Customisation

Because malware analysis or reverse engineering often takes us into unknown territory, Malcat has been made heavily customizable. Just by changing options you can already tailor its analysis to suit your most basic needs. And if you want to go further, changes to the Data directory structure let you alter the software much more deeply: add new signatures, support new file types, etc. (see What can be overridden / changed).

Changing options

Options which alter the behavior of Malcat can be changed using the preferences dialog: Edit ‣ Preferences. A lot of options are available, from interface changes up to analysis customisation. Each option comes with a useful help text explaining what it does; we encourage you to have a look at what’s available. The user options are written inside a config.ini file, whose location depends on your operating system:

  • for Windows users, it is located at <malcat install dir>\config.ini

  • for Linux users, it is located at ~/.malcat/config.ini

This file is portable: you can copy it to a new system if you don’t want to reconfigure Malcat from scratch.

[Figure: Malcat preferences panel (options.png)]

Malcat also remembers a lot of smaller changes, like the layout of the windows or your last search using the Find dialog. These changes are written to a different location: the cache file.

  • for Windows users, it will be written at <malcat install dir>\cache.ini

  • for Linux users, it will be written in ~/.malcat/cache.ini

Data directory

While Malcat’s analysis core is written in C++, a lot of its logic is located inside python scripts, templates or text files found in the data/ directory of the application. All of these files can be changed, either in place or, better, by setting up a parallel User data directory.

Note

Changes to files inside the Data directory structure or the User data directory do not require restarting Malcat in order to take effect. Just reanalyse the current file or hit Ctrl+R and you will see your changes in action!

User data directory

You can freely edit the files in the application’s data directory and hit Ctrl+R to see your changes in action. But keep in mind that these files may be overwritten by the next update!

If you want to make permanent changes to Malcat, you can set up a user directory in the preferences dialog (Edit ‣ Preferences ‣ General ‣ User data directory). The structure of this directory should mirror the Data directory structure. Any file put there takes precedence over the original file found in the data/ directory. New files can be added there too.
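As an added example that is not part of the Malcat documentation or code base, the following Python models the precedence rule just described: data/ is walked first, the user data directory second, and a file present at the same relative path in both is taken from the user directory, while user-only files are simply added. The directory pair, file names and rule contents created by build_demo() are constructed for the demonstration.

```python
# Added example, not Malcat's own code: a model of the lookup order described above,
# where a user data directory file shadows the data/ file with the same relative path
# and user-only files are added. All paths and file names below are constructed.
import tempfile
from pathlib import Path


def _files(root):
    """Relative POSIX paths of all regular files below root (empty if root is missing)."""
    root = Path(root)
    if not root.is_dir():
        return set()  # an unset or missing user directory simply means no overrides
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}


def effective_tree(data_dir, user_dir):
    """Map each relative path to (origin, absolute path) for the merged view."""
    merged = {}
    # data/ is walked first, the user tree second, so a user file wins for the same path.
    for root, origin in ((data_dir, "data"), (user_dir, "user")):
        for rel in sorted(_files(root)):
            merged[rel] = (origin, str(Path(root, rel)))
    return merged


def audit(data_dir, user_dir):
    """Classify files as 'overridden', 'added' (user only) or 'default' (data only)."""
    data_files, user_files = _files(data_dir), _files(user_dir)
    return {
        "overridden": sorted(data_files & user_files),
        "added": sorted(user_files - data_files),
        "default": sorted(data_files - user_files),
    }


def build_demo():
    """Create a constructed data/ and user directory pair and return their paths."""
    base = Path(tempfile.mkdtemp())
    data, user = base / "data", base / "user_data"
    files = {
        data / "signatures" / "packers.yar": "rule shipped_packer { condition: false }\n",
        data / "strings" / "urls.txt": "https?://[^\\s]+\n",
        user / "signatures" / "packers.yar": "rule my_packer { condition: false }\n",
        user / "signatures" / "internal.yar": "rule internal_marker { condition: false }\n",
    }
    for path, content in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return str(data), str(user)
```

audit() is worth running before installing an update: files under data/ may be overwritten while the user directory is not, so the "overridden" and "added" entries are the customisations to keep.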

Data directory structure

The <malcat install dir>/data directory contains a lot of python and text files which are used to set up and drive all of Malcat’s analyses. The structure of this directory is given below:

Directory and description:

  • data/anomalies: python scripts responsible for detecting file anomalies. Refer to Anomaly scanner for more details.

  • data/filetypes: python scripts responsible for parsing file types. Refer to File parsers for more details.

  • data/signatures: yara rules directory. Refer to Yara signatures for more details.

  • data/constants: contains compiled binary patterns used for the constants highlighting. Refer to Known patterns identification for more details.

  • data/scripts: contains various python scripts to help the analyst explore the current file. Refer to Script editor for more details.

  • data/strings: contains regular expressions for strings tagging. Refer to String analysis for more details.

  • data/templates: contains templates used in the Summary view. Refer to Write your own template for more details.

  • data/themes: contains color themes used in the graphical interface. Refer to Color themes for more details.

  • data/transforms: contains python functions responsible for decrypting/decompressing data from the Transform menu. See Transform dialog for more details.

  • data/types: python and pseudo-C files declaring structure types. See Apply a custom type for more details.

What can be overridden / changed

A lot of Malcat’s analyses can be expanded or changed by overriding files in the User data directory.