Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hydan: Steganography in Executables

Posted by ryuzaki0 on from the something-to-hack-on dept.

An anonymous reader says "Ever wanted to hide a message into an executable? Now you can with Hydan. Presented recently by Rakan El-Khalil at Defcon and Blackhat, this tool lets you embed data into an application without changing its functionality or filesize! Check it out. Use includes steganography as well as embedding a program's signature into itself to verify it's not been tampered with."

6 of 235 comments (clear)

  1. Re:without changing its functionality or filesize! by Carnildo · · Score: 5, Interesting

    Many executable formats include unused space for alignment purposes. For example, I've been working on a Mach-O equivalent of the super-tiny ELF executable mentioned a few days back. The executable produced by GCC includes 300 bytes of code and headers, and 8000 bytes of padding.

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  2. Re:without changing its functionality or filesize! by jdray · · Score: 5, Informative
    From the article:

    Hydan steganographically conceals a message into an application. It exploits redundancy in the i386 instruction set by defining sets of functionally equivalent instructions. It then encodes information in machine code by using the appropriate instructions from each set.

    --
    The Spoon
    Updated 6/28/2011
  3. Hydan... by Anonymous Coward · · Score: 5, Funny

    The message retrieval method should be called "Hydan Seek"

  4. Re:embedding signiature?? by jrockway · · Score: 5, Interesting

    Unless you do it like this (an example is always easy to understand).

    Say you have an executable:

    1337PROGRAM

    Your signature checking routine then does this:

    1_3_3_7_P_R_O_G_R_A_M

    and computes the hash

    deadbabeca

    And then sends:

    1d3e3a7dPbRaObGeRcAaM

    To reverse, we extract the hash (deadbabeca) and the "original" executable.

    Then we compute the hash (of 1_3_3_7...) and check if it matches...

    In summary, we embedded a checksum, but we removed it before we checked it. Simple, really.

    --
    My other car is first.
  5. Re:Information Theory by Carnildo · · Score: 5, Informative

    inc ax
    add ax, 1
    add al, 1
    inc eax
    add eax, 1

    All of these i386 instructions do the same thing, but they've got different binary representations. If you encode your information by which instruction you use, you can hide the message without changing filesize or functionality.

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  6. Re: For the slightly less knowledgable by Black+Parrot · · Score: 5, Funny


    > steganography: the hiding of a secret message within an ordinary message and the extraction of it at its destination.

    I thought steganography meant pictures of stegasaurs making little stegasarus.

    --
    Sheesh, evil *and* a jerk. -- Jade