Detecting ZLIB Compression
In the diary entry "Recognizing ZLIB Compression", I mentioned my tool file-magic.py: it is mainly a wrapper around the file command (libmagic).
By default, the file command has no magic definitions for detecting ZLIB streams, but file-magic.py loads an additional file with custom definitions.
Take for example a ZLIB compressed (/FlateDecode) stream in a PDF document.
The stream starts with 0x78, an indication that this is ZLIB compression: 0x78 is the ZLIB CMF byte (compression method 8, deflate, with a 32 KB window). It is followed by the FLG byte, typically 0x01, 0x5E, 0x9C or 0xDA, chosen so that the 16-bit header is a multiple of 31. Check both bytes, not just the first one: on its own, 0x78 is also simply the ASCII character "x".
Piping this stream into my file-magic.py tool helps identify the unfiltered (decompressed) stream content.
Of course, if you don't want to use this tool, you can integrate these ZLIB definitions into your own magic definition files.
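As an added example (not code from the diary or from file-magic.py), the following Python script performs the same check by hand: it extracts stream bodies from a PDF fragment, validates the two-byte ZLIB header (CM, CINFO and the FCHECK multiple-of-31 rule from RFC 1950), and inflates the stream so the unfiltered content can be inspected. The PDF fragment is constructed inline and compressed with zlib at import time so the script runs offline; it goes slightly beyond the diary in that it accepts any valid CMF/FLG pair, not only 0x78 headers, and uses a streaming decompressor so a truncated stream still yields its leading bytes instead of an exception.

```python
import re
import zlib

# Constructed sample input: a minimal PDF fragment with one FlateDecode
# stream. The stream body is produced with zlib here (default level 6,
# which yields the familiar 78 9C header); it is not data from the diary.
SAMPLE_CONTENT = b"BT /F1 12 Tf 72 712 Td (Hello from a compressed stream) Tj ET"
_COMPRESSED = zlib.compress(SAMPLE_CONTENT)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"4 0 obj\n<< /Length " + str(len(_COMPRESSED)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _COMPRESSED
    + b"\nendstream\nendobj\n"
)

# Matches the body between the "stream" keyword and "endstream".
# Deliberately simple: it ignores /Length and does not handle the
# object-stream or encryption cases a full PDF parser would.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def find_streams(pdf: bytes) -> list:
    """Return the raw (still filtered) bodies of all streams in the data."""
    return [m.group(1) for m in STREAM_RE.finditer(pdf)]


def zlib_header(data: bytes):
    """Parse a ZLIB (RFC 1950) header. Returns a dict, or None if invalid.

    CMF: low nibble is CM (must be 8 = deflate), high nibble is CINFO
         (log2 of window size minus 8; must be <= 7).
    FLG: bits 0-4 FCHECK, bit 5 FDICT (preset dictionary), bits 6-7 FLEVEL.
    The pair is valid only if CMF*256 + FLG is a multiple of 31.
    """
    if len(data) < 2:
        return None
    cmf, flg = data[0], data[1]
    if cmf & 0x0F != 8:            # compression method other than deflate
        return None
    if cmf >> 4 > 7:               # window size larger than 32 KB is invalid
        return None
    if (cmf * 256 + flg) % 31 != 0:  # FCHECK failed: not a ZLIB header
        return None
    return {
        "cmf": cmf,
        "flg": flg,
        "window_size": 1 << ((cmf >> 4) + 8),
        "preset_dict": bool(flg & 0x20),
        "level": flg >> 6,         # 0 fastest, 1 fast, 2 default, 3 maximum
    }


def inflate(data: bytes) -> bytes:
    """Decompress a ZLIB stream, returning what could be recovered.

    A decompressobj is used instead of zlib.decompress so that a truncated
    stream (common in malformed or damaged PDFs) still returns the bytes
    that were decodable before the cut-off.
    """
    return zlib.decompressobj().decompress(data)


def analyze_pdf(pdf: bytes) -> list:
    """Report, per stream, whether it looks like ZLIB and a content preview."""
    results = []
    for body in find_streams(pdf):
        hdr = zlib_header(body)
        entry = {"raw_length": len(body), "header": hdr}
        if hdr is not None:
            plain = inflate(body)
            entry["inflated_length"] = len(plain)
            entry["preview"] = plain[:40]
        results.append(entry)
    return results


if __name__ == "__main__":
    for i, r in enumerate(analyze_pdf(SAMPLE_PDF)):
        print(f"stream {i}: {r}")
```

The header check is what a magic definition for ZLIB encodes as well: matching on 0x78 alone will also fire on any stream whose first byte happens to be the letter "x", so a definition should test the second byte (or the multiple-of-31 rule) too.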
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com