zsteg 0.0.0

data/Gemfile

@@ -0,0 +1,15 @@
+source "http://rubygems.org"
+# Add dependencies required to use your gem here.
+# Example:
+#   gem "activesupport", ">= 2.3.5"
+gem 'zpng', ">= 0.2.1"
+gem "awesome_print"
+gem "iostruct"
+
+# Add dependencies to develop your gem here.
+# Include everything needed to run rake, tests, features, etc.
+group :development do
+  gem "rspec",   ">= 2.8.0"
+  gem "bundler", ">= 1.0.0"
+  gem "jeweler", "~> 1.8.4"
+end

data/Gemfile.lock

@@ -0,0 +1,38 @@
+GEM
+  remote: http://rubygems.org/
+  specs:
+    awesome_print (1.1.0)
+    diff-lcs (1.1.3)
+    git (1.2.5)
+    iostruct (0.0.1)
+    jeweler (1.8.4)
+      bundler (~> 1.0)
+      git (>= 1.2.5)
+      rake
+      rdoc
+    json (1.7.5)
+    rainbow (1.1.4)
+    rake (10.0.3)
+    rdoc (3.12)
+      json (~> 1.4)
+    rspec (2.12.0)
+      rspec-core (~> 2.12.0)
+      rspec-expectations (~> 2.12.0)
+      rspec-mocks (~> 2.12.0)
+    rspec-core (2.12.2)
+    rspec-expectations (2.12.1)
+      diff-lcs (~> 1.1.3)
+    rspec-mocks (2.12.1)
+    zpng (0.2.1)
+      rainbow
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  awesome_print
+  bundler (>= 1.0.0)
+  iostruct
+  jeweler (~> 1.8.4)
+  rspec (>= 2.8.0)
+  zpng (>= 0.2.1)

data/README.md

@@ -0,0 +1,46 @@
+zsteg
+======
+
+
+Description
+-----------
+detect stegano-hidden data in PNG & BMP
+
+
+Installation
+------------
+    gem install zsteg
+
+
+Detects:
+--------
+ * LSB steganography in PNG & BMP
+ * zlib-compressed data
+ * [OpenStego](http://openstego.sourceforge.net/)
+ * [Camouflage 1.2.1](http://camouflage.unfiction.com/)
+
+
+Usage
+-----
+
+    # zsteg -h
+
+    Usage: zsteg [options] filename.png
+    
+        -c, --channels X                 channels (R/G/B/A) or any combination, comma separated
+                                         valid values: r,g,b,a,rg,rgb,bgr,rgba,...
+        -l, --limit N                    limit bytes checked, 0 = no limit (default: 256)
+        -b, --bits N                     number of bits (1..8), single value or '1,3,5' or '1-8'
+            --lsb                        least significant BIT comes first
+            --msb                        most significant BIT comes first
+        -o, --order X                    pixel iteration order (default: 'auto')
+                                         valid values: ALL,xy,yx,XY,YX,xY,Xy,bY,...
+        -E, --extract NAME               extract specified payload, NAME is like '1b,rgb,lsb'
+    
+        -v, --verbose                    Run verbosely (can be used multiple times)
+        -q, --quiet                      Silent any warnings (can be used multiple times)
+
+
+License
+-------
+Released under the MIT License.  See the [LICENSE](https://github.com/zed-0xff/zsteg/blob/master/LICENSE.txt) file for further details.

data/README.md.tpl

@@ -0,0 +1,31 @@
+zsteg
+======
+
+
+Description
+-----------
+detect stegano-hidden data in PNG & BMP
+
+
+Installation
+------------
+    gem install zsteg
+
+
+Detects:
+--------
+ * LSB steganography in PNG & BMP
+ * zlib-compressed data
+ * [OpenStego](http://openstego.sourceforge.net/)
+ * [Camouflage 1.2.1](http://camouflage.unfiction.com/)
+
+
+Usage
+-----
+
+% zsteg -h
+
+
+License
+-------
+Released under the MIT License.  See the [LICENSE](https://github.com/zed-0xff/zsteg/blob/master/LICENSE.txt) file for further details.

