Analysis object (malcat)
- malcat: Analysis
The malcat object is an Analysis instance and the entry point of Malcat’s scripting interface. It contains the analysis results for a single file/project. While most of Malcat’s analysis is performed in C++, Python bindings expose the results to the user via the malcat object. Using this object, you have access to all of the specialized analyses as well as to the raw file through the File object (malcat.file).
The Analysis object
- class bindings.Analysis
- architecture: bindings.FileType.Architecture
The main CPU architecture of the file (only set for programs).
- category: bindings.FileType.Category
The category of the identified file type
- files: List[bindings.VirtualFile]
The list of virtual files identified by the File parsers.
- imagebase: int
The virtual address at which the file should be loaded
- metadata: Dict[str, Dict[str, str]]
The file metadata, as extracted from the File parsers. This is what you see in the Summary view. Metadata are str->str associations sorted into categories (the keys of the outer dictionary).
- type: str
The file type as a short string, e.g. “PE”
Access to analyses
- file: bindings.File
A pointer to the File object (malcat.file).
- entropy: bindings.Entropy
A pointer to the File entropy (malcat.entropy).
- map: bindings.MappingAnnotation
A pointer to the Address mapping (malcat.map).
- struct: bindings.FileStructure
A pointer to the File structures (malcat.struct).
- asm: bindings.Asm
A pointer to the Disassembly (malcat.asm).
- cfg: bindings.CFG
A pointer to the Control Flow Graph (malcat.cfg).
- loops: bindings.Loops
A pointer to the Strongly Connected Components (malcat.loops).
- fns: bindings.Functions
A pointer to the Functions (malcat.fns).
- strings: bindings.Strings
A pointer to the Strings (malcat.strings).
- xref: bindings.CrossReferences
A pointer to the Cross References (malcat.xref).
- syms: bindings.Symbols
A pointer to the Symbols (malcat.syms).
- sigs: bindings.Signatures
A pointer to the Yara signatures (malcat.sigs).
- carved: bindings.SubFiles
A pointer to the Carved files (malcat.carved).
- anomalies: bindings.Anomalies
A pointer to the Anomalies (malcat.anomalies).
The bindings.Analysis.category attribute is an enum which can take the following values:
- class bindings.FileType.Category
This enum describes the type/category of the analyzed file. It can have one of the following values:
No file type could be inferred, i.e. the file was rejected by all parsers
The file is an executable program (PE, ELF, NSIS script, etc.)
The file is an image
The file is a sound file format
The file is a document, e.g. an Excel spreadsheet
The file is an archive, e.g. zip or rar
The file is a filesystem, e.g. a SquashFS container or a FAT32 image
CPU architectures enum
The bindings.Analysis.architecture attribute is an enum which can take the following values:
- class bindings.FileType.Architecture
This enum describes the main CPU architecture that should be used to interpret the code portion of the file (if any). Note that some file types may contain code for more than one architecture, e.g. Visual Basic Pcode + x86.
Visual Basic Pcode
Biff8 or Biff12 Excel spreadsheet. These can contain bytecode formulas, hence the architecture.
- class bindings.VirtualFile
A Virtual file that can be extracted from the current file’s file system using the current file parser.
- property path: str
The virtual file’s absolute path. For an archive, this would be the file’s stored path for instance.
- property size: int
The virtual file’s unpacked size. Note that this field is not accurate: for some file systems, the real size of a file can only be computed after extraction, so treat it as an approximation.
- property filetype: str
The type of the virtual file as a short string, e.g. “PE”
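The following is an added example, not code from Malcat’s documentation or code base, showing how a triage script consumes the attributes documented above for bindings.Analysis and bindings.VirtualFile (type, category, imagebase, metadata, files, and each virtual file’s path, size and filetype). Inside Malcat the script would use the global malcat object directly; here a minimal constructed stand-in with the same attribute names is built so the example runs offline. The enum member names (UNKNOWN, PROGRAM, ...) and the sample archive contents are assumptions: the page documents the meaning of each enum value, not its name.

```python
"""Added example (not part of Malcat's documentation): triage over the
documented bindings.Analysis / bindings.VirtualFile attributes.

A constructed stand-in replaces the global ``malcat`` object so the script
runs outside Malcat.  Enum member names are assumed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Category(Enum):
    """Stand-in for bindings.FileType.Category (member names are assumed)."""
    UNKNOWN = 0      # rejected by all parsers
    PROGRAM = 1      # executable program: PE, ELF, NSIS script, ...
    IMAGE = 2
    SOUND = 3
    DOCUMENT = 4     # e.g. an Excel spreadsheet
    ARCHIVE = 5      # e.g. zip or rar
    FILESYSTEM = 6   # e.g. a SquashFS container or FAT32 image


@dataclass
class VirtualFile:
    """Stand-in for bindings.VirtualFile: path, approximate unpacked size, type."""
    path: str
    size: int
    filetype: str


@dataclass
class Analysis:
    """Stand-in for bindings.Analysis, restricted to the attributes used here."""
    type: str
    category: Category
    imagebase: int
    metadata: Dict[str, Dict[str, str]]
    files: List[VirtualFile] = field(default_factory=list)


PROGRAM_TYPES = {"PE", "ELF"}


def flat_metadata(analysis: Analysis) -> List[str]:
    """Flatten the two-level metadata dict (category -> key -> value) into
    sorted 'category/key=value' lines, as shown in the Summary view."""
    lines = []
    for category, entries in analysis.metadata.items():
        for key, value in entries.items():
            lines.append(f"{category}/{key}={value}")
    return sorted(lines)


def embedded_programs(analysis: Analysis) -> List[VirtualFile]:
    """Virtual files that are themselves executables, e.g. a PE inside a zip."""
    return [vf for vf in analysis.files if vf.filetype in PROGRAM_TYPES]


def extraction_fits(vf: VirtualFile, budget: int, slack: float = 2.0) -> bool:
    """Decide whether extracting vf stays within ``budget`` bytes.

    The documented size is only an approximation, so a slack factor is
    applied before comparing against the budget instead of trusting it as-is.
    """
    return vf.size * slack <= budget


def triage(analysis: Analysis, budget: int = 64 * 1024 * 1024) -> Dict[str, object]:
    """Summarise one analysis using only the documented attributes."""
    programs = embedded_programs(analysis)
    return {
        "type": analysis.type,
        "category": analysis.category.name,
        "imagebase": hex(analysis.imagebase),
        "metadata": flat_metadata(analysis),
        "virtual_files": len(analysis.files),
        "embedded_programs": [vf.path for vf in programs],
        "extractable_programs": [vf.path for vf in programs
                                 if extraction_fits(vf, budget)],
        # An archive or document carrying an executable deserves a closer look.
        "container_with_program": (
            analysis.category in {Category.ARCHIVE, Category.DOCUMENT}
            and bool(programs)
        ),
    }


# Constructed sample: a zip archive holding a PDF, a small PE and a large PE.
SAMPLE = Analysis(
    type="ZIP",
    category=Category.ARCHIVE,
    imagebase=0,
    metadata={"Archive": {"Entries": "3", "Method": "deflate"}},
    files=[
        VirtualFile("invoice.pdf", 120_000, "PDF"),
        VirtualFile("invoice.pdf.exe", 350_000, "PE"),
        VirtualFile("setup/big_installer.exe", 200 * 1024 * 1024, "PE"),
    ],
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

In a real Malcat script the stand-in classes disappear and `triage(malcat)` is called on the global object; the slack factor in `extraction_fits` exists only because the page states that `VirtualFile.size` is an approximation.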