Malware Related > Tools of the trade / Internet News

Hiding Files In Images

(1/1)

Drusepth:
I wrote this guide for another site, I figure it could fit in here (while filling up empty space here), since it's "Everything Else.."


--- Quote ---

Hiding Files in Images
By Drusepth
08/13/07

Typical CYA:
You shouldn't use any information provided by this tutorial in any way to hide or disclose illegal or harmful material.  As the author, I'm not responsible for any caused by the use of this information.  With that being said, here we go:

The Tutorial:
This tutorial is a guide to merging RAR archives onto images.  Well, a more exact description would be that this tutorial teaches how to append the binary data of RAR archives to the end of PNG and JPG images.  To begin, we're going to create an original image to hold our secret archive.  Here we go:



Now that we have an image, we'll decide on an archive to bind to the image.  I'll create a simple winrar archive with one text document included.


--- Quote from: secret.txt ---This is a secret text file we're going to hide in our image.
--- End quote ---

This part of the guide is meant for Windows, and therefore the only tools you'll need are winrar and cmd.exe.  Note also, that although this should work on XP, it has only been tested on Vista.  Archive secret.txt to secret.rar.  We're going to open cmd.exe now, and start.  Upon loading cmd.exe, change directories to where your image and archive are stored.

--- Code: ---cd C:\Users\drusepth\encrypted\Desktop\hotdog\
--- End code ---

Now, we'll need to use the binary flag of windows' copy function.  The correct syntax is

--- Code: ---copy /b image.jpg+archive.rar new_image.jpg
--- End code ---
Note that \b will error out; you need to use /b.  So in our case, we're going to enter

--- Code: ---copy /b image.jpg+secret.rar new.jpg
--- End code ---
The image must come first, and the archive afterwards.  This is because when the image is opened with your image viewer, it will start reading for the image information from the beginning of the file until it reaches the end (where your rar archive is).  When a file is opened in winRAR, it will begin reading for the information where the Rar header is.  This allows us to successfully append rar information to the end of an image file.

Doubleclicking the produced hybrid image-rar will open it in your default image viewer - to view the hidden secret.txt, you'll need to point winRAR to your directory and choose to open new.jpg.


Go ahead and download the above image and open it up in your winrar..  It has secret.txt in it, with a tiny surprise.  :D

Flaws and Improvements
If you were to open the new image with a text viewer such as notepad, you will see the usual mumbo jumbo garbage that you see when opening any image with a similar program; although in this case, if you scroll to the end of the file, you will see

--- Quote ---Rar! ϐs 
       Bt / b   e   rƩa
73
     secret.txt
QP> _Ј _Fjړh/"G$ʗYG籨।T58z [Vr XU0R/4D+>1={ @
--- End quote ---
This could easily be overlooked by the simple person, but someone suspiciously looking for something like this could find Rar! and secret.txt rather quickly.

A spinoff of the above would be using

--- Code: ---copy /b image.jpg+secret.txt text.jpg
--- End code ---
to directly attach the text file to the image.  Now if you open the text.jpg in notepad, you'll see

--- Quote ---(
(
(
(
(
(
(
(
(
(?This is a secret text file we're going to hide in our image.
--- End quote ---

Also if you will notice, the main secret.txt and image.jpg filesizes were 1kb and 25kb, respectively.  If I add a few random programs to the secret.rar archive, eventually making it 8.3mb large and try to append it to the end of image.jpg, it also works fine - although an 8.3mb 591x480 image looks a bit fishy.

This technique can also be used for those pesky pron cutups that give you thirty-second clips at a time.  ;)

--- Code: ---copy /b clip1.mpg+clip2.mpg+clip3.mpg+clip4.mpg full_video.mpg
--- End code ---

This is steganography at it's most basic.. basicness.  Hiding things utilizing technology has always intrigued me, and I hope to have more advanced articles regarding the art of hiding information soon.

Linux Version:
Note: This was done and tested on Ubuntu Edgy Eft - I don't have other OS's here at the moment, so I'm interested to see how it works on other Linux distros.

First, place your image and secret.txt in the same directory.  What you should enter into the terminal is in bold and the response is normal.


--- Quote ---ls
  llama.jpg  secret.txt
zip secret.txt secret.zip
  adding: secret.zip (stored 0%)
ls
  llama.jpg  secret.txt  secret.zip
cat llama.jpg secret.zip > new.jpg

--- End quote ---
This last cat command will place the secret.zip information at the end of the new.jpg image.  According to my testing on Ubuntu, the only way to open the hidden file is with the following commands:

--- Quote ---ls
  new.jpg
unzip new.jpg
  Archive:  new.jpg
  warning [new.jpg]:  1417 extra bytes at beginning or within zipfile
    (attempting to process anyway)
  extracting: secret.txt
ls
  new.jpg  secret.txt

--- End quote ---
And

--- Code: ---nano secret.txt
--- End code ---

lets you read the text:

--- Quote from: secret.txt ---This is a secret message.
--- End quote ---
Any other way of opening new.jpg will open it as an image, effectively hiding secret.zip
--- End quote ---

Navigation

[0] Message Index

Go to full version