Features
CPU architectures
Malcat is not IDA: it does not try to handle all CPU architectures, but only to support the ones that are used by most malware. For performance reason, the disassemblers are currently written in CPP and users cannot add new architectures, but python-based disassembler support may be added in the future. You can find below the current list of supported architectures:
| CPU | Disassembler | Decompiler | Strings identification | Function discovery | Notes |
|---|---|---|---|---|---|
| x86 | Yes | Yes | scan (+heuristics for Golang/Rust) | linear + recursive + pattern matching | disssembler based on Zydis, decompiler on Sleigh |
| x64 | Yes | Yes | scan (+heuristics for Golang/Rust) | linear + recursive + pattern matching | disssembler based on Zydis, decompiler on Sleigh |
| .NET | Yes | No | Yes (metadata) | Yes (metadata) | custom disassembler |
| PY 2.7 | Yes | No | Yes (metadata) | Yes (metadata) | custom disassembler |
| PY 3.6 .. 3.11 | Yes | No | Yes (metadata) | Yes (metadata) | custom disassembler |
| NSIS | Yes | No | Yes (metadata) | linear + recursive | custom disassembler |
| InnoSetup/PascalScript | Yes | No | No | linear + recursive | custom disassembler |
| AutoIT 3.26+ | No | Yes | No | No | detokenization of AutoIT scripts |
| VB Pcode | Partial | No | Yes (reference scan) | Yes | incomplete because of lack of doc |
| VBA (office) | No | Yes | No | No | can also display orphan scripts |
| Excel macros (office) | No | Yes | Yes (metadata) | - | Biff8 and Biff12 support |
- Disassembler:
- can machine code be analyzed
- Decompiler:
- can source code be recovered
- Strings identification:
- if and how does Malcat identify the strings of the program. scan means that a standard linear sweep string search algorithm is used, the one you can find in most tools.
- Function discovery:
- if program methods/functions are identified.
File formats
Malcat supports a large amount of file formats, using its python-based file parsers. When a format is supported, it means that you will be able to see its internal structures and also identify it when embeded inside larger files (aka file carving). And for archives/file systems, in-app unpacking is also often supported.
Note that anyone can easily add support for a new file format by adding new scripts to Malcat's data directories.
Programs
Here you can find the current list of supported executable formats:
| File Format | Structures parsing | Debug informations | Resources | Notes |
|---|---|---|---|---|
| AutoIt | 3.26+ only | - | - | Scripts can be decompiled (hit F4) |
| COFF | Yes | symbols and CV13 debug symbols | - | relocations, symbols, imports |
| ELF | Yes | symbols, no DWARF | - | relocations, symbols, imports, big and little endian |
| INNO SETUP | Yes | - | - | setup script can be disassembled |
| LNK | Yes | - | - | while not a program format per se, it can be used to run commands |
| MDMP | Partial | No | - | Windows minidumps, partial support |
| NSIS | Yes | Yes | - | setup script can be disassembled, most sections parsed |
| OLE | Yes | - | - | VBA macros can be displayed (hit F4) |
| PE/PE+ | Yes | Only debug directory, no PDB | Yes | exports, imports (+ bound/delay), relocations, tls, debug, load config, certificates, version informations |
| PE::DotNet | Yes | Types and methods | Yes | types, methods, resources, exceptions, strings |
| PE::Golang | Yes | pclntable and filetable | - | |
| PE::Visual Basic | Yes | types and events | VB forms | native and PCode support, project infos, objects array, forms and events |
| PYC | Yes | Yes | - | support for python 2.7+ and 3.6+, can handle PY2EXE and PYINST scripts |
| VBE | Yes | - | - | Malcat supports unpacking the original VBS script |
| XLS | Yes | - | - | The /Workbook stream inside OLE containers. Cell informations (including formulas) can be recovered (hit F4) |
| XLSB | Yes | - | - | The .bin files inside OpenXML .xlsb containers. Cell informations (including formulas) can be recovered (hit F4) |
- Structures parsing:
- if the file format parser identifies (most of) the binary structures of the file format
- Debug informations:
- if debug informations are parsed
- Resources:
- if the program embeds resource, can Malcat identify and extract them?
