Customisation
Because malware analysis or reverse engineering often takes us to unknown territories, Malcat has been made heavily customizable. Just by Changing options you can already tailor its analysis to suit your most basic needs. And if you want to go further, changes to the Data directory structure allows to deeply you impact the software: add new signatures, support new file types, etc. (see What can be overridden / changed).
Changing options
Options which alter the behavior of Malcat can be changed using the preferences dialog: . A lot of options are available: from interface changes up to analysis customisation. Each option comes with a useful help text explaining what is does, we encourage you to have a look at what’s available. The user options are written inside a config.ini file, whose location depends on your operating system:
for Windows user, it is located at
<malcat install dir>\config.inifor Linux user, it is located at
~/.malcat/config.ini
This file is portable: you can copy it to a new system if you don’t want to reconfigure Malcat from scratch.
Malcat preferences panel
Malcat also remembers a lot of smaller changes, like the layout of the windows or your last search using the Find dialog. These changes are written to a different location: the cache file.
for Windows user, it will be written at
<malcat install dir>\cache.inifor Linux user, it will be written in
~/.malcat/cache.ini
Data directories
While Malcat’s analysis core is written in C++, a lot of its logic is located inside python scripts, templates and text files found in the data/ directory of the application.
All of these files can be changed, either in place, or better by setting up a parallel User data directory.
Note
Changes to files inside the Data directory structure or User data directory do not require to restart Malcat in order to be effective. Just reanalyse the current file or hit Ctrl+R and you will see your changes in action! But make sure to have the option “General>Developer mode” set!
Data directory structure
The <malcat install dir>/data directory contains a lot of python and text files which are used to setup and drive all Malcat’s analyses. The structure of this directory is given below:
Directory |
Description |
|---|---|
data/anomalies |
python scripts responsible for detecting file anomalies. Refer to Anomaly scanner for more details. |
data/filetypes |
python scripts responsible for parsing file types. Refer to File parsers for more details. |
data/signatures |
Yara rules directory. Refer to Yara signatures for more details. |
data/constants |
contains compiled binary patterns used for the constants highlighting. Refer to Known patterns identification for more details. |
data/scripts |
contains various python scripts to help the analyst explore the current file. Refer to Script editor for more details. |
data/strings |
contains regular expression for strings tagging. Refer to String analysis for more details. |
data/templates |
contains templates used in the Summary view. Refer to Write your own summary template for more details. |
data/themes |
contains color themes used in the graphical interface. Refer to Color themes for more details. |
data/transforms |
contains python functions responsible for decrypting/decompressing data from the Transform menu. See Transforms for more details. |
data/intelligence |
contains all providers for Threat intelligence providers hash lookup, download by hash or kesakode lookups |
data/kesakode |
contains the database files for Offline Kesakode |
data/types |
python and pseudo-C files declaring structure types, see Apply a custom type |
You can freely play around and change the application’s data directory files: hit Ctrl+R in order to see your changes in action. But keep in mind that these files may be overwritten by the next update!
User data directory
If you want to make permanent changes to Malcat, you need to setup a user directory in the preferences dialog (). The structure of this directory should mirror the Data directory structure. Malcat will offer to create the initial Data directory structure for you the first time you change it anyway.
Setting up a user data directory
Any file put inside a subdirectory of the user directory will take precedence over the original file found in the data/ directory. You can add new files too, Malcat will detect them and use then appropriately. Files in your user data directory are reloaded for each analysis. If you change/add some, just hit Ctrl+R in order to see your changes in action!
What can be overridden / changed
A lot of Malcat’s analyses can be expanded or changed by overriding files in the User data directory. A non-comprehensive list of patch-points is given below:
Write your own Yara signatures