data/Rakefile

@@ -0,0 +1,99 @@
+# encoding: utf-8
+
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'rake'
+
+require 'jeweler'
+Jeweler::Tasks.new do |gem|
+  # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
+  gem.name = "zsteg"
+  gem.homepage = "http://github.com/zed-0xff/zsteg"
+  gem.license = "MIT"
+  gem.summary = %Q{Detect stegano-hidden data in PNG & BMP files.}
+  #gem.description = %Q{TODO: longer description of your gem}
+  gem.email = "zed.0xff@gmail.com"
+  gem.authors = ["Andrey \"Zed\" Zaikin"]
+  #gem.executables = %w'zsteg'
+  gem.files.include "lib/**/*.rb"
+  gem.files.include "bin/zsteg"
+  # dependencies defined in Gemfile
+end
+Jeweler::RubygemsDotOrgTasks.new
+
+require 'rspec/core'
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec) do |spec|
+  spec.pattern = FileList['spec/**/*_spec.rb']
+end
+
+RSpec::Core::RakeTask.new(:rcov) do |spec|
+  spec.pattern = 'spec/**/*_spec.rb'
+  spec.rcov = true
+end
+
+task :default => :spec
+
+desc "build readme"
+task :readme do
+  require 'erb'
+  tpl = File.read('README.md.tpl').gsub(/^%\s+(.+)/) do |x|
+    x.sub! /^%/,''
+    "<%= run(\"#{x}\") %>"
+  end
+  def run cmd
+    cmd.strip!
+    puts "[.] #{cmd} ..."
+    r = "    # #{cmd}\n\n"
+    cmd.sub! /^zsteg/,"../bin/zsteg"
+    lines = `#{cmd}`.sub(/\A\n+/m,'').sub(/\s+\Z/,'').split("\n")
+    lines = lines[0,25] + ['...'] if lines.size > 50
+    r << lines.map{|x| "    #{x}"}.join("\n")
+    r << "\n"
+  end
+  Dir.chdir 'samples'
+  result = ERB.new(tpl,nil,'%>').result
+  Dir.chdir '..'
+  File.open('README.md','w'){ |f| f << result }
+end
+
+Rake::Task[:console].clear
+
+# from /usr/local/lib64/ruby/gems/1.9.1/gems/jeweler-1.8.4/lib/jeweler/tasks.rb
+desc "Start IRB with all runtime dependencies loaded"
+task :console, [:script] do |t,args|
+  dirs = ['./ext', './lib'].select { |dir| File.directory?(dir) }
+
+  original_load_path = $LOAD_PATH
+
+  cmd = if File.exist?('Gemfile')
+          require 'bundler'
+          Bundler.setup(:default)
+        end
+
+  # add the project code directories
+  $LOAD_PATH.unshift(*dirs)
+
+  # clear ARGV so IRB is not confused
+  ARGV.clear
+
+  require 'irb'
+
+  # ZZZ actually added only these 2 lines
+  require 'zsteg'
+  include ZSteg
+
+  # set the optional script to run
+  IRB.conf[:SCRIPT] = args.script
+  IRB.start
+
+  # return the $LOAD_PATH to it's original state
+  $LOAD_PATH.reject! { |path| !(original_load_path.include?(path)) }
+end

data/TODO

@@ -0,0 +1,14 @@
+[ ] make 'extract' cmd stream its data directly to stdout
+[ ] gzip
+[*] wbStego
+[ ] openstego
+[ ] tmp/steg*/*.bmp
+[ ] 4bpp/8bpp BMP
+
+[+] auto pixel order for BMP
+[+] BMP
+[+] zlib
+
+[ ] detect AES from http://punkroy.drque.net/PNG_Steganography/Steganography5.php
+[?] http://tobyinkster.co.uk/article/steg-encode/
+[ ] Sieve of Eratosthenes: http://wiki.cedricbonhomme.org/security:steganography

data/VERSION

@@ -0,0 +1 @@
+0.0.0

data/bin/zsteg

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift(File.expand_path(File.dirname(__FILE__) + '/../lib'))
+require 'zsteg'
+require 'zsteg/cli'
+
+ZSteg::CLI.new.run

data/cmp_bmp.rb

@@ -0,0 +1,47 @@
+#!/usr/bin/env ruby
+require 'zpng'
+require 'awesome_print'
+
+@show_all = true
+
+images = ARGV.map{ |fname| ZPNG::Image.load(fname) }
+raise "need at least 2 images" if images.size < 2
+
+limit = 25
+alpha_used = images.any?(&:alpha_used?)
+channels = alpha_used ? %w'r g b a' : %w'r g b'
+channels.reverse!
+
+printf "%6s %4s %4s : %s  ...\n".magenta, "#", "X", "Y", (alpha_used ? "RRGGBBAA":"RRGGBB").reverse
+
+idx = ndiff = 0
+(images[0].height-1).downto(0) do |y|
+  0.upto(images[0].width-1) do |x|
+    colors = images.map{ |img| img[x,y] }
+    if colors.uniq.size > 1 || @show_all
+      ndiff += 1
+      printf "%6d %4d %4d : ", idx, x, y
+      t = Array.new(images.size){ '' }
+      channels.each do |channel|
+        values = colors.map{ |color| color.send(channel) }
+        if values.uniq.size == 1
+          # all equal
+          values.each_with_index do |value,idx|
+            t[idx] << "%02x".gray % value
+          end
+        else
+          # got diff
+          values.each_with_index do |value,idx|
+            t[idx] << "%02x".red % value
+          end
+        end
+      end
+      puts t.join('  ')
+    end
+    idx += 1
+    if limit && ndiff >= limit
+      puts "[.] diff limit #{limit} reached"
+      exit
+    end
+  end
+end

