|| Author: tanMa || Back to articles ||
Compress Easy by tanMa (firstname.lastname@example.org) written for EOF-PROJECT (http://www.eof-project.net) Serbia, December of 2006. DESCRIPTION: This article is about compression and will be short as possible because I don't want to bother you. Just want, advert you on some un-documented functions of Windows NT/XP and Windows Server 2003 that are used by OS it-self for internal operations during compression and some MS utility programs for managing files with attribute "compressed". Functions were discovered in 2000. and I'm badly surprised that this is very first usage by virus writers. Functions are exported by ntdll.dll dynamic-linking library and exist on x86 and x64 editions of mentioned OSes, that is Microsoft implementation of Lempel-Ziv algorithm. I don't know about Windows Vista but I'm pretty sure Vista has those functions built-in. FUNCTIONS:
NTSTATUS RtlCompressBuffer ( USHORT CompressionFormatAndEngine, PUCHAR UncompressedBuffer, ULONG UncompressedBufferSize, PUCHAR CompressedBuffer, ULONG CompressedBufferSize, ULONG UncompressedChunkSize, PULONG FinalCompressedSize, PVOID WorkSpace ) Parameters: [in] CompressionFormatAndEngine Format of compression and level of compression, for correct values look at inside of WinNT.h under macro names COMPRESSION_FORMAT* and COMPRESSION_ENGINE* (eg. COMPRESSION_FORMAT_LZNT1 | COMPRESSION_ENGINE_STANDARD) [in] UncompressedBuffer The starting address of source buffer to be compressed [in] UncompressedBufferSize Size in bytes of source buffer [out] CompressedBuffer The starting address of destination buffer, where compressed data will be stored after compression [in] CompressedBufferSize Size of destination buffer [in] UncompressedChunkSize Put 0x1000. Probably means page size [out] FinalCompressedSize Size in bytes of data after compression [in] WorkSpace The starting address of internal buffer used during compression, beforehand established by RtlGetCompressionWorkSpaceSize Return values: Use NT_SUCCESS macro to determinate, failed or success
NTSTATUS RtlGetCompressionWorkSpaceSize ( USHORT CompressionFormatAndEngine, PULONG CompressBufferWorkSpaceSize, PULONG CompressFragmentWorkSpaceSize ) Parameters: [in] CompressionFormatAndEngine Look at RtlCompressBuffer description for more information [out] CompressBufferWorkSpaceSize You must allocate temporary internal buffer, buffer is used by RtlCompressBuffer. Buffer must have CompressBufferWorkSpaceSize bytes length. [out] CompressFragmentWorkSpaceSize Unknown. Return values: Use NT_SUCCESS macro to determinate, failed or success
NTSTATUS RtlDecompressBuffer ( USHORT CompressionFormat, PUCHAR UncompressedBuffer, ULONG UncompressedBufferSize, PUCHAR CompressedBuffer, ULONG CompressedBufferSize, PULONG FinalUncompressedSize ) Parameters: [in] CompressionFormat Look at RtlCompressBuffer description for more information, but looks like it is discarded. [out] UncompressedBuffer The starting address of destination buffer, where data will be stored after decompression [in] UncompressedBufferSize Size in bytes of destination buffer [in] CompressedBuffer The starting address of compressed buffer, data to be uncompressed [in] CompressedBufferSize Size of compressed buffer in bytes [out] FinalUncompressedSize Size of data in bytes after decompression Return values: Use NT_SUCCESS macro to determinate, failed or success
Ending: I'm sorry for example code not included (because lack of time) in this short article. I hope you'll find those functions useful, especially when implementing of your own compression / decompression engine isn't suitable, btw 'this' compression algorithm looks like is also used by NTFS for managing files with attribute 'compressed' . Thank you for your time.