gchq/CyberChef
GitHub で見るFeature request: Support LZNT1 (de)compression used in Windows' RtlDecompressBuffer and NTFS
Open
#534 opened on 2019年4月4日
help wantedoperation
Repository metrics
- Stars
- (34,843 stars)
- PR merge metrics
- (平均マージ 57d 13h) (30d で 62 merged PRs)
説明
Summary
On Windows malware will often compress embedded shellcode/payloads and then use RtlDecompressBuffer to decompress it, with LZNT1 decompression. NTFS also uses this compression method. Here is an example of a pure Python implementation.