0x00 Preface
Continuing the study of steganography, this time by learning and understanding the JPEG file format. Compared with PNG, the JPEG file format is relatively simple. The way a hidden payload is read is similar; what differs is the file format itself, and the details of that format are what can be used.
Related tools in this article:
- Hex editor: any hex editor
- Steganography detection: Stegdetect, Https://github.com/abeluck/stegdetect
- Editing EXIF information: magicexif, http://www.magicexif.com/
- Analyzing the JPEG picture format: JPEGsnoop, Http://www.impulseadventure.com/photo/jpeg-snoop.html
0x01 Related concepts of JPEG files
JPEG is an abbreviation of Joint Photographic Experts Group.
- Supports lossy compression
- Transparency is not supported
- Animation is not supported
- Not a vector format
The difference between JPEG and JPG
- JPEG can be both a file extension and a file format
- JPG is a shorthand for JPEG and refers to the extension
- JPEG and JPG are essentially indistinguishable; the format is the same.
Color model
JPEG uses the YCbCr color model, which is better suited to image compression than RGB.
- Y is the luminance
- Cr is the red chroma component
- Cb is the blue chroma component
The human eye is far more sensitive to changes in luminance Y than to changes in chroma C. If each pixel stores an 8-bit luminance value Y and each 2x2 block of pixels shares one pair of Cb/Cr values, the image looks almost unchanged to the naked eye and takes half the space:
- RGB model: 4 pixels require 4x3 = 12 bytes
- YCbCr model: 4 pixels require 4+2 = 6 bytes
RGB to YCbCr conversion:
Y  = 0.299 * R + 0.587 * G + 0.114 * B
Cb = -0.1687 * R - 0.3313 * G + 0.5 * B + 128
Cr = 0.5 * R - 0.4187 * G - 0.0813 * B + 128
YCbCr to RGB conversion:
R = Y + 1.402 * (Cr - 128)
G = Y - 0.34414 * (Cb - 128) - 0.71414 * (Cr - 128)
B = Y + 1.772 * (Cb - 128)
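The conversion formulas and the 2x2 chroma subsampling described above, carried through in Python as an added example (not code from the original post); BLOCK is a constructed sample block:

```python
# Added example, not from the original post: the RGB <-> YCbCr formulas above plus
# 4:2:0 chroma subsampling of a 2x2 block, showing the 12-byte -> 6-byte saving.
def clamp(v):
    """Round to the nearest integer and keep it inside one byte (0..255)."""
    return max(0, min(255, int(round(v))))

def rgb_to_ycbcr(r, g, b):
    y = 0.299 * r + 0.587 * g + 0.114 * b
    cb = -0.1687 * r - 0.3313 * g + 0.5 * b + 128
    cr = 0.5 * r - 0.4187 * g - 0.0813 * b + 128
    return clamp(y), clamp(cb), clamp(cr)

def ycbcr_to_rgb(y, cb, cr):
    r = y + 1.402 * (cr - 128)
    g = y - 0.34414 * (cb - 128) - 0.71414 * (cr - 128)
    b = y + 1.772 * (cb - 128)
    return clamp(r), clamp(g), clamp(b)

def pack_420(block):
    """Four (r, g, b) pixels of a 2x2 area -> 4 Y bytes + 1 Cb + 1 Cr = 6 bytes."""
    ycc = [rgb_to_ycbcr(*px) for px in block]
    ys = bytes(p[0] for p in ycc)                  # one luminance byte per pixel
    cb = clamp(sum(p[1] for p in ycc) / 4)         # one chroma pair shared by the block
    cr = clamp(sum(p[2] for p in ycc) / 4)
    return ys + bytes([cb, cr])

def unpack_420(packed):
    """Reverse: 6 bytes -> four (r, g, b) pixels that all share the same chroma."""
    ys, cb, cr = packed[:4], packed[4], packed[5]
    return [ycbcr_to_rgb(y, cb, cr) for y in ys]

# Constructed sample: a 2x2 block of nearly identical grey pixels (12 bytes as RGB).
BLOCK = [(100, 100, 100), (102, 102, 102), (101, 101, 101), (99, 99, 99)]

def demo():
    """Return (bytes as RGB, bytes after subsampling, reconstructed block)."""
    packed = pack_420(BLOCK)
    return len(BLOCK) * 3, len(packed), unpack_420(packed)
```

For a block with strongly differing colours the shared chroma introduces a visible error; that is the trade-off the subsampling accepts.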
File format
A JPEG file can be broadly divided into two parts: marker codes and compressed data.
Marker code:
Consists of two bytes. The first byte is always 0xFF; the second byte takes different values with different meanings.
Any number of meaningless 0xFF fill bytes may be inserted before each marker; a run of consecutive 0xFF bytes is interpreted as a single 0xFF that begins a marker code.
Common marker codes:
- SOI 0xD8 Start of Image
- APP0 0xE0 Application reserved marker 0
- APPn 0xE1 to 0xEF Application reserved marker n (n = 1 to 15)
- DQT 0xDB Define Quantization Table
- SOF0 0xC0 Start of Frame
- DHT 0xC4 Define Huffman Table
- DRI 0xDD Define Restart Interval (the interval at which the differential-coding predictors are reset)
- SOS 0xDA Start of Scan
- EOI 0xD9 End of Image
Compressed data:
The first two bytes hold the length of the whole segment, including these two bytes.
Note:
This length is stored high byte first, then low byte; the length in a PNG file is represented differently.
For example, a length of 0x12AB is stored in the order 0x12, 0xAB.
EXIF information
An EXIF file is a JPEG file that conforms to the JPEG standard and only adds the shooting information and a thumbnail to the file header.
A JPEG from a camera will contain this information.
It is stored in the APP1 (0xFFE1) data area:
- the two bytes after the marker hold the size of the APP1 data area (that is, the EXIF data area)
- then comes the EXIF header, a fixed structure: 0x457869660000 (the bytes "Exif\0\0")
- the EXIF data follows
- Tool to view EXIF information: ExifTool, Https://github.com/alchemy-fr/exiftool
- Tool to edit EXIF information: magicexif, http://www.magicexif.com/
0x02 Common steganography methods
- DCT Encryption
- LSB Encryption
- DCT LSB
- Average DCT
- High Capacity DCT
- High Capacity DCT Algorithm
The steganography methods above are taken from:
Https://www.blackhat.com/docs/asia-14/materials/Ortiz/Asia-14-Ortiz-Advanced-JPEG-Steganography-And-Detection.pdf
There are many open-source tools that implement these advanced steganography methods.
Common steganography tools:
- Jsteg
- JPHide
- OutGuess
- Invisible Secrets
- F5
- AppendX
- Camouflage
Of course, the corresponding steganography detection tools have also existed for a long time, for example Stegdetect:
Https://github.com/abeluck/stegdetect
0x03 Using the JPEG file format to hide a payload
The following are some hiding ideas that came out of studying the file format:
1. Append data directly to the end of the file
This does not affect normal viewing of the picture.
2. Insert a custom COM comment segment
The COM marker is 0xFF 0xFE.
Insert the data 0x11111111: the data length is 0x04 and the total segment length (including the two length bytes) is 0x06, so the full hex form is 0xFFFF000611111111.
Insert it in front of DHT; after insertion the picture still displays normally.
Changing the FF to FE also leaves the picture displaying normally.
3. Insert marker codes that can be ignored
By the same principle, marker codes with special values are ignored, for example:
- 00
- 01 TEM
- D0 RST0
- DC DNL
- EF APP15
In testing, the marker codes above do not affect normal viewing of the picture.
4. Modify the DQT
DQT: Define Quantization Table
The marker code is 0xDB.
The next two bytes are the length.
The next byte is the QT setup information:
- the low 4 bits (bits 0..3) are the QT number
- the high 4 bits (bits 4..7) are the QT precision: 0 = 8 bit, otherwise 16 bit
The rest is the QT data, whose length is an integer multiple of 64.
Looking at the DQT information of a test picture:
- the length is 0x43, decimal 67
- 00 means QT number 0 with 8-bit precision
- the following 64 bytes are the QT data
Note:
The DQT format here is taken from Http://www.opennet.ru/docs/formats/jpeg.txt
Try replacing these 64 bytes; comparing before and after, the change to the picture is visible.
If only some of the bytes are adjusted rather than replaced with the payload, how large is the difference? Compare:
And so on; there are many places that can be modified.
0x04 Detection and recognition
For the hiding methods above, a JPEG image format analysis tool such as JPEGsnoop can be used to find the traces:
Http://www.impulseadventure.com/photo/jpeg-snoop.html
It supports format analysis of the following files:
- .jpg: JPEG still photo
- .thm: thumbnail for RAW photo/movie files
- .avi*: AVI movies
- .dng: Digital Negative RAW photo
- .psd: Adobe Photoshop files
- .crw, .cr2, .nef, .orf, .pef: RAW photo
- .mov*: QuickTime movies, QTVR (virtual reality/360 panoramic)
- .pdf: Adobe PDF documents
Actual test:
For example, the COM comment added to the picture is found.
For example, by viewing the DQT data, the added payload is seen: 0x11 corresponds to decimal 17.
Similarly, JPEGsnoop can parse the EXIF information of a JPEG image, for example:
Note:
For ease of testing, the following values were added manually with the magicexif software:
Make/Model: [test] [???]; MakerNotes: Software: [magicexifMetadataCodec1.02]
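The hiding ideas of 0x03 and the traces that 0x04 looks for, in one added example that is not code from the original post: a small Python marker walker that does what a format analyser's segment listing does for COM segments, DQT tables and data after EOI. SAMPLE is a constructed JPEG-shaped byte string, not a real picture.

```python
# Added example, not code from the original post: a minimal JPEG segment walker
# that lists markers, extracts COM comments and DQT tables, and reports bytes after EOI.
import struct

NO_LENGTH = {0x00, 0x01} | set(range(0xD0, 0xD8))   # TEM and RSTn carry no length field

def walk_segments(data):
    # Yields (marker_name, offset, payload); the EOI entry carries any trailing bytes.
    pos = 2                                 # skip SOI (FF D8)
    while pos < len(data):
        while data[pos] == 0xFF:            # any number of 0xFF fill bytes may precede a marker
            pos += 1
        marker, start, pos = data[pos], pos - 1, pos + 1
        if marker == 0xD9:                  # EOI: viewers stop here, so anything after is foreign
            yield "EOI", start, data[pos:]
            return
        if marker == 0xDA:                  # SOS: entropy-coded data runs up to the last EOI
            end = data.rfind(b"\xff\xd9")
            yield "SOS", start, data[pos:end]
            pos = end
        elif marker in NO_LENGTH:
            yield f"0x{marker:02X}", start, b""
        else:                               # 2-byte big-endian length that includes itself
            length = struct.unpack(">H", data[pos:pos + 2])[0]
            yield f"0x{marker:02X}", start, data[pos + 2:pos + length]
            pos += length

def analyze(data):
    # Collect what a format analyser shows: markers, COM text, DQT tables, trailing data.
    report = {"markers": [], "com": [], "dqt": {}, "trailing": b""}
    for name, _, payload in walk_segments(data):
        report["markers"].append(name)
        if name == "0xFE":
            report["com"].append(payload)
        elif name == "0xDB":                # one DQT segment may hold several tables
            i = 0
            while i < len(payload):
                table_id, precision = payload[i] & 0x0F, payload[i] >> 4
                size = 64 * (2 if precision else 1)   # 8-bit entries, otherwise 16-bit
                report["dqt"][table_id] = list(payload[i + 1:i + 1 + size])
                i += 1 + size
        elif name == "EOI":
            report["trailing"] = payload
    return report

def seg(marker, payload):                   # build FF <marker> <2-byte length> <payload>
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample (JPEG-shaped, not decodable): COM FF FE 00 06 11 11 11 11 before DHT, data after EOI.
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + seg(0xDB, b"\x00" + bytes([16] * 64))        # length 0x43 = 67: table 0, 8-bit
          + seg(0xFE, b"\x11\x11\x11\x11") + seg(0xC4, b"\x00" + bytes(16))
          + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56" + b"\xff\xd9" + b"hidden")
```

Running analyze() on a file before and after a suspected change and diffing the "dqt" lists is the quickest way to spot the byte-level DQT edits described in section 0x03.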
0x05 Supplement
Since JPEG files carry no check bits over the image data, adding a payload to a JPEG file is much easier than to a PNG file.
The method of downloading the JPEG image, parsing it and executing the payload is not repeated here
(refer to Https://3gstudent.github.io/3gstudent.github.io/%E9%9A%90%E5%86%99%E6%8A%80%E5%B7%A7-%E5%88%A9%E7%94%A8PNG %e6%96%87%e4%bb%b6%e6%a0%bc%e5%bc%8f%e9%9a%90%e8%97%8fpayload/)
0x06 Summary
This article introduced the JPEG format and focused on how to hide a payload using specific marker codes of the JPEG file format. Although this method does not affect normal viewing of the image, the details can still be found with the help of format analysis software. There is much more to learn in the official documentation of the JPEG format, and the more you know, the more techniques you will be able to study.
Steganography-Hide payload with JPEG file format