In diary entry "Analyzing Compressed PowerShell Scripts" and video "Video: Analyzing Compressed PowerShell Scripts" I show how to decompress ZLIB compressed data. Let me share some more info on ZLIB compressed data.

Compressing data with ZLIB is called deflating, and the algorithm is called DEFLATE. This data is structured according to RFC 1950: the first byte (0x78 in this example) is known as CMF (Compression Method and Flags). This byte is very often equal to 0x78. The 4 least significant bits identify the compression method (8 is DEFLATE and 15 is reserved); the 4 most significant bits encode the size of the window when the compression method is 8. This value is often 7 (32K window size).

My tool translate.py can be used, with function ZlibD (ZLIB Decompression), to decompress this data:
In my tool file-magic.py, I have some custom definitions to detect ZLIB compressed data (RFC1950):
And GZIP? That's RFC 1952. The content of a GZIP file looks like this:

The compressed data in this example is raw DEFLATE data, as specified in RFC 1951. I'll provide more details in an upcoming diary entry, but there are many tools to decompress GZIP files.
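As an added example (not code from translate.py or file-magic.py), the following Python decodes the RFC 1950 header fields described above (CM, CINFO, the FCHECK multiple-of-31 test), distinguishes ZLIB from GZIP (RFC 1952) by its magic bytes, and inflates ZLIB, GZIP, or raw DEFLATE (RFC 1951) data accordingly. The sample input is constructed in the block.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"   # RFC 1952 ID1, ID2


def parse_zlib_header(data):
    """Decode the RFC 1950 two-byte header (CMF, FLG); None if not valid ZLIB."""
    if len(data) < 2:
        return None
    cmf, flg = data[0], data[1]
    cm = cmf & 0x0F      # compression method: 4 least significant bits (8 = DEFLATE)
    cinfo = cmf >> 4     # window size info: 4 most significant bits (7 = 32K)
    # RFC 1950: CM must be 8, CINFO may not exceed 7, and CMF*256 + FLG must be
    # a multiple of 31 (the FCHECK bits of FLG are chosen to make this true).
    if cm != 8 or cinfo > 7 or (cmf * 256 + flg) % 31 != 0:
        return None
    return {
        "cm": cm,
        "window_size": 1 << (cinfo + 8),  # 2**(CINFO+8) bytes, so 7 -> 32768
        "fdict": bool(flg & 0x20),         # preset dictionary flag
        "flevel": flg >> 6,                # compression level hint, 0..3
    }


def identify(data):
    """Classify a blob as 'gzip' (RFC 1952), 'zlib' (RFC 1950) or 'unknown'."""
    if data[:2] == GZIP_MAGIC:
        return "gzip"
    if parse_zlib_header(data) is not None:
        return "zlib"
    return "unknown"


def decompress(data):
    """Inflate ZLIB, GZIP or, failing both, raw DEFLATE (RFC 1951) data."""
    kind = identify(data)
    if kind == "zlib":
        return zlib.decompress(data)                       # ZLIB wrapper
    if kind == "gzip":
        return zlib.decompress(data, zlib.MAX_WBITS | 16)  # GZIP wrapper
    return zlib.decompress(data, -zlib.MAX_WBITS)          # raw DEFLATE, no header


# Constructed sample: one plaintext compressed three ways.
SAMPLE = b"Write-Host 'hello from a compressed script'"
ZLIB_SAMPLE = zlib.compress(SAMPLE)    # begins with CMF 0x78
GZIP_SAMPLE = gzip.compress(SAMPLE)    # begins with 1f 8b
RAW_SAMPLE = ZLIB_SAMPLE[2:-4]         # strip 2-byte header and 4-byte Adler-32
```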
Didier Stevens, ISC Handler, Jul 29th 2019
Anonymous, Jul 30th 2019:

Thanks Didier, great work