Gzip Decompression Via Pipes

A good friend asked me how to decompress a gzip compressed file, stored inside a McAfee quarantine file. On Linux, it’s simple, using the punbup.py tool. Like this:

punbup.py -f quarantine.bup | gzip -d

Option -f dumps the first file in the quarantine file to the pipe of gzip, which decompresses the file and dumps it to stdout.

On Windows, where you have no gzip (unless you use Cygwin or a similar solution), you can use my translate.py tool.

translate has 2 modes of operation: translate byte per byte, or translate the complete byte sequence in one go.

By default, translate operates in byte per byte mode. To operate on the complete byte sequence, you use option -f. The translation expression (a Python expression) needs to be a lambda function when you use option -f. It receives the complete byte sequence as argument, and must return the translated byte sequence. So we need to use the gzip Python module for decompression, and the StringIO Python module to operate in memory (and not with files). This is the lambda function (argument b is the byte sequence, e.g. the quarantined file):

lambda b: gzip.GzipFile(”, ‘r’, fileobj=StringIO(b)).read()

As translate does not import the gzip Python module (it does import the StringIO Python module however), we need to import it using option -e:

-e -“import gzip”

The complete command is:

punbup.py -f quarantine.bup | translate.py -e “import gzip” -f “lambda b: gzip.GzipFile(”, ‘r’, fileobj=StringIO(b)).read()”

Source: Didier Stevens @ May 3, 2017 at 07:00PM