Data Hiding/Embedding
Parchivist (Talk | contribs) |
Parchivist (Talk | contribs) |
||
| (45 intermediate revisions by one user not shown) | |||
| Line 21: | Line 21: | ||
This can work with [[JPEG]], [[GIF]], [[MP3]], some executables and more | This can work with [[JPEG]], [[GIF]], [[MP3]], some executables and more | ||
| + | |||
=== Links === | === Links === | ||
| − | * [[ | + | * [[BDV DataHider]] |
| + | * [[Camouflage]] | ||
| + | * [[Cloak]] | ||
| + | * [[Clotho]] | ||
| + | * [[Data Stash]] | ||
| + | * [[Data Stealth]] | ||
| + | * [[DeEgger Embedder]] | ||
| + | * [[FileStegano]] | ||
| + | * [[GRL RealHidden]] | ||
| + | * [[HideMyFile]] | ||
| + | * [[Hider]] | ||
| + | * [[Hiderman]] | ||
| + | * [[Masker]] | ||
| + | * [[Max File Encryption]] (formerly X-EXE) | ||
| + | * [[OmniHide PRO]] | ||
* [[Our Secret]] (formerly Pipisoft Steganography) | * [[Our Secret]] (formerly Pipisoft Steganography) | ||
| + | * [[Pretty Good Envelope (PGE)]] | ||
| + | * [[Safe & Quick Hide Files and Folders (SQHideFile)]] (aka Secure Box) | ||
| + | * [[Smuggle Bus]] - more sophisticated file appending | ||
| + | * [[Steganofile]] | ||
| + | * [[StegoMagic (MrMugiwara)]] | ||
| + | * [[StegoStick]] | ||
| + | * [[Xidie Security Suite]] | ||
| + | * [https://web.archive.org/web/20081210084707/http://googlebordello.crushhumanity.org/jpgrar.html JPGRAR lore] | ||
| Line 37: | Line 60: | ||
* [https://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html Malware Hidden Inside JPG EXIF Headers] | * [https://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html Malware Hidden Inside JPG EXIF Headers] | ||
* [[GG-AESY]] - implements both methods of hiding data | * [[GG-AESY]] - implements both methods of hiding data | ||
| + | * [[Jpeginsert]] - uses the quantization tables | ||
| + | * [[JPegX]] - functions like a generic appender, but limited to txt messages in JPEG | ||
| + | * [[Invisible Secrets]] - hidden data in the comment field at the beginning of the JPEG file | ||
* [https://www.provos.org/p/detection-with-stegdetect/ Stegdetect] - detects data at the end of JPEG files hidden with tools like [[appendX]] or [[camouflage]]. | * [https://www.provos.org/p/detection-with-stegdetect/ Stegdetect] - detects data at the end of JPEG files hidden with tools like [[appendX]] or [[camouflage]]. | ||
| + | |||
| + | |||
| + | |||
| + | == [[PNG]] == | ||
| + | |||
| + | |||
| + | === Links === | ||
| + | * [[Invisible Secrets]] - hidden data in the comment field at the end of the PNG file | ||
| + | * [[tweetable-polyglot-png]] | ||
| + | |||
| Line 45: | Line 81: | ||
=== Links === | === Links === | ||
* [[js-bmp-packer]] - combine js code and a bmp file into a file that can be viewed as an image and run as code | * [[js-bmp-packer]] - combine js code and a bmp file into a file that can be viewed as an image and run as code | ||
| + | * [[Z-File Camouflage/Encryption System]] | ||
| + | |||
| + | |||
| + | |||
| + | == [[MP3]] == | ||
| + | |||
| + | |||
| + | MP3 files are fairly tolerant of random data being added to the file, and not just the end, but also the beginning. | ||
| + | |||
| + | Hence wrapping an MP3 in a zip/rar with no compression will still be playable. | ||
| + | |||
| + | See also: [[MP3 wrapper]] | ||
| + | |||
| + | |||
| + | |||
| + | == Video == | ||
| + | |||
| + | |||
| + | === Links === | ||
