Getting started
If you are a first-time user, welcome! While Malcat’s sheer number of features makes it a tool better suited to tech-savvy users (it has been mainly designed for infosec professionals), we did invest time in making it somewhat beginner-friendly (with the addition of the Summary view for instance). This chapter should guide beginners and newcomers through the first steps of using the software and its user interface.
Installing the software
Malcat comes as a portable program: you can extract the archive wherever you want and run it from there. Subsequent updates should also be installed the same way: just unpack the archive to the initial install directory. If you are using the paid version of Malcat, you will also need to Activate the software the first time you run it.
Windows
Malcat can run on Windows 10 64-bit. It should also run fine on Windows 7 64-bit (with the latest updates installed) and Windows 11 64-bit, but no testing is performed for these platforms. If in doubt, test with the lite edition first. Note that you will need to have the VS2015 64-bit redistributables installed on your system. You can download them from the Microsoft Download Center if needed.
On Windows, Malcat comes bundled with a python 3 interpreter. You may choose to use your system python installation instead, but you will have to make sure the same version is installed (python 3.8 x64). If you want to integrate Malcat tighter into your operating system, you can go to Open with Malcat to the explorer’s context menu.
Linux
On Linux, Malcat has been built for some of the most widespread Linux distributions out there. After unzipping the archive, you will need to install the following packages from your distribution repository:
GTK 3
Python 3
A few python packages (see INSTALL.txt)
Afterwards, you’re good to go! If you want to integrate Malcat tighter into your operating system, you can go to Changing options) and click on the button: it will add a .desktop entry to ~/.local/share/applications. Malcat will then appear in your distribution’s system menu under the two categories Utility and Development.
Python environment
Malcat relies heavily on python scripts. On Windows, Malcat comes bundled with a python 3.8 x64 interpreter in static/python64, so you have nothing to do post-installation. By setting the option (cf. Changing options), you may override this and use your already-installed python environment (make sure it is python 3.8 x64 though).
On Linux, Malcat will make use of the OS’s python distribution. If you have downloaded the right Malcat Linux version, everything should be compatible; just make sure you run pip install -r requirements.txt prior to running Malcat.
You may run Malcat from within a python virtual environment if you wish; just make sure to install all needed packages listed in requirements.txt. You may install additional packages and use them from within Malcat’s Scripting environment too.
Note
Since version 0.9.3 we have bundled Malcat’s binary analysis into a python module. It means you can directly analyse files using Malcat from within your python interpreter. Refer to Run Malcat from your python interpreter for more information. Please also note that there are Legal restrictions when using the python module.
Opening files
You have installed Malcat on your system, congratulations! Now it is time to analyse your first file. There are several ways to open files in Malcat. Malcat can even work with multiple files in parallel, Compare two files side by side or open files from a script (cf. Working with files). But the three most common ways to load a file into the UI are:
Drag and drop a file
Open using the menu or Ctrl+O shortcut
Using the command line:
malcat <path/to/file>
And that’s not all! Once a file has been loaded inside Malcat, you can explore and Open sub-files and objects easily. Indeed Malcat will automatically perform two analyses:
The current File parsers will parse the structures of the current file and interpret their content, looking for descriptions or links to stored / packed files. These can be archive members in a ZIP file, files in an ISO image or resource items defined in a PE program for instance. These are listed inside the Virtual File System tab.
Malcat will run a File carving algorithm and scan the entire file range for embedded files of known types (like binwalk, but with fewer file types supported and fewer false positives). This pass can identify files even in raw dumps. These are listed inside the Carved files tab.
Double-clicking any of these identified files will open them either in the current project or in a new project. You can then at any time Switch between files easily using the project drop-down list.
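The two passes described above can be contrasted on constructed samples. This is an added example, not Malcat's code or API: a parser pass follows ZIP structures, while a carving pass scans for the PNG magic and validates chunk CRCs to discard false hits. All function names and sample data are assumptions made for illustration.

```python
import io
import re
import struct
import zipfile
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def make_png():
    """Constructed sample: a minimal 1x1 greyscale PNG (IHDR, IDAT, IEND)."""
    parts = [(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)),
             (b"IDAT", zlib.compress(b"\x00\x00")), (b"IEND", b"")]
    return PNG_MAGIC + b"".join(struct.pack(">I", len(b)) + t + b +
                                struct.pack(">I", zlib.crc32(t + b)) for t, b in parts)

def png_length(data, off):
    """Walk the chunks after a magic hit, checking each CRC; None if invalid."""
    pos = off + len(PNG_MAGIC)
    while pos + 12 <= len(data):
        size, ctype = struct.unpack_from(">I4s", data, pos)
        end = pos + 12 + size
        body, crc = data[pos + 4:end - 4], data[end - 4:end]
        if end > len(data) or struct.pack(">I", zlib.crc32(body)) != crc:
            return None
        if ctype == b"IEND":
            return end - off
        pos = end
    return None

def carve(data):
    """Carving pass: validate every magic hit, return (offset, length) pairs."""
    offsets = [m.start() for m in re.finditer(re.escape(PNG_MAGIC), data)]
    return [(o, n) for o in offsets if (n := png_length(data, o)) is not None]

def parse_members(data):
    """Parser pass: follow the ZIP central directory; empty list if not a ZIP."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def build_samples():
    """Constructed inputs: a ZIP archive, and a raw dump with no container."""
    png, buf = make_png(), io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("logo.png", png, compress_type=zipfile.ZIP_STORED)
        zf.writestr("note.txt", b"A" * 200, compress_type=zipfile.ZIP_DEFLATED)
    dump = b"\x00" * 37 + png + b"\xff" * 16 + PNG_MAGIC + b"not a real image"
    return buf.getvalue(), dump
```

Running carve() and parse_members() on both outputs of build_samples() shows that the stored PNG is reachable by both passes, the deflated note.txt only by the parser pass, and the PNG in the raw dump only by carving; the stray magic at the end of the dump is rejected by the CRC check.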
User interface
Once a file is open in Malcat, you are greeted with the main user interface. The interface has been kept relatively simple and can be divided into 4 zones:
the top header contains the project switcher (7) to Switch between files, and a toolbar (10) to switch between Views
top left you will find an accordion control that allows you to navigate and open most of the identified objects:
Files extracted by Malcat’s File parsers are listed under the Virtual File System category (1)
Files found by Malcat’s File carving algorithm are listed under the Carved files category (2)
Structures identified by Malcat’s File parsers are listed under the Structures category (3)
Constants found by Malcat’s Known patterns identification are listed under the Constants category (4)
Functions identified by Malcat’s CFG reconstruction are listed under the Functions category (5)
the bottom left panel is known as the quickview panel (6) and allows you to quickly preview things
the main surface is covered by the current view screen (8). Malcat offers 10+ different Views, each one focused on a different aspect of the file.
Some of the Views also feature an Augmented navigation bar (11) which allows you to locate and quickly jump to the most interesting parts of a file.
Finally, a rich statusbar is present at the bottom of the screen. It gives information about the current selection (9), the file type of the current file (12) (which you can override), the currently used CPU architecture (13) (you can also override it) and the status of the analysis (14).
Note
Hovering over the status icon and text (14) will give you additional information about the current analysis. In case of an error, a red exclamation mark will be displayed. More information can then be seen inside the Console window (F8).
Most of the views in Malcat can be customized simply by Changing options. And most of them support the usual GUI operations:
Copy via Ctrl+C, and for editable views: paste via Ctrl+V
Navigation via the usual navigation keys
Selecting things with the mouse
Editing for the Hexadecimal view and Structure/text view via DoubleClick or via Insert
For more detailed information about the user interface, refer to Usage.
Going further
So, where to go next? You can have a deeper look at the Usage of Malcat, its Analysis engine (doc in progress) or play with its Scripting capabilities. Keep in mind that Malcat is a very flexible program with a lot of Customisation options for you to experiment with.
And finally, if you are convinced by the capabilities of the tool, you can always support its development through the purchase of Full & Pro versions. And don’t hesitate to Contact us with any feedback or remarks you have, we always like to hear from our users!
Happy reversing,
Malcat development team