Zero-Trust Sandboxed Extraction for macOS, Linux, & Windows.
專屬工程師與資安研究員的跨平台終極物理隔離解壓縮防護傘。
ZDefuser is a highly secure archive extraction tool built for engineers and security researchers. By combining unidirectional WebAssembly (Wasm) isolation technology with a hardened Native Rust backend, it analyzes and extracts .zip, .rar, .tar, and .tar.gz / .tgz files within a "purely physically isolated" Wasm sandbox, while safely routing highly-compressed .7z archives through a dedicated Native LZMA engine. This effectively blocks malicious payloads from penetrating or damaging the host system during the exact moment of decompression.
Traditional OS archiving tools run with full native file permissions, providing hackers a perfect window for exploitation. ZDefuser drops the payload into a strictly controlled environment (either a WASI sandbox or a hardened native thread)—completely cut off from networking and native OS calls. This "sterile extraction" guarantees immunity against 8 advanced threat vectors:
- 💣 Zip Bomb & CPU DoS Defusion: Enforces strict resource ratios (max 100x inflation / 100GB limits) and integrates Dynamic Compute Rationing (Dynamic Fuel) to intercept both volumetric memory exhaustion attacks and infinite-loop mathematical bombs.
- 🚫 Path Traversal Blocking: Drops any hazardous relative paths like
../../etc/passwdattempting to escape the sandbox and overwrite the system. - 🔗 Symlink Attack Isolation: Zero tolerance for illegal directory references and symbolic shortcuts, protecting host private keys and config files from stealthy exfiltration.
- 🛡 RCE / Buffer Overflow Immunity: Even if the internal extraction engine suffers a buffer overflow, it will only trigger a Wasm linear memory trap crash. It is physically impossible to penetrate the host.
- 🪟 Unicode Spoofing (RTLO) Protection: Sanitizes malicious Right-to-Left Override sequences inside paths, ensuring stealthy
invoice[RTLO]xcod.exefiles cannot be masqueraded as harmless.docxfiles. - 🔒 Executable Bit Stripping (Unix Only): Through the Layer-3 Release Gate, any stealthy
+xscript permissions implanted by attackers are forcibly stripped, downgrading malicious executables to harmless text chunks. - 🗄️ Encrypted Vector Neutralization: Safely handles AES-encrypted ZIPs and RARs. Even if an archive mandates a password and harbors malware, the decryption process and structural validation occur strictly within the quarantine zone.
- 🕵️ Network Leakage Prevention: WASI network sockets are entirely disabled. Extracted spyware physically cannot ping external command-and-control servers or exfiltrate data.
graph TD;
A[User Drops Archive] --> B(Tauri Backend: Commands Layer);
B -->|ZIP, RAR, TAR| C{WASI Sandbox Engine};
B -->|7Z Archive| N{Native Rust Engine};
C -->|Streaming I/O Extraction| D[Wasm Decompression];
N -->|Solid Block Decryption| D2[Native LZMA Router];
D --> E{Security Context Verification};
D2 --> E;
E -->|Zip Bomb / 100GB Bypass| F[Trap / Thread Abort];
E -->|RTLO / Symlink| F;
E -->|Clean Output| G[Virtual Output Directory];
F -->|Strict Error Validation| H[Abort & Destroy Env];
G --> I{Layer 2 Integrity Check};
I -->|Fails Global Limits| H;
I -->|Success| J[Stage for Release];
- Host: Tauri v2 (Rust)
- Isolated Virtual Machine (Sandbox): Wasmtime v29 (
wasm32-wasip1) - Frontend UI: React + TypeScript + Vite + Vanilla CSS (Dark minimal aesthetics featuring a Live Threat Telemetry Dashboard)
- Inter-process Communication: Async Tokio MPSC Channels
ZDefuser features an automated Third-Party License orchestration pipeline (generate_licenses.py) integrated into the build process, ensuring full compliance with underlying MIT/Apache dependencies.
Commercial & Enterprise Usage ZDefuser is distributed under a Dual License Strategy:
- Open Source (GNU AGPLv3): Free for personal use, hobbyists, and non-commercial research, provided you comply with the strong copyleft terms of the AGPLv3 (any server/backend deployment of this tool obligates you to open-source your entire surrounding architecture).
- Commercial Enterprise License: If your organization wishes to use ZDefuser internally, embed it in commercial products, or deploy it in a cloud backend without being forced to open-source your proprietary code, you must purchase a Commercial License Bypass. Please contact the maintainers for enterprise EULA details.
