Malware

EmbedPayloadInPng : A Guide To Embedding And Extracting Encrypted Payloads In PNG Files

Embed a payload within a PNG file by splitting the payload across multiple IDAT sections. Each section is encrypted individually using its own 16-byte key with the RC4 encryption algorithm.

Implementation

This repository consists of two implementations:

  • EmbedPayloadInPng.py – Python script to embed an input payload to a specified PNG file.
  • FetchPayloadFromPng – Extract the payload from EmbedPayloadInPng.py‘s outputted PNG file, and decrypt it using the ExtractDecryptedPayload function.

Usage

  1. Use EmbedPayloadInPng.py to create the embedded payload PNG file:
  1. Copy the MARKED_IDAT_HASH macro definition outputted by EmbedPayloadInPng.py and replace it with the existing one in the FetchPayloadFromPng project here.

Embedded PNG File Structure

As mentioned earlier, EmbedPayloadInPng.py is responsible for embedding the payload file within a PNG one. Below is the structure of a payload-embedded PNG file.

Since the maximum size of an IDAT section is 8192 bytes, our payload is chunked to multiple IDAT sections. Each section has a size equivalent to (8192 – 16 [RC4 key length]). Furthermore, The last IDAT section will contain the remaining bytes of the payload.

The following images explain EmbedPayloadInPng.py‘s output and compare it to the structure of the created PNG file:

  • The output PNG file sections.
  • The random IDAT section, which is created to mark the start of our payload. The CRC hash of this section is used in our C code to identify the start of our payload in the PNG file.
  • The first payload IDAT section, following our random section (in blue). This image also demonstrates the position of the CRC hash and the size of the randomized IDAT section beforehand (in yellow).
  • The CRC hash of the first payload IDAT section, which is located at the end of the section following the encrypted first chunk of our payload.
  • The start of the second payload IDAT section.
Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

WhatsMyName App – Find Anyone Across 640+ Platforms

Overview WhatsMyName is a free, community-driven OSINT tool designed to identify where a username exists…

2 weeks ago

Analyzing Directory Size Linux Tools Explained

Managing disk usage is a crucial task for Linux users and administrators alike. Understanding which…

2 weeks ago

Understanding Disk Usage with du Command

Efficient disk space management is vital in Linux, especially for system administrators who manage servers…

2 weeks ago

How to Check Directory Size in Linux

Knowing how to check directory sizes in Linux is essential for managing disk space and…

2 weeks ago

Essential Commands for Linux User Listing

Managing user accounts is a core responsibility for any Linux administrator. Whether you’re securing a…

2 weeks ago

Command-Line Techniques for Listing Linux Users

Linux offers powerful command-line tools for system administrators to view and manage user accounts. Knowing…

2 weeks ago