stegosaurus - a poor man's steganography

technosaurus
Posts: 4853
Joined: Mon 19 May 2008, 01:24
Location: Blue Springs, MO
Contact:

stegosaurus - a poor man's steganography

#1 Post by technosaurus »

so, it's pretty simple: encrypt a file (optional)
xz it to a container file (jpg, mpg, mov ...)
the regular file will work as normal
to get the hidden file just zcat container > original


This was my original intention:
inspired by steganography and the exe icons in windows / ROX-App icons in puppy, here is a package format that looks nice too.

This is how it works (have only tested manually, script to follow)
take a screenshot image (as jpeg)
make your package; the format is optional at this point (tar.xz is my preference)

get the size of your package:
PKGSIZE=`stat -c %s package`

add the package to the jpg:
cat package >> screenshot.jpg

we will need to know how much data to get later:
printf $PKGSIZE >> screenshot.jpg

crap, now we need to know how many bytes that was
printf ${#PKGSIZE} >> screenshot.jpg

That is it for creating it, you should still be able to open it with an image viewer.

But how to get the data?

how many bytes was our info string
BYTESINFO=`tail -c 1 screenshot.jpg`

now we get the string:
STRSIZE=`tail -c $(($BYTESINFO+1)) screenshot.jpg`

but we still have that extra byte
SIZE=${STRSIZE:0:BYTESINFO}

tail -c $(($SIZE+${#STRSIZE})) screenshot.jpg |head -c $SIZE >package

Edit: other things to consider - filename, checksum, default operation
use the good ol' puppy standard separator ...
size|file_name|chcksum|chcksumtype|defaultmode|strlen

edit2: I wrote an sfs linker in jwm_tools that will mount link and autorun an sfs file ... new squash has xz support, so perhaps this would be a better way to go. Click on screenshot, get corresponding screen in ~0.2s (similar to magicermine which is currently proprietary)
Last edited by technosaurus on Mon 11 Jan 2016, 22:09, edited 2 times in total.


#2 Post by technosaurus »

so here is a working example:

Code:

#!/bin/sh
#copyright 2011 Brad Conroy - redistributable under the UIUC license
# usage: <script> container_file file_to_append
[ -f "$1" ] && [ -f "$2" ] || exit
SIZE1=`stat -c %s "$1"`
SIZE2=`stat -c %s "$2"`
NAME1=${1##*/}
NAME2=${2##*/}
EXT=${1##*.}
OUT="${NAME1}_${NAME2}.$EXT"

# copy the container, then append a metadata line followed by the second file
cp "$1" "$OUT"
echo "
NAME1=${NAME1} SIZE1=${SIZE1} NAME2=${NAME2} SIZE2=${SIZE2}
" >> "$OUT"
cat "$2" >> "$OUT"

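Code:

#!/bin/sh
#copyright 2011 Brad Conroy - redistributable under the UIUC license
[ "$1" ] && [ -f "$1" ] || exit
# find the metadata line that the combining script wrote after the container
while read -r LINE; do
case $LINE in
	NAME1=*\ SIZE1=*\ NAME2=*\ SIZE2=*)
		# parse the fields instead of eval, so file content is never run as code
		SIZE2=${LINE##* SIZE2=}; LINE=${LINE% SIZE2=*}
		NAME2=${LINE##* NAME2=}; LINE=${LINE% NAME2=*}
		SIZE1=${LINE##* SIZE1=}; LINE=${LINE% SIZE1=*}
		NAME1=${LINE#NAME1=}; break;;
esac
done < "$1"
# sizes must be plain numbers; names are reduced to a bare file name
case "${SIZE1:-x}${SIZE2:-x}" in *[!0-9]*) exit;; esac
NAME1=${NAME1##*/} NAME2=${NAME2##*/}
[ "${NAME1}" ] && [ "${NAME2}" ] || exit
head -c "${SIZE1}" "$1" > "${NAME1}"
tail -c "${SIZE2}" "$1" > "${NAME2}"

This is a very generic implementation that can also be used as a poor man's steganography using only busybox applets (shell, stat, head and tail)
the first file should be something containerized (so it knows where the end of its data is) and preferably known to have varying sizes; jpeg is fine if the second file is small, but avi, mov or mpg if the second file is large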

The second file could be anything from text to a heavily encrypted file.

I think I have it broken down into the simplest form for further modification
you may not need to fuss with recovering the container file - if so you can remove the code related to it ... name1 size1 and head portions
if you are trying to hide a file, you may not want to even have the file name included and just have the output defined by the user - also a fairly easy mod
Check out my [url=https://github.com/technosaurus]github repositories[/url]. I may eventually get around to updating my [url=http://bashismal.blogspot.com]blogspot[/url].

PANZERKOPF
Posts: 282
Joined: Wed 16 Dec 2009, 21:38
Location: Earth

Re: jpkg - screenshots as the package format

#3 Post by PANZERKOPF »

technosaurus wrote: inspired by steganography
Probably I found another way, without any additional tools.
cat archive.tar.xz >>image.jpg
xzcat image.jpg > archive.tar
Seems xzcat successfully finds a signature (FD377A58h) at the end of "garbage" (meaning the jpeg's body) and decompresses an archive.
SUUM CUIQUE.
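
Added example, not part of any post in this thread: posts #2 and #3 rely on a container format that knows where its own data ends, and that same property lets a checker spot appended data. The sketch below walks the JPEG marker chain to the real EOI marker and reports what follows it; the function names and the sample bytes are constructed for illustration.

```python
"""Flag data appended after the end of a JPEG image."""
import re

# Magic numbers of the archive formats discussed in this thread.
SIGNATURES = {"xz": b"\xfd7zXZ\x00", "zip": b"PK\x03\x04", "7z": b"7z\xbc\xaf\x27\x1c"}
# Metadata line written by the combining script in post #2.
META = re.compile(rb"NAME1=.* SIZE1=\d+ NAME2=.* SIZE2=\d+")

def jpeg_end(data):
    """Offset just past the EOI marker, or None if the marker chain is broken."""
    if data[:2] != b"\xff\xd8":              # must start with SOI
        return None
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker == 0xFF:                   # fill byte before a marker
            i += 1
        elif marker == 0xD9:                 # EOI: the image ends here
            return i + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            i += 2                           # markers without a length field
        else:
            i += 2 + int.from_bytes(data[i + 2:i + 4], "big")
            if marker == 0xDA:               # SOS: skip entropy-coded scan data
                while i + 1 < len(data) and not (
                        data[i] == 0xFF and data[i + 1] != 0x00
                        and not 0xD0 <= data[i + 1] <= 0xD7):
                    i += 1
    return None

def inspect_jpeg(data):
    """Report what, if anything, follows the image."""
    end = jpeg_end(data)
    if end is None:
        return {"valid": False}
    trailer = data[end:]
    found = {name: end + trailer.find(sig)
             for name, sig in SIGNATURES.items() if sig in trailer}
    return {"valid": True, "image_bytes": end, "trailing_bytes": len(trailer),
            "signatures": found, "post2_metadata": bool(META.search(trailer))}

# Constructed sample: a minimal marker chain (not a viewable picture) whose APP1
# segment holds an FF D9 pair that a naive search for EOI would stop at.
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe1\x00\x06\xff\xd9AB"
               + b"\xff\xda\x00\x02" + b"\x12\xff\x00\x34" + b"\xff\xd9")
```

Walking segment lengths matters because EXIF thumbnails carry their own SOI/EOI pair inside an APP1 segment; a non-zero `trailing_bytes` on an otherwise valid image is the signal worth reviewing.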


#4 Post by technosaurus »

nice, maybe instead of catting an xz file, we can just:
xz -cze9 inputfile.tc >> outputfile.mpg

edit: nope, neither way seems to be working - back to my previous example then

aragon
Posts: 1698
Joined: Mon 15 Oct 2007, 12:18
Location: Germany

#5 Post by aragon »



#6 Post by aragon »

a second note: psteg is already taken by an app from vovchik.

http://www.murga-linux.com/puppy/viewtopic.php?t=57806

aragon


#7 Post by technosaurus »

steg-osaurus it is then :)

DPUP5520
Posts: 800
Joined: Wed 16 Feb 2011, 05:38

#8 Post by DPUP5520 »

There are many great stego programs out there u may want to check out and try such as hide and seek, outguess, snow, diit, and steghide just to name a few.
[url=http://www.murga-linux.com/puppy/viewtopic.php?t=69651][b][i]PupRescue 2.5[/i][/b][/url]
[url=http://www.murga-linux.com/puppy/viewtopic.php?t=72178][b][i]Puppy Crypt 528[/i][/b][/url]


#9 Post by technosaurus »

Yes there are, but they all have some limitation that would keep them out of standard puppy (size, dependencies, file limitations ...)

All this needs is a GUI that uses bcrypt which is already included.

The code in /usr/sbin/grub-md5-crypt and bcrypt_gui is a good starting point

The encryption format can be anything though (including none) if bcrypt is replaced.

#10 Post by technosaurus »

here is the start of a basic gui

Code:

#! /bin/sh
#copyright 2011 Brad Conroy - redistributable under the UIUC license
#todo add bcrypt options, output filename, backup container ...
export MAIN_DIALOG='
<vbox>
	<frame Container Filename>
		<hbox tooltip-text="Select a container file such as: jpg,mpg,avi,mov...">
			<entry accept="filename">
				<label>Select an Existing File</label>
				<variable>CONTAINER_FILENAME</variable>
			</entry>
			<button>
				<input file stock="gtk-open"></input>
				<action type="fileselect">CONTAINER_FILENAME</action>
			</button>
		</hbox>
	</frame>
	<frame Encrypted Filename>
		<hbox tooltip-text="Select the file you wish to encrypt">
			<entry accept="filename">
				<label>Select an Existing File</label>
				<variable>ENCRYPT_FILENAME</variable>
			</entry>
			<button>
				<input file stock="gtk-open"></input>
				<action type="fileselect">ENCRYPT_FILENAME</action>
			</button>
		</hbox>
	</frame>
	<frame Password>
		<entry invisible_char="052" visibility="false">
			<default>woofwoof</default>
			<variable>PASSWORD1</variable>
		</entry>
	</frame>
	<frame Verify Password>
		<entry invisible_char="052" visibility="false">
			<default>woofwoof</default>
			<variable>PASSWORD2</variable>
		</entry>
	</frame>
	<hbox>
	 <button ok></button>
	 <button cancel></button>
	</hbox>
</vbox>
'

eval `gtkdialog3 --program=MAIN_DIALOG`

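[ "$CONTAINER_FILENAME" ] && [ "$ENCRYPT_FILENAME" ] || exit
# POSIX test uses a single "=" for string comparison
[ "$PASSWORD1" = "$PASSWORD2" ] || exit

# unpredictable temp file instead of a fixed name in /tmp
TMPFILE=`mktemp /tmp/stegosaurus.XXXXXX` || exit
# passphrase and its confirmation go to bcrypt on stdin; -o writes the result to stdout
echo "$PASSWORD1
$PASSWORD2" |bcrypt -o "$ENCRYPT_FILENAME" >"$TMPFILE"
SIZE=`stat -c %s "$TMPFILE"`

# append a size marker line, then the encrypted data, to the container
echo "
ALLTRANSLATIONSSIZE=${SIZE}
" >> "${CONTAINER_FILENAME}"
cat "$TMPFILE" >> "${CONTAINER_FILENAME}"
rm -f "$TMPFILE"

yaf-splash -text "complete ${CONTAINER_FILENAME} increased by just over $SIZE"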

#for debugging ... this will be in the 
#while read A; do case $A in ALLTRANSLATIONSSIZE=*)eval $A && break;;esac;done< ${CONTAINER_FILENAME}
#tail -c $ALLTRANSLATIONSSIZE ${CONTAINER_FILENAME} > ${ENCRYPT_FILENAME}.bfe


#11 Post by PANZERKOPF »

technosaurus wrote: edit: nope, neither way seems to be working - back to my previous example then
Oops... You are right, unxz fails.

Testing zip/unzip archiver:
cat archive.zip >> image.jpg
unzip image.jpg
It works! Just says "Warning! ???? extra bytes at beginning..."
Note I used "full" unzip, busybox unzip fails.

Testing arj archiver:
cat archive.arj >> image.jpg
arj e image.jpg
Works!

#12 Post by technosaurus »

http://lists.busybox.net/pipermail/busy ... 64569.html
We can use tr to do the encryption

And zip files can be password protected, but I may take a look at patching busybox zip first.
Other possibilities: use it to add sfs file to kernel image

SFR
Posts: 1800
Joined: Wed 26 Oct 2011, 21:52

#13 Post by SFR »

ZIP files indeed have nice possibilities - what about concatenating a fake zip archive (fake = containing some unimportant stuff, a decoy) with a 7zip (preferably encrypted) archive?

Code:

#!/bin/bash

# slip2zip

[ $# -ne 3 ] && { echo "Usage: ${0##*/} <input_zip_file> <input_7z_file> <output_name>"; exit; }

head -c 30 "$1" | cat - "$2" "$1" > "${3}.zip"
zip -A "${3}.zip"

As long as such file has .zip extension, it behaves like zip - "decoy" part can be listed/extracted (only full 'unzip' or 7zip; busybox's fails in this case, too) without any warnings and 'file somearch.zip' reports an ordinary zip file.
Fooling the 'file' utility and lack of warnings is achieved by appending a part of original zip header to the beginning of the file (head -c 30 ...) and adjusting its internal structure (zip -A ...).
After changing the extension to .7z we're gaining access to the "hidden" 7zip part and, surprisingly, 7zip has nothing against those 30 leading, extra bytes.

BTW, to avoid unnecessary suspicions, the size of uncompressed "decoy" part should be greater than the size of concatenated zip+7z, which could be achieved by using high compression level and by including some "sparse" files into it.

Pros: self-containability (no dedicated tool is needed, except generally available (p)7zip) and portability (tested also in Windoze - both parts can be separately accessed using 7zip, IZArc, PeaZip, WinZIP, WinRAR & ZipGenius).

Cons: well, of course closer look (hexdump) or that unfortunate busybox behavior will reveal that something's not quite right.

I have attached an exemplary zip+7z.

Greetings!
Attachments
example.zip
Change extension to .7z to access "hidden" part.
(3.46 KiB) Downloaded 386 times
[color=red][size=75][O]bdurate [R]ules [D]estroy [E]nthusiastic [R]ebels => [C]reative [H]umans [A]lways [O]pen [S]ource[/size][/color]
[b][color=green]Omnia mea mecum porto.[/color][/b]
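
Added example, not part of any post in this thread: the layout described in post #13 leaves a gap between the start of the file and the first entry the central directory points to, which a checker can measure. The sketch below uses Python's standard `zipfile` module; the function names and the sample data (a fake 7z blob that is only a signature plus padding) are constructed for illustration.

```python
"""Flag bytes placed in front of a ZIP archive's first entry."""
import io
import zipfile

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"   # 7z signature
ZIP_LOCAL_MAGIC = b"PK\x03\x04"         # ZIP local file header signature

def zip_prefix_report(data):
    """Locate the first real entry and describe whatever precedes it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # header_offset comes from the central directory, which is what
        # extractors trust; zipfile corrects it for unadjusted prefixes too.
        offsets = [info.header_offset for info in zf.infolist()]
    first = min(offsets, default=0)
    pos = data.find(SEVENZ_MAGIC, 0, first)
    return {
        "prefix_bytes": first,
        "decoy_header": first > 0 and data.startswith(ZIP_LOCAL_MAGIC),
        "sevenz_offset": pos if pos >= 0 else None,
    }

def build_samples():
    """Constructed inputs: a small ZIP, and the same ZIP in the post #13 layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "decoy contents\n" * 20)
    plain = buf.getvalue()
    fake_7z = SEVENZ_MAGIC + bytes(58)   # signature plus padding, not a real archive
    return plain, plain[:30] + fake_7z + plain

if __name__ == "__main__":
    for label, blob in zip(("plain", "layered"), build_samples()):
        print(label, zip_prefix_report(blob))
```

A file that starts with a local-header signature yet has `prefix_bytes` greater than zero looks like an ordinary ZIP to a magic-number check while carrying unreferenced data up front.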

disciple
Posts: 6984
Joined: Sun 21 May 2006, 01:46
Location: Auckland, New Zealand

#14 Post by disciple »

It's kind of off topic, but when Flickr came out with their free 1TB my first thought was about how neat it would be to use it as a backup filesystem by zipping files and appending to jpegs. But then I saw that almost as soon as it came out someone had implemented the same idea but hiding the files in pngs instead: https://github.com/Rotten194/flickr-fuse ;)
Do you know a good gtkdialog program? Please post a link here

Classic Puppy quotes

ROOT FOREVER
GTK2 FOREVER


#15 Post by technosaurus »

I wouldn't count on that except to share files short term, it is quite possible that they would decide to run image optimizers (optipng, jpegtran,...) or some other craziness on the images that would remove embedded data

#16 Post by disciple »

No, I wouldn't count on it at all - it's just neat in principle :)

#17 Post by technosaurus »

I did think it would be a neat idea to put packages inside screenshots of a running version of the package... using a thumbnail browser without the included data or it would take a year for the page to load