Concealing Backdoor Payloads into BMP Pixels

Inspired by Transferring Backdoor Payloads with BMP Image Pixels, I wrote a demo version in Go.
Although it does not seem especially new or dangerous, concealing a payload in BMP pixels to bypass AV is really interesting.

Why BMP?

  • Not everyone scans BMP files
  • Forbidding image transmission is unrealistic
  • BMP pixels and payload bytes are easily interchanged
  • Payloads can even be split across more than one image

Why Go?

  • Cross Platform
  • Easy to compile
  • I like it
  • C is difficult :)

How to conceal?

1. Convert the base64-encoded payload to bytes

sEnc := base64.StdEncoding.EncodeToString([]byte(payload))
data := []byte(sEnc)

2. Store the length in the first pixel's R value

encryptedBar.Pix[0] = uint8(len(sEnc))

3. Put every 3 bytes into 1 pixel's RGB values

x := 1
for i := 0; i < len(sEnc); i += 3 {
    var r, g, b uint8 = 0, 0, 0
    r = data[i]
    if i+1 < len(sEnc) {
        g = data[i+1]
        if i+2 < len(sEnc) {
            b = data[i+2]
        }
    }
    encryptedBar.SetRGBA(x, 0, color.RGBA{
        R: r,
        G: g,
        B: b,
    })
    x++
}

4. Create a .bmp

bmp.Encode(outputFile, encryptedBar)

Example

whoami -> d2hvYW1p -> [100 50 104 118 89 87 49 112] ->

We can also combine this "encrypted" bar (it is only base64-encoded, not encrypted) with a normal BMP to make it less detectable.

Notice the upper-left corner.
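
From the scanning side, the layout above is easy to test for: a length byte in the first pixel's R value, followed by that many base64 characters packed three per pixel along the top row. The check below is an added example, not code from the original post; the names `ExtractRowPayload` and `sampleCarrier` are hypothetical, and it works on an already-decoded `image.Image` so it needs only the standard library. The sample image is constructed in memory from the harmless `whoami` string used in the example above.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"image"
	"image/color"
)

// ExtractRowPayload checks row 0 for the layout described above: pixel (0,0)
// R = length n, then n base64 bytes packed three per pixel as R, G, B.
func ExtractRowPayload(img image.Image) ([]byte, bool) {
	b := img.Bounds()
	at := func(x int) color.RGBA {
		return color.RGBAModel.Convert(img.At(b.Min.X+x, b.Min.Y)).(color.RGBA)
	}
	n := int(at(0).R)
	if n == 0 || n%4 != 0 || 1+(n+2)/3 > b.Dx() {
		return nil, false // padded base64 is always a non-zero multiple of 4
	}
	buf := make([]byte, 0, n+2)
	for x := 1; len(buf) < n; x++ {
		p := at(x)
		buf = append(buf, p.R, p.G, p.B)
	}
	out, err := base64.StdEncoding.DecodeString(string(buf[:n]))
	return out, err == nil // any byte outside the base64 alphabet fails here
}

// sampleCarrier builds a constructed 16x4 test image carrying "whoami",
// laid out the way the steps above describe.
func sampleCarrier() *image.RGBA {
	img := image.NewRGBA(image.Rect(0, 0, 16, 4))
	enc := []byte(base64.StdEncoding.EncodeToString([]byte("whoami")))
	img.Pix[0] = uint8(len(enc))
	for i, x := 0, 1; i < len(enc); i, x = i+3, x+1 {
		var px [3]byte
		copy(px[:], enc[i:]) // last pixel is zero-padded when fewer than 3 bytes remain
		img.SetRGBA(x, 0, color.RGBA{R: px[0], G: px[1], B: px[2], A: 255})
	}
	return img
}

func main() {
	payload, hit := ExtractRowPayload(sampleCarrier())
	fmt.Printf("carrier: hit=%v payload=%q\n", hit, payload)
	_, hit = ExtractRowPayload(image.NewRGBA(image.Rect(0, 0, 16, 4)))
	fmt.Printf("blank:   hit=%v\n", hit)
}
```

Because the length is stored in a single byte, this demo's layout can describe at most 255 base64 characters per image; ordinary photos can occasionally pass the check by chance, so a hit is a lead for review rather than a verdict.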