks(int nDescr) -> CFFStruct
    ImportOrdinalFlag() -> NTNumber
    ImportThunks(int nDescr) -> CFFStruct
    static IsMIPSMachine(UInt16 machine) -> bool
    IsPE64() -> bool
    IsRvaValid(NTNumber const & Rva) -> bool
    IsValidPE() -> bool
    LoadConfigDirectory() -> CFFStruct
    LoadConfigGuardCFFunctions(CFFStruct lc) -> CFFStruct
    LoadConfigGuardCFFunctions() -> CFFStruct
    LoadConfigSEHandlers(CFFStruct lc) -> CFFStruct
    LoadConfigSEHandlers() -> CFFStruct
    MDHeader(NTNumber const & mdoffs=INVALID_STREAM_OFFSET) -> CFFStruct
    MDHeader() -> CFFStruct
    MDStreams(NTNumber const & mdoffs=INVALID_STREAM_OFFSET) -> CFFStruct
    MDStreams() -> CFFStruct
    MDTables(NTString const & stream_name, NTNumber const & mdoffs=INVALID_STREAM_OFFSET) -> CFFStructList
    MDTables(NTString const & stream_name) -> CFFStructList
    MDTablesHeader(NTString const & stream_name, NTNumber const & mdoffs=INVALID_STREAM_OFFSET) -> CFFStruct
    MDTablesHeader(NTString const & stream_name) -> CFFStruct
    ManagedNativeHeader() -> CFFStruct
    NtHeaders() -> CFFStruct
    OffsetToRva(NTNumber const & offset) -> MaxUInt
    OffsetToVa(NTNumber const & offset) -> MaxUInt
    OptionalHeader() -> CFFStruct
    RemoveDataDirectory(int nEntry) -> bool
    ReqExecLevelFromConfigFile(NTNumber const & offset, NTNumber const & size) -> int
    ResourceDataEntry(NTNumber const & offset) -> CFFStruct
    ResourceDirectory(NTNumber const & offset) -> CFFStruct
    ResourceDirectoryEntry(NTNumber const & offset) -> CFFStruct
    ResourceIterator() -> PEResourceIterator
    RichSignature() -> MaxUInt, MaxUInt
    RichSignatureData() -> NTByteArray
    RvaToOffset(NTNumber const & RVA) -> MaxUInt
    RvaToVa(NTNumber const & RVA) -> MaxUInt
    ScopeTables(CFFStruct unw) -> CFFStruct
    SectionData(UInt16 i) -> NTContainer, MaxUInt, MaxUInt
    SectionFromRva(NTNumber const & RVA) -> int
    SectionHeaders() -> CFFStruct
    SectionInfo(UInt16 i) -> bool, MaxUInt, MaxUInt
    TLSCallbacks() -> CFFStruct
    TLSData() -> MaxUInt, MaxUInt
    TLSDirectory() -> CFFStruct
    UnwindInfo(CFFStruct runfunc) -> CFFStruct
    VaToOffset(NTNumber const & VA) -> MaxUInt
    VaToRva(NTNumber const & VA) -> MaxUInt
    VersionInfo(NTNumber const & offset) -> CFFStruct

class PEResourceIterator

    Data() -> CFFStruct
    IsNull() -> bool
    IsValid() -> bool
    MoveToResource(UInt32 name) -> bool
    MoveToResource(NTString const & name) -> bool
    MoveToRoot(UInt32 name) -> bool
    MoveToRoot(NTString const & name) -> bool
    Name() -> NTVariant
    Next() -> bool
    Reset()
    RootName() -> NTVariant