Any programming language that can have access to the pixels of a picture file can do a form of byte and pixel modification to hide data within the pixel bytes.
The less of a degree you modify the pixel data the less change that the modified file will be noticed as hiding some form of data.
To me this is more of true steganography than the types that just append an exe to the end of the picture data because it is modifying the the pixel data.
The downside is you have to have some program or script to decode and extract the data which will point directly to the picture file used.
These type picture files picture files do not automatically run the data within whereas those with embedded shellcode or exe files can be run by certain programs when viewed.
There are many ways that the hidden data can be obfuscated and stored in the picture file but at some point it still has to be extracted and that leaves a trail of instructions how it is done.
The first time I ran into this was in November of 2018 in this Twitter thread https://twitter.com/Ledtech3/status/1060543927470735362
So let’s just take a closer look at the part that decodes the picture file.
Here on the first and second line we see it is creating a new objet for working with bitmaps and then opening the the file from the internet instead of downloading then opening it.
The next line it is getting each pixel byte from 0-427.
If we look at the properties of the downloaded picture we see the width is 428 pixels wide.
It will next extract the RGB values from the pixels and then do the math.
The “B” would be the “B” value and the “G” would be the G” of the RGB in this case.
If we take a look at the “screenshot” of the the picture file it is nothing special and no real indication that it is hiding anything.(I didn’t want to add the real encoded file here)
So we need to open the file extract each pixel and decode them using the function in the PowerShell then output the decoded string. I have seen several different ways of encoding the pixel data this is only 1 of them.
As usual I have built a tool to do this the easy way.
One more thing we need is the string length from the output so we are also not outputting the extra garbage data. We can get that from the get string with a length of 0 to 1907 .
Select the file, Input the output length and click a button.
Dealing with the output is another matter.
This sample uses a function that will reverse a string , then it will do several char replace before the final decoding.
Here it is after the reverse string.
This is what most of the samples I’ve looked at do. They have more layers of encoding usually from Invoke-Obfuscation or a similar tool.
The next question is where did this picture encoding come from ?
It came from here https://github.com/peewpw/Invoke-PSImage we also find a entry in the MITRE | ATT&CK framework here https://attack.mitre.org/software/S0231/
Although the code to decode the picture file remains mostly the same the variables are usually all different including the height and width of the picture file and the variable names for the function calls.
The tool to extract the data can be found on my Github here https://github.com/PCsXcetra/Decode_PS_Stego.
That’s it for this one.
Article Link: https://pcsxcetrasupport3.wordpress.com/2020/07/22/powershell-steganography/