Unicode and LSB Steganography program examples

        I wrote these Autoit3 code examples to illustrate some of the ways that steganography (hiding data in other data, or as I like to call it "hiding your stuff in other stuff so people can't find your stuff") can be done. These sorts of techniques can be of great use in passing messages without others knowing, in anti-forensics activities, or as covert command and control channels for botnets (as I plan to study for my final project in the malware class I'm enrolled in).  There are probably better stego tools out there for these tasks, I know steghide is a better option if you want to encode hidden data into images. Still, these examples are fairly simple and should help students begin to learn the concepts. The download contains two programs and their source code:

unisteg.exe: This tool lets you encode data using different representations Unicode of characters. The hidden message can then be pasted into Twitter or Facebook. On Twitter, I can only get 17 hidden characters encoded into a 140 byte message, but for a command and control channel I'm sure I can split it up across multiple posts. I'm hoping to get Robin Wood to implement an encoding scheme similar to this one into his KreiosC2 project.

lsbsteg.exe: This tool is a simple image editor that takes a message and hides it as bits in a lossless image format (PNGs for example).

         I plan to use some of these stego techniques in future projects. Looks at the comments at the top of the source code for more details on the specifics of how each algorithm works. Most of the real technical information is in those comments.

Download Tools and Source Code

Code printouts:

