PRACTICAL STEGANOGRAPHY 

[ PART-I ]

Hiding information in Binary Executable File 

07-FEB-2008

Credits

Rakan El-Khalil designed Hydan, which actually does the magic.


Disclaimer

I don't guarantee the accuracy of anything that follows, so use this guide at your own risk.


Binary Executable as Carrier

The inherent redundancy of a machine instruction set (here the i386 processor family) is used to conceal a message in a binary executable: many operations can be encoded by more than one instruction, and choosing between equivalent encodings carries information without changing what the program does or how large it is.

For example, adding the value 50 to register eax can be written either as

                                         addl $50, %eax
                                                  or
                                         subl $-50, %eax

(AT&T syntax). Choosing one of these two equivalent forms encodes one bit of information.

Another example is zeroing a register: XORing a register with itself and subtracting a register from itself have the same effect, so either instruction can stand in for the other.

A substitution is only safe if every side effect the surrounding code depends on is preserved. add and sub with negated immediates, for instance, set the carry flag differently, so that swap is only valid where no later instruction reads the flag. A class of n mutually equivalent encodings carries log2(n) bits per occurrence; the more such classes there are, and the larger they are, the more bits can be embedded.

There are other methods of hiding data in executables as well, but they are beyond the scope of this tutorial.


What is Hydan ?

Hydan [hI-dn] means to hide or conceal; Rakan El-Khalil chose it as the name of his steganographic tool, which hides messages in binary executables.

Given the message to be embedded and the covertext (the carrier binary), Hydan asks for a key to encrypt the message with. It prepends the message length to the message and encrypts the result with Blowfish in CBC mode. The length must be embedded so that the decoder knows how many bytes to read, but it is encrypted so that a plaintext length field does not betray the presence of hidden data.

Once encryption is finished, Hydan locates the instructions that can be used for embedding. Whenever it finds an instruction that has equivalents, it substitutes the form that represents the bit(s) of data it is currently embedding. Before each embedding step Hydan follows a random walk, skipping a random number of instructions, to increase the work required of any detection technique.

To extract the message, Hydan uses the user's password to seed the same random walk, recovers the length of the embedded data, and then reads that many bytes from the carrier and decrypts them.


Features

The carrier (the original binary) and the stego-medium (the binary with the hidden message embedded) have exactly the same size.

The message is Blowfish-encrypted with a user-supplied passphrase before being embedded.


How to get Hydan ?

The dedicated web site for hydan is http://www.crazyboy.com/hydan

Download the source code http://www.crazyboy.com/hydan/hydan-0.13.tar.gz

Extract the source and compile:

mylinux@debian:~$  tar -zxvf hydan-0.13.tar.gz
mylinux@debian:~$  cd hydan
mylinux@debian:~/hydan$  make


An Example

The example below uses the /bin/date command as the carrier.


hydan-stats   >>>   reports the number of embeddable instructions and other information about the binary to be used as carrier


mylinux@debian:~$ ./hydan-stats /bin/date

File : /bin/date
Code size : 28407 bytes
Embeddeable insns : 205 bytes
Number of functions : 20 (6 bytes)
-------> Encoding Rate: 1/138 (1/133 with fns)

Total embeddeable insns: 205 bytes
Total number of fns : 20 (6 bytes/file, 6 bytes/total)
Total encoding rate : 1/138 (with fns: 1/133/file - 1/133/total)

mov32:
mov r/m32, r32: 389
addsub32-3:
add r/m32, imm8: 79
sub r/m32, imm8: 74
xorsub32:
xor r/m32, r32: 314
addsub32-2:
add r/m32, imm32: 15
sub r/m32, imm32: 6
toac32:
test r/m32, r32: 462
addsub32-1:
add eax, imm32: 2
sub eax, imm32: 1
add32:
add r/m32, r32: 53
cmp32:
cmp r/m32, r32: 49
toac8:
test r/m8 , r8: 62
and8:
and r/m8 , r8: 1
sub32:
sub r/m32, r32: 115
xor32:
xor r/m32, r32: 22
or32:
or r/m32, r32: 26
mov8:
mov r/m8 , r8: 7
and32:
and r/m32, r32: 2
add8:
add r/m8 , r8: 1
cmp8:
cmp r/m8 , r8: 1
rrcmp32:
cmp r/m32, r32: 4
addsub8:
add al , imm8: 5
sub al , imm8: 3
sub8:
sub r/m8 , r8: 2
sbb32:
sbb r/m32, r32: 2
addsub8-2:
add r/m8 , imm8: 1
sub r/m8 , imm8: 1

The useful information is the summary at the top:

File : /bin/date
Code size : 28407 bytes
Embeddeable insns : 205 bytes
Number of functions : 20 (6 bytes)
-------> Encoding Rate: 1/138 (1/133 with fns)

Total embeddeable insns: 205 bytes
Total number of fns : 20 (6 bytes/file, 6 bytes/total)
Total encoding rate : 1/138 (with fns: 1/133/file - 1/133/total)

So 205 bytes can be hidden in 28407 bytes of code, an encoding rate of 205/28407, roughly 1/138; the "with fns" figure adds the 6 bytes the tool counts for the binary's 20 functions.


Creating an ASCII text to be hidden inside the binary

Create an ASCII file containing the message

Hi all, I am a debian user

and say the file is named msg.


./hydan  /path/binary  message_file > new_binary   >>>   Embedding

I have selected /bin/date as carrier and created a message file called msg. I can now embed the message file inside /bin/date command to create a new command which behaves exactly like /bin/date command but with the hidden information.

./hydan  /bin/date  msg > new.date 

Hydan asks for a password, which is used as the key to encrypt the message. The 26-character message plus its trailing newline is 27 bytes; with the prepended length and padding to Blowfish's 8-byte block size this becomes the 32 bytes reported below:

mylinux@debian:~$ ./hydan /bin/date msg > new.date 
Password:
Done. Embedded 32/32 bytes out of a total possible 205 bytes.
Encoding rate: 1/138


Checking the newly created command

Execute permission must be given to the newly created binary, since the shell redirection created it as an ordinary, non-executable file:

chmod  u+x  new.date

The binary behaves exactly same as /bin/date command 

mylinux@debian:~$ ./new.date 
Sat Feb 2 16:53:36 GMT-8 2008


The file size of the stego-medium is the same as that of the carrier :-)

mylinux@debian:~$ du -h /bin/date new.date

44K /bin/date
44K new.date

(du reports allocated disk blocks; ls -l, used in the next section, shows that both files are exactly 42764 bytes.)


Replacing the original binary with the Hydan created one


These steps require root privileges:

mylinux@debian:~$ su
Password:
debian:# ls -l /bin/date
-rwxr-xr-x 1 root root 42764 2004-07-16 17:07 /bin/date

debian:# mv /bin/date backup.date

debian:# mv new.date /bin/date

debian:# chown root:root /bin/date

debian:# chmod 755 /bin/date

debian:# ls -l /bin/date
-rwxr-xr-x 1 root root 42764 2008-02-02 21:19 /bin/date

The listing shows that the timestamp of the new binary differs from that of the original. To make the replacement indistinguishable in ls -l output, set its modification time to the original's with touch -t. Note that this only forges the mtime: the inode change time (ctime) reported by stat is updated by every step above and cannot be set with touch.

mylinux@debian:~$ su
Password:
debian:# ls -l /bin/date
-rwxr-xr-x 1 root root 42764 2008-02-02 21:19 /bin/date
debian:# touch -t 200407161707 /bin/date
debian:# ls -l /bin/date
-rwxr-xr-x 1 root root 42764 2004-07-16 17:07 /bin/date


./hydan-decode  <Hydan created binary>   >>>   Extracting the hidden message

 

mylinux@debian:~$ ./hydan-decode /bin/date
Password:
Hi all, I am a debian user


Or we can extract the hidden message and save it to a file

mylinux@debian:~$ ./hydan-decode new.date > hiddenMSG
Password:

mylinux@debian:~$ cat hiddenMSG
Hi all, I am a debian user


Detection

The file size and the forged modification time match the original, but a cryptographic checksum does not: md5sum or sha256sum of the original binary and of the Hydan-produced binary differ, so any integrity baseline taken beforehand (on Debian, the per-package md5sums that debsums checks) will flag the replaced /bin/date. The inode change time (ctime) shown by stat also cannot be reset with touch and reveals when the file was replaced.


Overwriting attack

Hydan embeds the message sequentially, starting from the top of the application's code. If Hydan is run again on the stego binary with a second message whose size is the maximum embeddable in that application, every instruction that carried the first message is rewritten to carry the second, and the original message can no longer be extracted. This destroys the hidden data without the attacker needing the password.
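The following Python module is an added example written for this page; it is not Hydan's code and not part of the original tutorial. It implements the instruction-substitution idea from "Binary Executable as Carrier" on raw 32-bit x86 machine code, using two of the equivalence classes that appear in the hydan-stats output above (addsub and xorsub): it embeds a length-prefixed message by choosing between equivalent encodings, extracts it again, shows that the output has exactly the carrier's length, lets the overwriting attack be reproduced (a second embed rewrites the same instructions), and adds a simple frequency heuristic for the "Detection" section. The opcode tables, the one-byte unencrypted length header, the constructed SAMPLE carrier and the second_form_ratio heuristic are all this example's own assumptions; Hydan encrypts the payload and random-walks over the carrier, which this toy does not.

```python
"""Toy instruction-substitution steganography for 32-bit x86 machine code.
Added example for this page, NOT Hydan's code: the two opcode classes, the
one-byte unencrypted length header, the tiny decoder and the constructed
sample carrier are this example's simplifications (Hydan has dozens of
classes, Blowfish-encrypts the payload and random-walks over the carrier).
  "addsub":  83 /0 ib  add r32, imm8  <->  83 /5 ib  sub r32, -imm8
  "xorsub":  31 /r     xor r32, r32   <->  29 /r     sub r32, r32   (same reg)
The first form of a pair encodes a 0 bit, the second form a 1 bit."""

ONE_BYTE = set(range(0x50, 0x60)) | {0x90, 0xC3}              # push/pop r32, nop, ret
REG_MODRM = {0x01, 0x09, 0x21, 0x29, 0x31, 0x39, 0x85, 0x89}  # add/or/and/sub/xor/cmp/test/mov r/m32,r32

def insn_len(code: bytes, i: int) -> int:
    """Length of the instruction at i; only register-direct ModRM (mod == 11) is decoded."""
    op = code[i]
    if op in ONE_BYTE:
        return 1
    if 0xB8 <= op <= 0xBF:                                     # mov r32, imm32
        return 5
    if op in REG_MODRM or op == 0x83:
        if i + 1 >= len(code) or code[i + 1] >> 6 != 3:
            raise ValueError(f"unsupported addressing form at offset {i}")
        return 3 if op == 0x83 else 2                          # 0x83 carries an imm8
    raise ValueError(f"unsupported opcode {op:#04x} at offset {i}")

def classify(code: bytes, i: int):
    """(class, current_bit) if the instruction at i is embeddable, else None."""
    op = code[i]
    if op not in (0x83, 0x31, 0x29):
        return None
    modrm = code[i + 1]
    reg, rm = (modrm >> 3) & 7, modrm & 7
    if op == 0x83:
        if code[i + 2] == 0x80:                                # -(-128) does not fit in imm8
            return None
        return {0: ("addsub", 0), 5: ("addsub", 1)}.get(reg)   # other /digits (and, or, cmp) unpaired
    return ("xorsub", 0 if op == 0x31 else 1) if reg == rm else None

def slots(code: bytes):
    """Yield (offset, class, current_bit) for each embeddable instruction, in code order."""
    i = 0
    while i < len(code):
        n = insn_len(code, i)
        if i + n > len(code):
            raise ValueError(f"truncated instruction at offset {i}")
        c = classify(code, i)
        if c is not None:
            yield (i, *c)
        i += n

def _set_bit(out: bytearray, i: int, cls: str, cur: int, bit: int) -> None:
    """Rewrite the instruction at i into the equivalent form encoding `bit`. Caveat: add vs. sub
    with a negated immediate sets CF differently; this toy does not check later flag readers."""
    if cur == bit:
        return
    if cls == "addsub":
        out[i + 1] = (out[i + 1] & 0xC7) | ((5 if bit else 0) << 3)   # /0 <-> /5
        out[i + 2] = (-out[i + 2]) & 0xFF                              # imm8 -> -imm8
    else:
        out[i] = 0x29 if bit else 0x31                                 # xor <-> sub

def embed(code: bytes, msg: bytes) -> bytes:
    """Hide msg (<= 255 bytes) in code; the output has the same length and behaviour."""
    if len(msg) > 255:
        raise ValueError("toy length header is one byte")
    payload = bytes([len(msg)]) + msg          # length prefix, as Hydan does (unencrypted here)
    bits = [(b >> (7 - k)) & 1 for b in payload for k in range(8)]
    avail = list(slots(code))
    if len(bits) > len(avail):
        raise ValueError(f"need {len(bits)} bits, carrier offers {len(avail)}")
    out = bytearray(code)
    for (i, cls, cur), bit in zip(avail, bits):
        _set_bit(out, i, cls, cur, bit)
    return bytes(out)

def extract(code: bytes) -> bytes:
    """Read the length header, then that many bytes; b"" if nothing is embedded."""
    bits = [cur for _, _, cur in slots(code)]
    if len(bits) < 8:
        raise ValueError("carrier too small for a length header")
    byte_at = lambda k: int("".join(map(str, bits[8 * k:8 * k + 8])), 2)
    n = byte_at(0)
    if 8 * (n + 1) > len(bits):
        raise ValueError("length header exceeds capacity: no valid message")
    return bytes(byte_at(k) for k in range(1, n + 1))

def second_form_ratio(code: bytes) -> float:
    """Detection heuristic (this example's own): share of embeddable instructions in their
    rarer second form; compare against clean binaries built by the same compiler."""
    cur = [c for _, _, c in slots(code)]
    return sum(cur) / len(cur) if cur else 0.0

# Constructed sample carrier (not from any real binary): push ebp ; mov ebp,esp ; 8 x BLOCK ; pop ebp ; ret
# where BLOCK = xor eax,eax ; add eax,5 ; mov edx,eax ; xor ebx,ebx ; add ebx,10 ; add eax,edx
# holds 4 embeddable instructions, so the carrier offers 32 bits = 1 header byte + 3 message bytes.
BLOCK = "31c0" "83c005" "89c2" "31db" "83c30a" "01d0"
SAMPLE = bytes.fromhex("55" "89e5" + BLOCK * 8 + "5d" "c3")
```

Save it under a name of your choice (toy_hydan.py is assumed here) and run python3 -i toy_hydan.py: extract(embed(SAMPLE, b"OK!")) returns b"OK!" while len(embed(SAMPLE, b"OK!")) == len(SAMPLE), embed(SAMPLE, b"OK!?") fails because 40 bits exceed the 32 available, and embedding a second message into the stego output, as in the overwriting attack above, makes the first one unrecoverable. Unlike Hydan, the toy stops at the first instruction it cannot decode, so it is meant for constructed inputs such as SAMPLE, not for a real ELF .text section.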



Copyright and License

Copyright©2008 by Joydeep Bakshi. This material may be distributed only subject to the terms and conditions set forth in the Open Content License, v1.0 or later (the latest version is presently available at opencontent.org ).


Feedback

Comments, corrections and suggestions are always welcome.