| + | * [[TCStego]] - hides TrueCrypt/VeraCrypt volumes in [[QuickTime]], [[MP4]], or [[3GP]] | ||
| + | |||
| + | |||
| + | |||
| + | == [[ZIP]] == | ||
| + | |||
| + | |||
| + | === Links === | ||
| + | * [[Zipped Steganography]] | ||
| + | * [https://www.codeproject.com/Messages/1453994/A-few-thoughts Discussion of more ways to hide data in Zip files] | ||
| + | |||
| + | |||
| + | |||
| + | == [[GZIP]] == | ||
| + | |||
| + | |||
| + | === Links === | ||
| + | * [[GZSteg]] | ||
| + | |||
| + | |||
| + | |||
| + | == [[Office Open XML]] == | ||
| + | |||
| + | Office XML (Microsoft Office 2007+ DOCX, XLSX, PPTX, etc) files are just [[ZIP]] files with other files inside. If you don't care about the file opening successfully afterwards, you can just add anything you want in there. | ||
| + | |||
| + | To get the file to open, you'll need to edit [Content_Types].xml so office programs don't complain about a corrupted file. | ||
| + | |||
| + | If you save any changes in the Office document after you hide a file, the embedded file will be lost. | ||
| + | |||
| + | |||
| + | === Links === | ||
| + | |||
| + | * [[Office XML Steganography Tool]] | ||
| + | * [[Steganography for OfficeXML file]] | ||
| + | * [[Xidie Security Suite]] | ||
| + | |||
| + | |||
| + | |||
| + | == [[Microsoft Compound File]] == | ||
| + | |||
| + | Older Microsoft Office files | ||
| + | |||
| + | |||
| + | === Links === | ||
| + | * [[Merge Streams]] | ||
| + | |||
| Line 62: | Line 163: | ||
=== Links === | === Links === | ||
* [https://stackoverflow.com/questions/27075859/steganography-hiding-data-in-pdf-files Discussion of hiding spots in PDF] | * [https://stackoverflow.com/questions/27075859/steganography-hiding-data-in-pdf-files Discussion of hiding spots in PDF] | ||
| + | * [[wbStego]] | ||
| + | * [[Xidie Security Suite]] | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| Line 90: | Line 183: | ||
They can also be opened directly in notepad:<br> | They can also be opened directly in notepad:<br> | ||
notepad test.txt:stream | notepad test.txt:stream | ||
| + | |||
=== Links === | === Links === | ||
| Line 97: | Line 191: | ||
* [https://www.nirsoft.net/utils/alternate_data_streams.html Nirsoft AlternateStreamView] - find/view/copy/delete NTFS Alternate Data Streams | * [https://www.nirsoft.net/utils/alternate_data_streams.html Nirsoft AlternateStreamView] - find/view/copy/delete NTFS Alternate Data Streams | ||
* [https://github.com/RichardD2/NTFS-Streams NTFS Streams] - A .NET library for working with alternate data streams on NTFS file systems. | * [https://github.com/RichardD2/NTFS-Streams NTFS Streams] - A .NET library for working with alternate data streams on NTFS file systems. | ||
| + | * [[Xidie Security Suite]] | ||
| + | |||
| + | |||
| + | |||
| + | == Unused Disk Space == | ||
| + | |||
| + | |||
| + | === Links === | ||
| + | * [[BDV DataHider]] | ||
| + | * [[S-Tools]] | ||
Latest revision as of 16:47, 11 November 2023
Data hiding/embedding is a cruder form of Steganography that relies on not being noticed/looked for in the first place while true steganography tries to remain hidden even when actively being looked for.
Contents |
[edit] Generic appending
Appending a file to the end of another often results in a file that continues to work as usual, with the file viewer/player ignoring the extra bytes at the end.
