gchq/CyberChef
Voir sur GitHubFeature request: Support LZNT1 (de)compression used in Windows' RtlDecompressBuffer and NTFS
Open
#534 ouverte le 4 avr. 2019
help wantedoperation
Métriques du dépôt
- Stars
- (34 843 stars)
- Métriques de merge PR
- (Merge moyen 57j 13h) (62 PRs mergées en 30 j)
Description
Summary
On Windows malware will often compress embedded shellcode/payloads and then use RtlDecompressBuffer to decompress it, with LZNT1 decompression. NTFS also uses this compression method. Here is an example of a pure Python implementation.