Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Detecting ZLIB Compression SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Detecting ZLIB Compression

In diary entry "Recognizing ZLIB Compression", I mention my tool file-magic.py: it's mainly a wrapper for command file (libmagic).

By default, command file has no definitions to detect ZLIB detection, but my tool file-magic.py uses an additional file with custom definitions:

Take for example a ZLIB compressed stream in a PDF document:

As you can see, the stream starts with 0x78, an indication that this is ZLIB compression.

Piping this stream in my file-magic.py tool helps identifying the unfiltered stream content:

Of course, if you don't want to use this tool, you can just integrate these ZLIB definitions in your own definition files.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

398 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!