gchq/CyberChef
在 GitHub 查看Feature request: Support LZNT1 (de)compression used in Windows' RtlDecompressBuffer and NTFS
Open
#534 创建于 2019年4月4日
help wantedoperation
仓库指标
- Star
- (34,843 star)
- PR 合并指标
- (平均合并 57天 13小时) (30 天内合并 62 个 PR)
描述
Summary
On Windows malware will often compress embedded shellcode/payloads and then use RtlDecompressBuffer to decompress it, with LZNT1 decompression. NTFS also uses this compression method. Here is an example of a pure Python implementation.