xpress-huffman 0.1.0

Pure-Rust, panic-free decompressor for Microsoft Xpress-Huffman ([MS-XCA] §2.2.4, LZXPRESS_HUFFMAN) — the codec behind Win10+ prefetch (MAM), hiberfil.sys, SMB3 and registry-hive compression. Cross-platform, no Windows API.
Documentation
  • Coverage
  • 100%
    5 out of 5 items documented1 out of 3 items with examples
  • Size
  • Source code size: 86.71 kB This is the summed size of all the files inside the crates.io package for this release.
  • Documentation size: 219.69 kB This is the summed size of all files generated by rustdoc for all configured targets
  • Ø build duration
  • this release: 2s Average build duration of successful builds.
  • all releases: 2s Average build duration of successful builds in releases after 2024-10-23.
  • Links
  • SecurityRonin/xpress-huffman
    0 0 0
  • crates.io
  • Dependencies
  • Versions
  • Owners
  • h4x0r

xpress-huffman

Crates.io Docs.rs Rust 1.85+ License: Apache-2.0 Sponsor

CI unsafe forbidden Security advisories

Decompress Microsoft Xpress-Huffman (MS-XCA §2.2.4) anywhere — the codec behind Win10+ prefetch, hiberfil.sys, SMB3 and registry-hive compression — in pure, panic-free Rust with no Windows API.

// `compressed` is an LZXPRESS_HUFFMAN stream (e.g. a prefetch MAM payload after
// the 8-byte header); `size` is the decompressed length the container records.
let plain = xpress_huffman::decompress(compressed, size)?;

That's the whole surface: one function, no setup, #![no_std]-compatible.

Why this crate

Modern Windows compresses a lot with Xpress-Huffman (COMPRESSION_FORMAT_XPRESS_HUFF, value 4): Win8.1+ Prefetch (the MAM wrapper), hiberfil.sys, SMB3 transport compression, registry hive compression, and Windows Update payloads. Decoding it off-Windows usually means shelling out to RtlDecompressBufferEx — which only exists on Windows.

Algorithm Xpress-Huffman support? Decodes off-Windows?
xpress-huffman (this crate) Xpress-Huffman (MS-XCA §2.2.4) ✅ pure Rust, any platform
rust-lzxpress, xpress_rs plain LZXpress (COMPRESSION_FORMAT_XPRESS = 3) ❌ format 3 only
RtlDecompressBufferEx (Windows API) both ❌ Windows only

The existing Rust crates implement plain LZXpress (the LZNT-style LZ77 format, value 3). This crate implements the Huffman-coded variant (value 4) that the artifacts above actually use.

Trust, but verify

  • #![forbid(unsafe_code)], no unwrap/expect/panic in production paths — every length and offset read from the (untrusted) input is bounds-checked. A corrupt stream yields an Err, never a panic or out-of-bounds read.
  • #![no_std] (uses alloc); enable the std feature for a std::error::Error impl.
  • Validated against an independent decompressor. The decoder is a clean-room implementation of the MS-XCA algorithm; its output is confirmed byte-for-byte against Fox-IT's independent dissect.util decompressor on real Windows artifacts. See docs/validation.md.

Install

[dependencies]
xpress-huffman = "0.1"

Decoding a Windows prefetch payload

// A Win8.1+ prefetch file: `MAM\x04` + u32 decompressed size + the stream.
let size = u32::from_le_bytes(mam[4..8].try_into().unwrap()) as usize;
let scca = xpress_huffman::decompress(&mam[8..], size)?;
assert_eq!(&scca[4..8], b"SCCA");

(For full prefetch parsing — run counts, last-run times, loaded files — see the prefetch-forensic crate, which builds on this one.)

Privacy Policy · Terms of Service · © 2026 Security Ronin Ltd