Unicode Steganography

#Region ;**** Directives created by AutoIt3Wrapper_GUI **** #AutoIt3Wrapper_icon=steg.ico #EndRegion ;**** Directives created by AutoIt3Wrapper_GUI **** #cs     Steganography using Unicode homoglyphs example ver 1.0     From: Adrian Crenshaw http://irongeek.com     Written in Autoit3     In Unicode there are multiple ways to encode characters that look more     or less the same to the human eye, but have different numerical values     (homoglyphs). I thought this would be a great way to try to hide data in     user generated content. I did some searching around, but did not find     any code. Antonio Alcorn had a demo page (link below), which he may put     up code for later. I looked at what he did, but went a slightly     different direction in how I do my encoding (his results looks better,     mine hides more data). It seems the characters:     !"$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~     are represented in both the 0021-007E (Basic Latin) and the FF01-FF5E     (Fullwidth Latin) ranges. This means I can use the lower range to     represent 0s and the higher range to represent 1s. I have to do     something special with spaces and encode them as Unicode number 8287     decimal. This means changing from one encoding to another is as easy as     adding the decimal values 65248 to the lower range versions. With some     effort, I should be able to encode more data or make the output look     better by using other homoglyphs, but that will make the algorithm more     complicated. Also, some sort of XOR based encryption to the payload     would be an easy option to add. Since this first release is for     learning, I’ve opted for simplicity of concept. Great thing about this     code, you can hide your messages in Twitter or Facebook posts. :)     Useful Links: http://en.wikipedia.org/wiki/Steganography     http://homoglyphs.net/     http://www.cs.trincoll.edu/~aalcorn/steganography/     http://en.wikipedia.org/wiki/IDN_homograph_attack #ce #include <ButtonConstants.au3> #include <EditConstants.au3> #include <GUIConstantsEx.au3> #include <StaticConstants.au3> #include <WindowsConstants.au3> #include <String.au3> #include <Math.au3> #Region ### START Koda GUI section ### Form=c:\users\adrian\desktop\stego\unisteg\unisteg.kxf $UniStegFrm = GUICreate("UniSteg - Crappy code from Irongeek", 529, 577, 192, 114, BitOR($WS_MAXIMIZEBOX, $WS_MINIMIZEBOX, $WS_SIZEBOX, $WS_THICKFRAME, $WS_SYSMENU, $WS_CAPTION, $WS_OVERLAPPEDWINDOW, $WS_TILEDWINDOW, $WS_POPUP, $WS_POPUPWINDOW, $WS_GROUP, $WS_TABSTOP, $WS_BORDER, $WS_CLIPSIBLINGS)) $InputMessageEdit = GUICtrlCreateEdit("", 8, 32, 513, 105, BitOR($ES_AUTOVSCROLL, $ES_WANTRETURN, $WS_VSCROLL)) $Label1 = GUICtrlCreateLabel("Input to encode/decode:", 8, 8, 151, 17) $CoverTextEdit = GUICtrlCreateEdit("", 8, 168, 513, 105, BitOR($ES_AUTOVSCROLL, $ES_WANTRETURN, $WS_VSCROLL)) $Label2 = GUICtrlCreateLabel("Cover Text:", 8, 144, 75, 17) $OutputEdit = GUICtrlCreateEdit("", 8, 304, 513, 105, BitOR($ES_AUTOVSCROLL, $ES_WANTRETURN, $WS_VSCROLL)) GUICtrlSetData(-1, "") $Label3 = GUICtrlCreateLabel("Output/Errors:", 8, 280, 85, 17) $EncodeBut = GUICtrlCreateButton("Encode", 64, 432, 113, 25, $WS_GROUP) $DecodeBut = GUICtrlCreateButton("Decode", 192, 432, 113, 25, $WS_GROUP) $Info = GUICtrlCreateButton("Info", 320, 432, 113, 25, $WS_GROUP) $InfoReadoutLbl = GUICtrlCreateLabel("", 8, 504, 510, 50) ;Main code loop below GUISetState(@SW_SHOW) #EndRegion ### END Koda GUI section ### $DetectChangesInInput = "" While 1     $CoverStr = GUICtrlRead($CoverTextEdit)     $InputMessageStr = GUICtrlRead($InputMessageEdit)     If $CoverStr & $InputMessageStr <> $DetectChangesInInput Then         $DetectChangesInInput = $CoverStr & $InputMessageStr         GUICtrlSetData($InfoReadoutLbl, ShowInfo($CoverStr, $InputMessageStr))     EndIf     $nMsg = GUIGetMsg()     Switch $nMsg         Case $CoverTextEdit             ShowInfo($CoverStr, $InputMessageStr)         Case $EncodeBut             If CanEncode($CoverStr, $InputMessageStr) Then                 GUICtrlSetData($OutputEdit, UniEncodeString($CoverStr, $InputMessageStr))                 ShowInfo($CoverStr, $InputMessageStr)             Else                 MsgBox(0, "", ShowInfo($CoverStr, $InputMessageStr))             EndIf         Case $DecodeBut             GUICtrlSetData($OutputEdit, UniDecodeString($InputMessageStr))         Case $Info             ;GUICtrlSetData($OutputEdit, "a " & "b" & ChrW(8287) & "c" & chrW(32+65248) & "d") ; Code I use for testing             MsgBox(0, "Unicode Values", PrintDecodeString(GUICtrlRead($OutputEdit)))         Case $GUI_EVENT_CLOSE             Exit     EndSwitch WEnd ;Function checks to see if a valid encode is possible Func CanEncode($CoverStr, $InputMessageStr)     $TotalCoverChrs = StringLen($CoverStr)     ;$CoverStrNoSpaces = StringReplace($CoverStr, " ", "")     ;$EncodablePlaces = StringLen($CoverStrNoSpaces) / 8     $EncodablePlaces = StringLen($CoverStr) / 8     $ChrToEncode = StringLen($InputMessageStr)     If $EncodablePlaces >= $ChrToEncode Then         Return True     Else         Return False     EndIf EndFunc   ;==>CanEncode ;This function just lets the use know what they can encode Func ShowInfo($CoverStr, $InputMessageStr)     $TotalCoverChrs = StringLen($CoverStr)     ;$CoverStrNoSpaces = StringReplace($CoverStr, " ", "")     ;$EncodablePlaces = StringLen($CoverStrNoSpaces) / 8     $EncodablePlaces = StringLen($CoverStr) / 8     $ChrToEncode = StringLen($InputMessageStr)     $InfoMessage = "You have " & $ChrToEncode & " characters to encode" & @CRLF     $InfoMessage = $InfoMessage & "With the current cover text, you can only encode " & $EncodablePlaces & " characters" & @CRLF     $InfoMessage = $InfoMessage & "You have " & $TotalCoverChrs & " total cover characters (140 is all Twitter will allow)"     Return $InfoMessage EndFunc   ;==>ShowInfo ;Encodes the input string into the cover text Func UniEncodeString($CoverStr, $InputMessageStr)     $HideMeBin = BinEncodeString($InputMessageStr)     $results = ""     $BinIndex = 0     For $i = 1 To StringLen($CoverStr)         $TheChr = StringMid($CoverStr, $i, 1)         If AscW($TheChr) > 31 Then ;do nothing if it's a lower ASCII character             $BinIndex = $BinIndex + 1             $TheBit = StringMid($HideMeBin, $BinIndex, 1)             Select                 Case $TheBit = "1"                     $TheChr = UnicodeReplace($TheChr)                 Case Else                     ;Just leave it latin             EndSelect         EndIf         $results = $results & $TheChr     Next     Return $results EndFunc   ;==>UniEncodeString ;Decodes the input string into the hidden text Func UniDecodeString($InputStr)     $BinTemp = ""     For $i = 1 To StringLen($InputStr)         $TheChr = StringMid($InputStr, $i, 1)         Select             Case AscW($TheChr) < 32                 ;do nothing, it's a  lower ASCII character, so we skip it             Case AscW($TheChr) > 126                 $BinTemp = $BinTemp & "1"             Case Else                 $BinTemp = $BinTemp & "0"         EndSelect     Next     Return BinDecodeString($BinTemp) EndFunc   ;==>UniDecodeString ;Somethin I put here to help me debug Func PrintDecodeString($arg)     $results = ""     For $i = 1 To StringLen($arg)         $TheChr = StringMid($arg, $i, 1)         $results = $results & $TheChr & " " & AscW($TheChr) & @CRLF     Next     Return $results EndFunc   ;==>PrintDecodeString ;Just a simple function to make the code easier to read Func UnicodeReplace($arg)     If AscW($arg) = 32 Then         Return ChrW(8287) ;encode a space this way, since 32+65248 does not work     Else         Return ChrW(AscW($arg) + 65248)     EndIf EndFunc   ;==>UnicodeReplace ;Loops though the sting, turing the Binary to ASCII Func BinDecodeString($arg)     $results = ""     For $i = 1 To StringLen($arg) Step 8         $results = $results & Byte2Asc(StringMid($arg, $i, 8))     Next     Return $results EndFunc   ;==>BinDecodeString Func Byte2Asc($arg)     $results = 0     If StringMid($arg, 1, 1) = 1 Then $results = $results + 128     If StringMid($arg, 2, 1) = 1 Then $results = $results + 64     If StringMid($arg, 3, 1) = 1 Then $results = $results + 32     If StringMid($arg, 4, 1) = 1 Then $results = $results + 16     If StringMid($arg, 5, 1) = 1 Then $results = $results + 8     If StringMid($arg, 6, 1) = 1 Then $results = $results + 4     If StringMid($arg, 7, 1) = 1 Then $results = $results + 2     If StringMid($arg, 8, 1) = 1 Then $results = $results + 1     Return Chr($results) EndFunc   ;==>Byte2Asc ;Loops though the sting, turing the ASCII to a series of 1s and 0s Func BinEncodeString($arg)     $results = ""     For $i = 1 To StringLen($arg)         $results = $results & Asc2Byte(StringMid($arg, $i, 1))     Next     Return $results EndFunc   ;==>BinEncodeString Func Asc2Byte($arg)     $tempasc = Asc($arg)     Local $result = ""     While ($tempasc >= 1)         $tempasc /= 2         If StringIsDigit($tempasc) Then             $result &= 0         Else             $split = StringSplit($tempasc, ".")             $tempasc = $split[1]             $result &= 1         EndIf     WEnd     $result = _StringReverse($result)     While StringLen($result) < 8         $result = "0" & $result     WEnd     Return $result EndFunc   ;==>Asc2Byte ;based on a post from Mpro

