gchq/CyberChef
Vedi su GitHubFeature request: Support LZNT1 (de)compression used in Windows' RtlDecompressBuffer and NTFS
Open
#534 aperta il 4 apr 2019
help wantedoperation
Metriche repository
- Star
- (34.843 star)
- Metriche merge PR
- (Merge medio 57g 13h) (62 PR mergiate in 30 g)
Descrizione
Summary
On Windows malware will often compress embedded shellcode/payloads and then use RtlDecompressBuffer to decompress it, with LZNT1 decompression. NTFS also uses this compression method. Here is an example of a pure Python implementation.