zed-0xff/zsteg

zsteg

Description

detect stegano-hidden data in PNG & BMP

Installation

gem install zsteg

Detects:

Usage

# zsteg -h

Usage: zsteg [options] filename.png [param_string]

    -a, --all                        try all known methods
    -E, --extract NAME               extract specified payload, NAME is like '1b,rgb,lsb'

Iteration/extraction params:
    -o, --order X                    pixel iteration order (default: 'auto')
                                     valid values: ALL,xy,yx,XY,YX,xY,Xy,bY,...
    -c, --channels X                 channels (R/G/B/A) or any combination, comma separated
                                     valid values: r,g,b,a,rg,bgr,rgba,r3g2b3,...
    -b, --bits N                     number of bits, single int value or '1,3,5' or range '1-8'
                                     advanced: specify individual bits like '00001110' or '0x88'
        --lsb                        least significant bit comes first
        --msb                        most significant bit comes first
    -P, --prime                      analyze/extract only prime bytes/pixels
        --shift N                    prepend N zero bits
        --step N                     step
        --invert                     invert bits (XOR 0xff)
        --pixel-align                pixel-align hidden data

Analysis params:
    -l, --limit N                    limit bytes checked, 0 = no limit (default: 256)

        --[no-]file                  use 'file' command to detect data type (default: YES)
        --no-strings                 disable ASCII strings finding (default: enabled)
    -s, --strings X                  ASCII strings find mode: first, all, longest, none
                                     (default: first)
    -n, --min-str-len X              minimum string length (default: 8)

    -v, --verbose                    Run verbosely (can be used multiple times)
    -q, --quiet                      Silent any warnings (can be used multiple times)
    -C, --[no-]color                 Force (or disable) color output (default: auto)

PARAMS SHORTCUT
	zsteg fname.png 2b,b,lsb,xy  ==>  --bits 2 --channel b --lsb --order xy
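
A simplified model of what a parameter string such as `1b,rgb,lsb,xy` selects, added here as an example and not taken from zsteg's source. The traversal and bit-packing conventions stated in the comments, and the helper names `parse_params`, `extract` and `sample_image`, are assumptions made for illustration.

```ruby
# Added illustration: a simplified model of LSB extraction, not zsteg's code.
# Assumed conventions: "xy" walks row by row, "yx" column by column; the low
# N bits of each channel are read high to low; bits fill each byte MSB first.
CHANNEL_INDEX = { "r" => 0, "g" => 1, "b" => 2, "a" => 3 }.freeze

# Split a shortcut such as "2b,b,lsb,xy" into named parameters.
def parse_params(str)
  params = { bits: 1, channels: "rgb", order: "xy" }
  str.split(",").each do |tok|
    case tok
    when /\A(\d)b\z/, /\Ab(\d)\z/ then params[:bits] = $1.to_i
    when "xy", "yx"               then params[:order] = tok
    when "lsb"                    then next # the only bit mode modelled here
    when /\A[rgba]+\z/            then params[:channels] = tok
    else raise ArgumentError, "token not covered by this model: #{tok}"
    end
  end
  params
end

# pixels: array of rows, each row an array of [r, g, b] or [r, g, b, a].
def extract(pixels, param_string, limit: 256)
  prm = parse_params(param_string)
  height = pixels.size
  width = pixels.first.size
  coords = if prm[:order] == "xy"
             (0...height).flat_map { |y| (0...width).map { |x| [x, y] } }
           else
             (0...width).flat_map { |x| (0...height).map { |y| [x, y] } }
           end
  bits = coords.flat_map do |x, y|
    prm[:channels].chars.flat_map do |c|
      value = pixels[y][x][CHANNEL_INDEX.fetch(c)]
      (prm[:bits] - 1).downto(0).map { |i| value[i] }
    end
  end
  bytes = bits.each_slice(8).select { |s| s.size == 8 }.map { |s| s.join.to_i(2) }
  bytes.first(limit).pack("C*")
end

# Constructed 6x4 cover image with "Hi!" hidden in the lowest bit of R, G, B.
def sample_image(message = "Hi!")
  bits = message.unpack1("B*").chars.map(&:to_i)
  Array.new(4) do |y|
    Array.new(6) do |x|
      Array.new(3) { |c| 200 | (bits[(y * 6 + x) * 3 + c] || 0) }
    end
  end
end
```

Reading the same constructed image with `1b,r,lsb,xy` yields unrelated bytes, which is why trying several channel and order combinations matters when the embedding parameters are unknown.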

Examples

Simple LSB

# zsteg flower_rgb3.png

imagedata           .. file: 370 XA sysV pure executable not stripped - version 768
b3,rgb,lsb,xy       .. text: "SuperSecretMessage"

Multi-result file

# zsteg cats.png

meta F              .. ["Z" repeated 14999985 times]
meta C              .. text: "Fourth and last cat is Luke"
meta A              .. [same as "meta F"]
meta date:create    .. text: "2012-03-15T23:32:46+07:00"
meta date:modify    .. text: "2012-03-15T23:32:14+07:00"
imagedata           .. file: 68K BCS executable
b1,r,lsb,xy         .. text: "Second cat is Marussia"
b1,g,lsb,xy         .. text: "Good, but look a bit deeper..."
b1,bgr,lsb,xy       .. text: "MF_WIhf>"
b2,g,lsb,xy         .. text: "VHello, third kitten is Bessy"

wbStego even distributed

# zsteg wbstego/wbsteg_noenc_even.bmp 1b,lsb,bY -v

b1,lsb,bY           .. <wbStego size=22, data="xtSuperSecretMessage\n", even=true, mix=true, controlbyte="t">
    00000000: 51 00 00 16 00 00 74 0d  b5 78 1e a1 39 74 e8 38  |Q.....t..x..9t.8|
    00000010: 53 c6 56 94 75 d1 a5 70  84 c8 27 65 fe 08 72 35  |S.V.u..p..'e..r5|
    00000020: 1f 3e 53 5d a7 65 8b 6e  3b 63 6b 1d bf 72 ee 27  |.>S].e.n;ck..r.'|
    00000030: 65 8d ee 82 74 da 8d 4d  b3 8a 06 65 7e f8 73 9c  |e...t..M...e~.s.|
    00000040: 36 0c 73 aa bd 61 67 29  37 67 5f 0b 06 65 1f a4  |6.s..ag)7g_..e..|
    00000050: 0a a1 f8 35                                       |...5            |

wbStego encrypted

# zsteg wbstego/wbsteg_blowfish_pass_1.bmp 1b,lsb,bY -v

b1,lsb,bY           .. <wbStego size=26, data="\rC\xF5\xBF#\xFF[6\e\xB3"..., even=false, hdr="\x01", enc="Blowfish">
    00000000: 1a 00 00 00 ff 01 01 0d  43 f5 bf 23 ff 5b 36 1b  |........C..#.[6.|
    00000010: b3 17 42 4a 3f ba eb c7  ee 9c d7 7a 2b           |..BJ?......z+   |

zlib

# zsteg ndh2k12_sp113.bmp -b 1 -o yx -v

b1,rgb,lsb,yx       .. zlib: data="%PDF-1.4\n%\xC3\xA4\xC3\xBC\xC3\xB6\xC3\x9F\n2 0 obj\n<</Length 3 0 R/Filter/FlateDecode>>\nstream\nx\x9C\x8DT\xC9n\xDB@\f\xBD\xCFW\xF0\x1C \x13\x92\xB3\x03\x86\x80\xC8K\xD1\xDE\\\b\xE8\xA1...", offset=4, size=186
    00000000: 00 02 eb 9b 78 9c d4 b9  65 54 24 cc 92 36 58 b8  |....x...eT$..6X.|
    00000010: d3 68 e3 ee ee 4e e3 ee  ee 0e 85 bb 3b dd 68 23  |.h...N......;.h#|
    00000020: 8d bb bb bb 3b 8d bb bb  3b 34 ee 6e 1f ef 7b ef  |....;...;4.n..{.|
    00000030: 9d 3b b3 e7 cc 9e d9 3d  df 9e dd cd 8a 1f 99 19  |.;.....=........|
    00000040: 99 55 11 99 4f 58 25 99  82 88 18 1d 13 3d 2b 2c  |.U..OX%......=+,|
    00000050: 59 6f 7e 6f 7b 6f 63 6f  16 2c 33 21 23 a1 9d 91  |Yo~o{oco.,3!#...|
    00000060: 25 2c 2f 2f 83 0c d0 d6  cc d9 9c 90 e5 73 46 89  |%,//.........sF.|
    00000070: 41 cc c2 da 19 e8 c8 20  66 6d e8 0c 14 01 1a db  |A...... fm......|
    00000080: 99 00 f9 f8 60 9d 9c 1d  81 86 36 b0 ee e9 bf 54  |....`.....6....T|
    00000090: 86 6d 57 05 e0 3b 26 d5  2f 71 09 51 63 eb c0 82  |.mW..;&./q.Qc...|
    000000a0: bf 0f 49 4f 6f e8 40 ff  c9 f9 43 25 1d 9e 6b 1b  |..IOo.@...C%..k.|
    000000b0: a3 73 fd 42 c4 a6 65 3d  ef 0a 07 32 17 2d dc f9  |.s.B..e=...2.-..|
    000000c0: 10 8c 0d 4b d7 9d e6 01  12 4f 11 6f f0 cd 64 f2  |...K.....O.o..d.|
    000000d0: f2 19 5c df 76 eb 01 49  dc fd cd 76 65 a2 3a 8a  |..\.v..I...ve.:.|
    000000e0: fd bb 13 a9 e6 3a c9 da  19 34 ae f0 43 bb 90 90  |.....:...4..C...|
    000000f0: 58 88 de 46 ce 91 6f aa  8d d9 7d b8 d6 88 a6 65  |X..F..o...}....e|
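
The result line above reports `offset=4`, and the dump shows the zlib header bytes `78 9c` at that position. The following is an added Ruby example (not zsteg's own code) of locating a zlib stream at an unknown offset in already-extracted bytes; `zlib_header?`, `find_zlib` and the sample data are constructed for illustration.

```ruby
require "zlib"

# Added illustration (not zsteg's code): find a zlib stream embedded at an
# unknown offset in already-extracted bytes.

# A zlib header is two bytes: CMF (low nibble 8 = deflate, high nibble = window
# size, at most 7) and FLG, chosen so that CMF*256 + FLG is a multiple of 31.
def zlib_header?(cmf, flg)
  (cmf & 0x0f) == 8 && (cmf >> 4) <= 7 && ((cmf << 8) | flg) % 31 == 0
end

# Returns {offset:, consumed:, data:} for the first offset that inflates to a
# complete stream, or nil. max_offset bounds the scan; min_size drops tiny hits.
def find_zlib(bytes, max_offset: 64, min_size: 8)
  last = [max_offset, bytes.bytesize - 2].min
  (0..last).each do |off|
    next unless zlib_header?(bytes.getbyte(off), bytes.getbyte(off + 1))
    zi = Zlib::Inflate.new
    begin
      data = zi.inflate(bytes.byteslice(off, bytes.bytesize))
      if zi.finished? && data.bytesize >= min_size
        return { offset: off, consumed: zi.total_in, data: data }
      end
    rescue Zlib::Error
      # header bytes matched by chance; keep scanning
    ensure
      zi.close
    end
  end
  nil
end

# Constructed sample: 4 filler bytes, a deflated PDF-like string, then noise.
SAMPLE_PLAIN = "%PDF-1.4\n" + "constructed sample object\n" * 4
SAMPLE_ZLIB  = Zlib::Deflate.deflate(SAMPLE_PLAIN)
SAMPLE_BYTES = "\x00\x02\xEB\x9B".b + SAMPLE_ZLIB + "\xA5\x5A\x11\x22".b
```

Requiring a finished stream, rather than a matching header alone, filters out the two-byte header values that occur by chance in arbitrary data.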

See also

  1. https://29a.ch/photo-forensics/
  2. https://holloway.nz/steg/

License

Released under the MIT License. See the LICENSE file for further details.