Slashdot Mirror


Hydan: Steganography in Executables

An anonymous reader says "Ever wanted to hide a message in an executable? Now you can with Hydan. Presented recently by Rakan El-Khalil at Defcon and Blackhat, this tool lets you embed data into an application without changing its functionality or filesize! Check it out. Uses include steganography as well as embedding a program's signature into itself to verify it's not been tampered with."

3 of 235 comments

  1. Re:without changing its functionality or filesize! by Carnildo · · Score: 5, Interesting

    Many executable formats include unused space for alignment purposes. For example, I've been working on a Mach-O equivalent of the super-tiny ELF executable mentioned a few days back. The executable produced by GCC includes 300 bytes of code and headers, and 8000 bytes of padding.

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  2. Re:embedding signature?? by jrockway · · Score: 5, Interesting

    Unless you do it like this (an example is always easy to understand).

    Say you have an executable:

    1337PROGRAM

    Your signature checking routine then does this:

    1_3_3_7_P_R_O_G_R_A_M

    and computes the hash

    deadbabeca

    And then sends:

    1d3e3a7dPbRaObGeRcAaM

    To reverse, we extract the hash (deadbabeca) and the "original" executable.

    Then we compute the hash (of 1_3_3_7...) and check if it matches...

    In summary, we embedded a checksum, but we removed it before we checked it. Simple, really.

    --
    My other car is first.
  3. Re:embedding signature?? by Ioldanach · · Score: 4, Interesting
    If you embed a signature of the file into the file, this by definition changes the file's signature. At best you can append the signature.

    1. Set the swappable instructions in the program to their bitwise equivalent of 0.
    2. Calculate a signature based on that number.
    3. Swap the instructions to encode that number.

    To decode.

    1. Find swappable instructions.
    2. Determine what bit setting they're at.
    3. Set their bit setting to 0.
    4. Recalc signature based on the new bit setting.
    5. Compare to the bit setting you just retrieved.

    I would still recommend publishing a separate public key, however, and including an encrypted signature in the program. As you say, it can always be changed and re-encoded.

    On the other hand, this might be useful on a server, by encoding a public key and checker on a CD-R and checking all your programs periodically against the CD-R key. You could encode signatures in each program and be able to upgrade programs from a central encoding server without having to write a new CD each time.
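jrockway's interleaving trick and Ioldanach's swappable-instruction procedure come down to the same check: pull the tag out of the carrier, put the carrier back into its canonical form, recompute the tag, compare. The Python below is an added example, not code from the thread or from Hydan itself. It implements both channels: the interleaving exactly as jrockway spells it out, and Ioldanach's five decode steps over a constructed toy instruction list (tuples of an opcode and two register numbers, where the operand order of a commutative op is the one-bit slot that Hydan-style encoding flips). The key, the toy ISA, the `PROGRAM` carrier and the 40-bit truncated tag (ten hex digits, matching jrockway's example) are all constructed for the demo; the keyed HMAC stands in for the separately published signing key Ioldanach recommends.

```python
import hashlib
import hmac

# Constructed demo secret. Ioldanach's point: with an unkeyed hash, anyone who
# knows the scheme can modify the program and re-encode a fresh checksum, so a
# plain hash only catches accidental corruption. A keyed tag (here HMAC, in a
# real deployment a signature with the private key kept elsewhere) fixes that.
KEY = b"constructed-demo-key"
TAG_HEX = 10             # hex digits embedded; jrockway's example uses ten
TAG_BITS = TAG_HEX * 4


def make_tag(canonical: bytes) -> str:
    """Keyed tag over the carrier with every embedded slot in its zero form."""
    return hmac.new(KEY, canonical, hashlib.sha256).hexdigest()[:TAG_HEX]


# ---- Channel 1: jrockway's interleaving (a tag char after each leading byte) ----

def interleave(data: bytes, tag: str) -> bytes:
    """'1337PROGRAM' + 'deadbabeca' -> '1d3e3a7dPbRaObGeRcAaM'."""
    if len(data) < len(tag):
        raise ValueError("carrier too short for tag")
    out = bytearray()
    for i, b in enumerate(data):
        out.append(b)
        if i < len(tag):
            out.append(ord(tag[i]))
    return bytes(out)


def deinterleave(blob: bytes, tag_len: int = TAG_HEX) -> tuple[bytes, str]:
    """Remove the tag first, so what remains is the original carrier."""
    data, tag = bytearray(), []
    for i, b in enumerate(blob):
        if i < 2 * tag_len and i % 2 == 1:
            tag.append(chr(b))
        else:
            data.append(b)
    return bytes(data), "".join(tag)


def interleave_embed(data: bytes) -> bytes:
    return interleave(data, make_tag(data))


def interleave_verify(blob: bytes) -> bool:
    data, tag = deinterleave(blob)
    return hmac.compare_digest(tag, make_tag(data))


# ---- Channel 2: Ioldanach's swappable instructions (Hydan's idea) -------------
# Toy ISA (constructed): (op, a, b) with integer register numbers. Operand
# order of a commutative op does not change what it computes, so it carries
# one bit: a < b encodes 0, a > b encodes 1. Every other instruction is fixed.

COMMUTATIVE = {"add", "xor", "and", "or"}
Ins = tuple[str, int, int]


def swappable(ins: Ins) -> bool:
    op, a, b = ins
    return op in COMMUTATIVE and a != b


def canonical(program: list[Ins]) -> list[Ins]:
    """Decode step 3: set every swappable slot to its bit-0 form."""
    return [(op, min(a, b), max(a, b)) if swappable((op, a, b)) else (op, a, b)
            for op, a, b in program]


def serialize(program: list[Ins]) -> bytes:
    return "\n".join(f"{op} r{a}, r{b}" for op, a, b in program).encode()


def read_bits(program: list[Ins]) -> list[int]:
    """Decode steps 1-2: find the swappable slots and read their setting."""
    return [int(a > b) for op, a, b in program if swappable((op, a, b))]


def write_bits(program: list[Ins], bits: list[int]) -> list[Ins]:
    """Encode step 3: swap operand order to spell out the bits; spare slots stay 0."""
    slots = sum(map(swappable, program))
    if len(bits) > slots:
        raise ValueError(f"need {len(bits)} swappable instructions, have {slots}")
    it = iter(bits + [0] * (slots - len(bits)))
    out = []
    for ins in program:
        if swappable(ins):
            op, lo, hi = ins[0], min(ins[1:]), max(ins[1:])
            out.append((op, hi, lo) if next(it) else (op, lo, hi))
        else:
            out.append(ins)
    return out


def hex_to_bits(h: str) -> list[int]:
    return [int(c) for c in format(int(h, 16), f"0{len(h) * 4}b")]


def bits_to_hex(bits: list[int]) -> str:
    return format(int("".join(map(str, bits)), 2), f"0{len(bits) // 4}x")


def swap_embed(program: list[Ins]) -> list[Ins]:
    canon = canonical(program)                    # encode step 1: all slots to 0
    tag = make_tag(serialize(canon))              # encode step 2: tag that form
    return write_bits(canon, hex_to_bits(tag))    # encode step 3: swap to encode


def swap_verify(program: list[Ins]) -> bool:
    stored = bits_to_hex(read_bits(program)[:TAG_BITS])       # decode steps 1-2
    expected = make_tag(serialize(canonical(program)))        # decode steps 3-4
    return hmac.compare_digest(stored, expected)              # decode step 5


# Constructed carrier: 48 commutative ops (48 bits of capacity) plus a few fixed
# instructions, standing in for a real binary's instruction stream.
PROGRAM: list[Ins] = []
for i in range(48):
    PROGRAM.append(("add" if i % 2 else "xor", 1 + i % 3, 4 + i % 5))
    if i % 6 == 0:
        PROGRAM.append(("mov", i % 8, 0))
PROGRAM.append(("ret", 0, 0))

if __name__ == "__main__":
    blob = interleave_embed(b"1337PROGRAM")
    print(blob, interleave_verify(blob))
    signed = swap_embed(PROGRAM)
    print(swap_verify(signed), len(serialize(signed)) == len(serialize(PROGRAM)))
```

The swapped program serializes to the same length as the original and canonicalizes back to it, which is the "no change in functionality or filesize" property the summary describes; changing any fixed instruction, or any operand value, changes the canonical form and the check fails. Real Hydan chooses between equivalent x86 encodings rather than this toy operand swap, and a real deployment would embed the whole signature rather than a 40-bit truncation.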