pytai is a Python-based Kaitai Struct visualizer and HEX viewer.
Kaitai Struct is a declarative language used for describing various binary data structures laid out in files or in memory: i.e. binary file formats, network stream packet formats, etc.
Given a binary file with a supported format, pytai can be used to browse the structure of the file and locate its members in the HEX view.
```
$ python3 ./pytai.pyz -h
usage: pytai.pyz [-h] [-kf FORMAT] [file]

pytai: A Python-based Kaitai Struct Visualizer and HEX Viewer

positional arguments:
  file                  Path to binary file

optional arguments:
  -h, --help            show this help message and exit
  -kf FORMAT, --kaitai-format FORMAT
                        Kaitai Format to use when parsing the file. Current formats found under "kaitai/formats" are:
                        aix_utmp, allegro_dat, andes_firmware, android_asus_bootldr, android_dto, android_img,
                        android_opengl_shaders_cache, android_super, apm_partition_table, apple_single_double, au,
                        avi, bcd, bitcoin_transaction, blender_blend, bmp, broadcom_trx, bson, btrfs_stream,
                        bytes_with_io, code_6502, compressed_resource, cpio_old_le, cramfs, creative_voice_file, dbf,
                        dex, dicom, dime_message, dns_packet, doom_wad, dos_datetime, dos_mz, ds_store, dune_2_pak,
                        edid, efivar_signature_list, elf, ethernet_frame, exif, ext2, fallout2_dat, fallout_dat,
                        ftl_dat, genmidi_op2, gettext_mo, gif, gimp_brush, glibc_utmp, gltf_binary, google_protobuf,
                        gpt_partition_table, gran_turismo_vol, gzip, hashcat_restore, hccap, hccapx, heaps_pak,
                        heroes_of_might_and_magic_agg, heroes_of_might_and_magic_bmp, icmp_packet, ico, id3v1_1,
                        id3v2_3, id3v2_4, ines, ipv4_packet, ipv6_packet, iso9660, java_class, jpeg, luks, lvm2, lzh,
                        mach_o, mac_os_resource_snd, magicavoxel_vox, mbr_partition_table, microsoft_cfb,
                        microsoft_network_monitor_v2, microsoft_pe, minecraft_nbt, monomakh_sapr_chg, mozilla_mar,
                        msgpack, nitf, ogg, openpgp_message, packet_ppi, pcap, pcf_font, pcx, pcx_dcx,
                        phar_without_stub, php_serialized_value, png, protocol_body, psx_tim, python_pickle,
                        python_pyc_27, quake_mdl, quake_pak, quicktime_mov, rar, regf, renderware_binary_stream,
                        resource_fork, riff, rtcp_payload, rtpdump, rtp_packet, ruby_marshal, saints_row_2_vpp_pc,
                        shapefile_index, shapefile_main, sqlite3, ssh_public_key, standard_midi_file, stl, sudoers_ts,
                        swf, systemd_journal, tcp_segment, tga, tls_client_hello, tr_dos_image, tsm, ttf,
                        udp_datagram, uefi_te, uimage, utf8_string, vdi, vfat, vlq_base128_be, vlq_base128_le,
                        vmware_vmdk, vp8_ivf, warcraft_2_pud, wav, websocket, windows_evt_log, windows_lnk_file,
                        windows_minidump, windows_resource_file, windows_shell_items, windows_systemtime, wmf, xwd,
                        zip, zx_spectrum_tap

Examples:
  $ python3 ./pytai.pyz
  $ python3 ./pytai.pyz ../../image.png -kf png
  $ python3 ./pytai.pyz ../../archive.zip -kf zip
  $ python3 __main__.py ../../program.exe -kf dos_mz
```
The latest stable version of pytai.pyz can be downloaded from the Releases page.
These are members that are inferred from the binary contents (usually a user-friendly display for explicit data).
- Kaitai Struct: Visualizer: Text-based visualizer written in Ruby
- Kaitai Web IDE: A browser-based visualizer
- Kaitai Struct: Visualization GUI Tool: GUI visualizer written in Java
- Binary Ninja UI Plugin: A GUI plugin for Binary Ninja
- Kaitai Struct VSCode: Extension for VS Code
- Hobbits: Multi-platform GUI for bit-based analysis, processing, and visualization
- PolyFile: A utility to identify and map the semantic structure of files
- Python 3.8+ with tkinter
The supported formats were taken from the Kaitai Struct format gallery repo and compiled to Python using the Kaitai Struct Compiler.
- Create or download a format definition (`*.ksy` file) using the Kaitai Struct language
- Install the Kaitai Struct Compiler
- Compile the format definition file: `ksc --target python --debug --import-path /path/to/imports/if/needed /path/to/format.ksy`
- Copy the output file (`*.py`) to the `pytai/kaitai/formats` subfolder.
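The `--debug` flag in the compile step above is what lets a viewer map structure members back to byte ranges. As an added illustration (this is not pytai's own code and not code from the Kaitai project), the script below mimics the shape of a class emitted by `ksc --target python --debug`: the class lists its fields in `SEQ_FIELDS`, records each field's start and end stream position in `_debug`, and leaves `_read()` for the caller to invoke. A walker then turns that bookkeeping into an offset table and a hex dump with the selected member marked, and shows what happens on a truncated input (members read before the cut keep their offsets; the failing member has a start but no end). `MiniStream`, the hypothetical `MINI` format in `MiniHeader`, and the `SAMPLE` bytes are all constructed here as stand-ins so the script runs without the `kaitaistruct` runtime or a compiled `.ksy`.

```python
"""Walk a Kaitai-style debug-mode parser and map members to hex offsets (added example)."""
import io
import struct
from collections import defaultdict


class TruncatedInput(ValueError):
    """Raised when the input ends before a member could be fully read."""


class MiniStream:
    """Constructed stand-in for the few kaitaistruct.KaitaiStream methods used below."""

    def __init__(self, data: bytes):
        self._io = io.BytesIO(data)

    def pos(self) -> int:
        return self._io.tell()

    def read_bytes(self, n: int) -> bytes:
        start = self.pos()
        chunk = self._io.read(n)
        if len(chunk) != n:
            raise TruncatedInput(f"wanted {n} bytes at offset {start}, got {len(chunk)}")
        return chunk

    def read_u1(self) -> int:
        return self.read_bytes(1)[0]

    def read_u2le(self) -> int:
        return struct.unpack("<H", self.read_bytes(2))[0]


class MiniHeader:
    """Hypothetical format: magic "MINI", version (u2le), name_len (u1), name (name_len bytes).

    Shaped like a `ksc --target python --debug` class: SEQ_FIELDS gives field order,
    _debug holds each field's start/end offsets, and _read() is called explicitly.
    """

    SEQ_FIELDS = ["magic", "version", "name_len", "name"]

    def __init__(self, _io: MiniStream):
        self._io = _io
        self._debug = defaultdict(dict)

    def _rd(self, name, reader):
        # The same start/end bookkeeping the compiler emits around every field read.
        self._debug[name]["start"] = self._io.pos()
        value = reader()
        self._debug[name]["end"] = self._io.pos()
        setattr(self, name, value)
        return value

    def _read(self):
        magic = self._rd("magic", lambda: self._io.read_bytes(4))
        if magic != b"MINI":
            raise ValueError(f"bad magic {magic!r}")
        self._rd("version", self._io.read_u2le)
        n = self._rd("name_len", self._io.read_u1)
        self._rd("name", lambda: self._io.read_bytes(n))


# Constructed sample: a valid 12-byte header followed by two unrelated trailing bytes.
SAMPLE = b"MINI" + struct.pack("<H", 3) + bytes([5]) + b"hello" + b"\x00\xff"


def try_parse(data: bytes):
    """Parse as a debug-mode viewer would: keep the partial object if parsing fails."""
    obj = MiniHeader(MiniStream(data))
    try:
        obj._read()
        return obj, None
    except (TruncatedInput, ValueError) as err:
        return obj, err


def member_offsets(obj):
    """List (name, start, end, value) for every fully read member, in file order."""
    out = []
    for name in obj.SEQ_FIELDS:
        span = obj._debug.get(name, {})
        if "end" in span:  # a member that raised mid-read has a start but no end
            out.append((name, span["start"], span["end"], getattr(obj, name)))
    return out


def friendly(value):
    """Inferred display for a member: printable ASCII bytes as text, other bytes as hex."""
    if isinstance(value, bytes):
        return value.decode("ascii") if all(32 <= b < 127 for b in value) else value.hex()
    return str(value)


def hex_view(data: bytes, start: int, end: int, width: int = 16) -> str:
    """Hex dump with the selected member's bytes [start, end) wrapped in brackets."""
    lines = []
    for off in range(0, len(data), width):
        cells = []
        for i, b in enumerate(data[off:off + width]):
            cell = f"{b:02x}"
            cells.append(f"[{cell}]" if start <= off + i < end else f" {cell} ")
        lines.append(f"{off:08x} {''.join(cells)}")
    return "\n".join(lines)


if __name__ == "__main__":
    hdr, err = try_parse(SAMPLE)
    for name, start, end, value in member_offsets(hdr):
        print(f"{name:10s} [{start:#06x}, {end:#06x})  {friendly(value)}")
    sel = hdr._debug["name"]
    print(hex_view(SAMPLE, sel["start"], sel["end"]))
    part, err = try_parse(SAMPLE[:9])
    print("truncated:", err, "->", [m[0] for m in member_offsets(part)])
```

The same walker works on a real compiled class because it only relies on `SEQ_FIELDS`, `_debug` and the attributes set by `_read()`; nested user types would be handled by recursing into members whose value is itself an object with `SEQ_FIELDS`, which is left out here to keep the example short.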
- No ability to interactively edit files (not a HEX editor, just a viewer).
- No special optimizations are currently implemented for handling very large files.
- Structure offsets are based on output from Kaitai. Kaitai doesn't fully support bit-field offsets, and therefore the GUI cannot accurately mark bit-field members.