Skip to content

ZipToMalware

stegobox.codec.ZipToMalware

Bases: BaseCodec

This module implements steganography of executable file in zip file.

with code shamelessly taken from abdulkadir-gungor/ZIPtoMalware

Source code in stegobox/codec/zip_to_malware.py 
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
class ZipToMalware(BaseCodec):
    """This module implements steganography of executable file in `zip` file.

    with code shamelessly taken from
    [abdulkadir-gungor/ZIPtoMalware](https://github.com/abdulkadir-gungor/ZIPtoMalware)
    """

    def __init__(self) -> None:
        super().__init__()

    def encode(self, carrier: bytes, payload: bytes) -> bytes:
        """Encoder requires the carrier to be `zip` file in bytes and the payload to be
        executable file in bytes. The executable can be Windows `exe`s or Linux ELFs.

        Args:
            carrier: `zip` file bytes. Read with `stegobox.io.txt.read_bytes()`.
            payload: Executable file bytes. Payload (secret executable file) to be
                encoded. Also read with `stegobox.io.txt.read_bytes()`.

        Returns:
            Encrypted `zip` file bytes.
        """
        file_1 = "buffer_0.bin"
        file_2 = "buffer_1.bin"
        file_3 = "buffer_2.bin"
        fill_bytes = b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        end_signature_bytes = (
            fill_bytes
            + b"\xff\xff\xff\xff\xaa\xaa\xaa\xaa\xbb\xbb\xbb\xbb\xff\xff\xff\xff"
            + fill_bytes
        )  # 48 byte(s)

        with open(file=file_1, mode="wb") as wfile:
            rfile_size = len(payload)
            tmp = payload
            wfile.write(tmp)
            for tmp in range(int(((DeSettings.fill_size - rfile_size) / 16) - 1)):
                wfile.write(fill_bytes)

        with open(file_1, mode="rb") as rfile:
            with bz2.open(file_2, mode="wb") as wifile:
                while True:
                    data = rfile.read(DeSettings.buffer)
                    if data == b"":
                        break
                    wifile.write(data)
        os.remove(file_1)

        with open(file_2, mode="rb") as rfile:
            with open(file_3, mode="wb") as wfile:
                while True:
                    data = rfile.read(DeSettings.buffer)
                    if data == b"":
                        break
                    wfile.write(
                        self.bytesxor(
                            data, DeSettings.public_key, DeSettings.private_number
                        )
                    )
        os.remove(file_2)

        wfile = carrier
        wfile += end_signature_bytes
        with open(file=file_3, mode="rb") as rfile:
            while True:
                data = rfile.read(DeSettings.buffer)
                if data == b"":
                    break
                wfile += data
        os.remove(file_3)

        return wfile

    def decode(self, carrier: bytes) -> bytes:
        """Decode the secret executable file from the carrier `zip` file in bytes.

        Args:
            carrier: Encrypted `zip` file bytes. Read with
                `stegobox.io.txt.read_bytes()`.

        Returns:
            The decoded executable file in bytes (secret executable file).
        """
        cd = RandomTmp()
        buffer0 = cd.createfilename()[1]
        buffer1 = cd.createfilename()[1]
        fill_bytes = (
            b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
            # 16 byte(s)
        )
        end_signature_bytes = (
            fill_bytes
            + b"\xff\xff\xff\xff\xaa\xaa\xaa\xaa\xbb\xbb\xbb\xbb\xff\xff\xff\xff"
            + fill_bytes  # 48 byte(s)
        )
        del fill_bytes

        rb_list = carrier.split(sep=end_signature_bytes)
        payload = rb_list[1]
        del rb_list
        del end_signature_bytes

        with open(file=buffer0, mode="wb") as wfile:
            wfile.write(payload)
            del payload

        with open(file=buffer0, mode="rb") as rfile:
            with open(file=buffer1, mode="wb") as wfile:
                while True:
                    data = rfile.read(SETTINGS.BUFFER)
                    if data == b"":
                        break
                    wfile.write(
                        self.bytesxor(
                            data, SETTINGS.PUPLIC_KEY, SETTINGS.PRIVATE_NUMBER
                        )
                    )
        os.remove(buffer0)

        wfile = bytes()
        with bz2.open(filename=buffer1, mode="rb") as rfile:
            while True:
                data = rfile.read(SETTINGS.BUFFER)
                if data == b"":
                    break
                wfile += data
        os.remove(buffer1)
        cd.finish()
        return wfile

    def bytesxor(self, plain_text, public_key, private_number):
        public_number = 3
        private_key = rb"#$0aSpYt3ehR7%|\&/*QVzX12}-"
        len_key = len(public_key)
        public_encoded = []
        result_encoded = []
        return_encoded = []
        for i in range(0, len(plain_text)):
            public_encoded.append(
                plain_text[i] ^ public_key[(i + public_number) % len_key]
            )
        private_encoded = bytes([b ^ len(private_key) for b in (bytes(public_encoded))])
        for i in range(0, len(private_encoded)):
            result_encoded.append(
                private_encoded[i] ^ private_key[(i + private_number) % len_key]
            )
        for i in range(0, len(result_encoded)):
            return_encoded.append(
                result_encoded[i] ^ public_key[(i + public_number) % len_key]
            )
        return bytes(return_encoded)

encode(carrier, payload)

Encoder requires the carrier to be zip file in bytes and the payload to be executable file in bytes. The executable can be Windows exes or Linux ELFs.

