Analysis object (malcat)

malcat: Analysis

The malcat object is an Analysis instance and the entry point of Malcat’s scripting interface. It contains the analysis results for a single file/project. While most of Malcat’s analysis is performed in C++, Python bindings are available to the user via the malcat object. Using this object, you have access to all of the specialized analyses as well as to the raw file using the File object (malcat.file).

The Analysis object

class bindings.Analysis
architecture: bindings.FileType.Architecture

The main CPU architecture of the file (only set for programs).

category: bindings.FileType.Category

The category of the identified file type

files: List[bindings.VirtualFile]

The list of virtual files identified by the File parsers.

imagebase: int

The virtual address at which the file should be loaded

metadata: Dict[str, Dict[str, str]]

The file metadata, as extracted from the File parsers. This is what you see in the Summary view. Metadata are str->str associations sorted into categories (the categories are the keys of the outer dictionary).

type: str

The file type as a short string, e.g. “PE”

Access to analyses

file: bindings.File

A pointer to the File object (malcat.file).

entropy: bindings.Entropy

A pointer to the File entropy (malcat.entropy).

map: bindings.MappingAnnotation

A pointer to the Address mapping (malcat.map).

struct: bindings.FileStructure

A pointer to the File structures (malcat.struct).

asm: bindings.Asm

A pointer to the Disassembly (malcat.asm).

cfg: bindings.CFG

A pointer to the Control Flow Graph (malcat.cfg).

loops: bindings.Loops

A pointer to the Strongly Connected Components (malcat.loops).

fns: bindings.Functions

A pointer to the Functions (malcat.fns).

strings: bindings.Strings

A pointer to the Strings (malcat.strings).

xref: bindings.CrossReferences

A pointer to the Cross References (malcat.xref).

syms: bindings.Symbols

A pointer to the Symbols (malcat.syms).

sigs: bindings.Signatures

A pointer to the Yara signatures (malcat.sigs).

carved: bindings.SubFiles

A pointer to the Carved files (malcat.carved).

anomalies: bindings.Anomalies

A pointer to the Anomalies (malcat.anomalies).

Category enum

The bindings.Analysis.category attribute is an enum which can take the following values:

class bindings.FileType.Category

This enum describes the type/category of the analyzed file. It can have one of the following values:

UNKNOWN

No file type could be inferred, i.e. the file was rejected by all parsers

PROGRAM

The file is an executable program (PE, ELF, NSIS script, etc.)

IMAGE

The file is an image

SOUND

The file is a sound file format

DOCUMENT

The file is a document, e.g. an Excel spreadsheet

ARCHIVE

The file is an archive, e.g. zip or rar

FILESYSTEM

The file is a filesystem, e.g. a SquashFS container or a FAT32 image

CPU architectures enum

The bindings.Analysis.architecture attribute is an enum which can take the following values:

class bindings.FileType.Architecture

This enum describes the main CPU architecture that should be used to interpret the code portion of the file (if any). Note that some file types may contain code for more than one architecture, e.g. Visual Basic Pcode + x86.

NONE
X86
X64
DOTNET
PCODE

Visual Basic Pcode

AU3

AutoIt tokens

BIFF

Biff8 or Biff12 Excel spreadsheet. These can contain bytecode formulas, hence the architecture.

PY36
PY37
PY38
PY39
PY310

Virtual files

class bindings.VirtualFile

A Virtual file that can be extracted from the current file’s file system using the current file parser.

property path: str

The virtual file’s absolute path. For an archive, this would be the file’s stored path for instance.

property size: int

The virtual file’s unpacked size. Note that this field is not accurate: for some file systems, the real size of a file can only be computed after extraction. Take it as an approximation.

property filetype: str

The type of the virtual file as a short string, e.g. “PE”
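The following triage script is an added example and is not part of the Malcat documentation or code base. It pulls together the attributes documented above (type, category, architecture, imagebase, metadata and the files list of VirtualFile objects) into one summary and flags executables found inside an archive, document or filesystem. Because it has to run outside Malcat, it defines constructed stand-ins for the bindings.FileType.Category and bindings.FileType.Architecture enums and for the Analysis and VirtualFile classes, using only the member and attribute names the page lists; inside Malcat you would simply call triage(malcat). Assumptions: enum members are compared through their .name attribute, and the short type strings other than "PE" (here "ZIP", "JPEG", "ELF") are made up for the sample.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


# Constructed stand-ins for bindings.FileType.Category and
# bindings.FileType.Architecture so the script runs outside Malcat.
# Only the member names matter; the numeric values are arbitrary.
class Category(Enum):
    UNKNOWN = 0
    PROGRAM = 1
    IMAGE = 2
    SOUND = 3
    DOCUMENT = 4
    ARCHIVE = 5
    FILESYSTEM = 6


class Architecture(Enum):
    NONE = 0
    X86 = 1
    X64 = 2
    DOTNET = 3
    PCODE = 4
    AU3 = 5
    BIFF = 6
    PY38 = 7


@dataclass
class VirtualFile:
    """Stand-in with the three documented bindings.VirtualFile properties."""
    path: str
    size: int       # unpacked size, documented as an approximation
    filetype: str   # short type string, e.g. "PE"


@dataclass
class Analysis:
    """Stand-in carrying the documented bindings.Analysis attributes used below."""
    type: str
    category: Category
    architecture: Architecture
    imagebase: int
    files: List[VirtualFile] = field(default_factory=list)
    metadata: Dict[str, Dict[str, str]] = field(default_factory=dict)


# Categories that act as containers: an executable found inside one of
# these is what a triage script should surface.
CONTAINER_CATEGORIES = {"ARCHIVE", "DOCUMENT", "FILESYSTEM"}
# Short type strings treated as executables. "PE" is the documented example;
# "ELF" is assumed to follow the same convention.
PROGRAM_TYPES = {"PE", "ELF"}


def triage(analysis) -> dict:
    """Build a plain-dict summary from an Analysis-like object.

    Inside Malcat call triage(malcat). Only the attributes documented for
    bindings.Analysis and bindings.VirtualFile are touched, and enum values
    are compared by .name so the stand-ins and the real enums behave alike.
    """
    is_program = analysis.category.name == "PROGRAM"
    report = {
        "type": analysis.type,
        "category": analysis.category.name,
        "architecture": analysis.architecture.name,
        # imagebase is only meaningful for programs; report it as hex
        "imagebase": hex(analysis.imagebase) if is_program else None,
        "virtual_files": len(analysis.files),
        # sizes are approximations per the docs, so the total is one too
        "approx_unpacked_bytes": sum(vf.size for vf in analysis.files),
        "embedded_programs": [],
        "metadata": {},
    }
    if analysis.category.name in CONTAINER_CATEGORIES:
        report["embedded_programs"] = sorted(
            vf.path for vf in analysis.files if vf.filetype in PROGRAM_TYPES
        )
    # Flatten the two-level metadata dict into "Category/Key" -> value pairs
    for group, entries in analysis.metadata.items():
        for key, value in entries.items():
            report["metadata"][f"{group}/{key}"] = value
    return report


def build_sample() -> Analysis:
    """Constructed sample: a zip archive carrying a PE next to two images."""
    return Analysis(
        type="ZIP",
        category=Category.ARCHIVE,
        architecture=Architecture.NONE,
        imagebase=0,
        files=[
            VirtualFile("photos/IMG_0001.jpg", 204800, "JPEG"),
            VirtualFile("photos/IMG_0002.jpg", 198400, "JPEG"),
            VirtualFile("photos/viewer.exe", 51200, "PE"),
        ],
        metadata={"General": {"Entries": "3", "Compression": "deflate"}},
    )


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

The report keeps the raw values the bindings expose rather than interpreting them, so it can be fed to a rule set or logged as-is; the embedded_programs list is the one derived field, and it only ever contains paths of virtual files whose filetype is itself an executable type.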