Virtual files (analysis.vfiles)

analysis.vfiles: List[malcat.VirtualFile]

The analysis.vfiles object is a list of malcat.VirtualFile instances that gives you access to all the virtual files identified by the current parser (cf. File parsers).

Note that in addition to this documentation, you can find usage examples in the sample script which is loaded when you hit F8.

What are virtual files?

Malcat can list and extract two different types of sub-files:

  • The current file parser (see File parsers) parses the structures of the current file and interprets their content, looking for descriptions of, or links to, stored / packed files. These can be, for instance, archive members in a ZIP file, files in an ISO image or resource items defined in a PE program. These are listed inside the Virtual File System tab.

  • Malcat will run a File carving algorithm and scan the entire file range for embedded files of known types (like binwalk, but without all the false positives). This pass can identify files even in raw dumps. These are listed inside the Carved files tab.

analysis.vfiles is a Python list containing all files belonging to the first category, i.e. the list of virtual files. These files are virtual in the sense that they need to be unpacked/extracted before they can be used.

The virtual file object

class malcat.VirtualFile

A Virtual file that can be extracted from the current file’s file system using the current file parser.

property path: str

The virtual file’s absolute path. For an archive, this would be the file’s stored path for instance.

property size: int

The virtual file’s unpacked size. Note that this field is not accurate: for some file systems, the real size of the file can only be computed after extraction. So take it as an approximation.

property filetype: str

The type of the virtual file as a short string, e.g. “PE”.

unpack()

Unpack the file, using the appropriate unpack method. Can raise exceptions.

with open("dumped", "wb") as f:
    f.write(analysis.vfiles[0].unpack())

Return type:

bytes
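
An added example, not part of the Malcat documentation or its sample script: because path is taken from the analysed file and size is only an approximation, this helper dumps every virtual file under a chosen directory, strips traversal components from the stored path and records failures instead of aborting. The names safe_target, dump_vfiles and FakeVFile and the 64 MiB limit are assumptions of this example; only path, size, filetype and unpack() come from the API described above.

```python
import hashlib
import os
import tempfile

def safe_target(out_dir, stored_path):
    """Map an untrusted stored path to a location strictly inside out_dir."""
    parts = [p.replace(":", "_") for p in stored_path.replace("\\", "/").split("/")
             if p not in ("", ".", "..")] or ["unnamed"]
    root = os.path.realpath(out_dir)
    target = os.path.realpath(os.path.join(root, *parts))
    if os.path.commonpath([root, target]) != root:  # e.g. a symlink under out_dir
        raise ValueError("path escapes output directory: %r" % stored_path)
    return target

def dump_vfiles(vfiles, out_dir, max_bytes=64 * 1024 * 1024):
    """Unpack each virtual file under out_dir; return (path, result, sha256) rows."""
    report = []
    for vf in vfiles:
        try:
            data = vf.unpack()  # documented as able to raise
            # vf.size is only an approximation, so check the real unpacked length
            if len(data) > max_bytes:
                raise ValueError("unpacked size exceeds limit")
            target = safe_target(out_dir, vf.path)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(data)
        except Exception as exc:
            report.append((vf.path, "failed: %s" % exc, None))
            continue
        report.append((vf.path, target, hashlib.sha256(data).hexdigest()))
    return report

class FakeVFile:
    """Constructed stand-in for malcat.VirtualFile so the code runs outside Malcat."""
    def __init__(self, path, data, fail=False):
        self.path, self.size, self.filetype = path, len(data), "?"
        self._data, self._fail = data, fail
    def unpack(self):
        if self._fail:
            raise RuntimeError("constructed failure")
        return self._data

if __name__ == "__main__":
    # In a Malcat script, pass analysis.vfiles instead of the constructed list.
    demo = [FakeVFile("../../evil.bin", b"MZ"), FakeVFile("bad", b"", fail=True)]
    for row in dump_vfiles(demo, tempfile.mkdtemp()):
        print(row)
```

Two stored paths that sanitise to the same name overwrite each other on disk; the returned rows still keep each original path and the SHA-256 of its content.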