|
In diary entry "Recognizing ZLIB Compression", I mention my tool file-magic.py: it's mainly a wrapper for command file (libmagic). By default, command file has no definitions to detect ZLIB detection, but my tool file-magic.py uses an additional file with custom definitions:
Take for example a ZLIB compressed stream in a PDF document:
As you can see, the stream starts with 0x78, an indication that this is ZLIB compression. Piping this stream in my file-magic.py tool helps identifying the unfiltered stream content:
Of course, if you don't want to use this tool, you can just integrate these ZLIB definitions in your own definition files. Didier Stevens |
DidierStevens 649 Posts ISC Handler Aug 4th 2019 |
| Thread locked Subscribe |
Aug 4th 2019 2 years ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