Least Signifigant Bit in a PNG Steganography

#Region ;**** Directives created by AutoIt3Wrapper_GUI **** #AutoIt3Wrapper_Icon=steg.ico #EndRegion ;**** Directives created by AutoIt3Wrapper_GUI **** #cs     Steganography using LSB (least significant bit) example ver 1.1     From: Adrian Crenshaw http://irongeek.com     Written in Autoit3     This simple sample code shows using “Least Significant Bit” encoding on     a lossless image file format. We can modify the LSB to hide data if we     wish. The human eye would have a hard time telling the difference     between the RGB color value FF9999 (light red) and FF9899 (which encodes     the binary value 101 on the least significant bit of Red Green and     Blue), but a computer has no problem. Using a lossy algorithm would make     this tougher so this educational code only used PNGs(For JPGs, look up     “StegHide”). Also, some sort of XOR based encryption to the payload     would be an easy option to add. Since this first release is for     learning, I’ve opted for simplicity of concept.     Useful Links:     http://en.wikipedia.org/wiki/Steganography     http://en.wikipedia.org/wiki/Least_significant_bit     http://steghide.sourceforge.net/     Changes:     02/24/2010 - Made a change so the Encode/Decode functions use null     termination so they don't have to iterate through the whole image.     02/24/2010 - First released. #ce #include <GDIPlus.au3> #include <String.au3> #include <Color.au3> #include <Math.au3> ;Main code begins $choice = MsgBox(3, "Irongeek's LSB Stego 1.1: Decode or Encode?", "Yes=Encode" & @CRLF & "No=Decode" & @CRLF & "Cancel=Exit") Select     Case $choice = 6         $TextToEncode = FileOpenDialog("What text should I encode?", @ScriptDir, "Text (*.txt)")         $InputImage = FileOpenDialog("What image should I use as cover?", @ScriptDir, "PNGs (*.png)")         $OutputImage = FileSaveDialog("Where should I save the output image?", @ScriptDir, "PNGs (*.png)")         $DataToEncode = FileRead($TextToEncode)         ;msgbox(0,"",$DataToEncode)         EncodeImage($DataToEncode, $InputImage, $OutputImage)     Case $choice = 7         $ImageToDecode = FileOpenDialog("What should I decode?", @ScriptDir, "PNGs (*.png)")         $DecodedImageData = BinDecodeString(DecodeImage($ImageToDecode))         $TextFileToSaveTo = FileSaveDialog("Where should I save the output?", @ScriptDir, "Text (*.txt)")         FileWrite($TextFileToSaveTo, $DecodedImageData)     Case $choice = 2         Exit EndSelect ;Main code ends ;Extracts our bits Func DecodeImage($InputImage)     $iPosX = 0     $iPosY = 0     $results = ""     _GDIPlus_Startup()     $hImage = _GDIPlus_ImageLoadFromFile($InputImage)     $iXmax = _GDIPlus_ImageGetWidth($hImage)     $iYmax = _GDIPlus_ImageGetHeight($hImage)     For $iPosY = 0 To $iYmax - 1         For $iPosX = 0 To $iXmax - 1             $colval = _GDIPlus_BitmapGetPixel($hImage, $iPosX, $iPosY)             $aColor = _ColorGetRGB(Dec($colval))             $results = $results & GetLSB($aColor[0])             $results = $results & GetLSB($aColor[1])             $results = $results & GetLSB($aColor[2])             _GDIPlus_BitmapSetPixel($hImage, $iPosX, $iPosY, RGBIt(_ColorSetRGB($aColor)))             TrayTip("LSBSteg", "On Pixle " & $iPosX & "x" & $iPosY & " max " & $iXmax & "x" & $iYmax, 0)             If StringRight($results, 16) = "0000000000000000" Then ExitLoop 2 ;exit both for loops         Next     Next     Return $results     _GDIPlus_ImageDispose($hImage)     _GDIPlus_Shutdown() EndFunc   ;==>DecodeImage ;Changes the image to encode our bits Func EncodeImage($StringToHide, $InputImage, $OutputImage)     $iPosX = 0     $iPosY = 0     $BinStringToHide = BinEncodeString($StringToHide) & "0000000000000000" ;double null terminate     _GDIPlus_Startup()     $hImage = _GDIPlus_ImageLoadFromFile($InputImage)     $iXmax = _GDIPlus_ImageGetWidth($hImage)     $iYmax = _GDIPlus_ImageGetHeight($hImage)     For $iPosY = 0 To $iYmax - 1         For $iPosX = 0 To $iXmax - 1             $colval = _GDIPlus_BitmapGetPixel($hImage, $iPosX, $iPosY)             $aColor = _ColorGetRGB(Dec($colval))             $r = PopBinValue($BinStringToHide)             $b = PopBinValue($BinStringToHide)             $g = PopBinValue($BinStringToHide)             $aColor[0] = SetLSB($aColor[0], $r)             $aColor[1] = SetLSB($aColor[1], $b)             $aColor[2] = SetLSB($aColor[2], $g)             _GDIPlus_BitmapSetPixel($hImage, $iPosX, $iPosY, RGBIt(_ColorSetRGB($aColor)))             TrayTip("LSBSteg", "On Pixle " & $iPosX & "x" & $iPosY & " BinLen " & StringLen($BinStringToHide), 0)             If StringLen($BinStringToHide) < 1 Then ExitLoop 2 ;exit both for loops         Next     Next     _GDIPlus_ImageSaveToFile($hImage, $OutputImage)     _GDIPlus_ImageDispose($hImage)     _GDIPlus_Shutdown() EndFunc   ;==>EncodeImage ;Setsu the valus of the least significant bit Func SetLSB($arg, $bit)     If $bit = "1" Then         $results = BitOR($arg, 1) ; 1 as LSB     Else         $results = BitAND($arg, 254) ; 0 as LSB     EndIf     Return $results EndFunc   ;==>SetLSB ;Gives you the value of the least significant bit Func GetLSB($arg)     ;msgbox(0,"",$arg)     $results = _MathCheckDiv($arg, 2)     If $results = 2 Or $results = -1 Then $results = 0     ;msgbox(0,"",$results)     Return $results EndFunc   ;==>GetLSB ;Had to use this to implement a stack, it made the code logic easier Func PopBinValue(ByRef $arg)     $results = StringLeft($arg, 1)     $arg = StringRight($arg, StringLen($arg) - 1)     Return $results EndFunc   ;==>PopBinValue ; Turns decimal color code into a hex encoded string Func RGBIt($deccolor)     Return Hex($deccolor, 6) EndFunc   ;==>RGBIt ;Just get the color of a pixel Func _GDIPlus_BitmapGetPixel($hBitmap, $iX, $iY)     Local $tArgb, $pArgb, $aRet     $tArgb = DllStructCreate("dword Argb")     $pArgb = DllStructGetPtr($tArgb)     $aRet = DllCall($ghGDIPDll, "int", "GdipBitmapGetPixel", "hwnd", $hBitmap, "int", $iX, "int", $iY, "ptr", $pArgb)     Return Hex(DllStructGetData($tArgb, "Argb"), 6) EndFunc   ;==>_GDIPlus_BitmapGetPixel ; Vossen ;Just set the color of a pixel Func _GDIPlus_BitmapSetPixel($hBitmap, $iX, $iY, $iArgb)     Local $aRet     $iArgb = "0xFF" & $iArgb     $aRet = DllCall($ghGDIPDll, "int", "GdipBitmapSetPixel", "hwnd", $hBitmap, "int", $iX, "int", $iY, "dword", $iArgb)     Return EndFunc   ;==>_GDIPlus_BitmapSetPixel ;based on a post from Malkey ;Loops though the sting, turing the Binary to ASCII Func BinDecodeString($arg)     $results = ""     For $i = 1 To StringLen($arg) Step 8         $results = $results & Byte2Asc(StringMid($arg, $i, 8))     Next     Return $results EndFunc   ;==>BinDecodeString Func Byte2Asc($arg)     $results = 0     If StringMid($arg, 1, 1) = 1 Then $results = $results + 128     If StringMid($arg, 2, 1) = 1 Then $results = $results + 64     If StringMid($arg, 3, 1) = 1 Then $results = $results + 32     If StringMid($arg, 4, 1) = 1 Then $results = $results + 16     If StringMid($arg, 5, 1) = 1 Then $results = $results + 8     If StringMid($arg, 6, 1) = 1 Then $results = $results + 4     If StringMid($arg, 7, 1) = 1 Then $results = $results + 2     If StringMid($arg, 8, 1) = 1 Then $results = $results + 1     Return Chr($results) EndFunc   ;==>Byte2Asc ;Loops though the sting, turing the ASCII to a series of 1s and 0s Func BinEncodeString($arg)     $results = ""     For $i = 1 To StringLen($arg)         $results = $results & Asc2Byte(StringMid($arg, $i, 1))     Next     Return $results EndFunc   ;==>BinEncodeString Func Asc2Byte($arg)     $tempasc = Asc($arg)     Local $result = ""     While ($tempasc >= 1)         $tempasc /= 2         If StringIsDigit($tempasc) Then             $result &= 0         Else             $split = StringSplit($tempasc, ".")             $tempasc = $split[1]             $result &= 1         EndIf     WEnd     $result = _StringReverse($result)     While StringLen($result) < 8         $result = "0" & $result     WEnd     Return $result EndFunc   ;==>Asc2Byte ;based on a post from Mpro

Printable version of this article