Malware

EmbedPayloadInPng : A Guide To Embedding And Extracting Encrypted Payloads In PNG Files

Embed a payload within a PNG file by splitting the payload across multiple IDAT sections. Each section is encrypted individually using its own 16-byte key with the RC4 encryption algorithm.

Implementation

This repository consists of two implementations:

  • EmbedPayloadInPng.py – Python script to embed an input payload to a specified PNG file.
  • FetchPayloadFromPng – Extract the payload from EmbedPayloadInPng.py‘s outputted PNG file, and decrypt it using the ExtractDecryptedPayload function.

Usage

  1. Use EmbedPayloadInPng.py to create the embedded payload PNG file:
  1. Copy the MARKED_IDAT_HASH macro definition outputted by EmbedPayloadInPng.py and replace it with the existing one in the FetchPayloadFromPng project here.

Embedded PNG File Structure

As mentioned earlier, EmbedPayloadInPng.py is responsible for embedding the payload file within a PNG one. Below is the structure of a payload-embedded PNG file.

Since the maximum size of an IDAT section is 8192 bytes, our payload is chunked to multiple IDAT sections. Each section has a size equivalent to (8192 – 16 [RC4 key length]). Furthermore, The last IDAT section will contain the remaining bytes of the payload.

The following images explain EmbedPayloadInPng.py‘s output and compare it to the structure of the created PNG file:

  • The output PNG file sections.
  • The random IDAT section, which is created to mark the start of our payload. The CRC hash of this section is used in our C code to identify the start of our payload in the PNG file.
  • The first payload IDAT section, following our random section (in blue). This image also demonstrates the position of the CRC hash and the size of the randomized IDAT section beforehand (in yellow).
  • The CRC hash of the first payload IDAT section, which is located at the end of the section following the encrypted first chunk of our payload.
  • The start of the second payload IDAT section.
Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Understanding the Model Context Protocol (MCP) and How It Works

Introduction to the Model Context Protocol (MCP) The Model Context Protocol (MCP) is an open…

22 hours ago

The file Command – Quickly Identify File Contents in Linux

While file extensions in Linux are optional and often misleading, the file command helps decode what a…

1 day ago

How to Use the touch Command in Linux

The touch command is one of the quickest ways to create new empty files or update timestamps…

1 day ago

How to Search Files and Folders in Linux Using the find Command

Handling large numbers of files is routine for Linux users, and that’s where the find command shines.…

1 day ago

How to Move and Rename Files in Linux with the mv Command

Managing files and directories is foundational for Linux workflows, and the mv (“move”) command makes it easy…

1 day ago

How to Create Directories in Linux with the mkdir Command

Creating directories is one of the earliest skills you'll use on a Linux system. The mkdir (make…

1 day ago