Steganography in the file system

Hey Habr.

I want to present a small steganography project I made in my free time.

It is a project on hidden storage of information in the file system (hereafter FS).
This can be used to steal confidential information for educational purposes.


A very old Linux FS, ext2, was chosen as the prototype.

Implementation considerations

If you dig into the ext2 standard a little, you will notice that the FS contains a so-called superblock, which holds basic information about the system. After it I found the block bitmap and the inode table. Almost immediately the idea was born of writing information into FS blocks that are currently empty. Next it was worth thinking about protection from a programmer armed with a hex editor.

If the hidden information is stored without encryption, then, even though it is scattered across the FS, it will still be too conspicuous, especially if the programmer knows what to look for. Therefore it was decided to encrypt every block of the source file. I chose the block cipher AES, but, as you will see, the choice of cipher does not matter.

To separate the needed blocks from all the others when reading, it was decided to add a special marker at the beginning of each block. This marker was encrypted depending on the block's number in the source file. This trick made it possible not only to find the right blocks, but also to learn their correct order.

The general principle of the system

Write algorithm

Point by point:

  • First, write some information to the original file system;
  • Delete this information (not necessarily all of it);
  • Split the file to be hidden into blocks of equal length, adding a marker to each;
  • Encrypt these blocks;
  • Place the encrypted blocks into empty FS blocks.

For lovers of flowcharts

Below is a block diagram of the write algorithm. The algorithm receives four files as input:
- Image of the file system to be modified;
- File to be hidden;
- File with the AES encryption key;
- File with the marker.

It should be noted right away that this algorithm has one drawback: after the file has been written into the FS, nothing new must be written to the FS, since any new data may land in the blocks that we assigned to our hidden file. On the other hand, this also opens up the possibility of "quickly covering one's tracks".

But it is quite obvious how this can be fixed: the FS's own block-allocation algorithm would have to be rewritten so that it skips the occupied blocks. This is a straightforward but incredibly time-consuming task.
For a proof of concept, I did not implement this.

The result is the following change in the FS. The first screenshot shows the FS before steganography (an audio file had been written to it earlier), and the second shows the FS with the information already hidden in it.

Reading algorithm

Point by point:

  • Knowing the key and the method of constructing markers, compose the first N markers, where N is chosen so that N multiplied by the FS block length is greater than the length of the hidden file;
  • Search the FS for blocks that start with these markers;
  • Decrypt the found blocks and strip the markers;
  • Assemble the resulting blocks in the correct order to obtain the source file.
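Both procedures, write and read, as an added example that is not the author's code and uses none of the project's real files or keys: the FS image is a constructed byte array with a constructed list of free block numbers, the marker for chunk i is derived from a marker secret and i, and (because the standard library has no AES) the "encryption" is a stand-in counter-mode keystream built from HMAC-SHA256; the reader precomputes the encrypted marker for each index, finds the matching block, and so recovers both the data and its order.

```python
import hashlib
import hmac
import os

BLOCK = 64        # FS block size, kept tiny for the demo (real ext2 uses 1 KiB or more)
MARK_LEN = 8      # bytes of marker at the start of every hidden block
PAYLOAD = BLOCK - MARK_LEN - 2   # 2 bytes hold the chunk's real length (last chunk is short)

def marker(mkey: bytes, idx: int) -> bytes:
    # Marker derived from the chunk index: finding it reveals the chunk's position too
    return hmac.new(mkey, b"marker" + idx.to_bytes(4, "big"), hashlib.sha256).digest()[:MARK_LEN]

def keystream(key: bytes, idx: int, n: int) -> bytes:
    # Stand-in for AES (assumption of this example): HMAC-SHA256 in counter mode per chunk index
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, idx.to_bytes(4, "big") + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide(image: bytearray, free_blocks: list, data: bytes, key: bytes, mkey: bytes) -> int:
    """Write algorithm: split, prepend marker, encrypt, drop into free FS blocks."""
    chunks = [data[i:i + PAYLOAD] for i in range(0, len(data), PAYLOAD)]
    if len(chunks) > len(free_blocks):
        raise ValueError("not enough free FS blocks for the payload")
    for idx, (chunk, blk) in enumerate(zip(chunks, free_blocks)):
        plain = marker(mkey, idx) + len(chunk).to_bytes(2, "big") + chunk.ljust(PAYLOAD, b"\0")
        image[blk * BLOCK:(blk + 1) * BLOCK] = xor(plain, keystream(key, idx, BLOCK))
    return len(chunks)

def recover(image: bytes, key: bytes, mkey: bytes, max_chunks: int) -> bytes:
    """Read algorithm: precompute encrypted markers, find blocks, decrypt, reassemble in order."""
    blocks = [image[b * BLOCK:(b + 1) * BLOCK] for b in range(len(image) // BLOCK)]
    out = b""
    for idx in range(max_chunks):
        tag = xor(marker(mkey, idx), keystream(key, idx, MARK_LEN))  # how chunk idx looks on disk
        hit = next((b for b in blocks if b[:MARK_LEN] == tag), None)
        if hit is None:
            break    # no such chunk: end of file, or wrong key/marker (then nothing is returned)
        plain = xor(hit, keystream(key, idx, BLOCK))
        n = int.from_bytes(plain[MARK_LEN:MARK_LEN + 2], "big")
        out += plain[MARK_LEN + 2:MARK_LEN + 2 + n]
    return out

def demo() -> tuple:
    key, mkey = b"demo-key-placeholder", b"demo-marker-secret"   # constructed, not real secrets
    image = bytearray(os.urandom(BLOCK * 16))   # constructed 16-block image full of leftover junk
    free_blocks = [3, 9, 1, 12, 7]              # out of order, as a block bitmap scan might give them
    secret = b"constructed payload spanning several FS blocks. " * 4
    used = hide(image, free_blocks, secret, key, mkey)
    good = recover(bytes(image), key, mkey, len(free_blocks))
    bad = recover(bytes(image), b"wrong-key", mkey, len(free_blocks))
    return used, good, bad
```

With the right key and marker secret `recover` returns the original bytes despite the scattered block order; with a wrong key no encrypted marker matches and the result is empty, which is the behaviour the reading section describes.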

For lovers of flowcharts

Below is a block diagram of the reading algorithm. The algorithm receives three files as input:
- Image of the file system;
- File with the AES encryption key;
- File with the marker.

After the program runs, a file named Read appears; it is the file extracted from the steganographed FS. If the key or marker was specified incorrectly, the Read file will be empty.
(For lovers of neatness, you can embed not only the file but also a "header" with meta-information: file name, permissions, last modification time, and so on.)

Launch Automation

For convenience, bash scripts have been written that automate the launch on Linux (tested on Ubuntu 16.04.3 LTS).
Let's go through the launch step by step.
Writing:

  1. sudo Copy_Flash.sh "DEVICE" - get the FS image from DEVICE (the flash drive);
  2. ./Write.sh "FILE" "KEY" "MARKER" - create a virtual environment, install the required libraries and run the write script;
  3. sudo ./Write_Flash.sh "DEVICE" - write the modified FS image back to DEVICE.

Reading:

  1. sudo Copy_Flash.sh "DEVICE" - get the FS image from DEVICE (the flash drive);
  2. ./Read.sh "KEY" "MARKER" - create a virtual environment, install the required libraries and run the read script;
  3. In the current directory, open the Read file: this is the hidden information.

Conclusion

This method of steganography probably needs to be improved, tested further and extended to more popular file systems such as FAT32, NTFS and ext4.
But the purpose of this work was to show the principle by which hidden storage of information in the file system is possible.
With the help of such algorithms you can store information without fear: if, with knowledge of the key, such a system can be broken not by exhaustive search but by a very long algorithm, then without knowledge of the key the system seems to me absolutely secure. This, however, could be the subject of a separate article.

All code is written in Python 3.5.2. A working example is shown on my YouTube channel. The complete project code is available on GitHub.
(Yes, yes, I know that for a production version you need to write it in something "fast", for example C 😉)
In this implementation, the size of the input file to be hidden must not exceed 1000 kB.

I want to thank the user PavelMSTU for valuable advice in planning the study and recommendations on the layout of the article.

Source: habr.com