Add support for LZNT1 decompression

Introduces support for LZNT1 decompression, commonly leveraged by malware through RtlDecompressBuffer (closes #534).

The decompression logic is ported from go-ntfs, the test data is similar to malduck's.

from: https://github.com/gchq/CyberChef/pull/1675

tests/node/tests/operations.mjs

@@ -635,6 +635,10 @@ WWFkYSBZYWRh\r
         assert.strictEqual(chef.keccak("Flea Market").toString(), "c2a06880b19e453ee5440e8bd4c2024bedc15a6630096aa3f609acfd2b8f15f27cd293e1cc73933e81432269129ce954a6138889ce87831179d55dcff1cc7587");
     }),
 
+    it("LZNT1 Decompress", () => {
+        assert.strictEqual(chef.LZNT1Decompress("\x1a\xb0\x00compress\x00edtestda\x04ta\x07\x88alot").toString(), "compressedtestdatacompressedalot");
+    }),
+
     it("MD6", () => {
         assert.strictEqual(chef.MD6("Head Over Heels", {key: "arty"}).toString(), "d8f7fe4931fbaa37316f76283d5f615f50ddd54afdc794b61da522556aee99ad");
     }),

tests/operations/index.mjs

@@ -64,6 +64,7 @@ import "./tests/JSONtoCSV.mjs";
 import "./tests/JWTDecode.mjs";
 import "./tests/JWTSign.mjs";
 import "./tests/JWTVerify.mjs";
+import "./tests/LZNT1Decompress.mjs";
 import "./tests/MS.mjs";
 import "./tests/Magic.mjs";
 import "./tests/Modhex.mjs";

tests/operations/tests/LZNT1Decompress.mjs

@@ -0,0 +1,22 @@
+/**
+ * LZNT1 Decompress tests.
+ *
+ * @author 0xThiebaut [thiebaut.dev]
+ * @copyright Crown Copyright 2023
+ * @license Apache-2.0
+ */
+import TestRegister from "../../lib/TestRegister.mjs";
+
+TestRegister.addTests([
+    {
+        name: "LZNT1 Decompress",
+        input: "\x1a\xb0\x00compress\x00edtestda\x04ta\x07\x88alot",
+        expectedOutput: "compressedtestdatacompressedalot",
+        recipeConfig: [
+            {
+                op: "LZNT1 Decompress",
+                args: []
+            }
+        ],
+    }
+]);