Steganography-Hide payload with JPEG file format

Source: Internet
Author: User

0x00 Preface

Continuing the study of steganography, this article looks at the JPEG file format. Compared with PNG, the JPEG format is relatively simple. The way a hidden payload is read back is similar; what differs is the file format itself, and the details of that format are what can be used to hide data.

Related tools in this article:
    • Hex editor: any hexadecimal editor
    • Steganography detection: Stegdetect
      https://github.com/abeluck/stegdetect
    • EXIF editing: magicexif
      http://www.magicexif.com/
    • JPEG format analysis: JPEGsnoop
      http://www.impulseadventure.com/photo/jpeg-snoop.html

0x01 Related concepts JPEG files

JPEG is an abbreviation of Joint Photographic Experts Group.

    1. Lossy compression
    2. No transparency support
    3. No animation support
    4. Raster (non-vector) format

The difference between JPEG and JPG:
    1. JPEG can be both a file extension and the name of the file format
    2. JPG is a shorthand for JPEG used as the file extension
    3. JPEG and JPG files are essentially indistinguishable; the format is the same
Color model

JPEG uses the YCbCr color model rather than RGB, because it is better suited to image compression.

    • Y is the luminance (brightness)
    • Cr is the red-difference chroma component
    • Cb is the blue-difference chroma component

The human eye is far more sensitive to changes in luminance Y than to changes in chroma C. If every pixel stores an 8-bit luminance value Y but each 2x2 block of pixels shares a single Cb/Cr pair, the image looks almost unchanged to the naked eye while the data takes half the space:

    • RGB model: 4 pixels need 4x3 = 12 bytes
    • YCbCr model (2x2 subsampled): 4 pixels need 4 + 2 = 6 bytes
[R, G, B] -> [Y, Cb, Cr] conversion:

    Y  =  0.299 R + 0.587 G + 0.114 B
    Cb = -0.1687 R - 0.3313 G + 0.5 B + 128
    Cr =  0.5 R - 0.4187 G - 0.0813 B + 128

[Y, Cb, Cr] -> [R, G, B] conversion:

    R = Y + 1.402 (Cr - 128)
    G = Y - 0.34414 (Cb - 128) - 0.71414 (Cr - 128)
    B = Y + 1.772 (Cb - 128)
File format

A JPEG file can be broadly divided into two parts: marker codes and compressed data.

Marker code:

A marker consists of two bytes. The first byte is always 0xFF; the second byte takes different values with different meanings.

Any number of meaningless 0xFF fill bytes may be placed before a marker: a run of consecutive 0xFF bytes is interpreted as a single 0xFF that starts the marker code.

Common marker codes:

    • SOI  0xD8 Start of Image
    • APP0 0xE0 Application segment 0
    • APPn 0xE1-0xEF Application segment n (n = 1 to 15)
    • DQT  0xDB Define Quantization Table
    • SOF0 0xC0 Start of Frame
    • DHT  0xC4 Define Huffman Table
    • DRI  0xDD Define Restart Interval (the interval at which the differential coding is reset)
    • SOS  0xDA Start of Scan
    • EOI  0xD9 End of Image

Compressed data:

The first two bytes after the marker hold the length of the entire segment, including those two length bytes themselves.

Note:

The length is stored high byte first, then low byte; the author notes this differs from the way a PNG file represents lengths.

For example, a length of 0x12AB is stored as the bytes 0x12, 0xAB.

EXIF information

An EXIF file is a JPEG file that follows the JPEG standard and simply adds the capture information and a thumbnail to the header information of the file.

JPEG files produced by a camera carry this information.

It is stored in the APP1 (0xFFE1) data area.

The next two bytes hold the size of the APP1 data area (that is, the EXIF data area).

Then comes the EXIF header, a fixed structure: 0x457869660000 (the ASCII string "Exif" followed by two zero bytes).

The EXIF data follows the header.

    • Tool to view EXIF information: ExifTool
      https://github.com/alchemy-fr/exiftool
    • Tool to edit EXIF information: magicexif
      http://www.magicexif.com/


0x02 Common steganography methods

    • DCT encryption
    • LSB encryption
    • DCT LSB
    • Average DCT
    • High Capacity DCT
    • High Capacity DCT algorithm

The steganography methods above are referenced from:

https://www.blackhat.com/docs/asia-14/materials/Ortiz/Asia-14-Ortiz-Advanced-JPEG-Steganography-And-Detection.pdf

Many open source tools implement these advanced steganography methods.

Common steganography tools:
    • Jsteg
    • Jphide
    • Outguess
    • Invisible Secrets
    • F5
    • Appendx
    • Camouflage

Of course, the corresponding steganography detection tools have also existed for a long time.

For example: Stegdetect

https://github.com/abeluck/stegdetect

0x03 Using the JPEG file format to hide a payload

The following are some ideas for hiding data that came out of studying the file format:

1. Append data directly to the end of the file

This does not affect normal viewing of the picture.

2. Insert a custom COM comment segment

The COM marker bytes are 0xFF and 0xFE.

Insert the data 0x11111111:

The data length is 0x04, so the total segment length is 0x06.

The complete hexadecimal form is 0xffff000611111111.

Insert it in front of the DHT segment.

After the insertion, normal viewing of the picture is not affected.

Changing FF to FE also does not affect normal viewing of the picture.

3. Insert marker codes that can be ignored

By the same principle, marker codes with certain special values are ignored by viewers. For example:

    • 0x00
    • 0x01 TEM
    • 0xD0 RST0
    • 0xDC DNL
    • 0xEF APP15

The marker codes above were tested and do not affect normal viewing of the picture.

4. Modify the DQT

DQT: Define Quantization Table

The marker code is 0xDB.

The next two bytes hold the length.

The next byte holds the quantization table (QT) setup information: the low 4 bits (bits 0..3) are the QT number, and the high 4 bits (bits 4..7) are the QT precision, where 0 means 8-bit and any other value means 16-bit.

Last comes the QT data itself; its length is a multiple of 64.

Looking at the DQT information of a test picture:

The length is 0x43, that is 67 in decimal.

The byte 00 means QT number 0 with 8-bit precision.

The following 64 bytes are the QT data.

Note:

The DQT format here is taken from http://www.opennet.ru/docs/formats/jpeg.txt

Try replacing these 64 bytes:

Comparing before and after, a change in the picture can be seen.

If only some of the bytes are adjusted, rather than replacing them with the payload, how much difference is there? Compare:

And so on; there are many more places that can be modified.

0x04 Detection and recognition

For the hiding methods above, a JPEG image format analysis tool can be used to find the traces, for example JPEGsnoop:

http://www.impulseadventure.com/photo/jpeg-snoop.html

It supports format analysis for the following files:

    • .JPG - JPEG still photo
    • .THM - thumbnail for RAW photo/movie files
    • .AVI* - AVI movies
    • .DNG - Digital Negative RAW photo
    • .PSD - Adobe Photoshop files
    • .CRW, .CR2, .NEF, .ORF, .PEF - RAW photo
    • .MOV* - QuickTime movies, QTVR (virtual reality / 360 panoramic)
    • .PDF - Adobe PDF documents

Actual test:

For example, the COM comment added to the picture is found.

For example, by viewing the DQT data, the added payload can be seen: 0x11 corresponds to decimal 17.
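As an added example that is not from the original post or from JPEGsnoop, a small Python marker walker that applies the format rules from 0x01 (0xFF fill bytes, big-endian segment lengths, markers without a length field, the entropy-coded data after SOS) and reports the hiding spots described in 0x03: a COM segment, ignorable markers such as TEM and APP15, the DQT table layout, and bytes appended after EOI. The SAMPLE bytes are constructed for the demonstration and are not a decodable picture.

```python
import struct

STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))  # SOI, EOI, TEM, RSTn: no length field
IN_SCAN = {0x00} | set(range(0xD0, 0xD8))                 # 0xFF + one of these stays inside scan data

def walk_segments(data):
    """Return ([(offset, marker, payload), ...], bytes_after_EOI)."""
    segments, pos = [], 0
    while pos < len(data) - 1:
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        while pos + 2 < len(data) and data[pos + 1] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        marker, start = data[pos + 1], pos
        pos += 2
        if marker in STANDALONE:
            segments.append((start, marker, b""))
            if marker == 0xD9:               # EOI: everything after it is a tail
                return segments, data[pos:]
            continue
        length = struct.unpack(">H", data[pos:pos + 2])[0]  # big-endian, counts itself
        if length < 2:
            raise ValueError("bad segment length at offset %d" % pos)
        segments.append((start, marker, data[pos + 2:pos + length]))
        pos += length
        if marker == 0xDA:                   # SOS: skip entropy-coded data to the next marker
            while pos < len(data) - 1 and not (data[pos] == 0xFF and data[pos + 1] not in IN_SCAN):
                pos += 1
    return segments, b""

def find_hidden(data):
    """Report the spots the post uses: COM text, ignorable markers, DQT layout, tail bytes."""
    findings = []
    segments, tail = walk_segments(data)
    for off, marker, payload in segments:
        if marker == 0xFE:
            findings.append("COM at 0x%X: %s" % (off, payload.hex()))
        elif marker in (0x01, 0xEF):         # TEM / APP15, both ignored by viewers
            findings.append("ignorable marker 0x%02X at 0x%X" % (marker, off))
        elif marker == 0xDB:
            tid, prec = payload[0] & 0x0F, payload[0] >> 4
            findings.append("DQT table %d, %d-bit, %d entries" % (tid, 16 if prec else 8, len(payload) - 1))
    if tail:
        findings.append("%d bytes after EOI: %r" % (len(tail), tail))
    return findings

# Constructed sample (not a decodable picture): SOI, DQT (table 0, 8-bit, 64 x 0x10),
# the post's COM segment, a minimal SOS header with fake scan data, EOI, appended bytes.
SAMPLE = bytes.fromhex("FFD8" "FFDB0043" "00" + "10" * 64 + "FFFE000611111111"
                       "FFDA0008010100003F00" "12FF0034" "FFD9") + b"hidden"
```

Calling find_hidden(SAMPLE) lists the DQT layout, the COM segment carrying 0x11111111 at offset 0x47, and the 6 trailing bytes after EOI; the same walker run over a real file shows the same classes of trace that JPEGsnoop reports.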

Similarly, JPEGsnoop can parse the EXIF information of a JPEG image, for example:

Note:

For ease of testing, the following values were added manually with the magicexif software:

Make/Model: [test] [???]
MakerNotes: Software: [magicexifMetadataCodec1.02]
0x05 Supplement

Since JPEG files carry no checksum over the image data, adding a payload to a JPEG file is much easier than to a PNG file.

The method of downloading the JPEG image, parsing it and executing the payload is not covered again here.

(Refer to Https://3gstudent.github.io/3gstudent.github.io/%E9%9A%90%E5%86%99%E6%8A%80%E5%B7%A7-%E5%88%A9%E7%94%A8PNG %e6%96%87%e4%bb%b6%e6%a0%bc%e5%bc%8f%e9%9a%90%e8%97%8fpayload/)

0x06 Summary

This article introduces the JPEG format and focuses on how to hide a payload in specific marker codes based on the JPEG file format. Although this method does not affect normal viewing of the image, the details can still be found with the help of format analysis software. There is much more to learn in the official documents describing the JPEG format, and the more you know, the more techniques you will be able to study.

