Known constants (analysis.constants)

analysis.constants: malcat.Constants

The analysis.constants or analysis.cst object is a malcat.Constants instance that gives you access to all known constants / patterns found in the current file.

Note that in addition to this documentation, you can find usage examples in the sample script which is loaded when you hit F8.

Accessing / enumerating found constants

Malcat embeds a constant scanner as one of its analyses (see Known patterns identification). The result of the scan is available through the analysis.constants or analysis.cst (an alias) Python objects, which can be useful in your scripts. If you're looking for instances of AES usage, a simple if "AES" in analysis.constants is enough.

class malcat.Constants
__iter__()

Iterate over all constants found in file

for cst in analysis.constants:
    print(f"constant found {cst.name} ({cst.category}) at {analysis.ppa(cst.address)} !")
Return type:

iterator over Constant

__getitem__(name)

Returns all Constant whose Constant.name attribute is name. If no such constant can be found, an empty list is returned.

for cst in analysis.constants["AES"]:
    print(f"AES constant found at {analysis.ppa(cst.address)}")
Parameters:

name (str) – constant name to search for

Return type:

list of Constant

__getitem__(interval)

Iterate over all the constants contained in the interval (effective address):

constants = list(analysis.constants[analysis.p2a(0) : analysis.p2a(0x5000)])
print("there are {} constants found in range[#0-#5000[".format(len(constants)))
Parameters:

interval (slice) – effective address interval

Return type:

iterator over Constant

__contains__(name)

return True iff one or more constants named name were found in the file.

if "AES" in analysis.constants:
    print("AES usage found!")
Parameters:

name (str) – constant name to look for

Return type:

bool

__contains__(ea)

return True iff there exists a constant spanning over the effective address ea

Parameters:

ea (int) – address to query

Return type:

bool

__len__(self)

return the number of constants found in the file

Return type:

int

find(ea)

return the Constant which starts at or contains the effective address ea, or None if none can be found.

Parameters:

ea (int) – effective address for the query

Return type:

Constant or None

find_forward(ea)

return the Constant which starts at or contains the effective address ea or starts directly after ea, or None if no Constant is defined beyond ea.

first_constant = analysis.constants.find_forward(0)
if first_constant is None:
    raise ValueError("No constant in program!")
Parameters:

ea (int) – effective address for the query

Return type:

Constant or None

find_backward(ea)

return the Constant which starts at or contains the effective address ea or the first one that starts before ea, or None if no Constant is defined before ea.

last_constant = analysis.constants.find_backward(analysis.map.end)
if last_constant is None:
    raise ValueError("No constant in program!")
Parameters:

ea (int) – effective address for the query

Return type:

Constant or None

Constant object

Identified patterns/constants are Python objects of type malcat.Constant and offer the following interface:

class malcat.Constant
name: str

nice name for the constant (not always unique)

category: str

category of the constant (crypto, guid, etc.)

is_code: bool

True if this is a code constant (i.e. a constant that can be found only within a single instruction, as an immediate operand)

address: int

the effective address at which the identified constant starts

start: int

same as address

end: int

same as start + size

size

size in bytes of the pattern

Return type:

int

__len__()

same as size

Return type:

int
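
An added example (not part of the Malcat documentation) that uses only the Constant attributes documented above to merge nearby constants of one category into address regions, which shows at a glance where crypto tables or immediates cluster in a sample. FakeConstant, SAMPLE, constant_regions and max_gap are hypothetical names, and the sample values are constructed so the script also runs outside Malcat.

```python
from collections import namedtuple

# Stand-in for malcat.Constant so the script runs outside Malcat; only the
# attributes documented above are used.
FakeConstant = namedtuple("FakeConstant", "name category is_code address size")

# Constructed sample data: names other than "AES" and all addresses are made up.
SAMPLE = [
    FakeConstant("AES", "crypto", False, 0x4000, 0x100),
    FakeConstant("AES", "crypto", False, 0x4100, 0x100),
    FakeConstant("SHA256", "crypto", True, 0x1200, 4),
    FakeConstant("SHA256", "crypto", True, 0x1208, 4),
    FakeConstant("SomeGuid", "guid", False, 0x4210, 16),
]


def constant_regions(constants, category="crypto", max_gap=0x20):
    """Merge constants of one category lying within max_gap bytes of each other.

    Returns a list of dicts with start, end (exclusive), names and in_code
    (True only if every merged constant is a code constant).
    """
    hits = sorted((c for c in constants if c.category == category),
                  key=lambda c: c.address)
    regions = []
    for cst in hits:
        end = cst.address + cst.size  # same value as Constant.end
        last = regions[-1] if regions else None
        if last and cst.address - last["end"] <= max_gap:
            last["end"] = max(last["end"], end)  # overlapping hits only extend
            last["names"].add(cst.name)
            last["in_code"] = last["in_code"] and cst.is_code
        else:
            regions.append({"start": cst.address, "end": end,
                            "names": {cst.name}, "in_code": cst.is_code})
    return regions


if __name__ == "__main__":
    # Inside Malcat, call constant_regions(analysis.constants) instead and
    # format addresses with analysis.ppa(r["start"]).
    for r in constant_regions(SAMPLE):
        where = "code immediates" if r["in_code"] else "data table"
        print(f"{r['start']:#x}-{r['end']:#x} {sorted(r['names'])} ({where})")
```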
