gchq/CyberChef

Feature request: Support LZNT1 (de)compression used in Windows' RtlDecompressBuffer and NTFS

Open

#534 opened on Apr 4, 2019

View on GitHub
 (2 comments) (10 reactions) (0 assignees)JavaScript (3,944 forks)batch import
help wantedoperation

Repository metrics

Stars
 (34,843 stars)
PR merge metrics
 (Avg merge 57d 13h) (62 merged PRs in 30d)

Description

Summary

On Windows malware will often compress embedded shellcode/payloads and then use RtlDecompressBuffer to decompress it, with LZNT1 decompression. NTFS also uses this compression method. Here is an example of a pure Python implementation.

Contributor guide