Didier Stevens

Thursday 4 May 2017

Gzip Decompression Via Pipes

Filed under: My Software — Didier Stevens @ 0:00

A good friend asked me how to decompress a gzip compressed file, stored inside a McAfee quarantine file. On Linux, it’s simple, using the punbup.py tool. Like this:

punbup.py -f quarantine.bup | gzip -d

Option -f dumps the first file in the quarantine file to the pipe of gzip, which decompresses the file and dumps it to stdout.

On Windows, where you have no gzip (unless you use Cygwin or a similar solution), you can use my translate.py tool.

translate has 2 modes of operation: translate byte per byte, or translate the complete byte sequence in one go.

By default, translate operates in byte per byte mode. To operate on the complete byte sequence, you use option -f. The translation expression (a Python expression) needs to be a lambda function when you use option -f. It receives the complete byte sequence as argument, and must return the translated byte sequence. So we need to use the gzip Python module for decompression, and the StringIO Python module to operate in memory (and not with files). This is the lambda function (argument b is the byte sequence, e.g. the quarantined file):

lambda b: gzip.GzipFile(”, ‘r’, fileobj=StringIO(b)).read()

As translate does not import the gzip Python module (it does import the StringIO Python module however), we need to import it using option -e:

-e -“import gzip”

The complete command is:

punbup.py -f quarantine.bup | translate.py -e “import gzip” -f “lambda b: gzip.GzipFile(”, ‘r’, fileobj=StringIO(b)).read()”


  1. […] Gzip Decompression Via Pipes […]

    Pingback by Overview of Content Published In May | Didier Stevens — Wednesday 7 June 2017 @ 0:15

  2. […] Yesterday I had to analyze a malicious document, carrying embedded PowerShell scripts with Gzip compression. I use translate.py to do the Gzib decompression as I explained in this blog post. […]

    Pingback by Update: translate.py Version 2.5.2 | Didier Stevens — Tuesday 30 January 2018 @ 0:00

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.