Didier Stevens

Thursday 4 May 2017

Gzip Decompression Via Pipes

Filed under: My Software — Didier Stevens @ 0:00

A good friend asked me how to decompress a gzip compressed file, stored inside a McAfee quarantine file. On Linux, it’s simple, using the punbup.py tool. Like this:

punbup.py -f quarantine.bup | gzip -d

Option -f writes the first file in the quarantine file to stdout, which is piped into gzip; gzip decompresses it and writes the result to stdout.

On Windows, where you have no gzip (unless you use Cygwin or a similar solution), you can use my translate.py tool.

translate has 2 modes of operation: translate byte per byte, or translate the complete byte sequence in one go.

By default, translate operates in byte per byte mode. To operate on the complete byte sequence, you use option -f. The translation expression (a Python expression) needs to be a lambda function when you use option -f. It receives the complete byte sequence as argument, and must return the translated byte sequence. So we need to use the gzip Python module for decompression, and the StringIO Python module to operate in memory (and not with files). This is the lambda function (argument b is the byte sequence, e.g. the quarantined file):

lambda b: gzip.GzipFile('', 'r', fileobj=StringIO(b)).read()

As translate does not import the gzip Python module (it does import the StringIO Python module however), we need to import it using option -e:

-e "import gzip"

The complete command is:

punbup.py -f quarantine.bup | translate.py -e "import gzip" -f "lambda b: gzip.GzipFile('', 'r', fileobj=StringIO(b)).read()"
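To make the -f mode concrete, here is a small Python 3 stand-in for it, added as an illustration and not translate.py's own code: the whole piped input is one byte sequence handed to a lambda, an -e style import string is executed first, and the gzip magic is checked before decompression. Function names, the BytesIO substitute for StringIO, and the sample payload are assumptions of this example.

```python
import gzip
import io
import sys

# Hypothetical stand-in for translate.py's -f mode (added example, not translate.py code).
GZIP_MAGIC = b"\x1f\x8b"
SAMPLE_PLAINTEXT = b"constructed sample of a quarantined file\r\n"  # constructed test data


def is_gzip(data: bytes) -> bool:
    """Check the two-byte gzip magic before handing the data to the decompressor."""
    return data[:2] == GZIP_MAGIC


def translate_full(data: bytes, expression: str, imports: str = "") -> bytes:
    """Evaluate `expression` (a lambda taking bytes) on the complete input, like option -f.
    `imports` plays the role of option -e: statements run before the expression is evaluated."""
    namespace = {"BytesIO": io.BytesIO}  # the in-memory file class is pre-imported, as StringIO is in translate.py
    if imports:
        exec(imports, namespace)
    func = eval(expression, namespace)
    result = func(data)
    if not isinstance(result, (bytes, bytearray)):
        raise TypeError("translation lambda must return a byte sequence")
    return bytes(result)


# The blog post's lambda, with BytesIO in place of the Python 2 StringIO.
GUNZIP = "lambda b: gzip.GzipFile('', 'r', fileobj=BytesIO(b)).read()"


def gunzip_stream(data: bytes) -> bytes:
    """Decompress a gzip stream in memory; refuse input that is not gzip at all."""
    if not is_gzip(data):
        raise ValueError("input is not gzip compressed (no 1f 8b magic)")
    return translate_full(data, GUNZIP, imports="import gzip")


def sample_quarantined_payload() -> bytes:
    """Constructed stand-in for the first file dumped by punbup.py -f."""
    return gzip.compress(SAMPLE_PLAINTEXT)


def main() -> None:
    # Read the whole pipe in binary mode; sys.stdin.buffer avoids newline translation on Windows.
    raw = sys.stdin.buffer.read()
    sys.stdout.buffer.write(gunzip_stream(raw))


if __name__ == "__main__":
    main()
```

Run it as the right-hand side of the pipe (`punbup.py -f quarantine.bup | python gunzip_pipe.py`) to get the same result as the translate.py command above.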

2 Comments »

  1. […] Gzip Decompression Via Pipes […]

    Pingback by Overview of Content Published In May | Didier Stevens — Wednesday 7 June 2017 @ 0:15

  2. […] Yesterday I had to analyze a malicious document, carrying embedded PowerShell scripts with Gzip compression. I use translate.py to do the Gzip decompression as I explained in this blog post. […]

    Pingback by Update: translate.py Version 2.5.2 | Didier Stevens — Tuesday 30 January 2018 @ 0:00
