capa-rules icon indicating copy to clipboard operation
capa-rules copied to clipboard
verified publisher icon mandiant

rule idea: zlib fast inflate

Open mike-hunhoff opened this issue 4 years ago • 1 comments

see source: https://github.com/madler/zlib/blob/master/contrib/masmx86/inffas32.asm

I've seen this code used in shellcode; we can hit on the hard-coded strings or the assembly itself.

strings:

  • Fast decoding Code from Chris Anderson
  • invalid literal/length code
  • invalid distance code
  • invalid distance too far back

mike-hunhoff avatar Nov 04 '21 19:11 mike-hunhoff

probably best to hit on the assembly 🚀

mike-hunhoff avatar Nov 04 '21 19:11 mike-hunhoff