jcarlosroldan/steganfind.py

## steganfind.py
from os import listdir
from os.path import isdir

""" Find images with hidden compressed formats """

ROOT = "path/to/a/folder/with/images"
IMAGE_EXTS = ["jpg", "png", "gif", "jpeg", "tiff", "svg", "bmp"]
EOF_SIGNATURES = {
	""
}
COMPRESSED_SIGNATURES = {
	"RNC": b"\x52\x4e\x43\x01",
	"RNC2": b"\x52\x4e\x43\x02",
	"lzip": b"\x4c\x5a\x49\x50",
	"zip": b"\x50\x4b\x03\x04",
	"zip-spanned": b"\x50\x4b\x07\x08",
	"rar1.5+": b"\x52\x61\x72\x21\x1a\x07\x00",
	"rar5.0+": b"\x52\x61\x72\x21\x1a\x07\x01\x00",
	"iso": b"\x43\x44\x30\x30\x31",
	"xar": b"\x78\x61\x72\x21",
	"tar1": b"\x75\x73\x74\x61\x72\x00\x30\x30",
	"tar2": b"\x75\x73\x74\x61\x72\x20\x20\x00",
	"7z": b"\x37\x7a\xbc\xaf\x27\x1c",
	"lz4": b"\x04\x22\x4d\x18",
	"webm": b"\x1a\x45\xdf\xa3",
	"xz": b"\xfd\x37\x7a\x58\x5a\x00",
	"wim": b"\x4d\x53\x57\x49\x4d\x00\x00",
	# signatures with too many false positives below
	#"pdf": b"\x25\x50\x44\x46",
	#"zip-empty": b"\x50\x4b\x05\x06",
	#"gz": b"\x1f\x8b\x08",
	#"tar": b"\x1f\x9d",
	#"bz2": b"\x42\x5a\x68",
}

def steganfind(image_path):
	with open(image_path, "rb") as f:
		data = f.read()
		signatures = []
		for ftype, signature in COMPRESSED_SIGNATURES.items():
			if data.find(signature) != -1:
				signatures.append(ftype)
		if signatures:
			print("%s\t%.2fKB" % (image_path, len(data)/1024), end = '')
			[print(" %s" % ft, end = ' ') for ft in signatures]
			print("")

def navigate(path):
	for file in listdir(path):
		full = "%s/%s" % (path, file)
		if isdir(full):
			navigate(full)
		else:
			split = full.rsplit(".", 1)
			if len(split)>1 and split[1] in IMAGE_EXTS:
				steganfind(full)

if __name__ == "__main__":
	navigate(ROOT)
	from os import listdir
	from os.path import isdir

	""" Find images with hidden compressed formats """

	ROOT = "path/to/a/folder/with/images"
	IMAGE_EXTS = ["jpg", "png", "gif", "jpeg", "tiff", "svg", "bmp"]
	EOF_SIGNATURES = {
	""
	}
	COMPRESSED_SIGNATURES = {
	"RNC": b"\x52\x4e\x43\x01",
	"RNC2": b"\x52\x4e\x43\x02",
	"lzip": b"\x4c\x5a\x49\x50",
	"zip": b"\x50\x4b\x03\x04",
	"zip-spanned": b"\x50\x4b\x07\x08",
	"rar1.5+": b"\x52\x61\x72\x21\x1a\x07\x00",
	"rar5.0+": b"\x52\x61\x72\x21\x1a\x07\x01\x00",
	"iso": b"\x43\x44\x30\x30\x31",
	"xar": b"\x78\x61\x72\x21",
	"tar1": b"\x75\x73\x74\x61\x72\x00\x30\x30",
	"tar2": b"\x75\x73\x74\x61\x72\x20\x20\x00",
	"7z": b"\x37\x7a\xbc\xaf\x27\x1c",
	"lz4": b"\x04\x22\x4d\x18",
	"webm": b"\x1a\x45\xdf\xa3",
	"xz": b"\xfd\x37\x7a\x58\x5a\x00",
	"wim": b"\x4d\x53\x57\x49\x4d\x00\x00",
	# signatures with too many false positives below
	#"pdf": b"\x25\x50\x44\x46",
	#"zip-empty": b"\x50\x4b\x05\x06",
	#"gz": b"\x1f\x8b\x08",
	#"tar": b"\x1f\x9d",
	#"bz2": b"\x42\x5a\x68",
	}

	def steganfind(image_path):
	with open(image_path, "rb") as f:
	data = f.read()
	signatures = []
	for ftype, signature in COMPRESSED_SIGNATURES.items():
	if data.find(signature) != -1:
	signatures.append(ftype)
	if signatures:
	print("%s\t%.2fKB" % (image_path, len(data)/1024), end = '')
	[print(" %s" % ft, end = ' ') for ft in signatures]
	print("")

	def navigate(path):
	for file in listdir(path):
	full = "%s/%s" % (path, file)
	if isdir(full):
	navigate(full)
	else:
	split = full.rsplit(".", 1)
	if len(split)>1 and split[1] in IMAGE_EXTS:
	steganfind(full)

	if __name__ == "__main__":
	navigate(ROOT)