Strings list
The strings view is accessed using the F6 shortcut and lists all strings extracted by Malcat's String analysis. You can sort, filter, copy strings, or add them to the Current Yara rule. For more information on how Malcat extracts strings from a program, please refer to String analysis.
The grid
Depending on the identified file type, different string extraction algorithms can be used. Algorithms can range from the simple regular-expression based linear sweep to more advanced file-format aware parsers, or even disassembly-based parsers (cf. below). Multiple algorithms can also be used at the same time. Extracted strings are then analyzed and sorted inside the grid you can see below:
Columns
The string grid features the following columns:
- String
the content of the string. If the string is longer than 128 characters, only the start and the end of the string are displayed
- Address
the start of the string object (see the note below). Double-clicking the row takes you there
- Type
describes what kind of string it is (cf. String analysis):
  - USER: a string literal used by user code (e.g. a .NET UserString; for other CPUs these could be just scan strings with at least one reference)
  - META: a string used by the file format. These could be symbols or class names
  - DYN: a dynamic string, constructed on the stack or in memory
  - SCAN: a string found via linear scan. It might also not be a string at all
- Encoding
how the characters are encoded: Ascii, UTF8, or UTF16-le
- Tag
tags which describe the content of the string's characters. Currently supported tags are:
  - BASE64: string is likely a base64 string (heuristic)
  - HEXA: string is likely a hexadecimal string (heuristic, at least 16 characters)
  - URL: string looks like a URL
  - IP: string looks like an IPv4 address
  - PATH: string looks like a file path
  - REGISTRY: string looks like a Windows registry key
Additional tags can be defined using regular expressions in the file located at data/strings/specialr.re or <user data dir>/strings/specialr.re (cf. Customisation).
- Size
number of characters in the string
- Score
string interest score, see below
- Xrefs
number of incoming references (code and data refs).
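The tags above are regular-expression heuristics. As an added illustration (not Malcat's code and not the contents of its specialr.re), the following tagger implements the six built-in tags with constructed patterns and shows why HEXA must be tested before BASE64 and why both remain heuristics:

```python
import re

# Illustrative patterns for the six built-in tags; constructed for this example,
# not Malcat's own specialr.re definitions.
TAG_PATTERNS = {
    "URL": re.compile(r"^(?:https?|ftp)://[^\s/$.?#][^\s]*$", re.IGNORECASE),
    "IP": re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    # drive letter, UNC prefix or an absolute Unix path
    "PATH": re.compile(r"^(?:[A-Za-z]:\\|\\\\|/)[^\x00-\x1f]+$"),
    "REGISTRY": re.compile(r"^HK(?:LM|CU|CR|U|CC|EY_[A-Z_]+)\\[^\x00-\x1f]+$"),
    # heuristics: at least 16 hex digits; base64 in blocks of 4 with optional padding
    "HEXA": re.compile(r"^[0-9A-Fa-f]{16,}$"),
    "BASE64": re.compile(r"^(?:[A-Za-z0-9+/]{4}){4,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"),
}


def tag_string(s: str) -> list:
    """Return the tags that apply to one extracted string, in a fixed order."""
    tags = [name for name in ("URL", "IP", "PATH", "REGISTRY") if TAG_PATTERNS[name].match(s)]
    # A long run of hex digits is also valid base64, so HEXA takes precedence.
    if TAG_PATTERNS["HEXA"].match(s):
        tags.append("HEXA")
    # Plain words can be valid base64 too; requiring at least one non-letter
    # cuts down on false positives (which is why the page calls these heuristics).
    elif TAG_PATTERNS["BASE64"].match(s) and not s.isalpha():
        tags.append("BASE64")
    return tags


def tag_all(strings) -> dict:
    """Tag a batch of strings, keeping only those that received at least one tag."""
    result = {}
    for s in strings:
        tags = tag_string(s)
        if tags:
            result[s] = tags
    return result


SAMPLE_STRINGS = [  # constructed sample strings, as a linear scan might yield them
    "http://example.com/update.php",
    "192.168.1.10",
    "C:\\Windows\\System32\\cmd.exe",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "deadbeefcafebabe0123456789abcdef",
    "SGVsbG8gV29ybGQh",
    "kernel32.dll",
    "GetProcAddress",
]

if __name__ == "__main__":
    for text, tags in tag_all(SAMPLE_STRINGS).items():
        print(f"{','.join(tags):10} {text}")
```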
Most columns can be used to sort the grid. Keep in mind that sorting can be slow if a large number of strings have been found. By default, strings are sorted by their score, descending.
Coloring
You will notice that some of the rows in the strings grid are colored. Currently two types of colors are used:
- The Anomaly scanner theme color for strings which are part of an identified anomaly
- The Yara signatures theme color for strings which are part of a matching Yara rule
This helps to quickly identify important strings.
String preview / goto
Clicking on a string will display the string’s details in the quickview panel. There, you will also have access to the complete list of incoming references to the string.
If you double-click the string, you will jump to the start of the string in the Hexadecimal view or the Structure/text view (the most recently used view is chosen).
Note
Malcat distinguishes between how string objects are stored and the string they contain. The first character of the string is not always located at the beginning of the string object: .NET user strings are prefixed by their size, for instance. Keeping track of the whole string object is necessary for cross references to work. So don't be surprised when you double-click on a string and Malcat does not jump to its first character.
Shortcut | Action
---|---
LeftClick | Select single string / display quick preview
DoubleLeftClick | Go to start of string
How score is computed
The string score is a value between 0 and 255 (255 being the highest) which is given to every extracted string, using an internal algorithm. The goal is to give a higher value to the strings which are more interesting to human analysts, like crypto content, IOCs or code literals. Since this is merely a heuristic, don't expect it to do miracles: interesting strings are more likely to be listed at the top, but it's not guaranteed.
The exact algorithm won't be described here, since it is a draft likely to change in the future. Its inputs are fixed though, and are the following:
- Entropy of the string: the higher the better
- Number of printable characters: the higher the better
- Number of characters: the higher the better
- Type of the string: DYN > USER > META > SCAN
- Encoding of the string: ascii strings get negative points
- Whether the string has a specific tag: HEXA and BASE64 strings get extra points
- Number of incoming references: 1 is the best, 2 or more references the second best, 0 the worst
- Whether the string is a known constant (see Known patterns identification): this lowers the score
- Whether the string is part of a Yara pattern (see Yara signatures): this increases the score
The algorithm is currently still in beta; any constructive feedback on this matter is welcome.
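To make the list of inputs concrete, here is an added illustrative scorer (not Malcat's internal algorithm; the weights are assumed, only the direction of each input comes from the page) that combines the nine inputs into a 0..255 value and ranks constructed sample strings the way the grid sorts by default:

```python
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class ExtractedString:
    text: str
    type: str               # "USER", "META", "DYN" or "SCAN"
    encoding: str           # "Ascii", "UTF8" or "UTF16-le"
    tags: tuple = ()
    xrefs: int = 0
    known_constant: bool = False
    yara_match: bool = False


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the character distribution, in bits per character."""
    n = len(s) or 1
    return -sum(k / n * math.log2(k / n) for k in Counter(s).values())


TYPE_BONUS = {"DYN": 40, "USER": 30, "META": 20, "SCAN": 0}   # assumed weights


def score(es: ExtractedString) -> int:
    """Combine the inputs listed above into a 0..255 score (higher = more interesting)."""
    s = 10.0 * shannon_entropy(es.text)                              # entropy: up to ~80 points
    s += min(sum(c.isprintable() for c in es.text), 64) / 64 * 40    # printable characters
    s += min(len(es.text), 128) / 128 * 20                           # length
    s += TYPE_BONUS.get(es.type, 0)                                  # DYN > USER > META > SCAN
    if es.encoding.lower() == "ascii":
        s -= 10                                                      # ascii gets negative points
    if "HEXA" in es.tags or "BASE64" in es.tags:
        s += 30                                                      # tag bonus
    s += {0: -20, 1: 30}.get(es.xrefs, 15)                           # 1 ref best, 2+ second, 0 worst
    if es.known_constant:
        s -= 40                                                      # known pattern lowers the score
    if es.yara_match:
        s += 40                                                      # Yara match raises the score
    return max(0, min(255, round(s)))


def rank(strings) -> list:
    """Order strings by descending score, which is the grid's default sort."""
    return sorted(strings, key=score, reverse=True)


SAMPLES = [  # constructed sample entries (tags and xrefs as the grid would report them)
    ExtractedString("abc", "SCAN", "Ascii"),
    ExtractedString("SGVsbG8gV29ybGQh", "USER", "UTF16-le", tags=("BASE64",), xrefs=1),
    ExtractedString("kernel32.dll", "META", "Ascii", xrefs=3),
]
```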
Filtering
The string view can potentially display a very large amount of strings. To make things easier, it is possible to filter the displayed strings:
- By string type, using the checkboxes on top of the string view
- By string content, using the search box.
Shortcut | Action
---|---
Ctrl+F | Set focus to the view's search box
Other operations
Copy single/multi
From within the string view you can select one or multiple strings at once, using the usual mouse shortcuts. If you hit Ctrl+C afterwards, all selected strings are copied to the clipboard. Multiple strings are separated by line breaks.
Shortcut | Action
---|---
LeftClick | Select single string / set start of strings selection
Shift+LeftClick | Set end of strings selection
Ctrl+LeftClick | Add/remove single string to/from strings selection
Ctrl+C | Copy selected strings
Add to Yara
If you select a string, you can add it to the Current Yara rule using the context menu. You can add it either as a hexadecimal pattern or as a text string. If you choose the latter, the ascii or wide modifier is appended automatically to the line in the Yara rule, depending on the encoding of the string.
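The two forms described above, as an added example that is not Malcat's code: the function builds one strings-section line from a string's text and encoding, picking the modifier from the encoding, escaping what YARA text strings require, and falling back to the hex form where `wide` cannot represent the bytes faithfully.

```python
def yara_string_line(name: str, text: str, encoding: str, as_hex: bool = False) -> str:
    """Build one entry for the strings section of a YARA rule.

    as_hex=False: text string; the modifier follows the encoding as described
                  above ('wide' for UTF16-le, 'ascii' otherwise).
    as_hex=True:  the bytes as they appear in the file for that encoding, as a hex pattern.
    """
    is_wide = encoding.lower() == "utf16-le"
    # 'wide' only interleaves zero bytes with single-byte characters, so a UTF-16
    # string with non-ASCII characters is only faithfully expressed as a hex pattern.
    if is_wide and any(ord(c) > 0x7F for c in text):
        as_hex = True
    if as_hex:
        raw = text.encode("utf-16-le" if is_wide else "utf-8")
        hex_bytes = " ".join(f"{b:02x}" for b in raw)
        return f"${name} = {{ {hex_bytes} }}"
    escaped = []
    for c in text:
        if c in ('\\', '"'):
            escaped.append("\\" + c)
        elif c == "\n":
            escaped.append("\\n")
        elif c == "\t":
            escaped.append("\\t")
        elif 0x20 <= ord(c) < 0x7F:
            escaped.append(c)
        else:
            # YARA text strings take \xNN escapes; other characters are emitted
            # byte by byte in their UTF-8 form, which is what 'ascii' matches on.
            escaped.extend(f"\\x{b:02x}" for b in c.encode("utf-8"))
    body = "".join(escaped)
    modifier = "wide" if is_wide else "ascii"
    return f'${name} = "{body}" {modifier}'
```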
Download
Strings which look like URLs (i.e. they have the URL tag) are treated in a special way. In the string context menu, you will see an additional action. If you choose this context action, Malcat will download the given URL using a fake user agent and open it as a sub-file inside Malcat.