Slashdot Mirror


Hydan: Steganography in Executables

An anonymous reader says "Ever wanted to hide a message in an executable? Now you can with Hydan. Presented recently by Rakan El-Khalil at Defcon and Blackhat, this tool lets you embed data into an application without changing its functionality or filesize! Check it out. Uses include steganography as well as embedding a program's signature into itself to verify it's not been tampered with."

4 of 235 comments

  1. Signed binaries... nice idea by advocate_one · Score: 4, Insightful

    especially if the OS goes off and double checks the executable is legit before executing it...

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  2. embedding signature?? by guanno · Score: 4, Insightful

    If you embed a signature of the file into the file, this by definition changes the file's signature. At best you can append the signature. However, if the file can be modified, so can its signature.

    If these folks have figured out a way of circumventing this innate paradox, I'm impressed and am dying to hear more about the technology/mathematics behind it! Can you say Nobel Prize nomination?

  3. Re:First Post and On Topic by Ioldanach · Score: 4, Insightful

    If steganography is now in the hands of joe user, how useful is it really? It's not exactly a secret anymore, is it? ;P

    If I transmit files out to my friends that include encrypted data using steganography, then the extra data should be indistinguishable, effectively hiding within the noise of random crap on the web/usenet/email. Thus, without the key, an intercepted message is difficult to detect, and even if detected, I have sufficient plausible deniability to say "nothing there".

    In order to detect a message encrypted and included inside another file, you either need to know it's there and be looking for it, compare it to an existing file which should be identical, or statistically detect some aspect of the file. If you know it should be there, you just need to grab any file that looks like the file you're seeking, grab the relevant bits, and attempt decryption. If you have a file that should be identical (say, an image that looks the same that was posted to usenet a couple of days earlier), you can take the bits that are different and try to make some sense of them. If you are just doing statistical analysis, you might be able to find files which have a set of bits whose randomness is just shy of where it should be, and maybe those bits mean something.

    In short, unencrypted steganography isn't particularly useful, but encrypted, you can really hide things.

  4. Been done for ages by A86 by iamacat · Score: 4, Insightful

    This guy wrote his assembler to generate an unusual form of MOV instructions at least 10 years ago. In this way, he can find out if a program is generated using an unregistered version of A86.

    Any CPU that has an instruction to exchange two registers will have some redundancy, but for X86 even basic mov (as well as add, sub, cmp and so on) specifies both two operands and a flag that specifies which one is source and which one is destination. The significance is that both operands can be registers, but only one can be a memory reference.

    A much more impressive use would be a program that reads its own code as data to save the last few bytes, especially if it has a real purpose, like fitting a game into a fixed-size ROM.
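The operand-direction redundancy described in comment 4, and the statistical-detection angle raised in comment 3, worked through as an added example (not code from the story, from Hydan, or from A86). Two-operand x86 instructions such as mov, add, sub and cmp exist in two encodings: with the direction bit clear, ModRM.reg is the source; with it set, ModRM.reg is the destination. When both operands are registers (mod = 11), either form means the same thing, so the choice of form carries one bit per instruction without changing the file size or the program's behaviour. The toy decoder and interpreter below only understand that handful of 32-bit instructions plus nop and ret, and the carrier bytes are constructed for the demonstration; the "canonical form" rule (assemblers and compilers emit the r/m,reg form for register pairs) is an assumption used as a detection heuristic, not a measurement.

```python
"""Toy demonstration of x86 operand-direction redundancy as a stego channel.

Supported subset only (assumption: the carrier contains nothing else):
  mov/add/sub/cmp with two register operands, nop (0x90), ret (0xC3).
A real implementation needs a full-length decoder for everything else.
"""
from typing import Dict, List, Tuple

# Canonical form (r/m, reg; ModRM.reg = source) -> mirror form (reg, r/m).
CANON_TO_MIRROR: Dict[int, int] = {0x89: 0x8B,   # mov
                                   0x01: 0x03,   # add
                                   0x29: 0x2B,   # sub
                                   0x39: 0x3B}   # cmp
MIRROR_TO_CANON = {v: k for k, v in CANON_TO_MIRROR.items()}
ONE_BYTE = {0x90, 0xC3}                           # nop, ret

Insn = Tuple[int, int, int]  # (offset, opcode, modrm or -1 if none)


def decode(code: bytes) -> List[Insn]:
    """Linear decode of the supported subset; raises on anything else."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op in ONE_BYTE:
            out.append((i, op, -1)); i += 1
        elif op in CANON_TO_MIRROR or op in MIRROR_TO_CANON:
            modrm = code[i + 1]
            if modrm >> 6 != 0b11:          # memory operand: no redundancy
                raise ValueError(f"memory operand at offset {i}: unsupported")
            out.append((i, op, modrm)); i += 2
        else:
            raise ValueError(f"unsupported opcode {op:#x} at offset {i}")
    return out


def mirror(op: int, modrm: int) -> Tuple[int, int]:
    """Flip the direction bit and swap the reg/rm fields: same semantics."""
    reg, rm = (modrm >> 3) & 7, modrm & 7
    other = CANON_TO_MIRROR.get(op) or MIRROR_TO_CANON[op]
    return other, 0xC0 | (rm << 3) | reg


def capacity(code: bytes) -> int:
    """Number of hideable bits: one per register-to-register instruction."""
    return sum(1 for _, _, m in decode(code) if m != -1)


def embed(code: bytes, bits: str) -> bytes:
    """'0' -> canonical encoding, '1' -> mirror encoding, in program order."""
    buf, it = bytearray(code), iter(bits)
    for off, op, modrm in decode(code):
        if modrm == -1:
            continue
        bit = next(it, None)
        if bit is None:
            break
        # Normalise to canonical first so the result depends only on the bit.
        op_c, m_c = (op, modrm) if op in CANON_TO_MIRROR else mirror(op, modrm)
        buf[off], buf[off + 1] = (op_c, m_c) if bit == "0" else mirror(op_c, m_c)
    if next(it, None) is not None:
        raise ValueError("carrier has too few register-pair instructions")
    return bytes(buf)


def extract(code: bytes) -> str:
    """Read the hidden bits back from the encoding forms."""
    return "".join("1" if op in MIRROR_TO_CANON else "0"
                   for _, op, m in decode(code) if m != -1)


def mirror_ratio(code: bytes) -> float:
    """Detection heuristic (assumption): toolchains emit the canonical form
    for register pairs, so a high share of mirror forms is anomalous."""
    pairs = [op for _, op, m in decode(code) if m != -1]
    return sum(1 for op in pairs if op in MIRROR_TO_CANON) / len(pairs) if pairs else 0.0


def run(code: bytes, regs: List[int]) -> List[int]:
    """Tiny interpreter over eight 32-bit registers (flags ignored), used to
    show that both encodings compute the same result."""
    r = list(regs)
    for _, op, modrm in decode(code):
        if modrm == -1:
            if op == 0xC3:
                break                   # ret
            continue                    # nop
        reg, rm = (modrm >> 3) & 7, modrm & 7
        if op in MIRROR_TO_CANON:       # reg,r/m form: reg is destination
            dst, src, op = reg, rm, MIRROR_TO_CANON[op]
        else:                           # r/m,reg form: rm is destination
            dst, src = rm, reg
        if op == 0x89:
            r[dst] = r[src]
        elif op == 0x01:
            r[dst] = (r[dst] + r[src]) & 0xFFFFFFFF
        elif op == 0x29:
            r[dst] = (r[dst] - r[src]) & 0xFFFFFFFF
        # 0x39 (cmp) only sets flags, which this toy does not model
    return r


# Constructed carrier, all in canonical form (register numbers: eax=0, ecx=1,
# edx=2, ebx=3, esp=4, ebp=5, esi=6, edi=7).
CARRIER = bytes([0x89, 0xD8,   # mov eax, ebx
                 0x01, 0xD1,   # add ecx, edx
                 0x90,         # nop
                 0x29, 0xFE,   # sub esi, edi
                 0x39, 0xC8,   # cmp eax, ecx
                 0x89, 0xC2,   # mov edx, eax
                 0xC3])        # ret

if __name__ == "__main__":
    stego = embed(CARRIER, "10110")
    print(CARRIER.hex(), "->", stego.hex(), "bits:", extract(stego))
    print("mirror ratio carrier/stego:", mirror_ratio(CARRIER), mirror_ratio(stego))
```

Running the block shows the 12-byte carrier turning into a 12-byte stego binary that decodes back to the five embedded bits, while `run` returns identical register state for both. The `mirror_ratio` function is the kind of check a reviewer of suspicious binaries would want: because the carrier is all canonical, any appreciable share of mirror-form register pairs stands out, which is exactly the weakness comment 3 describes for unencrypted steganography and the registration check A86 relied on.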