File parsers
Malcat makes use of the 40+ Python file parsers located in data/filetypes to recognize the current file type and highlight all of its internal structures. Using Python reduces the attack surface of faulty parsing (file formats are tricky) and significantly speeds up the development of new file parsers: everything can be tested live, just hit Ctrl+R. This comes with a small performance penalty of course, but in practice it is negligible, provided some basic guidelines are followed.
How parsing is done
Coming soon
File carving
Coming soon
Supported file formats
Malcat focuses mainly on file formats used directly or indirectly by malware authors. Adding a new filetype is easy. Please refer to Adding support for new file types. If you wish to make your new file format official, please refer to Contributing.
Programs
Here you can find the current list of supported executable formats:
| Name | Structure parsing | Debug infos | Resources | Notes |
|---|---|---|---|---|
| AutoIT | 3.26+ only | | | Scripts can be decompiled using F4 |
| COFF | Yes | symbols and cv13 | | relocations, symbols, imports |
| ELF | Yes | symbols, no DWARF | | relocations, symbols, imports, big and little endian |
| InnoSetup | Yes | | Yes | setup script can be disassembled |
| LNK | Yes | | | while not a program format per se, it can be used to run commands |
| MDMP | Partial | No | | Windows minidumps, partial support |
| NSIS | Yes | | Yes | setup script can be disassembled, most sections parsed |
| OLE | Yes | | | VBA macros can be displayed using F4 |
| PE/PE+ | Yes | debug dir, no PDB | Yes | exports, imports (+ bound/delay), relocations, tls, debug, load config, certificates, version information |
| PE::DotNet | Yes | Yes | Yes | types, methods, resources, exceptions, strings |
| PE::Golang | Yes | pcln + file tables | | |
| PE::VB | Yes | types and events | VB forms | native and PCode support, project infos, objects array, forms and events |
| PYC | Yes | Yes | | support for python 2.7+ and 3.6+, can handle PY2EXE and PYINST scripts |
| VBE | Yes | | | Malcat supports unpacking the original VBS script |
| XLS | Yes | | | The /Workbook stream inside OLE containers. Cell information (including formulas) can be recovered using F4 |
| XLSB | Yes | | | The .bin files inside OpenXML .xlsb containers. Cell information (including formulas) can be recovered using F4 |

- Structure parsing: whether the file format parser identifies (most of) the binary structures of the file format
- Debug infos: whether debug information is parsed
- Resources: if the program embeds resources, whether Malcat can identify and extract them
Archives / file systems / databases
While Malcat does not pretend to be a full-fledged archive opener, it supports most archive types used by malware. Some file format parsers are more advanced than others and even allow the user to open archive members directly inside Malcat. Here is the list of supported file formats:
| Name | Structure parsing | In-app unpacking | Summary | Notes |
|---|---|---|---|---|
| 7Z | EncodedHeader only | No | No | |
| ACE | Yes | Yes | Yes | |
| AR | Yes | Yes | Yes | Used in static libraries (.lib, .a) |
| AutoIt | 3.26+ only | 3.26+ only | Yes | Scripts can be decompiled using F4 |
| CAB | Yes | zlib encoding only | Yes | |
| CFB/OLE2 | Yes | Yes | Yes | VBA macros can be displayed using F4 |
| FAT12/16/32 | Yes | Yes | Yes | Currently limited to small to medium file trees |
| GZIP | Yes | Yes | Yes | |
| InnoSetup | Yes | Yes | Yes | Support from InnoSetup 4.1.0 onward, encryption support |
| ISO | Yes | Yes | Yes | No Joliet/RockRidge extension support |
| JFFS2 | Yes | lzo/lzma/rtime/zlib only | Yes | |
| MSI | Yes | Yes | Yes | MSI tables can be displayed using F4 |
| NSIS | Yes | zlib and lzma, no bz2 | Yes | |
| PYINST | Yes | Yes | Yes | Extracted python scripts get their python header restored |
| PYZ | Yes | Yes | Yes | Extracted python scripts get their python header restored |
| RAR4 | Yes | No | Yes | Archive comments are shown for easy SFX analysis |
| RAR5 | Yes | No | Yes | Archive comments are shown for easy SFX analysis |
| SquashFS | Yes | lzo/lzma/xz only | Yes | Can also display meta streams |
| Sqlite | Partial | Not yet | No | Work in progress |
| TAR | Yes | Yes | Yes | |
| UDF | Yes | Yes | Yes | |
| UImage | Yes | lzo/lzma/gzip/bzip2 only | Yes | |
| VHD | Yes | Yes | Yes | Support for dynamic disks |
| ZIP | Yes | Yes | Yes | |
| ZLIB stream | Yes | Yes | Yes | |

- Structure parsing: whether the file format parser identifies (most of) the binary structures of the file format
- In-app unpacking: whether the file format parser can directly extract and open archive members. Inside Malcat, a member can then be opened by double-clicking it in the Virtual File System tab.
- Summary: whether Malcat displays a summary report in the Summary view
Multimedia / documents
Identifying documents and pictures is very useful for malware analysis: many obfuscators disguise their payloads as multimedia files, or hide them inside a multimedia file, in some unused space.
| Name | Structure parsing | Metadata | Notes |
|---|---|---|---|
| BMP | Yes | | Both BMP and DIB (i.e. BMP without FileHeader) are supported |
| DOC | Partial (FCB) | Yes | The /WordDocument stream inside OLE containers |
| EMF | Yes | Yes | Used in office documents |
| GIF | Yes | Yes | |
| ICO | Yes | | |
| JPEG | Yes | Tiff | |
| ONE | Yes | No | Microsoft OneNote files. You can list and open embedded file objects |
| OOXML | No | No | Well, it's a ZIP, so you can browse it inside Malcat |
| | Minimal | No | Very minimal support since not really a binary format |
| PNG | Yes | Yes | Pixel information can be extracted using scripts |
| WAV | Basic | No | |
| XLS | Yes | Yes | Cell content + formula can be displayed using F4 |
| XLSB | Yes | Yes | Cell content + formula can be displayed using F4 |

- Structure parsing: whether the file format parser identifies (most of) the binary structures of the file format
- Metadata: whether most metadata (author, comments, time, etc.) are extracted
Adding support for new file types
Coming soon