gchq/CyberChef

Feature request: Support LZNT1 (de)compression used in Windows' RtlDecompressBuffer and NTFS

Open

#534 创建于 2019年4月4日

在 GitHub 查看
 (2 评论) (10 反应) (0 负责人)JavaScript (3,944 fork)batch import
help wantedoperation

仓库指标

Star
 (34,843 star)
PR 合并指标
 (平均合并 57天 13小时) (30 天内合并 62 个 PR)

描述

Summary

On Windows malware will often compress embedded shellcode/payloads and then use RtlDecompressBuffer to decompress it, with LZNT1 decompression. NTFS also uses this compression method. Here is an example of a pure Python implementation.

贡献者指南