You can grab the latest pre-compiled binaries from the GitHub Releases page. We offer cross-platform support:
- Windows:
.exeand.msiinstallers. - Linux:
.AppImage(Portable) and.deb(Debian/Ubuntu) packages. - macOS:
.dmgbundles.
🍎 macOS Security Notice (Unsigned App): Because this application is not natively code-signed with an Apple Developer Certificate, Gatekeeper will block the app upon first launch with a warning like "App is damaged and can't be opened". To fix this: open your Terminal and run the following command to remove the quarantine attribute:
xattr -cr /Applications/ZDefuser.app
Ensure you have the Node.js and Rust toolchains (including the wasm32-wasip1 target) installed.
# 1. Clone the repository
git clone https://github.com/Cyber-Sec-Space/zdefuser.git
# 2. Install frontend dependencies
npm install
# 3. Prepare the WASM Sandbox environment
rustup target add wasm32-wasip1
cd wasm-sandbox
cargo build --target wasm32-wasip1 --release
cd ..
# 4. Kickstart developer mode
npm run tauri dev
⚠️ Developer Note:npm run tauri devautomatically recompiles the Rust host (ZDefuser), but it does not track or auto-compile the inner Wasm binary. If you modify any code inside/wasm-sandbox, you must manually re-runcargo build --target wasm32-wasip1 --releaseand touchwasm.rsbefore the host registers the sandbox changes!
Included with built-in realistic penetration verification payloads.
You can run the script python3 tests/generate_payloads.py to generate authentic malicious archives, including Zip Bombs, Path Traversals, and executable hijacks, and witness the defensive mechanisms in action via the UI interface.
"In a zero-trust world, even air doesn't pass verification without inspecting its atoms."
Audited securely by Snyk 🐶 - 0 Vulnerabilities Detected.
ZDefuser 是一款專為工程師與資安研究員打造的極端安全解壓縮工具。透過單向的 WebAssembly (Wasm) 隔離技術結合強化的原生 Rust 引擎,它能在「純粹物理隔離」的 Wasm 沙箱環境中提取 .zip, .rar, .tar 與 .tar.gz / .tgz 壓縮檔,並將高壓縮率的 .7z 檔案完美分流至專屬的原生 LZMA 引擎處理,徹底阻斷任何惡意 Payload 在解壓縮的瞬間穿透或破壞宿主系統。
傳統的作業系統解壓工具具備過高的原生檔案權限,這讓駭客有機可乘。ZDefuser 將檔案丟進受嚴格控制的環境(無網路的 WASI 沙箱或受限的原生執行緒)中進行「無菌抽取」,徹底免疫以下八大進階解壓縮威脅向量:
- 💣 解壓炸彈與 CPU 劫持防殺 (Zip Bomb & CPU DoS):雙效合一。採用硬性資源比例上限 (最高 100 倍膨脹) 防禦記憶體溢出,並搭配 動態算力配給制 (Dynamic Compute Rationing) 依據檔案大小發放精準的 Wasmtime 運算燃料指令配額,幾秒內自動絞殺無窮迴圈型邏輯炸彈。
- 🚫 目錄穿越 (Path Traversal):攔截所有
../../etc/passwd等企圖跳脫沙箱覆寫系統檔案的危險路徑。 - 🔗 符號連結 (Symlink) 隔離:對非法目錄參照與符號捷徑做到零容忍丟棄,防護主機私鑰與配置檔遭到無痕竊取。
- 🛡 任意代碼執行 (RCE/Buffer Overflow) 免疫:就算底層解壓涵式庫發生緩衝區溢位,也只會導致 Wasm 線性記憶體陷阱崩潰,物理上絕對無法滲透宿主機。
- 🪟 Unicode 視覺詐騙 (RTLO) 防護:過濾掉在檔名中安插的 U+202E 逆向反轉字元,讓偽裝成
