EmbedPayloadInPng : A Guide To Embedding And Extracting Encrypted Payloads In PNG Files

Embed a payload within a PNG file by splitting the payload across multiple IDAT sections. Each section is encrypted individually using its own 16-byte key with the RC4 encryption algorithm.

Implementation

This repository consists of two implementations:

• EmbedPayloadInPng.py – Python script to embed an input payload to a specified PNG file.
• FetchPayloadFromPng – Extract the payload from EmbedPayloadInPng.py‘s outputted PNG file, and decrypt it using the ExtractDecryptedPayload function.

Usage

1. Use EmbedPayloadInPng.py to create the embedded payload PNG file:

2. Copy the MARKED_IDAT_HASH macro definition outputted by EmbedPayloadInPng.py and replace it with the existing one in the FetchPayloadFromPng project here.

Embedded PNG File Structure

As mentioned earlier, EmbedPayloadInPng.py is responsible for embedding the payload file within a PNG one. Below is the structure of a payload-embedded PNG file.

Since the maximum size of an IDAT section is 8192 bytes, our payload is chunked to multiple IDAT sections. Each section has a size equivalent to (8192 – 16 [RC4 key length]). Furthermore, The last IDAT section will contain the remaining bytes of the payload.

The following images explain EmbedPayloadInPng.py‘s output and compare it to the structure of the created PNG file:

• The output PNG file sections.

• The random IDAT section, which is created to mark the start of our payload. The CRC hash of this section is used in our C code to identify the start of our payload in the PNG file.

• The first payload IDAT section, following our random section (in blue). This image also demonstrates the position of the CRC hash and the size of the randomized IDAT section beforehand (in yellow).

• The CRC hash of the first payload IDAT section, which is located at the end of the section following the encrypted first chunk of our payload.
• The start of the second payload IDAT section.