Steg #!/usr/bin/env python3 """ Steganography Extraction Tool This script extracts hidden data from images using various steganography techniques. Usage: python steg_extract.py """ import sys import os import numpy as np from PIL import Image import binascii import re import zlib import struct from bitstring import BitArray def extract_lsb(image_path, bit_depth=1): """Extract data hidden using LSB (Least Significant Bit) steganography.""" try: img = Image.open(image_path) pixels = np.array(img) # Flatten the pixel array and extract LSBs flat_pixels = pixels.flatten() # Get the least significant bits bits = "" for pixel in flat_pixels: # Extract the specified number of least significant bits for i in range(bit_depth): bits += str((pixel >> i) & 1) # Convert bits to bytes bytes_data = BitArray(bin=bits).bytes # Try to find printable text printable_data = "" for i in range(len(bytes_data)): char = bytes_data[i:i+1] if 32 <= ord(char) <= 126 or ord(char) in (10, 13, 9): # Printable ASCII or newline/tab printable_data += char.decode('ascii', errors='ignore') else: printable_data += '.' return { 'raw_bits': bits[:100] + "...", # First 100 bits 'raw_bytes': binascii.hexlify(bytes_data[:50]).decode('ascii') + "...", # First 50 bytes 'possible_text': printable_data[:1000] # First 1000 printable chars } except Exception as e: return {'error': f"LSB extraction failed: {str(e)}"} def extract_metadata(image_path): """Extract metadata from the image that might contain hidden information.""" try: img = Image.open(image_path) metadata = {} # Extract EXIF data if available if hasattr(img, '_getexif') and img._getexif(): metadata['exif'] = str(img._getexif()) # Extract other metadata metadata['format'] = img.format metadata['mode'] = img.mode metadata['info'] = str(img.info) return metadata except Exception as e: return {'error': f"Metadata extraction failed: {str(e)}"} def extract_color_plane(image_path): """Extract data from color planes separately to find potential hidden information.""" try: img = Image.open(image_path) if img.mode != 'RGB' and img.mode != 'RGBA': return {'error': "Not an RGB/RGBA image"} planes = {} pixels = np.array(img) # Extract red, green, blue planes if img.mode == 'RGB' or img.mode == 'RGBA': planes['red'] = pixels[:,:,0] planes['green'] = pixels[:,:,1] planes['blue'] = pixels[:,:,2] # Check for unusual patterns in each plane results = {} for plane_name, plane_data in planes.items(): # Look for unusual distributions (e.g., even/odd patterns) even_count = np.sum(plane_data % 2 == 0) odd_count = np.sum(plane_data % 2 == 1) # If there's a significant imbalance, it might indicate steganography results[f"{plane_name}_analysis"] = { 'even_pixels': even_count, 'odd_pixels': odd_count, 'imbalance': abs(even_count - odd_count) / (even_count + odd_count) } # Extract LSB from this color plane only bits = "".join([str(p & 1) for p in plane_data.flatten()]) results[f"{plane_name}_lsb_sample"] = bits[:100] + "..." return results except Exception as e: return {'error': f"Color plane extraction failed: {str(e)}"} def extract_hidden_files(image_path): """Look for embedded files using common signatures/headers.""" try: with open(image_path, 'rb') as f: data = f.read() # Common file signatures to look for file_signatures = { b'\x50\x4B\x03\x04': 'ZIP', b'\x52\x61\x72\x21\x1A\x07': 'RAR', b'\x25\x50\x44\x46': 'PDF', b'\xFF\xD8\xFF': 'JPG', b'\x89\x50\x4E\x47': 'PNG', b'\x47\x49\x46\x38': 'GIF', b'\x7F\x45\x4C\x46': 'ELF', b'\xD0\xCF\x11\xE0': 'MS Office', b'\x50\x4B\x05\x06': 'ZIP (empty)', b'\x1F\x8B\x08': 'GZIP', b'\x42\x5A\x68': 'BZ2', b'\x75\x73\x74\x61\x72': 'TAR', b'\x49\x44\x33': 'MP3', b'\x4D\x5A': 'EXE', } found_files = [] for signature, filetype in file_signatures.items(): # Find all occurrences of the signature offsets = [m.start() for m in re.finditer(re.escape(signature), data)] for offset in offsets: found_files.append({ 'type': filetype, 'offset': offset, 'signature': binascii.hexlify(signature).decode('ascii') }) return found_files except Exception as e: return {'error': f"Hidden file extraction failed: {str(e)}"} def extract_parity_steganography(image_path): """Check for parity-based steganography.""" try: img = Image.open(image_path) pixels = np.array(img) # Count the parity of pixels in each row and column row_parity = np.sum(pixels.sum(axis=2) % 2, axis=1) % 2 col_parity = np.sum(pixels.sum(axis=2) % 2, axis=0) % 2 # Convert to binary strings (potentially hidden messages) row_message = "".join([str(int(bit)) for bit in row_parity]) col_message = "".join([str(int(bit)) for bit in col_parity]) return { 'row_parity_bits': row_message, 'col_parity_bits': col_message } except Exception as e: return {'error': f"Parity steganography extraction failed: {str(e)}"} def extract_hidden_text(image_path): """Extract text from the image using several methods.""" try: with open(image_path, 'rb') as f: data = f.read() # Look for ASCII/UTF-8 text patterns possible_strings = [] ascii_regex = rb'[ -~\r\n\t]{8,}' # 8+ printable ASCII chars for match in