Features & Roadmap

Supported file formats and architectures, and the roadmap for the next versions

Features

CPU architectures

Malcat is not IDA: it does not try to handle all CPU architectures, only the ones used by most malware. For performance reasons, the disassemblers are currently written in C++ and users cannot add new architectures; Python-based disassembler support may be added in the future. The current list of supported architectures is given below:

| CPU | Disassembler | Decompiler | Strings identification | Function discovery | Notes |
|---|---|---|---|---|---|
| x86 | Yes | Yes | scan (+heuristics for Golang) | linear + recursive + pattern matching | disassembler based on Zydis, decompiler on Sleigh |
| x64 | Yes | Yes | scan (+heuristics for Golang) | linear + recursive + pattern matching | disassembler based on Zydis, decompiler on Sleigh |
| .NET | Yes | No | Yes (metadata) | Yes (metadata) | custom disassembler |
| PY 2.7 | Yes | No | Yes (metadata) | Yes (metadata) | custom disassembler |
| PY 3.6+ | Yes | No | Yes (metadata) | Yes (metadata) | custom disassembler |
| NSIS | Yes | No | Yes (metadata) | linear + recursive | |
| AutoIT 3.26+ | No | Yes | No | No | simple detokenization of AutoIT scripts |
| VB Pcode | Partial | No | Yes (reference scan) | Yes | |
| VBA (office) | No | Yes | No | No | |
| Excel macros (office) | No | Yes | Yes (metadata) | - | Biff8 and Biff12 support |
Disassembler:
can machine code be analyzed?
Decompiler:
can source code be recovered?
Strings identification:
whether and how Malcat identifies the strings of the program. "scan" means that a standard linear-sweep string search algorithm is used, the one found in most tools.
Function discovery:
whether program methods/functions are identified.

File formats

Malcat supports a large number of file formats through its Python-based file parsers. Anyone can add support for a new file format by adding new scripts to Malcat's data directory.

Programs

Here you can find the current list of supported executable formats:

| File Format | Structures parsing | Debug information | Resources | Notes |
|---|---|---|---|---|
| AutoIt | 3.26+ only | - | - | Scripts can be decompiled (hit F4) |
| COFF | Yes | symbols and CV13 debug symbols | - | relocations, symbols, imports |
| ELF | Yes | symbols, no DWARF | - | relocations, symbols, imports, big and little endian |
| LNK | Yes | - | - | while not a program format per se, it can be used to run commands |
| MDMP | Partial | No | - | Windows minidumps, partial support |
| NSIS | Yes | Yes | - | setup script can be disassembled, most sections parsed |
| OLE | Yes | - | - | VBA macros can be displayed (hit F4) |
| PE/PE+ | Yes | Only debug directory, no PDB | Yes | exports, imports (+ bound/delay), relocations, tls, debug, load config, certificates, version information |
| PE::DotNet | Yes | Types and methods | Yes | types, methods, resources, exceptions, strings |
| PE::Golang | Yes | pclntable and filetable | - | |
| PE::Visual Basic | Yes | types and events | VB forms | native and PCode support, project info, objects array, forms and events |
| PYC | Yes | Yes | - | support for python 2.7+ and 3.6+ |
| VBE | Yes | - | - | Malcat supports unpacking the original VBS script |
| XLS | Yes | - | - | The /Workbook stream inside OLE containers. Cell information (including formulas) can be recovered (hit F4) |
| XLSB | Yes | - | - | The .bin files inside OpenXML .xlsb containers. Cell information (including formulas) can be recovered (hit F4) |
Structures parsing:
whether the file format parser identifies (most of) the binary structures of the file format
Debug information:
whether debug information is parsed
Resources:
if the program embeds resources, can Malcat identify and extract them?

Archives / File Systems

While Malcat does not pretend to be a full-fledged archive opener, it supports most archive types used by malware. Some file format parsers are more advanced than others and even allow the user to open archive members directly inside Malcat. Here is the list of supported file formats:

| File Format | Structures parsing | In-application unpacking | Summary | Notes |
|---|---|---|---|---|
| 7Z | EncodedHeader only | No | No | |
| ACE | Yes | Yes | Yes | |
| AutoIt | 3.26+ only | 3.26+ only | Yes | Scripts can be decompiled (hit F4) |
| CAB | Yes | zlib encoding only | Yes | |
| CFB/OLE2 | Yes | Yes | Yes | VBA macros can be displayed (hit F4) |
| GZIP | Yes | Yes | Yes | |
| NSIS | Yes | zlib and lzma, no bz2 support | Yes | |
| PYINST | Yes | Yes | Yes | Extracted python scripts get their python header restored |
| PYZ | Yes | Yes | Yes | Extracted python scripts get their python header restored |
| RAR4 | Yes | No | Yes | Archive comments are shown for easy SFX analysis |
| RAR5 | Yes | No | Yes | Archive comments are shown for easy SFX analysis |
| SquashFS | Partial | Not yet | No | |
| ZIP | Yes | Yes | Yes | |
| ZLIB stream | Yes | Yes | Yes | |
Structures parsing:
whether the file format parser identifies (most of) the binary structures of the file format
In-application unpacking:
whether the file format parser can directly extract and open archive members. Inside Malcat, one can then open a member by double-clicking it inside the Virtual File System tab.
Summary:
whether Malcat displays a summary report in the Summary view

Multimedia / Documents

Document/picture identification is very useful for malware analysis: a lot of obfuscators love to disguise their payloads as multimedia files, or to hide them inside a multimedia file in some unused space.

| File Format | Structures parsing | Metadata | Notes |
|---|---|---|---|
| BMP | Yes | - | Both BMP and DIB (i.e. BMP without FileHeader) are supported |
| DOC | Partial (FCB) | Yes | The /WordDocument stream inside OLE containers |
| ICO | Yes | - | |
| JPG | Yes | Tiff | |
| OOXML | No | No | Well, it's a ZIP, so you can browse it inside Malcat |
| PDF | Minimal (PDF dictionary) | No | Very minimal support since it is not really a binary format |
| PNG | Yes | Yes | Pixel information can be extracted using scripts |
| WAV | Basic | No | No |
| XLS | Yes | Yes | |
| XLSB | Yes | Yes | |
Structures parsing:
whether the file format parser identifies (most of) the binary structures of the file format
Metadata:
whether most metadata (author, comments, time, etc.) are extracted
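The BMP/DIB distinction and the "unused space" remark above, as an added example that is not Malcat's own code: this script tells a BMP (with a BITMAPFILEHEADER) from a headerless DIB, computes from the headers where the pixel array should end, and reports trailing bytes the headers do not account for, which is where an appended payload would sit. The sample images are constructed inline and the function names are assumptions, not Malcat APIs.

```python
import struct

INFO_HEADER = "<IiiHHIIiiII"  # BITMAPINFOHEADER, 40 bytes, little endian

def _parse_info_header(data, offset):
    """Return the BITMAPINFOHEADER fields at offset, or None if there is no 40-byte header."""
    if len(data) < offset + 40:
        return None
    info = struct.unpack_from(INFO_HEADER, data, offset)
    return info if info[0] == 40 else None

def _pixel_array_size(info):
    """Pixel array size: biSizeImage when set, else padded row stride times row count."""
    width, height, bpp, size_image = info[1], info[2], info[4], info[6]
    if size_image:
        return size_image
    stride = ((width * bpp + 31) // 32) * 4  # rows are padded to 4-byte boundaries
    return stride * abs(height)

def _palette_size(info):
    """Colour table size in bytes (only present at 8 bpp and below)."""
    bpp, clr_used = info[4], info[9]
    return 0 if bpp > 8 else (clr_used or (1 << bpp)) * 4

def classify_bitmap(data):
    """Return (kind, declared_end, overlay_len) for a BMP or a headerless DIB.

    kind is "BMP", "DIB" or "unknown"; declared_end is where the pixel array ends
    according to the headers; overlay_len counts trailing bytes the headers do not
    account for, i.e. unused space in which a payload may have been appended.
    """
    if data[:2] == b"BM":
        info = _parse_info_header(data, 14)  # file header is 14 bytes
        if info is None:
            return ("unknown", 0, 0)
        off_bits = struct.unpack_from("<I", data, 10)[0]  # bfOffBits
        declared_end = off_bits + _pixel_array_size(info)
        return ("BMP", declared_end, max(0, len(data) - declared_end))
    info = _parse_info_header(data, 0)  # DIB: BITMAPINFOHEADER comes first
    if info is None:
        return ("unknown", 0, 0)
    declared_end = 40 + _palette_size(info) + _pixel_array_size(info)
    return ("DIB", declared_end, max(0, len(data) - declared_end))

# Constructed samples: a 2x2 24-bit image as DIB, as BMP, and as BMP with appended bytes.
_PIXELS = bytes(range(16))  # 2 rows of 6 pixel bytes + 2 padding bytes each
SAMPLE_DIB = struct.pack(INFO_HEADER, 40, 2, 2, 1, 24, 0, 0, 2835, 2835, 0, 0) + _PIXELS
SAMPLE_BMP = b"BM" + struct.pack("<IHHI", 14 + len(SAMPLE_DIB), 0, 0, 54) + SAMPLE_DIB
SAMPLE_BMP_WITH_OVERLAY = SAMPLE_BMP + b"appended bytes the headers do not describe"
```

A non-zero overlay length is only a signal to look closer; legitimate writers sometimes append profile or padding data too.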

Roadmap

Development of Malcat has just started and you can expect its feature list to grow. So besides the regular bug fixes, QOL improvements and signature updates, here is a list of the big improvements planned so far. Note that this list may change in the future, depending on user feedback and the state of sales.

Short term

Serialisation:
load and save user comments and labels from/to an external file (most likely in JSON). This should allow the import of external analyses (IDA, Binary Ninja, Ghidra) into Malcat.
FLIRT signatures:
Scan for FLIRT signatures and label matching functions accordingly.
RTTI analysis:
extract type information for MSVC and GCC

Mid term

SVG export:
Export content views into an SVG file for online publication
Java support:
Add a Java .class file parser and a JVM bytecode disassembler.
PDB files:
Support loading external PDB debug information into Malcat.
Function parameters analysis:
Identify function parameters at call sites. For known APIs, label them using a knowledge base.
Keystone integration:
Allow users to assemble code using the Keystone assembler.

Long term

Collaborative function signatures:
We would like to introduce a new function signature format that would allow fuzzy matching and collaboration between users based on an online database. This obviously requires a lot of work to build the initial database, and to design mechanisms able to handle conflicts between users.
Debugging:
We would like to conduct experiments on debugging using Malcat's UI.
Type analysis:
That would be nice. The question is how much it would slow the analysis down.
ARM support:
We have to find a nice disassembly library which does not weigh 5 MB (hi capstone).