Source code view

The source code view is accessed using the F4 shortcut. This view displays the source code of the current file. Its content depends on the type of the analyzed file:

  • for x86/x64 programs, the decompiled C source code of the current function is displayed

  • for AutoIT .tok files, the AutoIT detokenized script is displayed

  • for OLE/CFB documents, the VBA macro source code is displayed

  • for Excel Biff8/Biff12 streams, the XLM macros are displayed, as well as cell values

  • for MSI installers, the content of the MSI tables is dumped

  • for pure text files (i.e. files that contain only UTF-8 or UTF-16LE text), the whole file content is displayed in a text editor with syntax highlighting
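As an added illustration of the "pure text file" criterion above, here is a small classifier that decides whether a byte buffer qualifies as UTF-8 or UTF-16LE text. This is example code written for this page, not Malcat's own detection logic: the decision to reject control characters (other than tab, CR and LF), surrogates, private-use and unassigned code points, and the BOM handling, are assumptions about what "only contains text" means. The sample inputs at the bottom are constructed.

```python
import unicodedata
from typing import Dict, Optional

# Control characters that are acceptable inside a text file.
_ALLOWED_CONTROL = {"\t", "\n", "\r"}


def _looks_like_text(text: str) -> bool:
    """Reject decoded text containing control (Cc), private-use (Co),
    unassigned (Cn) or surrogate (Cs) code points. These categories
    catch binary blobs that happen to decode without error, e.g. an
    even-length byte string read as UTF-16LE (assumption, see lead-in)."""
    for ch in text:
        if ch in _ALLOWED_CONTROL:
            continue
        if unicodedata.category(ch) in ("Cc", "Co", "Cn", "Cs"):
            return False
    return True


def _try_decode(encoding: str, data: bytes) -> Optional[str]:
    """Strict decode: any invalid or truncated sequence raises."""
    try:
        text = data.decode(encoding)
    except UnicodeDecodeError:
        return None
    return text if _looks_like_text(text) else None


def detect_pure_text(data: bytes) -> Optional[str]:
    """Return 'utf-8', 'utf-16-le' or None for a whole-file buffer."""
    if not data:
        return None
    # A BOM pins the encoding; the rest of the file must still decode cleanly.
    if data.startswith(b"\xef\xbb\xbf"):
        return "utf-8" if _try_decode("utf-8", data[3:]) is not None else None
    if data.startswith(b"\xff\xfe"):
        return "utf-16-le" if _try_decode("utf-16-le", data[2:]) is not None else None
    # No BOM: try UTF-8 first. UTF-16LE text is tried second because plain
    # ASCII decodes "successfully" as UTF-16LE (two ASCII bytes per CJK code
    # unit) if the length is even, while real UTF-16LE ASCII text fails the
    # UTF-8 path on its NUL high bytes.
    for encoding in ("utf-8", "utf-16-le"):
        if _try_decode(encoding, data) is not None:
            return encoding
    return None


# Constructed sample inputs (not real files).
SAMPLES: Dict[str, bytes] = {
    "autoit_utf8": b'MsgBox(0, "hi", "done")\n',
    "powershell_utf16le": "Set-Content x\r\n".encode("utf-16-le"),
    "utf16le_with_bom": "\ufeffhello".encode("utf-16-le"),
    "pe_stub": b"MZ\x90\x00\x03\x00\x00\x00",
    "latin1_not_utf8": "caf\xe9".encode("latin-1"),
}


def classify_samples() -> Dict[str, Optional[str]]:
    return {name: detect_pure_text(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:20s} -> {result}")
```

The order of the BOM-less attempts matters: swapping them would classify most even-length ASCII files as UTF-16LE. The category filter is what stops short binary headers such as the PE stub from being accepted as text.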

From a user interface point of view, the source code view can be one of two different views, which are listed below:

C function decompiler

If you are analyzing an x86 or x64 program, Malcat offers C-source function decompilation based on the Sleigh decompiler. In this mode, the decompiler works function by function, so you need to be located within an identified function.

Note

The C-function view is read-only: decompiled content cannot be modified.

If you are outside the scope of a function, you first need to jump to one, either by hitting f or F, or by clicking on any of the identified functions in the Functions tab on the left of the window.

Figure: Decompiled C code view

The view will display the C-code reconstruction of the current function. Most function names and strings are clickable:

  • clicked function names will bring you to the decompilation of the clicked function.

  • clicked strings or pointers will bring you to the address using the best-suited view.

Any symbol defined in Malcat is also carried over into the decompiled C code. In the same vein, Malcat's identified constants (cf. Known patterns identification) are used too: a C comment is added next to each identified constant in the C code listing. This comes in handy when facing obfuscated shellcode, for instance.

Note

In some cases, Malcat and the Sleigh decompiler disagree about function recovery. When that happens, you will see some function calls whose name is prefixed with code_ and which are not clickable. We are working on the issue.

Besides these integrations, this is a very standard view with the usual shortcuts:

Shortcut      Action
LeftClick     Go to data/function
Backspace     Go back
f or F        Goto next/previous function
Left arrow    Scroll left
Right arrow   Scroll right
Up arrow      Scroll up one line
Down arrow    Scroll down one line
Home          Goto top of function
End           Goto end of function
PageUp        Go back one page
PageDown      Display next page
Ctrl+G        Goto address (opens a dialog)

Source code / pure text viewer

For other file types, mainly pure text files, AutoIT .tok scripts, MSI installers, OLE documents and BIFF8/12 workbooks, the source code view is a Scintilla-based text control showing either:

  • the full content of the file for pure text files

  • the decrypted/reconstructed scripts found in the current file, for AutoIT .tok scripts, MSI installers, OLE documents and BIFF8/12 workbooks.

This view mode is global: you don’t need to be located within a function for it to work.

Figure: A detokenized malicious AutoIT script

By default, the best-suited syntax highlighting is chosen automatically when you open the source code view. The choice is based either on the file type (for recovered scripts) or on the file extension (for pure text files). You can override it using the choice control in the top toolbar. Syntax highlighting also influences folding: for some programming languages, functions, classes and logic blocks can be folded using the symbol margin.

Contrary to the C function view, this view is fully editable. You can even make use of Malcat's 60+ transform algorithms to Transform text in the source code view, which is handy when facing obfuscated scripts. If you modify the file, you can save it to disk using the save icon in the toolbar. Besides transforms, you have access to the usual text control shortcuts:

Shortcut      Action
Left arrow    Scroll left
Right arrow   Scroll right
Up arrow      Scroll up one line
Down arrow    Scroll down one line
Home          Goto top of function
End           Goto end of function
PageUp        Go back one page
PageDown      Display next page
Ctrl+A        Select all text
Ctrl+T        Transform selection
Ctrl+Z        Undo
Ctrl+Y        Redo
Ctrl+C        Copy
Ctrl+V        Paste