.docx的惡意可執行檔原形畢露並強行拋棄。 - 🔒 剝除可執行權限 (Executable Bit Stripping - 限 Unix 系統):經過 Layer 3 釋放閘道 (Release Gate),駭客植入的隱形
+x可執行權限會被強制扒除,將腳本檔案降級為無害純文字。 - 🗄️ 加密向量中和 (Encrypted Vector Neutralization):完美安全處理附加密碼的 AES ZIP 與 RAR。即使解壓縮過程包含惡意負載或偽造的校驗碼,所有的解密運算與演算法審核皆強制關押在無菌隔離區內進行。
- 🕵️ 網路外洩阻隔 (No Network Leakage):徹底閹割 WASI 的網路通訊協定,從根源確保被解壓縮的間諜軟體絕對無法連回外部指令與控制 (C2) 伺服器傳送資料。
graph TD;
A[使用者拖曳壓縮包] --> B(Tauri 後端:指令層);
B -->|ZIP, RAR, TAR| C{WASI 沙箱執行環境};
B -->|7Z 壓縮檔| N{原生 Rust 引擎};
C -->|串流抽取| D[Wasm 解壓引擎];
N -->|固態區塊解密| D2[原生 LZMA 路由器];
D --> E{安全上下文審核};
D2 --> E;
E -->|發現 Zip 炸彈| F[觸發 Wasm 崩潰 / 執行緒中斷];
E -->|發現 RTLO/目錄穿越| F;
E -->|檢查通過| G[虛擬輸出區];
F -->|嚴格錯誤結算| H[強行中斷並銷毀環境];
G --> I{Layer 2 總體積稽核};
I -->|超過 100GB 上限| H;
I -->|合規| J[轉入待命區等待釋放];
- 宿主架構 (Host): Tauri v2 (Rust)
- 隔離虛擬機 (Sandbox): Wasmtime v29 (
wasm32-wasip1) - 使用者介面 (Frontend): React + TypeScript + Vite + Vanilla CSS (極黑幾何美學與即時威脅遙測儀表板)
- 通訊層: 異步 Tokio 管道 (Async MPSC Channels)
ZDefuser 專案內建了全自動化的第三方開源條款稽核系統 (generate_licenses.py),100% 滿足底層 MIT / Apache / BSD 套件的合規宣告要求。
商業與企業使用宣告 為了保護本專案的智慧財產權並提供企業級服務,ZDefuser 採用 「雙重授權 (Dual License) 戰略」:
- 開源授權 (GNU AGPLv3):對於個人開發者、學生、與非商業研究用途,您可以免費使用本專案。但請注意 AGPLv3 的極強傳染性——如果您將 ZDefuser 部署於企業後端或重製為服務 (SaaS),法律會強制要求您將貴公司的整合專案「全數開源」。
- 企業商業授權 (Commercial License):如果您是企業客戶,希望將 ZDefuser 部署於內部正式環境、整合進您的商用產品,且不願意將您公司的專屬商業機密代碼強制開源,您必須與作者聯繫並購買 商業授權合約 (Commercial License Bypass) 才能合法使用。
您可以直接前往專案的 GitHub Releases 頁面下載最新編譯完成的跨平台安裝包:
- Windows: 提供
.exe取代檔與.msi安裝檔。 - Linux: 提供
.AppImage(免安裝執行檔) 與.deb(Debian/Ubuntu)。 - macOS: 提供
.dmg映像安裝檔。
🍎 macOS 開啟失敗解決方案 (無數位憑證): 由於目前專案尚未掛載 Apple 開發者數位憑證 (Apple Developer Certificate),macOS 的安全機制 (Gatekeeper) 可能會跳出「檔案已損壞無法開啟」或「無法識別的開發者」的警告。 修復方法: 請開啟終端機 (Terminal),並執行以下指令來解除隔離屬性(假設您已拖曳至「應用程式」目錄):
xattr -cr /Applications/ZDefuser.app
首先確保您已安裝了 Node.js 與 Rust 工具鏈(含 wasm32-wasip1 target)。
# 1. 複製專案
git clone https://github.com/Cyber-Sec-Space/zdefuser.git
# 2. 安裝前端依賴
npm install
# 3. 準備 WASM 沙箱環境
rustup target add wasm32-wasip1
cd wasm-sandbox
cargo build --target wasm32-wasip1 --release
cd ..
# 4. 啟動開發者模式
npm run tauri dev
⚠️ 開發者注意事項:npm run tauri dev雖然會自動熱重載 Rust 宿主端 (ZDefuser),但它無法自動偵測並重新編譯深層的 Wasm 沙箱引擎。若您修改了/wasm-sandbox內的任何程式碼,必須手動重新執行cargo build --target wasm32-wasip1 --release並存檔觸發宿主重載,變更才會生效!
內建真實駭客測試包 (Penetration Verification Payloads):
您可以透過執行測試指令碼 python3 tests/generate_payloads.py,產生包含 Zip Bomb、Path Traversal 與可執行權限劫持的真實惡意壓縮包,並透過介面親自見證攔截防禦機制。
"In a zero-trust world, even air doesn't pass verification without inspecting its atoms." 「在零信任的世界裡,就連空氣也必須先檢驗過原子才能放行。」
Audited securely by Snyk 🐶 - 0 Vulnerabilities Detected.