gchq/CyberChef

Feature request: Support LZNT1 (de)compression used in Windows' RtlDecompressBuffer and NTFS

Open

#534 opened on 2019年4月4日

GitHub で見る
 (2 comments) (10 reactions) (0 assignees)JavaScript (3,944 forks)batch import
help wantedoperation

Repository metrics

Stars
 (34,843 stars)
PR merge metrics
 (平均マージ 57d 13h) (30d で 62 merged PRs)

説明

Summary

On Windows malware will often compress embedded shellcode/payloads and then use RtlDecompressBuffer to decompress it, with LZNT1 decompression. NTFS also uses this compression method. Here is an example of a pure Python implementation.

コントリビューターガイド