Threat Level: green Handler on Duty: Manuel Humberto Santander Pelaez

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Detecting ZLIB Compression

Published: 2019-08-04
Last Updated: 2019-08-04 20:07:05 UTC
by Didier Stevens (Version: 1)
0 comment(s)

In diary entry "Recognizing ZLIB Compression", I mention my tool file-magic.py: it's mainly a wrapper for command file (libmagic).

By default, command file has no definitions to detect ZLIB detection, but my tool file-magic.py uses an additional file with custom definitions:

Take for example a ZLIB compressed stream in a PDF document:

As you can see, the stream starts with 0x78, an indication that this is ZLIB compression.

Piping this stream in my file-magic.py tool helps identifying the unfiltered stream content:

Of course, if you don't want to use this tool, you can just integrate these ZLIB definitions in your own definition files.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: file zlib
0 comment(s)
Join us at SANS! Attend with Didier Stevens in starting
Diary Archives