Welcome to Malcat’s documentation!
Malcat is a binary file dissection tool. It can parse 40+ file formats (cf. Supported file formats) using dissectors written in python and display their annotated contents in an intuitive user interface. It is also able to edit files, using either the graphical Usage or the embedded python Scripting engine. While Malcat can be used as a general-purpose hexadecimal editor, it also embeds high-value components useful to malware analysts and/or reverse engineers:
a disassembler and a decompiler, with support for different CPU architectures (cf. Supported architectures)
a files extractor and carver (extract files from archives, discover embedded files of known type)
a few static analyses (function discovery, constants highlighting, strings scanner, FLIRT signatures, etc.)
a well-integrated yara scanner + a yara rule editor
a tight capa integration with custom bindings for Malcat
a binary diff engine, to compare files side by side
… and much more
This help document will introduce you to Malcat’s Usage, its Analysis engine (doc in progress) and its Scripting capabilities. If you’re new to the software, this document can also help you Getting started.
Please note that Malcat is currently in beta phase. It means that while the core of the software is finished and polished, it has not been tested extensively by its user base and documentation is somewhat sparse.
- Getting started
- Working with files
- Searching in Malcat
- Color themes
- Analysis engine (doc in progress)
- Analysis object (analysis)
- File object (analysis.file)
- Address mapping (analysis.map)
- File structures (analysis.struct)
- File entropy (analysis.entropy)
- Strings (analysis.strings)
- Cross References (analysis.xref)
- Disassembly (analysis.asm)
- Control Flow Graph (analysis.cfg)
- Strongly Connected Components (analysis.loops)
- Functions (analysis.fns)
- Symbols (analysis.syms)
- Cross References (analysis.xref)
- Carved files (analysis.carved)
- Virtual files (analysis.vfiles)
- Yara signatures (analysis.sigs)
- Anomalies (analysis.anomalies)
- User comments (analysis.comments)
- User highlighted regions (analysis.highlights)
Reverse engineers have a lot of options nowadays when it comes to analysing known software: IDA, Binary Ninja, Ghidra and many more. So one may ask: was another binary analysis software really needed?
IDA-like tools are basically made to answer one big question: how does a given binary software work? And they are really good at it, provided you plan to spend several hours digging in the same binary.
Malware analysts, incident responders and SOC analysts on the other hand have to analyse and triage large amounts of unknown binaries in a short time span. When opening a file, they do not care as much for the how as for the what. They want to know what is the file they are looking at and what it contains. And because malware are tricky, they have to answer this question for a lot of different file types (installers, archives, office documents, programs, …) and architectures (NSIS, AutoIT, .NET, python, x86/64, …). And this is a different problematic, different engough to justify the need for another class of tool.
Until now, malware analysts had to rely on either outdated tools (like the excellent Hiew) or on a lot of different utilities, each addressing a small subset of the problem. Malcat tries to combine all the features of these utilities in a single, powerful user interface. So yes, Malcat also embeds a disassembler and a decompiler like IDA, but the similarity ends there: they are two different types of tool which play in different categories.
We always appreciate feedback, positive or negative (as long as it is constructive), so don’t hesitate to contact us! There are currently several ways to reach us: