Add support for LZNT1 decompression

Introduces support for LZNT1 decompression, commonly leveraged by malware through RtlDecompressBuffer (closes #534). The decompression logic is ported from go-ntfs, the test data is similar to malduck's. from: https://github.com/gchq/CyberChef/pull/1675
2025-05-10 16:25:01 -04:00 · 2023-12-27 12:41:09 +00:00 · 2023-12-27 12:41:09 +00:00 · cc86650786
commit cc86650786
parent d7448c329f
6 changed files with 158 additions and 1 deletions
--- a/tests/operations/index.mjs
+++ b/tests/operations/index.mjs
@ -64,6 +64,7 @@ import "./tests/JSONtoCSV.mjs";
 import "./tests/JWTDecode.mjs";
 import "./tests/JWTSign.mjs";
 import "./tests/JWTVerify.mjs";
+import "./tests/LZNT1Decompress.mjs";
 import "./tests/MS.mjs";
 import "./tests/Magic.mjs";
 import "./tests/Modhex.mjs";
--- a/tests/operations/tests/LZNT1Decompress.mjs
+++ b/tests/operations/tests/LZNT1Decompress.mjs
@ -0,0 +1,22 @@
+/**
+ * LZNT1 Decompress tests.
+ *
+ * @author 0xThiebaut [thiebaut.dev]
+ * @copyright Crown Copyright 2023
+ * @license Apache-2.0
+ */
+import TestRegister from "../../lib/TestRegister.mjs";
+
+TestRegister.addTests([
+    {
+        name: "LZNT1 Decompress",
+        input: "\x1a\xb0\x00compress\x00edtestda\x04ta\x07\x88alot",
+        expectedOutput: "compressedtestdatacompressedalot",
+        recipeConfig: [
+            {
+                op: "LZNT1 Decompress",
+                args: []
+            }
+        ],
+    }
+]);