Compression algorithms¶

aPLib¶

malduck.aplib(buf, length=None, headerless=False)¶

aPLib decompression

Changed in version 2.0: length argument is deprecated

from malduck import aplib

# Headerless compressed buffer
aplib(b'T\x00he quick\xecb\x0erown\xcef\xaex\x80jumps\xed\xe4veur`t?lazy\xead\xfeg\xc0\x00')
# Header included
aplib(b'AP32\x18\x00\x00\x00\r\x00\x00\x00\xbc\x9ab\x9b\x0b\x00\x00\x00\x85\x11J\rh8el\x8eo wnr\xecd\x00')

Parameters

buf (bytes) – Buffer to decompress
headerless (bool (default: True)) – Force headerless decompression (don’t perform ‘AP32’ magic detection)

Return type

bytes

gzip¶

malduck.gzip(buf)¶

gzip/zlib decompression

from malduck import gzip, unhex

# zlib decompression
gzip(unhex(b'789ccb48cdc9c95728cf2fca4901001a0b045d'))
# gzip decompression (detected by 1f8b08 prefix)
gzip(unhex(b'1f8b08082199b75a0403312d3100cb48cdc9c95728cf2fca49010085114a0d0b000000'))

Parameters: buf (bytes) – Buffer to decompress
Return type: bytes

lznt1 (RtlDecompressBuffer)¶

malduck.lznt1(buf)¶

Implementation of LZNT1 decompression. Allows to decompress data compressed by RtlCompressBuffer

from malduck import lznt1

lznt1(b"°compressedtestdataalot")

Parameters: buf (bytes) – Buffer to decompress
Return type: bytes

Compression algorithms¶

aPLib¶

gzip¶

lznt1 (RtlDecompressBuffer)¶

Table of Contents

Previous topic

Next topic

This Page