gchq/CyberChef
Ver no GitHubFeature request: Support LZNT1 (de)compression used in Windows' RtlDecompressBuffer and NTFS
Open
#534 aberto em 4 de abr. de 2019
help wantedoperation
Métricas do repositório
- Stars
- (34.843 stars)
- Métricas de merge de PR
- (Mesclagem média 57d 13h) (62 fundiu PRs em 30d)
Description
Summary
On Windows malware will often compress embedded shellcode/payloads and then use RtlDecompressBuffer to decompress it, with LZNT1 decompression. NTFS also uses this compression method. Here is an example of a pure Python implementation.