Created
July 24, 2018 11:43
Find compressed files hidden in images
from os import listdir
from os.path import isdir, islink
""" Find images with hidden compressed formats """

# Folder that is walked recursively when the script is run directly.
ROOT = "path/to/a/folder/with/images"

# File extensions (without the dot, lowercase) that mark a file for inspection.
IMAGE_EXTS = [
    "jpg",
    "png",
    "gif",
    "jpeg",
    "tiff",
    "svg",
    "bmp",
]

# Not referenced by the code in this script; holds a single empty string.
EOF_SIGNATURES = {""}

# Magic byte sequences searched for anywhere inside an image file.
# A match is a lead, not proof: the bytes are found by plain substring search,
# so the 4-byte entries in particular can occur by chance in compressed pixel
# data, and a hit should be confirmed by inspecting the data at that position.
# Insertion order is the order in which matches are printed.
COMPRESSED_SIGNATURES = {
    "RNC": b"RNC\x01",
    "RNC2": b"RNC\x02",
    "lzip": b"LZIP",
    "zip": b"PK\x03\x04",
    "zip-spanned": b"PK\x07\x08",
    "rar1.5+": b"Rar!\x1a\x07\x00",
    "rar5.0+": b"Rar!\x1a\x07\x01\x00",
    # "CD001" and "ustar" are not at the very start of an ISO image or a tar
    # header; the container itself begins before the matched position.
    "iso": b"CD001",
    "xar": b"xar!",
    "tar1": b"ustar\x00" b"00",
    "tar2": b"ustar  \x00",
    "7z": b"7z\xbc\xaf\x27\x1c",
    "lz4": b"\x04\x22\x4d\x18",
    # EBML header shared by Matroska/WebM: a media container, not an archive.
    "webm": b"\x1a\x45\xdf\xa3",
    "xz": b"\xfd7zXZ\x00",
    "wim": b"MSWIM\x00\x00",
    # Disabled by the author: too many false positives.
    # "pdf": b"%PDF",
    # "zip-empty": b"PK\x05\x06",
    # "gz": b"\x1f\x8b\x08",
    # "tar": b"\x1f\x9d",  # NOTE(review): 1f 9d looks like the compress(1) .Z magic rather than tar - confirm
    # "bz2": b"BZh",
}
def steganfind(image_path):
    """Print the archive signatures that occur anywhere inside one file.

    The whole file is read into memory and each entry of
    COMPRESSED_SIGNATURES is looked up with a plain substring search, so the
    position of a match is not taken into account. When at least one
    signature is present, one line is printed: the path, a tab, the file size
    in units of 1024 bytes with two decimals, then the matching labels.
    Nothing is printed for a file without matches.

    Args:
        image_path: path of the file to inspect.
    """
    with open(image_path, "rb") as handle:
        blob = handle.read()

    hits = [
        label
        for label, magic in COMPRESSED_SIGNATURES.items()
        if magic in blob
    ]
    if not hits:
        return

    # A hit only says the bytes are present; it does not show that a valid
    # archive follows them.
    print("%s\t%.2fKB" % (image_path, len(blob) / 1024), end='')
    for label in hits:
        print(" %s" % label, end=' ')
    print("")
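def navigate(path):
    """Walk *path* recursively and run steganfind() on every image file.

    A file counts as an image when the text after the last dot of its name,
    compared case-insensitively, is listed in IMAGE_EXTS; files such as
    "PHOTO.JPG" are therefore inspected as well. Symbolic links to
    directories are not followed.

    Args:
        path: directory to scan.
    """
    for file in listdir(path):
        full = "%s/%s" % (path, file)
        if isdir(full):
            # isdir() follows symlinks, so a link pointing back up the tree
            # would otherwise recurse without bound.
            if not islink(full):
                navigate(full)
            continue
        _, dot, ext = file.rpartition(".")
        # IMAGE_EXTS holds lowercase entries; lower() keeps upper- or
        # mixed-case extensions from being skipped silently.
        if dot and ext.lower() in IMAGE_EXTS:
            steganfind(full)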
# Scan ROOT only when the file is executed as a script, not when it is imported.
if __name__ == "__main__":
    navigate(ROOT)