Zsteg

From aldeid
Jump to navigation Jump to search

Description

detect stegano-hidden data in PNG & BMP:

  • LSB steganography in PNG & BMP
  • zlib-compressed data
  • OpenStego
  • Camouflage 1.2.1
  • LSB with The Eratosthenes set

Installation

$ sudo gem install zsteg
Fetching: rainbow-2.0.0.gem (100%)
Fetching: zpng-0.2.5.gem (100%)
Fetching: zsteg-0.1.2.gem (100%)
Successfully installed rainbow-2.0.0
Successfully installed zpng-0.2.5
Successfully installed zsteg-0.1.2
3 gems installed
Installing ri documentation for rainbow-2.0.0...
Installing ri documentation for zpng-0.2.5...
Installing ri documentation for zsteg-0.1.2...
Installing RDoc documentation for rainbow-2.0.0...
Installing RDoc documentation for zpng-0.2.5...
Installing RDoc documentation for zsteg-0.1.2...

Usage

Syntax

Usage: zsteg [options] filename.png [param_string]

Options

-c, --channels X
channels (R/G/B/A) or any combination, comma separated valid values: r,g,b,a,rg,bgr,rgba,r3g2b3,...
-l, --limit N
limit bytes checked, 0 = no limit (default: 256)
-b, --bits N
number of bits, single int value or '1,3,5' or range '1-8' advanced: specify individual bits like '00001110' or '0x88'
--lsb
least significant BIT comes first
--msb
most significant BIT comes first
-P, --prime
analyze/extract only prime bytes/pixels
--invert
invert bits (XOR 0xff)
-a, --all
try all known methods
-o, --order X
pixel iteration order (default: 'auto') valid values: ALL,xy,yx,XY,YX,xY,Xy,bY,...
-E, --extract NAME
extract specified payload, NAME is like '1b,rgb,lsb'
--[no-]file
use 'file' command to detect data type (default: YES)
--no-strings
disable ASCII strings finding (default: enabled)
-s, --strings X
ASCII strings find mode: first, all, longest, none (default: first)
-n, --min-str-len X
minimum string length (default: 8)
--shift N
prepend N zero bits
-v, --verbose
Run verbosely (can be used multiple times)
-q, --quiet
Silent any warnings (can be used multiple times)
-C, --[no-]color
Force (or disable) color output (default: auto)

Examples

Identification

$ zsteg file.png 
imagedata           .. text: "\r\t(%%*,&"
b1,r,msb,xy         .. file: Applesoft BASIC program data, first line number 64
b1,rgb,msb,xy       .. file: PE32 executable (Unknown subsystem 0x1814) Intel 80386, for MS Windows
b1,bgr,lsb,xy       .. file: GLS_BINARY_LSB_FIRST
b2,rgb,msb,xy       .. text: "UDDADPAE"
b2,bgr,msb,xy       .. text: "|[email protected]"
b4,r,msb,xy         .. text: "[email protected]&we-b e"
b4,g,msb,xy         .. text: "%`$Q\"[email protected]"
b4,b,msb,xy         .. text: "C$qFqgf#0wpq"
b4,rgb,msb,xy       .. text: "BcrpAPpv#"
b4,bgr,msb,xy       .. text: "@[email protected] s"

Extraction

$ zsteg -E "b1,rgb,msb,xy" file.png > extracted.exe