Analysis object (malcat)
- malcat: Analysis
The malcat object is an Analysis instance and the entry point of Malcat’s scripting interface. It contains the analysis results for a single file/project. While most of Malcat’s analysis is performed in C++, Python bindings are available to the user via the malcat object. Using this object, you have access to all of the specialized analyses as well as to the raw file using the File object (malcat.file).
The Analysis object
- class bindings.Analysis
- architecture: bindings.FileType.Architecture
The main CPU architecture of the file (only set for programs).
- category: bindings.FileType.Category
The category of the identified file type
- files: List[bindings.VirtualFile]
The list of virtual files identified by the File parsers.
- imagebase: int
The virtual address at which the file should be loaded
- metadata: Dict[str, Dict[str, str]]
The file metadata, as extracted from the File parsers. This is what you see in the Summary view. Metadata are str->str associations sorted into categories (the keys of the outer dictionary).
- type: str
The file type as a short string, e.g. “PE”
Access to analyses
- file: bindings.File
A pointer to the File object (malcat.file).
- entropy: bindings.Entropy
A pointer to the File entropy (malcat.entropy).
- map: bindings.MappingAnnotation
A pointer to the Address mapping (malcat.map).
- struct: bindings.FileStructure
A pointer to the File structures (malcat.struct).
- asm: bindings.Asm
A pointer to the Disassembly (malcat.asm).
- cfg: bindings.CFG
A pointer to the Control Flow Graph (malcat.cfg).
- loops: bindings.Loops
A pointer to the Strongly Connected Components (malcat.loops).
- fns: bindings.Functions
A pointer to the Functions (malcat.fns).
- strings: bindings.Strings
A pointer to the Strings (malcat.strings).
- xref: bindings.CrossReferences
A pointer to the Cross References (malcat.xref).
- syms: bindings.Symbols
A pointer to the Symbols (malcat.syms).
- sigs: bindings.Signatures
A pointer to the Yara signatures (malcat.sigs).
- carved: bindings.SubFiles
A pointer to the Carved files (malcat.carved).
- anomalies: bindings.Anomalies
A pointer to the Anomalies (malcat.anomalies).
Category enum
The bindings.Analysis.category
attribute is an enum which can take the following values:
- class bindings.FileType.Category
This enum describes the type/category of the analyzed file. It can have one of the following values:
- UNKNOWN
No file type could be inferred, i.e. the file was rejected by all parsers
- PROGRAM
The file is an executable program (PE, ELF, NSIS script, etc.)
- IMAGE
The file is an image
- SOUND
The file is a sound file format
- DOCUMENT
The file is a document, e.g. an Excel spreadsheet
- ARCHIVE
The file is an archive, e.g. zip or rar
- FILESYSTEM
The file is a filesystem, e.g. a SquashFS container or a FAT32 image
CPU architectures enum
The bindings.Analysis.architecture
attribute is an enum which can take the following values:
- class bindings.FileType.Architecture
This enum describes the main CPU architecture that should be used to interpret the code portion of the file (if any). Note that some file types may contain code for more than one architecture, e.g. Visual Basic Pcode + x86.
- NONE
- X86
- X64
- DOTNET
- PCODE
Visual Basic Pcode
- AU3
AutoIt tokens
- BIFF
Biff8 or Biff12 Excel spreadsheet. These can contain bytecode formulas, hence the architecture.
- PY36
- PY37
- PY38
- PY39
- PY310
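The following script is an added example, not part of Malcat's documentation or code base. It shows how a triage script would dispatch on the Analysis attributes described above (type, category, architecture, imagebase, metadata, files) and on the Category and Architecture enums. It is meant to run inside Malcat, where the page says the malcat object is available; outside Malcat it falls back to a constructed stand-in (StandInAnalysis) that mimics only the documented attribute names, with arbitrary enum values. It assumes enum members expose a `.name` string, as standard Python and pybind11 enums do, and the sample metadata ("Header", "Machine", "Subsystem") is made up.

```python
from enum import Enum

# Which architectures Malcat disassembles as native machine code and which are
# interpreter bytecode, per the Architecture enum documented above.
NATIVE = {"X86", "X64"}
BYTECODE = {"DOTNET", "PCODE", "AU3", "BIFF", "PY36", "PY37", "PY38", "PY39", "PY310"}


def flatten_metadata(metadata):
    """Turn the category -> {key: value} mapping (Summary view) into 'category/key' -> value."""
    return {f"{cat}/{key}": value
            for cat, entries in metadata.items()
            for key, value in entries.items()}


def triage(analysis):
    """Classify the analysed file from its Analysis attributes and say which views apply."""
    category = analysis.category.name        # assumed: enum members expose .name
    arch = analysis.architecture.name
    info = {
        "type": analysis.type,
        "category": category,
        "architecture": arch,
        "imagebase": hex(analysis.imagebase),
        "virtual_files": len(analysis.files),
        "metadata": flatten_metadata(analysis.metadata),
    }
    if category == "UNKNOWN":
        info["next"] = "no parser accepted the file: fall back to entropy, strings and carving"
    elif category == "PROGRAM" and arch in NATIVE:
        info["next"] = "native code: disassembly, CFG and functions apply"
    elif category == "PROGRAM" and arch in BYTECODE:
        info["next"] = f"{arch} bytecode: the listing is interpreter code, not x86"
    elif category == "DOCUMENT" and arch == "BIFF":
        info["next"] = "BIFF spreadsheet: formulas are bytecode, so the disassembly view applies"
    elif category in {"ARCHIVE", "FILESYSTEM"}:
        info["next"] = "container: walk analysis.files and extract anything executable"
    else:
        info["next"] = "no code expected: review metadata and carved files"
    return info


class StandInAnalysis:
    """Constructed stand-in exposing only the attribute names documented above.
    Enum member values are arbitrary; only the member names come from the page."""
    Category = Enum("Category", "UNKNOWN PROGRAM IMAGE SOUND DOCUMENT ARCHIVE FILESYSTEM")
    Architecture = Enum("Architecture",
                        "NONE X86 X64 DOTNET PCODE AU3 BIFF PY36 PY37 PY38 PY39 PY310")

    def __init__(self, type_, category, architecture, imagebase=0, metadata=None, files=()):
        self.type = type_
        self.category = self.Category[category]
        self.architecture = self.Architecture[architecture]
        self.imagebase = imagebase
        self.metadata = metadata or {}
        self.files = list(files)


def current_analysis():
    """The real malcat object when running inside Malcat, otherwise a constructed sample."""
    try:
        return malcat  # noqa: F821 - the Analysis instance Malcat exposes to scripts
    except NameError:
        return StandInAnalysis("PE", "PROGRAM", "X86", 0x400000,
                               {"Header": {"Machine": "i386", "Subsystem": "GUI"}})


if __name__ == "__main__":
    for key, value in triage(current_analysis()).items():
        print(f"{key}: {value}")
```

Comparing on `.name` rather than on the enum member itself keeps the script independent of how the bindings module is imported; if you know the bindings are importable in your Malcat version, comparing against the enum members directly is equally valid.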
Virtual files
- class bindings.VirtualFile
A virtual file that can be extracted from the current file’s file system using the current file parser.
- property path: str
The virtual file’s absolute path. For an archive, this would be the file’s stored path for instance.
- property size: int
The virtual file’s unpacked size. Note that this field is not always accurate: for some file systems, the real size of the file can only be computed after extraction, so treat it as an approximation.
- property filetype: str
The type of the virtual file as a short string, e.g. “PE”
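The script below is an added example, not Malcat's own code, showing what a practitioner typically does with the files list and the three VirtualFile properties documented above: pick out embedded executables by filetype, flag stored paths that would escape an extraction directory (zip-slip style), and rank members by declared size while treating that size as the approximation the page says it is. Inside Malcat it reads the malcat object's files list; elsewhere it uses a constructed namedtuple stand-in with only path, size and filetype. The sample members, their sizes and the "TXT"/"ELF" type strings are made up ("PE" is the page's own example), and the traversal check is an added heuristic, not a Malcat feature.

```python
from collections import namedtuple

# Constructed stand-in carrying only the three documented VirtualFile properties.
StandInVirtualFile = namedtuple("StandInVirtualFile", "path size filetype")

# Short type strings to treat as executable; "PE" is the page's own example,
# "ELF" is assumed to follow the same convention.
EXECUTABLE_TYPES = {"PE", "ELF"}


def nested_executables(files, wanted=EXECUTABLE_TYPES):
    """(path, filetype, declared size) for each member whose type is in ``wanted``."""
    return [(f.path, f.filetype, f.size) for f in files if f.filetype in wanted]


def traversal_candidates(files):
    """Stored paths that would escape an extraction directory (zip-slip style).
    Only the stored path is inspected, nothing is written to disk. A '..'
    segment or a Windows drive letter is enough to flag a member; a leading
    slash alone is not, because the page describes the path as absolute."""
    flagged = []
    for f in files:
        segments = f.path.replace("\\", "/").split("/")
        drive_letter = len(segments[0]) == 2 and segments[0][1] == ":"
        if ".." in segments or drive_letter:
            flagged.append(f.path)
    return flagged


def largest_first(files, limit=5):
    """Members ordered by declared size. The size is only an approximation for
    some file systems (exact only after extraction), so use it to prioritise,
    never to allocate a buffer or bound a read."""
    return sorted(files, key=lambda f: f.size, reverse=True)[:limit]


def report(analysis):
    """Combine the three checks over ``analysis.files`` (the documented list)."""
    files = list(analysis.files)
    return {
        "members": len(files),
        "executables": nested_executables(files),
        "traversal": traversal_candidates(files),
        "largest": [(f.path, f.size) for f in largest_first(files, 3)],
    }


# Constructed sample members: paths, sizes and type strings are made up.
SAMPLE_FILES = [
    StandInVirtualFile("docs/readme.txt", 120, "TXT"),
    StandInVirtualFile("bin/update.exe", 540_000, "PE"),
    StandInVirtualFile("../../etc/cron.d/job", 300, "TXT"),
    StandInVirtualFile("lib/helper.so", 80_000, "ELF"),
]


def current_analysis():
    """The real malcat object inside Malcat, otherwise a stand-in with a .files list."""
    try:
        return malcat  # noqa: F821 - the Analysis instance Malcat exposes to scripts
    except NameError:
        return namedtuple("StandInAnalysis", "files")(SAMPLE_FILES)


if __name__ == "__main__":
    for key, value in report(current_analysis()).items():
        print(f"{key}: {value}")
```

The traversal check deliberately splits the raw path instead of normalising it: path normalisation collapses a leading "/.." to "/", which would hide exactly the entries you want to see.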