Feature request: Support LZNT1 (de)compression used in Windows' RtlDecompressBuffer and NTFS

gchq / CyberChef

The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis

https://gchq.github.io/CyberChef

Apache License 2.0

29.46k stars 3.29k forks source link

Feature request: Support LZNT1 (de)compression used in Windows' RtlDecompressBuffer and NTFS #534

Open joseph-hannon opened 5 years ago

joseph-hannon commented 5 years ago

Summary

On Windows malware will often compress embedded shellcode/payloads and then use RtlDecompressBuffer to decompress it, with LZNT1 decompression. NTFS also uses this compression method. Here is an example of a pure Python implementation.

notdeclan commented 3 years ago

Agreed this would be nice

a3957273 commented 10 months ago

Reopening as #1675 only handles decompression, whereas this ticket also requests compression.