
Feature request: Support LZNT1 (de)compression used in Windows' RtlDecompressBuffer and NTFS

Open joseph-hannon opened this issue 6 years ago • 2 comments

Summary

On Windows, malware will often compress embedded shellcode/payloads and then use RtlDecompressBuffer to decompress it, with LZNT1 decompression. NTFS also uses this compression method. Here is an example of a pure Python implementation.

joseph-hannon, Apr 04 '19 15:04

Agreed this would be nice

notdeclan, May 02 '21 18:05

Reopening as #1675 only handles decompression, whereas this ticket also requests compression.

a3957273, Feb 03 '24 13:02
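
An added example, not part of the issue thread and not CyberChef's code: a small LZNT1 decompressor in Python of the kind the summary asks for, useful for unpacking a buffer an analyst has already carved out of a sample or an NTFS stream. The function names and the two hand-built sample streams are assumptions made for this example.

```python
import struct

def lznt1_decompress(data: bytes) -> bytes:
    """Decompress an LZNT1 stream; raise ValueError on malformed input."""
    out, pos = bytearray(), 0
    while pos + 2 <= len(data):
        (header,) = struct.unpack_from("<H", data, pos)
        if header == 0:  # all-zero header: end of stream
            break
        if (header >> 12) & 7 != 3:
            raise ValueError(f"bad chunk signature at offset {pos}")
        end = pos + 3 + (header & 0xFFF)  # size field = chunk length - 3
        if end > len(data):
            raise ValueError(f"chunk at offset {pos} is truncated")
        if header & 0x8000:  # top bit set: chunk is compressed
            _expand_chunk(data, pos + 2, end, out)
        else:  # chunk stored as raw bytes
            out += data[pos + 2:end]
        pos = end
    return bytes(out)

def _expand_chunk(data, pos, end, out):
    start = len(out)  # back-references never reach before this chunk
    while pos < end:
        flags, pos = data[pos], pos + 1  # one flag bit per following item
        for bit in range(8):
            if pos >= end:
                break
            if not (flags >> bit) & 1:  # flag bit 0: literal byte
                out.append(data[pos])
                pos += 1
                continue
            if pos + 2 > end:
                raise ValueError("truncated copy token")
            (token,) = struct.unpack_from("<H", data, pos)
            pos += 2
            written = len(out) - start
            # The offset/length bit split shifts as the chunk grows.
            length_bits = 12 - max(0, (written - 1).bit_length() - 4)
            offset = (token >> length_bits) + 1
            length = (token & ((1 << length_bits) - 1)) + 3
            if offset > written or written + length > 4096:  # 4 KiB chunks
                raise ValueError("copy token points outside its chunk")
            for _ in range(length):  # byte-wise: source and target may overlap
                out.append(out[-offset])

# Constructed samples, built by hand for this example (not from a real payload).
SAMPLE_REPEAT = bytes.fromhex("05b0 08 616263 0620")    # b"abcabcabcabc"
SAMPLE_SPLIT = bytes.fromhex("06b0 0c 6162 0d10 0110")  # 11-bit length token
```

The bounds checks matter when the input comes from an untrusted sample: a copy token that reaches before the start of its chunk, or a chunk header that runs past the buffer, raises `ValueError` instead of producing garbage.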