Hydan: Steganography in Executables
An anonymous reader says "Ever wanted to hide a message into an executable? Now you can with Hydan. Presented recently by Rakan El-Khalil at Defcon and Blackhat, this tool lets you embed data into an application without changing its functionality or filesize! Check it out. Use includes steganography as well as embedding a program's signature into itself to verify it's not been tampered with."
Many executable formats include unused space for alignment purposes. For example, I've been working on a Mach-O equivalent of the super-tiny ELF executable mentioned a few days back. The executable produced by GCC includes 300 bytes of code and headers, and 8000 bytes of padding.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
Unless you do it like this (an example is always easy to understand).
Say you have an executable:
1337PROGRAM
Your signature checking routine then does this:
1_3_3_7_P_R_O_G_R_A_M
and computes the hash
deadbabeca
And then sends:
1d3e3a7dPbRaObGeRcAaM
To reverse, we extract the hash (deadbabeca) and the "original" executable.
Then we compute the hash (of 1_3_3_7...) and check if it matches...
In summary, we embedded a checksum, but we removed it before we checked it. Simple, really.
My other car is first.