
Improve compressed file handling #754

Open

stevebeattie opened this issue Jan 14, 2025 · 2 comments

Comments

@stevebeattie
Member

Recent work was done to handle compressed archives better, but there are still some issues where some compressed files are overlooked or report different results when extracted from a containing archive. A simple example of this is extracting the uncompressed ELF kernel binary out of a compressed vmlinuz image, like so (using current tip of malcontent 0ffa0db):

$ mal --format=simple analyze /boot/vmlinuz-6.8.0-51-generic | wc -l
9
$ /usr/src/linux-headers-6.8.0-51-generic/scripts/extract-vmlinux /boot/vmlinuz-6.8.0-51-generic > /tmp/vmlinux-6.8.0-51-generic
$ mal --format=simple analyze /tmp/vmlinux-6.8.0-51-generic | wc -l
139

Also, we should probably flag, either via yara rules or otherwise, situations where a file advertises it is one type of file (e.g. named something.gz, but it is some other file type).

@egibs
Member

egibs commented Jan 14, 2025

Good catch. I can hack around on vmlinuz extraction support, but TBD on how straightforward it will be since it's not a given that the given kernel will be entirely gzipped.

Agreed re: flagging inconsistent file extension/type. We can at least start with common mismatches (e.g., returning a more informative error if the extension is .gz but the Yara rule says it's actually something else).

@stevebeattie
Member Author

Good catch. I can hack around on vmlinuz extraction support, but TBD on how straightforward it will be since it's not a given that the given kernel will be entirely gzipped.

Yeah, it's tricky; the extract-vmlinux script does some ugly things looking for the various compression type headers.

But also, I'm seeing things where a .bz2 compressed file in a tar.gz seems to get ignored by current malcontent.
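As an added illustration (not part of this issue thread and not malcontent's own code), the following Go program shows the two checks discussed above: walking a .tar.gz and sniffing the leading bytes of every entry so that a .bz2 member is not overlooked, and flagging an entry whose extension advertises one compression format while its magic bytes show another. The magic table is the standard set of prefixes for gzip, xz, bzip2 and zstd, the same markers the extract-vmlinux script searches for; the extension-to-format mapping, the Finding type and the contents of the sample archive are assumptions made up for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"path"
	"strings"
)

// Standard magic prefixes of the compression formats a kernel payload can be wrapped in.
var magics = map[string][]byte{
	"gzip":  {0x1f, 0x8b, 0x08},
	"xz":    {0xfd, '7', 'z', 'X', 'Z', 0x00},
	"bzip2": []byte("BZh"),
	"zstd":  {0x28, 0xb5, 0x2f, 0xfd},
}

// Extensions that advertise one of those formats (mapping assumed for this example).
var extFormat = map[string]string{".gz": "gzip", ".tgz": "gzip", ".xz": "xz", ".bz2": "bzip2", ".zst": "zstd"}

// Sniff returns the format whose magic starts the buffer, or "" when none matches.
func Sniff(b []byte) string {
	for format, sig := range magics {
		if bytes.HasPrefix(b, sig) {
			return format
		}
	}
	return ""
}

// Finding is one archive entry worth a second look: advertised format, sniffed format, reason.
type Finding struct {
	Name, Expected, Actual, Kind string
}

// WalkTarGz unpacks a .tar.gz stream and sniffs the first bytes of every regular
// file, flagging nested compressed entries and extension/content mismatches.
func WalkTarGz(r io.Reader) (findings []Finding, err error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	tr := tar.NewReader(gz)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return findings, nil
		} else if err != nil {
			return nil, err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		head := make([]byte, 16)
		n, err := io.ReadFull(tr, head) // short entries give EOF/ErrUnexpectedEOF, which is fine
		if err != nil && err != io.EOF && err != io.ErrUnexpectedEOF {
			return nil, err
		}
		expected := extFormat[strings.ToLower(path.Ext(hdr.Name))]
		actual := Sniff(head[:n])
		if actual != "" {
			findings = append(findings, Finding{hdr.Name, expected, actual, "nested-compressed"})
		}
		if expected != "" && expected != actual {
			findings = append(findings, Finding{hdr.Name, expected, actual, "extension-mismatch"})
		}
	}
}

// BuildSample constructs an in-memory tar.gz with made-up contents: a text file, an entry
// named .bz2 that starts with the bzip2 magic (header bytes only, not a decodable stream),
// and a text file misleadingly named .gz.
func BuildSample() []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	add := func(name string, data []byte) {
		if err := tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(data)), Typeflag: tar.TypeReg}); err != nil {
			panic(err)
		}
		tw.Write(data) // backed by a bytes.Buffer, so this only fails if Size above is wrong
	}
	add("README.txt", []byte("nothing to see here\n"))
	add("inner/payload.bz2", append([]byte("BZh91AY&SY"), make([]byte, 32)...))
	add("notes.gz", []byte("plain text pretending to be gzip\n"))
	tw.Close()
	gz.Close()
	return buf.Bytes()
}

func main() {
	findings, err := WalkTarGz(bytes.NewReader(BuildSample()))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", findings)
}
```

Run it with `go run`; it reports the .bz2 member as a nested compressed entry and notes.gz as an extension mismatch. A real scanner would recurse into each flagged entry (decompressing bzip2 with compress/bzip2 and so on) instead of stopping at the 16-byte header, and would slide the same magic table across a vmlinuz image at every offset rather than only checking the start of the file.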
