zipdump & PKZIP Records, (Sun, Nov 10th)

**Published**: 2024-11-10. **Last Updated**: 2024-11-10 15:14:06 UTC **by** [Didier Stevens](/handler_list.html#didier-stevens) (Version: 1)

In yesterday's diary entry '[zipdump & Evasive ZIP Concatenation](https://isc.sans.edu/diary/zipdump%20%26%20Evasive%20ZIP%20Concatenation/31426)' I showed how one can inspect the PKZIP records that make up a ZIP file.

My tool [zipdump.py](https://github.com/DidierStevens/DidierStevensSuite/blob/master/zipdump.py) can also inspect the data of PKZIP file records and decompress it (not decrypt it).

To select the data of a PKZIP file record, use option -s data. Here we also use option -a to produce a hex-ascii dump of the data:

![](https://isc.sans.edu/diaryimages/images/20241110-084718.png)

When option -d is used (to perform a binary dump), only the raw data is sent to stdout, with no other metadata:

![](https://isc.sans.edu/diaryimages/images/20241110-085753.png)

And when option -s decompress is used, the data is decompressed (only INFLATE is supported):

![](https://isc.sans.edu/diaryimages/images/20241110-085816.png)

These options can also be helpful for corrupt ZIP files.

Didier Stevens
Senior handler
[blog.DidierStevens.com](http://blog.DidierStevens.com)
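The three steps described above (select a PKZIP file record's data, hex-ascii dump it, inflate it) can be reproduced with a few lines of Python. The following is an added example written for this page; it is not zipdump.py's code and does not use zipdump's option names. It walks the local file header records ("PK\x03\x04") directly rather than trusting the central directory, which is why it still works on the constructed "corrupt" sample whose central directory has been cut off. Like zipdump's decompress selector it only handles STORED and DEFLATE, and it does not decrypt. The sample ZIP, the `corrupt_central_directory` helper and all function names are constructed for the example.

```python
import io
import struct
import zipfile
import zlib

LOCAL_FILE_HEADER_SIG = b"PK\x03\x04"
CENTRAL_DIR_HEADER_SIG = b"PK\x01\x02"


def build_sample_zip():
    """Constructed sample input: a two-member ZIP built in memory (not from the diary).
    One member is DEFLATEd (method 8), the other STORED (method 0)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hello.txt", "hello world, hello world, hello world\n")
        zf.writestr("stored.bin", b"\x00\x01\x02\x03", compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


def corrupt_central_directory(data):
    """Constructed damage: drop everything from the first central directory header on,
    so the ZIP has local file records but no central directory or end-of-central-directory."""
    return data[: data.find(CENTRAL_DIR_HEADER_SIG)]


def parse_local_file_records(data):
    """Walk the PKZIP local file header records in `data` and return one dict per record.
    Only the 30-byte local header is used, so a missing or corrupt central directory
    does not stop the walk. Records that use a data descriptor (flag bit 3) carry a
    compressed size of 0 in the local header and are not handled here."""
    records = []
    pos = 0
    while True:
        pos = data.find(LOCAL_FILE_HEADER_SIG, pos)
        if pos < 0 or pos + 30 > len(data):
            break
        (_sig, _version, flags, method, _mtime, _mdate, crc, csize, _usize,
         fname_len, extra_len) = struct.unpack("<4sHHHHHIIIHH", data[pos:pos + 30])
        name_start = pos + 30
        data_start = name_start + fname_len + extra_len
        raw_name = data[name_start:name_start + fname_len]
        # Flag bit 11 marks a UTF-8 filename; otherwise PKZIP names are CP437.
        name = raw_name.decode("utf-8" if flags & 0x800 else "cp437")
        records.append({
            "offset": pos,
            "name": name,
            "flags": flags,
            "method": method,
            "crc": crc,
            "csize": csize,
            "data": data[data_start:data_start + csize],
        })
        pos = data_start + csize  # skip over the data so signatures inside it are not matched
    return records


def hex_ascii_dump(blob, width=16):
    """Classic offset / hex / ASCII dump, one line per `width` bytes."""
    lines = []
    for offset in range(0, len(blob), width):
        chunk = blob[offset:offset + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{offset:08X}: {hexpart:<{width * 3 - 1}}  {asciipart}")
    return "\n".join(lines)


def decompress_record(rec):
    """Return the member's plaintext: raw bytes for STORED (0), inflated for DEFLATE (8).
    Encrypted members (flag bit 0) and other methods are rejected, not decrypted."""
    if rec["flags"] & 0x1:
        raise ValueError("record is encrypted; decryption is not supported")
    if rec["method"] == 0:
        return rec["data"]
    if rec["method"] == 8:
        # Negative wbits: a raw DEFLATE stream with no zlib header or trailer.
        return zlib.decompress(rec["data"], -15)
    raise ValueError(f"unsupported compression method {rec['method']}")


def verify_crc(rec):
    """Check the inflated data against the CRC-32 stored in the local file header."""
    return (zlib.crc32(decompress_record(rec)) & 0xFFFFFFFF) == rec["crc"]


if __name__ == "__main__":
    for label, blob in (("intact", build_sample_zip()),
                        ("no central directory", corrupt_central_directory(build_sample_zip()))):
        print(f"== {label} sample ({len(blob)} bytes)")
        for rec in parse_local_file_records(blob):
            print(f"record @ {rec['offset']:#06x} {rec['name']} method={rec['method']} "
                  f"csize={rec['csize']} crc_ok={verify_crc(rec)}")
            print(hex_ascii_dump(rec["data"]))          # the equivalent of '-s data -a'
            print(decompress_record(rec))               # the equivalent of '-s decompress'
```

The CRC check is the useful extra when triaging a damaged archive: if the local header's CRC matches the inflated data, that member's data survived intact even though the central directory did not.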

Blog: SANS Internet Storm Center
