Detecting ZLIB Compression, (Sun, Aug 4th)

In the diary entry “Recognizing ZLIB Compression“, I mention my tool; it’s mainly a wrapper for the file command (libmagic).

By default, the file command has no definitions to detect ZLIB compression, but my tool uses an additional file with custom definitions:

Take for example a ZLIB compressed stream in a PDF document:

As you can see, the stream starts with 0x78, an indication that this is ZLIB compression.

Piping this stream into my tool helps identify the unfiltered stream content:

Of course, if you don’t want to use this tool, you can just integrate these ZLIB definitions in your own definition files.
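As an added example (not part of this diary entry or of the author's tool), the following Python checks the two ZLIB header bytes the way a magic definition would: the leading byte 0x78 is the CMF byte (deflate, 32 KiB window), and the FCHECK rule of RFC 1950 (CMF*256 + FLG divisible by 31) makes the match much stronger than the single byte alone. The sample stream is constructed inline by compressing a small PDF content string.

```python
import zlib
from typing import Optional

def is_zlib_header(data: bytes) -> bool:
    """True if data starts with a structurally valid ZLIB header (RFC 1950)."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    if cmf & 0x0F != 8:          # CM (low nibble) must be 8 = deflate
        return False
    if (cmf >> 4) > 7:           # CINFO (high nibble) > 7 is invalid
        return False
    # FCHECK: the 16-bit value CMF*256 + FLG must be a multiple of 31
    return (cmf * 256 + flg) % 31 == 0

def describe_zlib_header(data: bytes) -> str:
    """Describe the header roughly as a libmagic rule would report it."""
    if not is_zlib_header(data):
        return "not a ZLIB stream"
    levels = ["fastest", "fast", "default", "best"]
    flevel = data[1] >> 6                 # FLEVEL: compression level hint
    window = 1 << ((data[0] >> 4) + 8)    # CINFO 7 -> 32768 byte window (0x78)
    return f"zlib compressed data, {levels[flevel]} compression, {window} byte window"

def inflate(data: bytes) -> Optional[bytes]:
    """Return the unfiltered content of a ZLIB stream, or None if it is not one."""
    if not is_zlib_header(data):
        return None
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None

# Constructed sample: a small PDF content stream, compressed at the default level.
SAMPLE_CONTENT = b"BT /F1 12 Tf 72 712 Td (Hello, ISC) Tj ET"
SAMPLE_STREAM = zlib.compress(SAMPLE_CONTENT)   # header bytes are 0x78 0x9c

if __name__ == "__main__":
    for label, blob in [("stream", SAMPLE_STREAM), ("pdf header", b"%PDF-1.7\n")]:
        print(f"{label}: first bytes {blob[:2].hex()} -> {describe_zlib_header(blob)}")
    print(inflate(SAMPLE_STREAM))
```

Random data still passes the FCHECK test about one time in 31, so treat a match as a hint to attempt decompression, not as proof; a successful inflate is the real confirmation.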

Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
