Detecting ZLIB Compression

Published: 2019-08-04
Last Updated: 2019-08-04 20:07:05 UTC
by Didier Stevens (Version: 1)
0 comment(s)

In diary entry "Recognizing ZLIB Compression", I mention my tool file-magic.py: it's mainly a wrapper for command file (libmagic).

By default, command file has no definitions to detect ZLIB detection, but my tool file-magic.py uses an additional file with custom definitions:

Take for example a ZLIB compressed stream in a PDF document:

As you can see, the stream starts with 0x78, an indication that this is ZLIB compression.

Piping this stream in my file-magic.py tool helps identifying the unfiltered stream content:

Of course, if you don't want to use this tool, you can just integrate these ZLIB definitions in your own definition files.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: file zlib
0 comment(s)

Comments

cwqwqwq

www

Nov 17th 2022
1 week ago

eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>

EEW

Nov 17th 2022
1 week ago

WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]

qwq

Nov 17th 2022
1 week ago

dwqqqwqwq mashood

mashood

Nov 17th 2022
1 week ago

[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)

isc.sans.edu

Nov 23rd 2022
1 week ago

[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]

isc.sans.edu

Nov 23rd 2022
1 week ago

Login here to join the discussion.


Diary Archives