Archives / File Systems / Databases
While Malcat has no pretension of being a full-fledged archive opener, it supports most archive types used by malware. Some file format parsers are more advanced than others and even allow the user to open archive member directly inside Malcat. Here is a list of supported file formats:
| File Format | Structures parsing | In-application unpacking | Summary | Notes |
|---|---|---|---|---|
| 7Z | EncodedHeader only | No | No | |
| ACE | Yes | Yes | Yes | |
| AR | Yes | Yes | Yes | Old file format also used for .lib files. Supports MS and Unix libraries |
| AutoIt | 3.26+ only | 3.26+ only | Yes | Scripts can be decompiled (hit F4) |
| CAB | Yes | Yes | Yes | |
| CFB/OLE2 | Yes | Yes | Yes | VBA macros can be displayed (hit F4) |
| FAT12/16/32 | Yes | Yes | Yes | Currently limited to small to medium files trees |
| GZIP | Yes | Yes | Yes | |
| INNO SETUP | Yes | Yes | Yes | Support Inno Setup installers starting from 4.0.0 up to 6.2.0 |
| ISO | Yes | Yes | Yes | |
| JFFS2 | Yes | lzo/lzma/rtime/zlib only | Yes | Used in firmwares |
| MSI | Yes | Yes | Yes | MSI tables can be displayed (hit F4) |
| NSIS | Yes | zlib and lzma, no bz2 support | Yes | |
| PYINST | Yes | Yes | Yes | Extracted python scripts get their python header restored |
| PYZ | Yes | Yes | Yes | Extracted python scripts get their python header restored |
| RAR4 | Yes | No | Yes | Archives comments are shown for easy SFX analysis |
| RAR5 | Yes | No | Yes | Archives comments are shown for easy SFX analysis |
| SquashFS | Yes | lzo/lzma/xz only | Yes | Used in firmwares |
| Sqlite | Partial | Not yet | No | Work in progress |
| TAR | Yes | Yes | Yes | |
| UDF | Yes | Yes | Yes | |
| UImage | Yes | lzo/lzma/gzip/bzip2 only | Yes | Used in firmwares |
| VHD | Yes | Yes | Yes | Support for dynamic disks |
| ZIP | Yes | Yes | Yes | |
| ZLIB stream | Yes | Yes | Yes |
- Structures parsing:
- if the file format parser identifies (most of) the binary structures of the file format
- In-application unpacking:
- if the file format parser can directly extract and open archive members. Inside Malcat, one can then open a file by double-clicking them inside the Virtual File System tab.
- Summary:
- if Malcat displays a summary report in the Summary view
Multimedia / Documents
Document/pictures identification is very useful for malware analysis. A lot of obfuscators love to disguise their payloads as multimedia files. Or hide it inside a multimedia file, in some unused space.
| File Format | Structures parsing | Metadata | Notes |
|---|---|---|---|
| BMP | Yes | - | Both BMP and DIB (i.e BMP without FileHeader) are supported |
| DOC | Partial (FCB) | Yes | The /WordDocument stream inside OLE containers |
| EMF | Yes | Yes | Used in office documents |
| GIF | Yes | Yes | |
| ICO | Yes | - | |
| JPEG | Yes | Tiff | |
| ONE | Yes | No | You can list and open embedded file objects |
| OOXML | No | No | Well it's a ZIP, so you can browse it inside Malcat |
| Minimal (PDF dictionnary) | No | Very minimal support since not really a binary format | |
| PNG | Yes | Yes | Pixel information can be extracted using scripts |
| WAV | Basic | No | No |
| XLS | Yes | Yes | Cell content + formula can be displayed (hit F4) |
| XLSB | Yes | Yes | Cell content + formula can be displayed (hit F4) |
- Structures parsing:
- if the file format parser identifies (most of) the binary structures of the file format
- Metadata:
- if most metadata (author, comments, time, etc.) are extracted
Roadmap
Development of Malcat just started and you can expect its features list to grow. So beside the regular bug fixes, QOL improvements and signatures updates, here is a list of the big improvements that are planned so far. Note that this list may change in the future, depending on the user feedback and the state of sales.
Short term
- FLIRT signatures:
Scan for FLIRT signatures and label matching functions accordingly(done)- RTTI analysis:
- Extract type information for
MSVC(done) and GCC
Mid term
- SVG export:
- Export content views into an SVG file for online publication
- PDB files:
- Support loading external PDB debug information into Malcat.
- .NET and .PYC decompilers:
- That would be a lot of work, but having a native decompiler for those language would definitely be nice (even if it's unlikely to be on par with the .NET-based ones)
- Function parameters analysis:
- Identify function parameters at call sites. For known APIs, label them using a knowledge base.
- ARM support:
- If a nice disasm library which does not weight 5MB (hi capstone) can be found.
Long term
- Collaborative function signatures:
- Malcat could benefit from a function signature format that allows fuzzy matching and collaboration between users based on an online database. This obviously requires a lot of work and careful thinking to handle conflicts between users.
- Type analysis:
- That would be nice. The question is how much would it slow down the analysis.
- Keystone integration:
- Allows users to assemble code using the keystone assembler