New release: 0.9.1

Sun 14 May 2023 malcat team news

Today we are happy to announce the release of version 0.9.1. This release took some time but for a good reason: we rewrote, improved and completed the existing documentation, which is a lot of (not very fun) work. We also made a lot of smaller improvements to Malcat, preparing for the future 1.0 release:

  • added a proper start screen to Malcat
  • improvements to .cab and .one file parsers, and started a .sqlite parser
  • better O.S integration
  • OPSWAT MetaDefender lookup
  • wxWidgets upgraded to 3.1.2
  • ... and many quality-of-life improvements

Slowly but steadily, Malcat is growing into a full-featured binary analysis solution. The next update will focus on the "transforms" dialog and workflow. We also need to add a proper license management system, and afterwards, 1.0 should show its nose!

Documentation

Documentation is an important part of any software, and Malcat, with its extensive features and numerous customisation options, definitely needs a lot of it. Until now, you had to rely on a crude in-app wiki which, while very light, lacked a lot of content and most of the conveniences usually found in modern user manuals.

So we have rewritten all the documentation, which is now based on Sphinx. We have added a lot of screenshots and a much-needed Getting started guide, and finished describing all of Malcat's User interface. The Python bindings of Malcat also got a big overhaul, and thanks to Sphinx you now have access to an index and can search the docs! The only drawback is the size: because of the screenshots, Malcat's install package is about 20MB bigger, but we know offline documentation is really important to you, so we did not have a lot of options there.

Figure 1: Malcat's new sphinx-based documentation

The documentation is available both offline from the software and online at https://doc.malcat.fr. Note that it is not complete yet (otherwise who knows when the next release would have taken place :): the analysis core and algorithms still need to be documented, and a couple of topics that are still subject to change have yet to be written.

File parsers

.ONE file parser

We have extended the existing .ONE file parser. A few bugs have been fixed and a lot of enum values have been added from the official documentation. Parsing has also been improved for a few document properties.

.CAB file parser

Malcat has had a .CAB archive parser for some time. But until now, it was only able to extract CAB archive members that were packed using zlib. We have finally added support for LZX compression and are now able to unpack the vast majority of the malicious CAB files in the wild.

Note that LZX support will allow us to write a CHM file parser in the future, which is also great news since some malware families (e.g. QakBot) use .chm files in their infection chain.
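To check which compression method a cabinet uses before attempting extraction, the per-folder typeCompress field can be read directly from the CAB header (MSZIP is the deflate-based method, LZX also stores its window size there). This is an added example, not Malcat's parser; the function name and the constructed sample bytes are assumptions.

```python
import struct

METHODS = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}

def cab_folder_compression(buf):
    """Return [(method, lzx_window_bits or None)] for each CFFOLDER entry."""
    if len(buf) < 36 or buf[:4] != b"MSCF":
        raise ValueError("not a cabinet file")
    # CFHEADER: cFolders at offset 26, cFiles at 28, flags at 30.
    n_folders, _n_files, flags = struct.unpack_from("<HHH", buf, 26)
    pos, folder_reserve = 36, 0
    if flags & 0x0004:                      # cfhdrRESERVE_PRESENT
        cb_header, folder_reserve = struct.unpack_from("<HB", buf, 36)
        pos = 40 + cb_header                # skip the size fields and abReserve
    for bit in (0x0001, 0x0002):            # PREV_CABINET / NEXT_CABINET
        if flags & bit:
            for _ in range(2):              # cabinet name, disk name (NUL-terminated)
                pos = buf.index(b"\x00", pos) + 1
    result = []
    for _ in range(n_folders):
        # CFFOLDER: coffCabStart (4), cCFData (2), typeCompress (2), reserve
        _coff, _n_data, type_compress = struct.unpack_from("<IHH", buf, pos)
        method = METHODS.get(type_compress & 0x000F, "unknown")
        # For LZX, bits 8-12 hold log2 of the decompression window size.
        window = (type_compress >> 8) & 0x1F if method == "LZX" else None
        result.append((method, window))
        pos += 8 + folder_reserve
    return result

# Constructed sample: header with a 4-byte reserve area and two folders.
SAMPLE = (
    b"MSCF" + struct.pack("<5I2B5H", 0, 0, 0, 0, 0, 3, 1, 2, 0, 0x0004, 0x1234, 0)
    + struct.pack("<HBB", 4, 2, 0) + bytes(4)
    + struct.pack("<IHH", 0, 0, 0x0001) + bytes(2)   # folder 0: MSZIP
    + struct.pack("<IHH", 0, 0, 0x1503) + bytes(2)   # folder 1: LZX, 2**21 window
)

if __name__ == "__main__":
    for index, (method, window) in enumerate(cab_folder_compression(SAMPLE)):
        print(index, method, window)
```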

Sqlite parser

We have started working on a basic sqlite parser. Currently only header and end of file are parsed, which is enough to carve sqlite databases embedded in executables. We plan to include proper table parsing in the future.
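Why the header alone can be enough for carving: the 100-byte SQLite header stores the page size and the database size in pages, so the end of the file can be computed from it. The sketch below is an added example and not Malcat's parser; the function names and the constructed sample buffer are assumptions.

```python
import struct

MAGIC = b"SQLite format 3\x00"   # 16-byte magic at the start of every database
HEADER_SIZE = 100

def parse_header(buf, off):
    """Return (page_size, page_count) for a plausible header at off, else None."""
    hdr = buf[off:off + HEADER_SIZE]
    if len(hdr) < HEADER_SIZE or not hdr.startswith(MAGIC):
        return None
    (page_size,) = struct.unpack_from(">H", hdr, 16)
    page_size = 65536 if page_size == 1 else page_size   # 1 encodes 64 KiB
    if page_size < 512 or page_size & (page_size - 1):    # must be a power of two
        return None
    if hdr[21:24] != bytes([64, 32, 32]):                 # fixed payload fractions
        return None
    change_counter, page_count = struct.unpack_from(">II", hdr, 24)
    (version_valid_for,) = struct.unpack_from(">I", hdr, 92)
    # The in-header size is only trustworthy when these two counters agree.
    if page_count == 0 or change_counter != version_valid_for:
        return None
    return page_size, page_count

def carve_sqlite(buf):
    """Return [(offset, size, truncated)] for each database found in buf."""
    found, pos = [], buf.find(MAGIC)
    while pos != -1:
        parsed = parse_header(buf, pos)
        step = 1
        if parsed:
            size = parsed[0] * parsed[1]                  # pages * page size
            truncated = pos + size > len(buf)
            found.append((pos, size, truncated))
            step = HEADER_SIZE if truncated else size
        pos = buf.find(MAGIC, pos + step)
    return found

def make_sample_db(page_size=512, pages=2):   # constructed test input
    hdr = bytearray(HEADER_SIZE)
    hdr[:16] = MAGIC
    struct.pack_into(">H", hdr, 16, page_size)
    hdr[18:24] = bytes([1, 1, 0, 64, 32, 32])
    struct.pack_into(">II", hdr, 24, 7, pages)
    struct.pack_into(">I", hdr, 92, 7)
    return bytes(hdr) + bytes(page_size * pages - HEADER_SIZE)

# Constructed sample: fake PE stub, one database, overlay bytes, then a decoy magic.
SAMPLE = b"MZ" + b"\x90" * 62 + make_sample_db() + b"overlay" + MAGIC + bytes(100)
CARVED = carve_sqlite(SAMPLE)   # [(64, 1024, False)]
```

A database whose computed end lies past the buffer is still reported, with the truncated flag set, so a partially embedded file is not silently missed.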

Startup screen

If you open Malcat without giving any command-line argument, you will be greeted by the startup screen. The old startup screen was merely a placeholder. The new startup screen displays way more information:

  • the list of the 10 most recently opened files, along with their size and the time they were last opened
  • two buttons to open a file and open the options dialog
  • shortcuts to the offline and online new documentation
  • the current version of the software and its compilation date
  • the changelog

We hope that you'll like it. If you want additional information/shortcuts to be shown on this screen, join our Discord server and tell us!

Figure 2: Malcat's new startup screen

Better system integration

O.S context menu

Malcat is a portable application and does not come with an installer. In order to provide at least the bare minimum of integration, we have added a System integration button in the preferences dialog that will:

  • Add an "Open with Malcat" action to Windows explorer's context menu
  • Add a .desktop shortcut in Linux to the distribution's system menu under the categories Utility and Development

Note that if you happen to move the installation directory of the software, you will have to click again on this button in order to fix the paths.

Figure 3: Malcat can now be added to the OS's context menu (Windows and Linux)

Also don't worry, we do not use the Windows explorer in our analysis setup (total commander 4 ever), it was just for the screenshot :)

HiDPI fixes

On Linux, proper HiDPI support is really hard to get right if you use native widgets. Malcat uses wxWidgets, which makes things harder still since some controls are native and some are not. To solve some of these issues, we have:

  • updated wxWidgets to version 3.1.2
  • fixed some issues in dialogs where font size was ignored
  • made all grid-based controls scale their icons with their font size

These changes should fix some HiDPI issues Linux users may have faced until now. And if that is not enough, we have added an icon scale option in the preferences dialog, where you can manually adjust the icon size used in Malcat if your distribution reports DPI scaling incorrectly (which happens in most distros if you use fractional scaling).

Figure 4: Icon scale options under Linux

This should fix all dpi issues in Linux, at least it did in the configurations that we tested. If you have an issue, don't hesitate to contact us.

Quality of life changes

We fixed a lot of small user interface issues and improved menus and basic interaction in the structure/text view and the hexadecimal view:

  • Library functions (matching a FLIRT signature) now get a different highlight color
  • Yara string hits are now highlighted and get a proper context menu
  • Right-clicking an unselected byte in data views now selects the byte before showing context menu
  • Right-clicking a field value in structure view now gives you the field's context menu instead of the structure's context menu
  • Copying atomic field values (numbers, strings) now possible from context menu in structure view
  • Structure quickview now pops up the field context menu on right click instead of the address context menu
  • ... and more smaller changes

We have also started to add a Scripting context menu to some of Malcat's objects. This context menu should assist you when writing scripts in the script editor. For instance, if you right-click on a field of a structure, the Scripting context menu will let you:

  • copy the Python code that accesses this field into the script editor
  • open the documentation for this object

Currently, we have added it for structure fields and functions, but we'll add support for more scriptable objects in future releases.

Figure 5: The scripting menu for a structure field

OPSWAT MetaDefender integration

OPSWAT MetaDefender is a VirusTotal-like multi-AV scanner which focuses on scan speed. Its scan results are now available in Malcat's threat intelligence lookup screen. Note that you need a paid version to do hash lookups in Malcat.

Figure 6: FileScanIO present in intelligence report

Please note that MetaDefender requires an API key to work, but you can request one for free on their website.

Full changelog

Here is the complete changelog of this release:

● .One parser:
    - Fixed early exit when encountering null-sized embedded files
    - Added more detailed parsing for some of the documented properties 
    - Added lots of enum values
● CAB parser:
    - Added support for LZX decompression!
● Added SQLITE format parser
    - Not much info for now, mostly header, pages and end of file to help carving
● Documentation:
    - Removed the old in-app help wiki
    - Added a new online and offline html documentation (sphinx-based, much better-looking, with search and index)
    - Completed some documentation topics
● Added OPSWAT MetaDefender to the list of threat intelligence sources
● Strings & Yara:
    - Strings that are part of a matching or non-matching YARA rule get better scores
    - Highlights matching YARA strings in string view (same as for anomalies but with a different color)
    - Yara string hits are now highlighted in hexa and struct views and get a proper context menu
● User interface:
    - Updated wxWidgets to 3.1.2 (should fix some hidpi text issues under linux)
    - Added a proper start screen (shown when no file is open)
    - Better-looking summary view
    - Library functions (matching a FLIRT signature) now get a different highlight color
    - Right-clicking an unselected byte in data views now selects the byte before showing context menu
    - Right-clicking a field value in structure view now gives you the field's context menu instead of the structure's context menu
    - Copying atomic field values (numbers, strings) now possible from context menu in structure view 
    - Font settings should now apply to the whole GUI (before some widgets and dialogs were ignoring the setting)
    - Icon size now properly scales with font size for data views
    - Structure quickview now pops up the field context menu on right click instead of the address context menu
    - Added "Icon Scale Factor" option for linux distros which report HiDPI scale factor incorrectly (i.e. almost all distros)
    - Redesigned the "data" quick view window
    - Redesigned the "function" quick view window, now displays exactly like the disassembly view
    - Left pane is hidden by default when comparing 2 files
    - Added icon in toolbar to hide/show left pane
    - In structures, ascii strings and unicode strings are now escaped the same way (c-style)
    - Carved files can now be opened in a new tab, like virtual files
    - Added new shortcut to display the call graph in proximity view
● Installation:
    - [WINDOWS] user preferences cache is now stored in the application's install dir alongside the config. This makes the software truly portable.
    - [WINDOWS] added a button in Options > General > Add to explorer to add Malcat to the Windows explorer's context menu
    - [LINUX] added a button in Options > General > Add to distribution menus to add Malcat to the Distribution's system menu (.desktop file)
● Scripting:
    - Most objects now display a "Scripting" context menu to easily add the object to the current script 
    - Iterating over structures and arrays now always yields StructAccess instances and not the field's value for atomic fields
    - Better documentation
    - malcat.subfiles object was renamed malcat.carved
    - improved url download script
● Bug fixing:
    - Right-clicking an address field inside a structure now displays the context menu for the target address instead of the source address
    - Fixed word wrapping of script output window (F8) again
    - Fixed "corrupted double-linked list detected" console warnings on Linux
    - Scroll bar hints would not be updated when the window is resized vertically
    - Fixed grid view headers not being readable on OSes with a dark theme
    - Fixed an old issue where Yara string match locations would be off if the Yara scanner finishes before the file parser
    - Fixed unicode strings in structure view not being properly escaped
    - Fixed an issue for autoit script where CPU architecture was not correctly set
    - Fixed layout issues in Find dialog under Linux
    - Fixed bogus text search for unicode strings in find dialog
    - Fixed requirements.txt now excludes pyasn1>=0.5.0