Copy file name to clipboardExpand all lines: src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md
+61-1Lines changed: 61 additions & 1 deletion
@@ -64,6 +64,9 @@ Heuristic: If an APK installs and runs on-device but core entries appear "encryp
Fix by clearing GPBF bit 0 in both Local File Headers (LFH) and Central Directory (CD) entries. Minimal byte-patcher:
+
<details>
+
<summary>Minimal GPBF bit-clear patcher</summary>
+
```python
# gpbf_clear.py – clear encryption bit (bit 0) in ZIP local+central headers
import struct, sys
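Review bot: the markdown fence that follows `</summary>` only renders inside a `<details>` block when a blank line separates them; the added empty line at 69 does that, so keep it when this is rebased. Since the patcher is now collapsed, consider naming the script in the summary text (e.g. "Minimal GPBF bit-clear patcher (gpbf_clear.py)") so the file name is visible without expanding the block.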
@@ -95,6 +98,8 @@ if __name__ == '__main__':
print(f'Patched: LFH={p_lfh}, CDH={p_cdh}')
```
+
</details>
+
Usage:
```bash
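Review bot: the "Usage:" paragraph and its bash block stay outside the collapsed `<details>`, so a reader who never expands the block sees usage instructions for a script they have not been shown. Either move "Usage:" and the bash fence inside the details (before the `</details>` added at 101) or reference the script name in the usage text. The blank line added at 102 before "Usage:" is correct and should stay so the HTML block and the following markdown paragraph are separated.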
@@ -171,11 +176,66 @@ Blue-team detection ideas:
---
+
## Other malicious ZIP tricks (2024–2025)
+
+
### Concatenated central directories (multi-EOCD evasion)
+
+
Recent phishing campaigns ship a single blob that is actually **two ZIP files concatenated**. Each has its own End of Central Directory (EOCD) + central directory. Different extractors parse different directories (7zip reads the first, WinRAR the last), letting attackers hide payloads that only some tools show. This also bypasses basic mail gateway AV that inspects only the first directory.
+
+
**Triage commands**
+
+
```bash
+
# Count EOCD signatures
+
binwalk -R "PK\x05\x06" suspect.zip
+
# Dump central-directory offsets
+
zipdetails -v suspect.zip | grep -n "End Central"
+
```
+
+
If more than one EOCD appears or there is "data after payload" warnings, split the blob and inspect each part:
+
+
```bash
+
# recover the second archive (heuristic: start at second EOCD offset)
Modern "better zip bomb" builds a tiny **kernel** (highly compressed DEFLATE block) and reuses it via overlapping local headers. Every central directory entry points to the same compressed data, achieving >28M:1 ratios without nesting archives. Libraries that trust central directory sizes (Python `zipfile`, Java `java.util.zip`, Info-ZIP prior to hardened builds) can be forced to allocate petabytes.
+
+
**Quick detection (duplicate LFH offsets)**
+
+
```python
+
# detect overlapping entries by identical relative offsets
+
import struct, sys
+
buf=open(sys.argv[1],'rb').read()
+
off=0; seen=set()
+
whileTrue:
+
i = buf.find(b'PK\x01\x02', off)
+
if i<0: break
+
rel = struct.unpack_from('<I', buf, i+42)[0]
+
if rel in seen:
+
print('OVERLAP at offset', rel)
+
break
+
seen.add(rel); off = i+4
+
```
+
225
+
**Handling**
+
- Perform a dry-run walk: `zipdetails -v file.zip | grep -n "Rel Off"` and ensure offsets are strictly increasing and unique.
+
- Cap accepted total uncompressed size and entry count before extraction (`zipdetails -t` or custom parser).
+
- When you must extract, do it inside a cgroup/VM with CPU+disk limits (avoid unbounded inflation crashes).
-[ZIP File Format Specification (PKWARE APPNOTE.TXT)](https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT)
+
-[Hackers bury malware in new ZIP file attack — concatenated ZIP central directories](https://www.tomshardware.com/tech-industry/cyber-security/hackers-bury-malware-in-new-zip-file-attack-combining-multiple-zips-into-one-bypasses-antivirus-protections)
+
-[Understanding Zip Bombs: overlapping/quoted-overlap kernel construction](https://ubos.tech/news/understanding-zip-bombs-construction-risks-and-mitigation-2/)
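Review bot: the duplicate-LFH-offset detector at 215 does not run as written: `whileTrue:` is a syntax error and must be `while True:`. Once fixed, two caveats worth a comment in the snippet: the 4-byte field read at `i+42` is the relative offset of the local header only for non-ZIP64 entries (a ZIP64 entry stores 0xFFFFFFFF there and the real offset in its extra field, so a ZIP64 archive with several entries would all share the sentinel and report a false "OVERLAP"); and comparing offsets for equality catches the identical-offset layout the text describes but not partially overlapping ranges, which is why the "strictly increasing and unique" walk under "Handling" is the stronger check. In the triage prose at 194, "there is 'data after payload' warnings" should read "the extractor emits a 'data after payload' warning". The new reference entries at 237-239 are written as `-[...]` with no space after the hyphen, so markdown will not render them as list items; use `- [...]`.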