{"id":17383377,"url":"https://github.com/farinap5/bitmap4shell","last_synced_at":"2025-04-15T07:31:14.672Z","repository":{"id":216859630,"uuid":"721426211","full_name":"farinap5/bitmap4shell","owner":"farinap5","description":"A (quite) simple steganography algorithm to hide shellcodes within bitmap image.","archived":false,"fork":false,"pushed_at":"2024-05-04T18:48:14.000Z","size":222,"stargazers_count":21,"open_issues_count":0,"forks_count":4,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-28T18:21:23.591Z","etag":null,"topics":["image-processing","pentest","shellcode","steganography"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/farinap5.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-11-21T03:12:20.000Z","updated_at":"2024-10-16T15:54:56.000Z","dependencies_parsed_at":"2024-01-13T09:18:55.731Z","dependency_job_id":"984aa3c8-1902-4b8b-991f-86bbd064d30d","html_url":"https://github.com/farinap5/bitmap4shell","commit_stats":null,"previous_names":["farinap5/bitmap4shell"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/farinap5%2Fbitmap4shell","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/farinap5%2Fbitmap4shell/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/farinap5%2Fbitmap4shell/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/farinap5%2Fbitmap4shell/manifests","
owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/farinap5","download_url":"https://codeload.github.com/farinap5/bitmap4shell/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249026752,"owners_count":21200502,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["image-processing","pentest","shellcode","steganography"],"created_at":"2024-10-16T07:41:25.422Z","updated_at":"2025-04-15T07:31:13.824Z","avatar_url":"https://github.com/farinap5.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Bitmap Shellcode Encoder\n\n\u003e **Did you use this project during an assignment? Let me know!**\n\nA simple steganography algorithm to obfuscate shellcode (or other data) within bitmap images.\n\nSecurity analysts employ diverse techniques to obfuscate code in order to evade detection by anti-malware solutions. These methods include the utilization of symmetric block encryption, UUIDs, and various other obfuscation strategies.\n\nThe objective of this project is to obscure shellcode within bitmap images. It is important to note that this process does not entail backdooring the image; instead, it mandates the presence of a suitable decoder for reading and subsequent execution. 
This approach effectively mitigates the risk of the shellcode being detected during static scans.\n\nOther obfuscation methods, such as AES, may also be flagged when certain libraries are used, since they have become very common for this type of application.\n\nIt may still be detected by behavior analysis.\n\nThe loader may be modified to avoid detection; the technique keeps working as long as the same decoding protocol is used.\n\n`datavisualizer-lin.c` Loader for Linux.\n\n`datavisualizer-win.c` Loader for Windows.\n\n`bitmapvis-win.cpp` Loader for Windows. It also opens a window showing the bitmap, so it looks like a normal image viewer.\n\nYou may customize the loader to fit your use case.\n\n![Loader for Linux](img/termtosvg_m0fudx6r.svg)\n\n### How To Use\n\nCompile:\n\n```\nx86_64-w64-mingw32-gcc datavisualizer-win.c\ngcc datavisualizer-lin.c\ngcc -o main main.c\n```\n\nHaving a 32-bit bitmap image and the shellcode in raw format, encode the shellcode over the pixel array of the image:\n\n```\n╰─$ ./main -b 32bit.bmp -r infected.bmp -f shellcode.bin -s\nMagic Number: BM\nSize: 118\nOffset: 54\n100wpx x 100hpx of 32bits\nOff Size: 40000\nImage may hold 5000b -\u003e 4Kb\n5704 bits written and bytes modified\ninfected.bmp modified\n```\n\nThe image `infected.bmp` has been created with the shellcode encoded in it.\n\nExecute the shellcode:\n\n```\n\u003e .\\a.exe -b .\\infected.bmp -e\nData hidden -\u003e Magic: 0xDEAD\nHidden data length 707b\n707b: fc4883e4f0e8cc00\n```\n\nType `-h` to see the full help menu.\n\n### Studying\n\nThe following block is the dump of a bitmap header and DIB header.\n\n```\n00000000: 424d 7600 0000 0000 0000 3600 0000 2800  BMv.......6...(.\n00000010: 0000 6400 0000 6400 0000 0100 2000 0000  ..d...d..... 
