Detecting ZLIB Compression, (Sun, Aug 4th)

In diary entry “Recognizing ZLIB Compression“, I mention that my tool is mainly a wrapper for the file command (libmagic).

By default, the file command has no definitions to detect ZLIB compression, but my tool uses an additional file with custom definitions:

Take for example a ZLIB compressed stream in a PDF document:

As you can see, the stream starts with byte 0x78, an indication that this is ZLIB compression.

Piping this stream into my tool helps identify the unfiltered stream content:

Of course, if you don’t want to use this tool, you can just integrate these ZLIB definitions in your own definition files.
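As an added example (not my tool and not its libmagic definitions), the following Python goes a step beyond the single 0x78 byte: it validates the full two-byte ZLIB header from RFC 1950 (compression method, window size, and the header checksum), then inflates the stream to recover the unfiltered content. The sample PDF content stream is constructed inline.

```python
import zlib
from typing import Optional

def zlib_header_info(data: bytes) -> Optional[dict]:
    """Return decoded RFC 1950 header fields, or None if this is not a ZLIB header."""
    if len(data) < 2:
        return None
    cmf, flg = data[0], data[1]
    cm = cmf & 0x0F       # compression method: 8 = deflate
    cinfo = cmf >> 4      # log2(window size) - 8, at most 7 (32 KiB window)
    if cm != 8 or cinfo > 7:
        return None
    # The 16-bit value CMF*256+FLG must be a multiple of 31 (FCHECK field).
    if (cmf * 256 + flg) % 31 != 0:
        return None
    return {
        "window_size": 1 << (cinfo + 8),
        "preset_dict": bool(flg & 0x20),   # FDICT bit, rarely set in PDF streams
        "level": flg >> 6,                 # FLEVEL: 0 fastest, 1 fast, 2 default, 3 best
    }

def unfilter(data: bytes) -> Optional[bytes]:
    """Inflate a ZLIB stream; return None when the data is not a valid stream."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None

# Constructed sample: a small PDF content stream as it would appear after FlateDecode filtering.
SAMPLE_CONTENT = b"BT /F1 12 Tf 72 712 Td (Hello) Tj ET\n"
SAMPLE_STREAM = zlib.compress(SAMPLE_CONTENT)   # default level -> header bytes 78 9C

if __name__ == "__main__":
    print("first byte:", hex(SAMPLE_STREAM[0]), zlib_header_info(SAMPLE_STREAM))
    print("unfiltered:", unfilter(SAMPLE_STREAM))
```

The four header pairs you see most often in practice (78 01, 78 5E, 78 9C, 78 DA) all pass the checksum test and differ only in the FLEVEL bits.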

Didier Stevens
Senior handler
Microsoft MVP