re.finditer(ascii_regex, data): possible_strings.append(match.group(0).decode('ascii', errors='ignore')) return { 'possible_strings': possible_strings[:20] # Return first 20 found strings } except Exception as e: return {'error': f"Text extraction failed: {str(e)}"} def analyze_bit_distribution(image_path): """Analyze bit distribution for statistical anomalies.""" try: img = Image.open(image_path) pixels = np.array(img) # Analyze distribution of each bit position bit_counts = [] for bit_pos in range(8): mask = 1 << bit_pos bit_count = np.sum((pixels & mask) > 0) bit_counts.append(bit_count) total_bits = pixels.size * 8 bit_frequencies = [count / total_bits for count in bit_counts] # Calculate deviation from expected 0.5 frequency deviations = [abs(freq - 0.5) for freq in bit_frequencies] return { 'bit_frequencies': bit_frequencies, 'deviations': deviations, 'analysis': "High deviation in LSBs may indicate steganography" } except Exception as e: return {'error': f"Bit distribution analysis failed: {str(e)}"} def extract_stegano_data(image_path): """Main function to extract steganographic data from an image.""" results = { 'filename': os.path.basename(image_path), 'filesize': os.path.getsize(image_path) } # Run all extraction methods results['lsb_extraction'] = extract_lsb(image_path) results['lsb_extraction_2bit'] = extract_lsb(image_path, bit_depth=2) results['metadata'] = extract_metadata(image_path) results['color_planes'] = extract_color_plane(image_path) results['hidden_files'] = extract_hidden_files(image_path) results['parity_data'] = extract_parity_steganography(image_path) results['text_data'] = extract_hidden_text(image_path) results['bit_distribution'] = analyze_bit_distribution(image_path) return results def save_extracted_data(results, original_image_path): """Save extracted data to files.""" base_name = os.path.splitext(os.path.basename(original_image_path))[0] output_dir = f"{base_name}_extracted" # Create directory if it doesn't exist if not os.path.exists(output_dir): os.makedirs(output_dir) # Save main results as text with open(f"{output_dir}/results.txt", 'w') as f: f.write(f"Steganography Extraction Results for {results['filename']}\n") f.write(f"File size: {results['filesize']} bytes\n\n") # Write metadata f.write("=== METADATA ===\n") for k, v in results['metadata'].items(): f.write(f"{k}: {v}\n") # Write LSB extraction results f.write("\n=== LSB EXTRACTION ===\n") f.write(f"LSB sample: {results['lsb_extraction']['raw_bits']}\n") f.write(f"Bytes: {results['lsb_extraction']['raw_bytes']}\n") f.write(f"Possible text:\n{results['lsb_extraction']['possible_text']}\n") # Write 2-bit LSB extraction f.write("\n=== 2-BIT LSB EXTRACTION ===\n") f.write(f"LSB sample: {results['lsb_extraction_2bit']['raw_bits']}\n") f.write(f"Bytes: {results['lsb_extraction_2bit']['raw_bytes']}\n") f.write(f"Possible text:\n{results['lsb_extraction_2bit']['possible_text']}\n") # Write color plane analysis f.write("\n=== COLOR PLANE ANALYSIS ===\n") for k, v in results['color_planes'].items(): f.write(f"{k}: {v}\n") # Write hidden files f.write("\n=== POSSIBLE HIDDEN FILES ===\n") for file_info in results['hidden_files']: f.write(f"Type: {file_info['type']}, Offset: {file_info['offset']}, Signature: {file_info['signature']}\n") # Write parity data f.write("\n=== PARITY STEGANOGRAPHY ===\n") f.write(f"Row parity: {results['parity_data']['row_parity_bits']}\n") f.write(f"Column parity: {results['parity_data']['col_parity_bits']}\n") # Write found text strings f.write("\n=== POSSIBLE HIDDEN TEXT ===\n") for s in results['text_data']['possible_strings']: f.write(f"{s}\n") f.write("---\n") # Write bit distribution analysis f.write("\n=== BIT DISTRIBUTION ANALYSIS ===\n") f.write("Bit position frequencies (0-7, LSB to MSB):\n") for i, freq in enumerate(results['bit_distribution']['bit_frequencies']): f.write(f"Bit {i}: {freq:.4f} (deviation: {results['bit_distribution']['deviations'][i]:.4f})\n") # If we found potential embedded files, try to extract them if results['hidden_files']: with open(original_image_path, 'rb') as f: data = f.read() for i, file_info in enumerate(results['hidden_files']): # Create a name for the extracted file ext = file_info['type'].lower().split()[0] # Use the first word of the type as extension output_file = f"{output_dir}/extracted_file_{i}.{ext}" # Get start position from offset start_pos = file_info['offset'] # Write the data to a file, up to 10MB maximum with open(output_file, 'wb') as out_f: out_f.write(data[start_pos:start_pos + 10*1024*1024]) return output_dir def main(): if len(sys.argv) != 2: print(f"Usage: {sys.argv[0]} ") sys.exit(1) image_path = sys.argv[1] if not os.path.exists(image_path): print(f"Error: File '{image_path}' not found.") sys.exit(1) print(f"Analyzing {image_path} for steganographic data...") results = extract_stegano_data(image_path) # Save results to files output_dir = save_extracted_data(results, image_path) print(f"Analysis complete. Results saved to {output_dir}/") if __name__ == "__main__": main()