gchq/CyberChef

Feature request: Support LZNT1 (de)compression used in Windows' RtlDecompressBuffer and NTFS

Open

#534 aperta il 4 apr 2019

Vedi su GitHub
 (2 commenti) (10 reazioni) (0 assegnatari)JavaScript (3944 fork)batch import
help wantedoperation

Metriche repository

Star
 (34.843 star)
Metriche merge PR
 (Merge medio 57g 13h) (62 PR mergiate in 30 g)

Descrizione

Summary

On Windows malware will often compress embedded shellcode/payloads and then use RtlDecompressBuffer to decompress it, with LZNT1 decompression. NTFS also uses this compression method. Here is an example of a pure Python implementation.

Guida contributor