data/cmp_png.rb

@@ -0,0 +1,42 @@
+#!/usr/bin/env ruby
+require 'zpng'
+require 'awesome_print'
+
+images = ARGV.map{ |fname| ZPNG::Image.load(fname) }
+raise "need at least 2 images" if images.size < 2
+
+limit = 20
+alpha_used = images.any?(&:alpha_used?)
+channels = alpha_used ? %w'r g b a' : %w'r g b'
+
+printf "%6s %4s %4s : %s  ...\n".magenta, "#", "X", "Y", (alpha_used ? "RRGGBBAA":"RRGGBB")
+
+idx = ndiff = 0
+images[0].each_pixel do |c,x,y|
+  colors = images.map{ |img| img[x,y] }
+  if colors.uniq.size > 1
+    ndiff += 1
+    printf "%6d %4d %4d : ", idx, x, y
+    t = Array.new(images.size){ '' }
+    channels.each do |channel|
+      values = colors.map{ |color| color.send(channel) }
+      if values.uniq.size == 1
+        # all equal
+        values.each_with_index do |value,idx|
+          t[idx] << "%02x".gray % value
+        end
+      else
+        # got diff
+        values.each_with_index do |value,idx|
+          t[idx] << "%02x".red % value
+        end
+      end
+    end
+    puts t.join('  ')
+  end
+  idx += 1
+  if limit && ndiff >= limit
+    puts "[.] diff limit #{limit} reached"
+    break
+  end
+end

data/lib/zsteg.rb

@@ -0,0 +1,12 @@
+require 'zpng'
+require 'iostruct'
+
+require 'zsteg/extractor/byte_extractor'
+require 'zsteg/extractor/color_extractor'
+require 'zsteg/extractor'
+
+require 'zsteg/checker'
+require 'zsteg/result'
+require 'zsteg/file_cmd'
+
+require 'zsteg/checker/wbstego'

