Symbols list
The symbol view is accessed using the F5 shortcut and lists all symbols (imports, exports, internal functions and types) extracted by Malcat. Clicking on a symbol shows the references to this symbol, while double-clicking it navigates to the address of the symbol.
Overview
In the symbols list, symbols are displayed in a tree ('.' is used as the separator to build the tree), alongside their address and the number of cross-references pointing to them. They are furthermore grouped by type. The types are given below:
- Labels
User labels. These are the ones you can add using the context menu. Listing them here allows you to have an overview of your custom locations.
- Imports
All imported APIs, as reported by Malcat File parsers.
- Exports
All exported functions, as reported by Malcat File parsers.
- Functions
Here are listed all functions having a name. The name can come from different sources:
  - From the file’s metadata, e.g. the .NET MethodDef table
  - From debug information, e.g. the ELF .symtab section
  - From FLIRT signatures
Note that anonymous functions are not listed there, because they don’t have any symbol defined. If you want to see the list of all functions
- Data
Here you will find all variable-related symbols. These could be symbols for global variables for instance. Constants identified by Malcat’s Known patterns identification are also listed there.
- Typedefs
Here are listed all symbols pointing to type-definition structures. These kinds of symbols can come from different sources:
  - From the file’s metadata, e.g. the .NET TypeDef table
  - From RTTI information, e.g. the MSVC vtables
- Internal
This category is currently only used by us when debugging some issues. But in the future, there will be Python bindings to add symbols to this category. This will be a way for scripts to add symbols, without polluting the user-defined labels.
By default, all nodes of the tree beyond the first level of hierarchy are collapsed. You can expand them all by clicking on the checkbox Expand all located at the top of the view.
Symbol preview / goto
Clicking on a symbol will display all the incoming references to the symbol’s address in the quickview panel.
If you double-click the symbol, you will jump to the start of the symbol. The best view is chosen automatically. It can be the Hexadecimal view or the Structure/text view (the most recently used view is chosen) if the symbol lies outside of a recognized function, otherwise it will be the Disassembly view.
Shortcut | Action |
---|---|
LeftClick | Select single symbol / display quick preview |
DoubleLeftClick | Go to symbol address |
Filtering
The symbols view can potentially display a very large number of symbols. To make things easier, it is possible to filter the displayed symbols by name using the search box at the top of the view. Filtering is done immediately, no need to press Enter. Note that the tree will be automatically expanded to display search results.
Shortcut | Action |
---|---|
Ctrl+F | Set focus to the view’s search box |
Copy single/multi
From within the symbols view you can select one or multiple symbols at once, using the usual mouse shortcuts. If you hit Ctrl+C afterwards, you will copy all selected fully-qualified names to the clipboard. Multiple symbols are separated using line returns.
Shortcut | Action |
---|---|
LeftClick | Select single symbol / set start of symbols selection |
Shift+LeftClick | Set end of symbols selection |
Ctrl+LeftClick | Add/remove single symbol to/from symbols selection |
Ctrl+C | Copy selected symbols |