Customisation
Because malware analysis or reverse engineering often takes us to unknown territories, Malcat has been made heavily customizable. Just by Changing options you can already tailor its analysis to suit your most basic needs. And if you want to go further, changes to the Data directory structure allows to deeply you impact the software: add new signatures, support new file types, etc. (see What can be overridden / changed).
Table of Contents
Changing options
Options which alter the behavior of Malcat can be changed using the preferences dialog: . A lot of options are available: from interface changes up to analysis customisation. Each option comes with a useful help text explaining what is does, we encourage you to have a look at what’s available. The user options are written inside a config.ini file, whose location depends on your operating system:
for Windows user, it is located at
<malcat install dir>\config.inifor Linux user, it is located at
~/.malcat/config.ini
This file is portable: you can copy it to a new system if you don’t want to reconfigure Malcat from scratch.
Malcat preferences panel
Malcat also remembers a lot of smaller changes, like the layout of the windows or your last search using the Find dialog. These changes are written to a different location: the cache file.
for Windows user, it will be written at
<malcat install dir>\cache.inifor Linux user, it will be written in
~/.malcat/cache.ini
Data directory
While Malcat’s analysis core is written in C++, a lot of its logic is located inside python scripts, templates or text files found in the data/ directory of the application.
All of these files can be changed, either in place, or better by setting up a parallel User data directory.
Note
Changes to files inside the Data directory structure or User data directory do not require to restart Malcat in order to be effective. Just reanalyse the current file or hit Ctrl+R and you will see your changes in action!
User data directory
You can freely the application’s data directory files hit Ctrl+R to see your changes in action. But keep in mind that these files may be overwritten by the next update!
If you want to make permanent changes to Malcat, you can setup a user directory in the preferences dialog (). The structure of this directory should mirror the Data directory structure. Any file put there take precedence over the original file found in the data/ directory. New files can be added there too.
Data directory structure
The <malcat instll dir>/data directory contains a lot of python and text files which are used to setup and drive all Malcat’s analyses. The structure of this directory is given below:
Directory |
Description |
|---|---|
data/anomalies |
python scripts responsible for detecting file anomalies. Refer to Anomaly scanner for more details. |
data/filetypes |
python scripts responsible for parsing file types. Refer to File parsers for more details. |
data/signatures |
yara rules directory. Refer to Yara signatures for more details. |
data/constants |
contains compiled binary patterns used for the constants highlighting. Refer to Known patterns identification for more details. |
data/scripts |
contains various python scripts to help the analyst explore the current file. Refer to Script editor for more details. |
data/strings |
contains regular expression for strings tagging. Refer to String analysis for more details. |
data/templates |
contains templates used in the Summary view. Refer to Write your own template for more details. |
data/themes |
contains color themes used in the graphical interface. Refer to Color themes for more details. |
data/transforms |
contains python functions responsible for decrypting/decompressing data from the Transform menu. See Transform dialog for more details. |
data/types |
python and pseudo-C files declaring structure types, see Apply a custom type |
What can be overridden / changed
A lot of Malcat’s analyses can be expanded or changed by overriding files in the User data directory.