data/lib/zsteg/checker.rb

@@ -0,0 +1,228 @@
+require 'stringio'
+require 'zlib'
+
+module ZSteg
+  class Checker
+    attr_accessor :params, :channels, :verbose
+
+    MIN_TEXT_LENGTH = 8
+
+    # image can be either filename or ZPNG::Image
+    def initialize image, params = {}
+      @params = params
+      @cache = {}
+      @image = image.is_a?(ZPNG::Image) ? image : ZPNG::Image.load(image)
+      @extractor = Extractor.new(@image, params)
+      @channels = params[:channels] ||
+        if @image.alpha_used?
+          %w'r g b a rgb bgr rgba abgr'
+        else
+          %w'r g b rgb bgr'
+        end
+      @verbose = params[:verbose] || 0
+      @file_cmd = FileCmd.new
+    end
+
+    def check
+      @found_anything = false
+      @file_cmd.start!
+
+      check_extradata
+      check_metadata
+
+      case params[:order].to_s.downcase
+      when /all/
+        params[:order] = %w'xy yx XY YX Xy yX xY Yx'
+      when /auto/
+        params[:order] = @image.format == :bmp ? %w'bY xY' : 'xy'
+      end
+
+      Array(params[:order]).uniq.each do |order|
+        Array(params[:bits]).uniq.each do |bits|
+          if order[/b/i]
+            # byte iterator does not need channels
+            check_channels nil, @params.merge( :bits => bits, :order => order )
+          else
+            channels.each do |c|
+              check_channels c, @params.merge( :bits => bits, :order => order )
+            end
+          end
+        end
+      end
+
+      if @found_anything
+        print "\r" + " "*20 + "\r" if @need_cr
+      else
+        puts "\r[=] nothing :(" + " "*20 # line cleanup
+      end
+    ensure
+      @file_cmd.stop!
+    end
+
+    def check_extradata
+      if @image.extradata
+        @found_anything = true
+        title = "data after IEND"
+        show_title title, :red
+        process_result @image.extradata, :special => true, :title => title
+      end
+    end
+
+    def check_metadata
+      @image.metadata.each do |k,v|
+        @found_anything = true
+        show_title(title = "meta #{k}")
+        process_result v, :special => true, :title => title
+      end
+    end
+
+    def check_channels channels, params
+      unless params[:bit_order]
+        check_channels(channels, params.merge(:bit_order => :lsb))
+        check_channels(channels, params.merge(:bit_order => :msb))
+        return
+      end
+
+      title = ["#{params[:bits]}b",channels,params[:bit_order],params[:order]].compact.join(',')
+      show_title title
+
+      p1 = params.clone
+      p1.delete :channel
+      p1[:title] = title
+
+      if channels
+        p1[:channels] = channels.split('')
+        @max_hidden_size = p1[:channels].size*@image.width
+      elsif params[:order] =~ /b/i
+        # byte extractor
+        @max_hidden_size = @image.scanlines[0].decoded_bytes.size
+      else
+        raise "invalid params #{params.inspect}"
+      end
+      @max_hidden_size *= p1[:bits]*@image.height/8
+
+      data = @extractor.extract p1
+
+      @need_cr = !process_result(data, p1) # carriage return needed?
+      @found_anything ||= !@need_cr
+    end
+
+    def show_title title, color = :gray
+      printf "\r[.] %-14s.. ".send(color), title
+      $stdout.flush
+    end
+
+    # returns true if was any output
+    def process_result data, params
+      verbose = params[:special] ? [@verbose,1.5].max : @verbose
+
+      if @cache[data]
+        if verbose > 1
+          puts "[same as #{@cache[data].inspect}]".gray
+          return true
+        else
+          # silent return
+          return false
+        end
+      end
+
+      # TODO: store hash of data for large datas
+      @cache[data] = params[:title]
+
+      result = data2result data, params
+
+      case verbose
+      when -999..0
+        # verbosity=0: only show result if anything interesting found
+        if result && !result.is_a?(Result::OneChar)
+          puts result
+          return true
+        else
+          return false
+        end
+      when 1
+        # verbosity=1: if anything interesting found show result & hexdump
+        return false unless result
+      end
+
+      # verbosity>1: always show hexdump
+
+      if params[:special]
+        puts result.is_a?(Result::PartialText) ? nil : result
+      else
+        puts result
+      end
+      if data.size > 0 && !result.is_a?(Result::OneChar) && !result.is_a?(Result::WholeText)
+        print ZPNG::Hexdump.dump(data){ |x| x.prepend(" "*4) }
+      end
+      true
+    end
+
+    def data2result data, params
+      if one_char?(data)
+        return Result::OneChar.new(data[0,1], data.size)
+      end
+
+      if idx = data.index('OPENSTEGO')
+        io = StringIO.new(data)
+        io.seek(idx+9)
+        return Result::OpenStego.read(io)
+      end
+
+      if data[0,2] == "\x00\x00" && data[3,3] == "\xed\xcd\x01"
+        return Result::Camouflage.new(data)
+      end
+
+      # only BMP & 1-bit-per-channel
+      if params[:bits] == 1 && params[:bit_order] == :lsb
+        if x = WBStego.check(data, params.merge(
+                                                :image => @image,
+                                                :max_hidden_size => @max_hidden_size
+                            ))
+          return x
+        end
+      end
+
+      if data =~ /\A[\x20-\x7e\r\n\t]+\Z/
+        # whole ASCII
+        return Result::WholeText.new(data, 0)
+      end
+
+      if r = @file_cmd.check_data(data)
+        return Result::FileCmd.new(r, data)
+      end
+
+      # http://blog.w3challs.com/index.php?post/2012/03/25/NDH2k12-Prequals-We-are-looking-for-a-real-hacker-Wallpaper-image
+      # http://blog.w3challs.com/public/ndh2k12_prequalls/sp113.bmp
+      if idx = data.index(/\x78[\x9c\xda\x01]/)
+        begin
+#          x = Zlib::Inflate.inflate(data[idx,4096])
+          zi = Zlib::Inflate.new(Zlib::MAX_WBITS)
+          x = zi.inflate data[idx..-1]
+          # decompress OK
+          return Result::Zlib.new x, idx
+        rescue Zlib::BufError
+          # tried to decompress, but got EOF - need more data
+          return Result::Zlib.new x, idx
+        rescue Zlib::DataError, Zlib::NeedDict
+          # not a zlib
+        ensure
+          zi.close if zi && !zi.closed?
+        end
+      end
+
+      if (r=data[/[\x20-\x7e\r\n\t]{#{MIN_TEXT_LENGTH},}/])
+        return Result::PartialText.new(r, data.index(r))
+      end
+    end
+
+    private
+
+    # returns true if String s consists of one repeating character
+    # performance-optimized
+    # 16Mb string = 0.7s on Core i5 1.7GHz
+    def one_char? s
+      (s =~ /\A(.)\1+\Z/m) == 0
+    end
+  end
+end