Compression algorithms

aPLib

malduck.aplib(buf: bytes, headerless: bool = True) → bytes | None

aPLib decompression

from malduck import aplib

# Headerless compressed buffer
aplib(b'T\x00he quick\xecb\x0erown\xcef\xaex\x80jumps\xed\xe4veur`t?lazy\xead\xfeg\xc0\x00')
# Header included
aplib(b'AP32\x18\x00\x00\x00\r\x00\x00\x00\xbc\x9ab\x9b\x0b\x00\x00\x00\x85\x11J\rh8el\x8eo wnr\xecd\x00')

Parameters:

• buf (bytes) – Buffer to decompress

• headerless (bool (default: True)) – Force headerless decompression (don’t perform ‘AP32’ magic detection)

Return type:

bytes

gzip

malduck.gzip(buf: bytes) → bytes

gzip/zlib decompression

from malduck import gzip, unhex

# zlib decompression
gzip(unhex(b'789ccb48cdc9c95728cf2fca4901001a0b045d'))
# gzip decompression (detected by 1f8b08 prefix)
gzip(unhex(b'1f8b08082199b75a0403312d3100cb48cdc9c95728cf2fca49010085114a0d0b000000'))

Parameters:

buf (bytes) – Buffer to decompress

Return type:

bytes

lznt1 (RtlDecompressBuffer)

malduck.lznt1(buf: bytes) → bytes

Implementation of LZNT1 decompression. Allows to decompress data compressed by RtlCompressBuffer

from malduck import lznt1

lznt1(b"°compressedtestdataˆalot")

Parameters:

buf (bytes) – Buffer to decompress

Return type:

bytes