Parameters:

Name Type Description Default
carrier bytes

zip file bytes. Read with stegobox.io.txt.read_bytes().

 required
payload bytes

Executable file bytes. Payload (secret executable file) to be encoded. Also read with stegobox.io.txt.read_bytes().

 required

Returns:

Type Description
bytes

Encrypted zip file bytes.
Source code in stegobox/codec/zip_to_malware.py 
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
def encode(self, carrier: bytes, payload: bytes) -> bytes:
    """Encoder requires the carrier to be `zip` file in bytes and the payload to be
    executable file in bytes. The executable can be Windows `exe`s or Linux ELFs.

    Args:
        carrier: `zip` file bytes. Read with `stegobox.io.txt.read_bytes()`.
        payload: Executable file bytes. Payload (secret executable file) to be
            encoded. Also read with `stegobox.io.txt.read_bytes()`.

    Returns:
        Encrypted `zip` file bytes.
    """
    file_1 = "buffer_0.bin"
    file_2 = "buffer_1.bin"
    file_3 = "buffer_2.bin"
    fill_bytes = b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    end_signature_bytes = (
        fill_bytes
        + b"\xff\xff\xff\xff\xaa\xaa\xaa\xaa\xbb\xbb\xbb\xbb\xff\xff\xff\xff"
        + fill_bytes
    )  # 48 byte(s)

    with open(file=file_1, mode="wb") as wfile:
        rfile_size = len(payload)
        tmp = payload
        wfile.write(tmp)
        for tmp in range(int(((DeSettings.fill_size - rfile_size) / 16) - 1)):
            wfile.write(fill_bytes)

    with open(file_1, mode="rb") as rfile:
        with bz2.open(file_2, mode="wb") as wifile:
            while True:
                data = rfile.read(DeSettings.buffer)
                if data == b"":
                    break
                wifile.write(data)
    os.remove(file_1)

    with open(file_2, mode="rb") as rfile:
        with open(file_3, mode="wb") as wfile:
            while True:
                data = rfile.read(DeSettings.buffer)
                if data == b"":
                    break
                wfile.write(
                    self.bytesxor(
                        data, DeSettings.public_key, DeSettings.private_number
                    )
                )
    os.remove(file_2)

    wfile = carrier
    wfile += end_signature_bytes
    with open(file=file_3, mode="rb") as rfile:
        while True:
            data = rfile.read(DeSettings.buffer)
            if data == b"":
                break
            wfile += data
    os.remove(file_3)

    return wfile

decode(carrier)

Decode the secret executable file from the carrier zip file in bytes.

Parameters:

Name Type Description Default
carrier bytes

Encrypted zip file bytes. Read with stegobox.io.txt.read_bytes().

 required

Returns:

Type Description
bytes

The decoded executable file in bytes (secret executable file).
Source code in stegobox/codec/zip_to_malware.py 
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
def decode(self, carrier: bytes) -> bytes:
    """Decode the secret executable file from the carrier `zip` file in bytes.

    Args:
        carrier: Encrypted `zip` file bytes. Read with
            `stegobox.io.txt.read_bytes()`.

    Returns:
        The decoded executable file in bytes (secret executable file).
    """
    cd = RandomTmp()
    buffer0 = cd.createfilename()[1]
    buffer1 = cd.createfilename()[1]
    fill_bytes = (
        b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        # 16 byte(s)
    )
    end_signature_bytes = (
        fill_bytes
        + b"\xff\xff\xff\xff\xaa\xaa\xaa\xaa\xbb\xbb\xbb\xbb\xff\xff\xff\xff"
        + fill_bytes  # 48 byte(s)
    )
    del fill_bytes

    rb_list = carrier.split(sep=end_signature_bytes)
    payload = rb_list[1]
    del rb_list
    del end_signature_bytes

    with open(file=buffer0, mode="wb") as wfile:
        wfile.write(payload)
        del payload

    with open(file=buffer0, mode="rb") as rfile:
        with open(file=buffer1, mode="wb") as wfile:
            while True:
                data = rfile.read(SETTINGS.BUFFER)
                if data == b"":
                    break
                wfile.write(
                    self.bytesxor(
                        data, SETTINGS.PUPLIC_KEY, SETTINGS.PRIVATE_NUMBER
                    )
                )
    os.remove(buffer0)

    wfile = bytes()
    with bz2.open(filename=buffer1, mode="rb") as rfile:
        while True:
            data = rfile.read(SETTINGS.BUFFER)
            if data == b"":
                break
            wfile += data
    os.remove(buffer1)
    cd.finish()
    return wfile