A common tactic to take advantage of this behavior is to manually append a zip/rar file to the end of a file. The resulting file will still open as regular, but any archiver will automatically detect and open zip/rar part.
In DOS/Windows command line, files can be appended by using the command:
copy /b host.jpg + hidden.zip combined.jpg
In Linux/Mac the command looks like:
$ cat host.jpg hidden.zip > combined.jpg
This can work with JPEG, GIF, MP3, some executables and more
[edit] Links
- BDV DataHider
- Camouflage
- Cloak
- Clotho
- Data Stash
- Data Stealth
- DeEgger Embedder
- FileStegano
- GRL RealHidden
- HideMyFile
- Hider
- Hiderman
- Masker
- Max File Encryption (formerly X-EXE)
- OmniHide PRO
- Our Secret (formerly Pipisoft Steganography)
- Pretty Good Envelope (PGE)
- Safe & Quick Hide Files and Folders (SQHideFile) (aka Secure Box)
- Smuggle Bus - more sophisticated file appending
- Steganofile
- StegoMagic (MrMugiwara)
- StegoStick
- Xidie Security Suite
- JPGRAR lore
[edit] JPEG
There are two main approaches to embedding data in a JPEG file: using the EXIF headers or appending it after the end of image marker (FF D9)
[edit] Links
- Under the hood: Hiding data in JPEG images
- Malware Hidden Inside JPG EXIF Headers
- GG-AESY - implements both methods of hiding data
- Jpeginsert - uses the quantization tables
- JPegX - functions like a generic appender, but limited to txt messages in JPEG
- Invisible Secrets - hidden data in the comment field at the beginning of the JPEG file
- Stegdetect - detects data at the end of JPEG files hidden with tools like appendX or camouflage.
[edit] PNG
[edit] Links
- Invisible Secrets - hidden data in the comment field at the end of the PNG file
- tweetable-polyglot-png
[edit] BMP
[edit] Links
- js-bmp-packer - combine js code and a bmp file into a file that can be viewed as an image and run as code
- Z-File Camouflage/Encryption System
[edit] MP3
MP3 files are fairly tolerant of random data being added to the file, and not just the end, but also the beginning.
Hence wrapping an MP3 in a zip/rar with no compression will still be playable.
See also: MP3 wrapper
[edit] Video
[edit] Links
[edit] ZIP
[edit] Links
[edit] GZIP
[edit] Links
[edit] Office Open XML
Office XML (Microsoft Office 2007+ DOCX, XLSX, PPTX, etc) files are just ZIP files with other files inside. If you don't care about the file opening successfully afterwards, you can just add anything you want in there.
To get the file to open, you'll need to edit [Content_Types].xml so office programs don't complain about a corrupted file.
If you save any changes in the Office document after you hide a file, the embedded file will be lost.
[edit] Links
[edit] Microsoft Compound File
Older Microsoft Office files
[edit] Links
[edit] PDF
PDF allows embedding complete files in the actual PDF file.
PDF allows adding arbitrary objects anywhere (or almost anywhere) in the file.
PDF allows writing data between objects
PDF allows adding for example white text on a white background or text behind other objects.
Adobe's PDF spec allows at least 1K of fluff after the %%EOF marker (although ISO 32000 does not).
[edit] Links
[edit] NTFS Alternate Data Streams
NTFS provides Alternate Data Streams (ADS) for each file and directory.
You can create one from the command line:
echo hello > test.txt:stream
You can also copy an existing file into a stream:
type hidden.txt > test.txt:hidden.txt
To read the stream back:
more < test.txt:stream
They can also be opened directly in notepad:
notepad test.txt:stream
[edit] Links
- How to Create, Open, Detect, and Remove Alternate Data Stream
- Exploring NTFS Alternate Data Streams from a security standpoint
- Streams - finds files and directories with streams
- Nirsoft AlternateStreamView - find/view/copy/delete NTFS Alternate Data Streams
- NTFS Streams - A .NET library for working with alternate data streams on NTFS file systems.
- Xidie Security Suite