...\n00000020: 0000 4000 0000 0000 0000 0000 0000 0000  ..@.............\n00000030: 0000 0000 0000 4080 c000 4080 c000 4080  ......@...@...@.\n```\n\nBitmap Header: 14 Bytes\n\n```\n     424d -\u003e BM magic number\n7600 0000 -\u003e BM file size\n     0000 -\u003e Reserved (no use)\n     0000 -\u003e Reserved (no use)\n3600 0000 -\u003e Offset of the start of the pixel array\n```\n\nDIB Header\n\n```\n2800 0000 -\u003e DIB header length\n6400 0000 -\u003e Width in pixels\n6400 0000 -\u003e Height in pixels\n     0100 -\u003e Number of color planes\n     2000 -\u003e Bits per pixel = 32\n0000 0000 -\u003e Pixel array compression used\n4000 0000 -\u003e Size of the raw bitmap data (including padding)\n0000 0000 -\u003e Horizontal pixels per meter\n0000 0000 -\u003e Vertical pixels per meter\n0000 0000 -\u003e Colors in palette\n0000 0000 -\u003e Important colors (0 = all colors)\n```\n\nStart of the pixel array\n\n```\n4080 c000 -\u003e 40 -\u003e blue\n             80 -\u003e green\n             c0 -\u003e red\n             00 -\u003e padding / alpha\n```\n\nGiven a pixel stored as the byte array `4080c000`, its binary representation would be:\n```\n01000000 10000000 11000000 00000000\n```\n\nIf I want to store four bits like `1111`, I may place one bit at the end of each byte.\n\n```\n0100000`1 1000000`1 1100000`1 0000000`1\n```\n\nI would have a variation of one bit per color channel in the worst case, probably not humanly noticeable.\n\nFor each byte to store I need 8 carrier bytes, since only the last bit of each carrier byte is used to assemble one byte. 
I need a way to get my stored data back from an array of bytes.\n\nFor a given array of bytes, take the last bit of each of these bytes and assemble a single byte.\n\n```\n11011010 00101001 10110101 01001011 \n11111100 00000001 10010010 01010101\n\nResult: 01110101\n```\n\nThe opposite, storing the data as described above:\n\nFor a given byte and array of bytes, take each bit from the byte and place it at the end of the corresponding byte from the array.\n\n```\nByte: 10101010\n\nResult:\n00000001 00000000 00000001 00000000\n00000001 00000000 00000001 00000000\n```\n\nFor instance, if the first byte is 0x03 (00000011) and the corresponding bit to store is 0, the resulting byte should be 0x02 (00000010).\n\nFirst we clear the last bit of a byte by performing a bitwise AND (\u0026) against the byte 0xFE (11111110). Take 0x03 as example.\n\n```\n      11111110 0xFE\n    \u0026 00000011 0x03\n      ========\n      00000010 result 0x02\n```\n\nThen we do a bitwise OR (|) of the cleared byte with the bit to store (0x00 or 0x01), placing it in the last position.\n\n\nBit operations\nhttp://www.inf.puc-rio.br/~noemi/eda-19.1/bitwise.pdf\n\nGet each bit from byte\nhttps://stackoverflow.com/questions/8695945/c-get-a-bit-from-a-byte\n\nTurn int into array of bytes\nhttps://stackoverflow.com/questions/3784263/converting-an-int-into-a-4-byte-char-array-c\n\nhttps://www.ripublication.com/ijaer17/ijaerv12n21_19.pdf","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffarinap5%2Fbitmap4shell","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffarinap5%2Fbitmap4shell","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffarinap5%2Fbitmap4shell/lists"}