Slashdot Mirror

← Back to Stories (view on slashdot.org)

Program Hides Secret Messages in Executables

Posted by timothy on from the ms-reveals-code-to-piglatinland dept.

DmuZ writes "My friend Rakan has created a new steganographic tool named Hydan which can embed messages into an executable without altering its size. He recently presented this tool to the public for the first time at codecon. This new technique was intriguing enough to get coverage on SecurityFocus.com. The code is available here."

7 of 243 comments (clear)

  1. Re:You might have gotten hoaxed. by Michael+Dorfman · · Score: 5, Funny

    > Second, and most importantly, the size of the file is dependent on the size of the bytes
    > within the file.

    I don't know about you, but where I come from all bytes are pretty much 8 bits in size.

    >Because the bytes in the file have differing values depending on the instructions they
    >encode, altering the data will alter the size unless you're borrowing from one byte to inflate
    >another -- and in this case, again, you run afoul of the first problem.

    Altering the value of a byte changes its size?
    Man, I need to get me some of them new magic size-changing bytes! Down with the tyranny of 8-bit bytes!

  2. Re:Redundancy? by BenV666 · · Score: 5, Informative
    Can someone explain to me exactly what this means?
    It means exactly what it says, there is more than 1 road that leads to Rome.... combining instructions in different ways leads to the same results.
    Will all i386 executable binaries have unnecessary redundancy?
    Almost everything can be done in several ways. Consider these 2 pieces of asm:
    XOR DX,DX
    MOV AX,3
    MOV BX,4
    MUL BX
    verses
    MOV BX,4
    MOV AX,3
    XOR DX,DX
    MUL BX
    Same results, same size, different order :)
    Could the size of the binary be harmlessly reduced by removing it? If so, then why isn't this done?
    Often the binary can't get much smaller without having effect on efficiency of the code, as far as I trust compilers that is :) (ASM rules!!! :)) I.e.
    MOV AX,A000
    MOV ES,AX
    verses
    PUSH A000
    POP ES
    Same effect while the latter saves 1 byte in code.
  3. Re:Redundancy? by etcpasswd · · Score: 5, Informative
    From my understanding, it appears that he chooses a complentary pair of instructions: addition-subtraction. Then you designate "1" to addition instruction, and "0" to subtraction. So, if you look at only these instructions, your executable can contain a binary string (addition and subtraction instructions).

    Now what the author does is, alter the original binary string to that bit-string data of our interest (of the same length). This process requires flipping of instructions. For example, if some instruction is addition (1), but your data requires it to be (0) bit, you change the instruction to subtraction, and change the operand to a negative of the original value. Same applies to flipping a '0' to '1'.

    Addition-subtraction works because there are no overflow issues (atleast with signed ints). Since this is also a very common operation, your executable is likely to be large enough to "hold" sizeable data.

  4. Re:Virus by KDan · · Score: 5, Informative

    Never. The information, though contained in an executable file, is not itself executable (unless you went and took that information out and then executed it separately. The whole point is it does not affect the execution of the program that you hide the information into. So you can put whatever information you want in there (even the code for a virus) and it will still not be a virus, because that information will never get executed unless you actively go in there, extract it, paste it as an executable file somewhere else (eg in memory) and then execute it - so you'd need another virus to do this, basically.

    Daniel

    --
    Carpe Diem
  5. Wrong product by Mostly+a+lurker · · Score: 5, Funny
    ...the Declaration of Independence in a single copy of Microsoft Word

    Surely, a declaration of independence should be stored in a non Microsoft product.

  6. Re:stenography by Bunji+X · · Score: 5, Insightful

    "exactly why did you send Mohammed bin Mohammed a picture of your kitten a day before al-Queda hijacked that airliner?"

    None of your freaking business. Mohammed bin Mohammed is an old friend of mine, he wanted to see a picture of my new kitten.

    Freedom of expression, freedom of speech. No?

    Maybe a professor's testamony of "high probability" is enough to get you in deep shit over there, fortunately we still have something that reminds of citizen rights, this side of the pond.

    --
    ---
    The combined human population is enough to feed every living tiger for app. 28000 years.
  7. Re:stenography by WzDD · · Score: 5, Funny

    RPG values?

    "Bring me my +5 Sword of Information Hiding!"