gchq/CyberChef
Auf GitHub ansehenFeature request: Support LZNT1 (de)compression used in Windows' RtlDecompressBuffer and NTFS
Open
#534 geöffnet am 4. Apr. 2019
help wantedoperation
Repository-Metriken
- Stars
- (34.843 Stars)
- PR-Merge-Metriken
- (Durchschn. Merge 57T 13h) (62 gemergte PRs in 30 T)
Beschreibung
Summary
On Windows malware will often compress embedded shellcode/payloads and then use RtlDecompressBuffer to decompress it, with LZNT1 decompression. NTFS also uses this compression method. Here is an example of a pure Python implementation.