(IJCNS) International Journal of Computer and Network Security, Vol. 2, No. 1, January 2010

Faculty of Computer Science and Information Technology/University of Malaya
Kuala Lumpur/Malaysia
dr_hamidjalab@yahoo.com, aws.alaa@gmail.com, bilal_bahaa@hotmail.com

Abstract: Nowadays, the rapid development of multimedia and the internet allows for wide distribution of digital media data. It has become much easier to edit, modify and duplicate digital information. Besides that, digital documents are also easy to copy and distribute, and therefore they face many threats. With the large flood of information and the development of digital formats, this is a big security and privacy issue, and it has become necessary to find appropriate protection because of the significance, accuracy and sensitivity of the information. Nowadays protection systems are classified more specifically as information hiding, information encryption, and a combination of hiding and encryption to increase information security. The strength of information hiding science is due to the non-existence of standard algorithms to be used in hiding secret messages. There is also randomness in hiding methods, such as combining several media (covers) with different methods to pass a secret message. In addition, there are no formal methods to be followed to discover the hidden data. For this reason, the task of this research becomes difficult. In this paper, a new system of information hiding is presented. The proposed system aims to hide information (a data file) in any execution file (EXE) after the PE header and to detect the hidden file, and we will see an implementation of a steganography system which embeds information in an execution file. (EXE) files have been investigated. The system tries to find a solution to the size of the cover file and to make it undetectable by anti-virus software. The system includes two main functions: the first is the hiding of the information in a Portable Executable file (EXE, after the PE header) through the execution of four processes (specify the cover file, specify the information file, encrypt the information, and hide the information), and the second is the extraction of the hidden information through three processes (specify the stego file, extract the information, and decrypt the information). The system has achieved its main goals, such as making the size of the cover file and the size of the information independent, and the result file does not conflict with anti-virus software.

Keywords: Cryptography, Steganography, Portable Executable File

1. Introduction

Steganography is the art of hiding and transmitting data through apparently innocuous carriers in an effort to conceal the existence of the data. The word Steganography literally means covered or hidden writing, as derived from Greek. Steganography has its place in security [1]. It is not intended to replace cryptography but to supplement it. Hiding a message with Steganography methods reduces the chance of a message being detected. If the message is also encrypted, then it provides another layer of protection [2]. Therefore, some Steganography methods combine traditional Cryptography with Steganography; the sender encrypts the secret message prior to the overall communication process, as it is more difficult for an attacker to detect embedded cipher text in a cover [3].

In the field of Steganography, some terminology has developed. The adjectives 'cover', 'embedded' and 'stego' were defined at the information hiding workshop held in Cambridge, England. The term "cover" refers to the description of the original, innocent message, data, audio, video, and so on. Steganography is not a new science; it dates back to ancient times [4]. It has been used through the ages by ordinary people, spies, rulers, governments, and armies [4]. There are many stories about Steganography [5]. For example, ancient Greece used methods for hiding messages such as hiding them in the belly of a hare (a kind of rabbit), using invisible ink, and using pigeons. Another ingenious method was to shave the head of a messenger and tattoo a message or image on the messenger's head. After allowing his hair to grow, the message would be undetected until the head was shaved again. The Egyptians, meanwhile, used illustrations to conceal messages.

Hidden information in the cover data is known as the "embedded" data. Information hiding is a general term encompassing many sub-disciplines; it covers a wide range of problems beyond that of embedding messages in content. The term hiding here can refer to either making the information undetectable or keeping the existence of the information secret. Information hiding is a technique of hiding secrets using redundant cover data such as images, audio, movies, documents, etc. This technique has recently become important in a number of application areas [5]. For example, digital video, audio, and images are increasingly embedded with imperceptible marks, which may contain hidden signatures or watermarks that help to prevent unauthorized copying [6]. It is a process that inserts secret messages into a cover file, so that the existence of the messages is not apparent [7]. Research in information hiding has increased tremendously during the past decade, with commercial interests driving the field [7].

2. Portable Executable File

The proposed system uses a portable executable file as a cover to embed an executable program as an example for the proposed system [8].

2.1 Concept Related with PE File

The addition of the Microsoft® Windows NT™ operating system to the family of Windows™ operating systems brought many changes to the development environment and more than a few changes to applications themselves. One of the more significant changes is the introduction of the Portable Executable (PE) file format. The name "Portable Executable" refers to the fact that the format is not architecture specific [9]. In other words, the term "Portable Executable" was chosen because the intent was to have a common file format for all versions of Windows, on all supported CPUs [11]. The PE file format is drawn primarily from the Common Object File Format (COFF) specification that is common to UNIX® operating systems. Yet, to remain compatible with previous versions of the MS-DOS® and Windows operating systems, the PE file format also retains the old familiar MZ header from MS-DOS [11]. The PE file format for Windows NT introduced a completely new structure to developers familiar with the Windows and MS-DOS environments. Yet developers familiar with the UNIX environment will find that the PE file format is similar to, if not based on, the COFF specification [10]. The entire format consists of an MS-DOS MZ header, followed by a real-mode stub program, the PE file signature, the PE file header, the PE optional header, all of the section headers, and finally, all of the section bodies [12].

2.2 Techniques Related with PE

Before looking inside the PE file, we should know some special techniques, some of which are [12]:

2.2.1 General view of PE file sections

A PE file section represents code or data of some sort. While code is just code, there are multiple types of data. Besides read/write program data (such as global variables), other types of data in sections include application program interface (API) import and export tables, resources, and relocations. Each section has its own set of in-memory attributes, including whether the section contains code, whether it's read-only or read/write, and whether the data in the section is shared between all processes using the executable file [8]. Sections have two alignment values, one within the disk file and the other in memory. The PE file header specifies both of these values, which can differ. Each section starts at an offset that's some multiple of the alignment value. For instance, in the PE file, a typical alignment would be 0x200. Thus, every section begins at a file offset that's a multiple of 0x200. Once mapped into memory, sections always start on at least a page boundary. That is, when a PE section is mapped into memory, the first byte of each section corresponds to a memory page. On x86 CPUs, pages are 4KB aligned, while on the Intel Architecture IA-64, they're 8KB aligned [12].

2.2.2 Relative Virtual Addresses

In an executable file, there are many places where an in-memory address needs to be specified. For instance, the address of a global variable is needed when referencing it. PE files can load just about anywhere in the process address space. While they do have a preferred load address, you can't rely on the executable file actually loading there. For this reason, it's important to have some way of specifying addresses that are independent of where the executable file loads [12]. To avoid having hard-coded memory addresses in PE files, RVAs are used. An RVA is simply an offset in memory, relative to where the PE file was loaded. For instance, consider an .EXE file loaded at address 0x400000, with its code section at address 0x401000. The RVA of the code section would be:

(Target address) 0x401000 – (load address) 0x400000 = (RVA)    (1)

To convert an RVA to an actual address, simply reverse the process: add the RVA to the actual load address to find the actual memory address. Incidentally, the actual memory address is called a Virtual Address (VA) in PE parlance. Another way to think of a VA is that it's an RVA with the preferred load address added in [11],[12].

2.2.3 Importing Functions

When we use code or data from another DLL, we're importing it. When any PE file loads, one of the jobs of the Windows loader is to locate all the imported functions and data and make those addresses available to the file being loaded [13],[14].

3. Methodology

3.1 System Concept

The concept of this system can be summarized as hiding the data or any information in the section header within the executable file, so that there is no function or routine (open-file, read, write, and close-file) in the operating system to extract it. This operation can be performed in two alternative methods: building the file handling procedure independently of the operating system file handling routines. In this case we need to cancel the existing file handling routines and develop a new function, with the same names, which can perform what we need. The advantage of these methods is that they do not need any additional functions which could be identified by analysts, and they can be executed remotely and are suitable for network and internet applications. The disadvantage of these methods is that they need to be installed (cannot be operated remotely). So we choose
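The Python below is an added example, not the paper's implementation: it parses the headers described in Section 2, converts an RVA to a file offset through the section table, and reports non-zero bytes that no section header accounts for, which is what a defender would look at when data has been placed outside the structure of a PE file. The function names, the constructed sample image, and the choice of the two checked regions (header slack after the section table, and overlay after the last section) are assumptions of this example.

```python
import struct

def parse_pe(data):
    """Read the fields this page discusses from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    opt = pe_off + 24                                       # optional header
    pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B  # else PE32+
    base = struct.unpack_from("<I" if pe32 else "<Q", data,
                              opt + (28 if pe32 else 24))[0]
    sec_align, file_align = struct.unpack_from("<II", data, opt + 32)
    table = opt + opt_size                                  # section headers
    secs = [struct.unpack_from("<8sIIII", data, table + 40 * i)
            for i in range(nsec)]       # name, vsize, rva, raw size, raw ptr
    return {"base": base, "sec_align": sec_align, "file_align": file_align,
            "sections": secs, "table_end": table + 40 * nsec}

def rva_to_offset(pe, rva):
    """Map an RVA to its offset in the disk file (None if not file-backed)."""
    for _, vsize, va, rsize, rptr in pe["sections"]:
        if va <= rva < va + max(vsize, rsize):
            return rptr + rva - va if rva - va < rsize else None
    return None

def unaccounted_regions(data, pe):
    """Report bytes that no section header covers: header slack, overlay."""
    raw = [(s[4], s[4] + s[3]) for s in pe["sections"] if s[3]]
    first = min([a for a, _ in raw], default=len(data))
    end = max([b for _, b in raw], default=len(data))
    slack = bytes(data[pe["table_end"]:first]).rstrip(b"\0")
    found = [("header-slack", pe["table_end"], len(slack))] if slack else []
    if len(data) > end:
        found.append(("overlay", end, len(data) - end))
    return found

def build_sample():
    """Constructed minimal PE32 (not a real program): one .text section."""
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # base, aligns
    hdr = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HH12xHH", 0x14C, 1, 0xE0, 0x102) + bytes(opt)
           + struct.pack("<8sIIII16x", b".text", 0x10, 0x1000, 0x200, 0x200))
    return hdr.ljust(0x200, b"\0") + b"\xC3".ljust(0x200, b"\0")

if __name__ == "__main__":
    data = bytearray(build_sample()) + b"appended"   # constructed overlay
    data[0x160:0x166] = b"hidden"                     # constructed slack bytes
    pe = parse_pe(data)
    print(hex(rva_to_offset(pe, 0x1000)), unaccounted_regions(data, pe))
```

Non-zero header slack and overlays also occur in legitimate files (bound import data, Authenticode signatures, installers), so a hit is a triage signal to compare against a known-good copy rather than proof of hidden data.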
start when writing test cases, with the functional approach to test case identification; the only information that is used is the specification of the software.

Figure 6. Black box

4.1 Process of the Test

4.1.1 Test Case One

Compare the cover file sizes before and after the hiding operation. Four tables compare the sizes before and after the hiding operation: Table 2, different sizes of cover with different types of EXE files and the same size of information for each type of multimedia file (text, video, audio and image); Table 3, the same size of cover with the same type of EXE files and different sizes of information for each type of multimedia file (text, video, audio and image); Table 4, different sizes of cover with the same type of EXE files and the same size of information for each type of multimedia file (text, video, audio and image); Table 5, different sizes of cover with the same type of EXE files and different sizes of information for each type of multimedia file (text, video, audio and image).

Table 2: Different Size for Cover with Different Type of the EXE Files and Same Size for Information of Each Type for Multimedia Files (Text, image, audio and video).

Table 3: Same Size for Cover with Same Type of the EXE Files and Different Size for Information of Each Type for Multimedia Files (Text, image, audio and video).

Table 4: Different Size for Cover with Same Type of the EXE Files and Same Size for Information of Each Type for Multimedia Files (Text, image, audio and video).

Table 5: Different Size for Cover with Same Type of the EXE Files and Different Size for Information of Each Type for Multimedia Files (Text, image, audio and video).

From all the tables above in test case one, it can be concluded: there is no change in the size of the hidden files inside the cover files, so different sizes can be hidden inside the EXE files, as shown in Table 2 and Table 3, and the attacker cannot attack the hidden information because he cannot guess the EXE file size, since EXE files do not have a constant size, as shown in Table 4 and Table 5, where the same type of EXE file can have different sizes, like cover file number 5, which has three sizes for the same type of cover file.

Version or Vista).
• Installation (JDK).
• Installation (Java Editor).
• Installation (Microsoft Excel Worksheet 2003 or 2007).
• Installation (Microsoft Office Word Document 2003 or 2007).
• Installation (Software Antivirus 2010).
• Installation (Real Player Programme).
• Installation (Jet Audio Programme).
• Installation (ACDSEE Programme).
• System application for this research.

4.2.2 Inputs

The system has two types of inputs:
• Inputs for the cover (EXE files): there are five types of cover (EXE files) of different sizes.
• Inputs for the hidden information: four texts of different sizes, four images of different sizes, four videos of different sizes, and four audio files of different sizes.

Table 1: Inputs for Test Cases.

• Text

Table 7: Inputs and Outputs for Test Case Three.

• Text
• Video
• Image

Figure 9. After Hiding Operation inside the (Hiding Folder) that Executable File (Cover 3) Still Working

• Audio

Figure 10. After Hiding Operation inside the (Hiding Folder) that Executable File (Cover 5) Still Working
Figure 13. Shows that the Executable (Cover 3) File Inside (Hiding Folder) Immune by Anti-virus program

• Audio

Figure 14. Shows that the Executable (Cover 5) File Inside (Hiding Folder) Immune to Anti-virus Program

5. Conclusion

The .EXE files are among the most important files in operating systems and in most systems designed by developers (programmers/software engineers), and so hiding information in these files is the basic goal of this research, because most users of any system cannot alter or modify the content of these files. The PE file structure is very complex because it depends on multiple headers and addressing, and inserting data into PE files without a full understanding of their structure may damage them, so the choice is to hide the information beyond the structure of these files. Most anti-virus systems do not allow direct writes to executable files, so the approach of the proposed system is to keep the hidden information from being observed by these systems. One of the important conclusions in the implementation of the proposed system is the solving of the problems that are related to the size of the cover file, so the hiding method makes the relation between the cover and the

Acknowledgement

This research was partially supported by "King Saud University", Riyadh, Saudi Arabia. The author would like to acknowledge all workers involved in this project that had given their support in many ways, also he would like to thank in advance Dr. Ali Abdullah Al-Afnan, Dr. Musaed AL-Jrrah, Dr. Abdullah Alsbail, Dr. Abdullah Alsbait, Dr. Khalid Alhazmi, Dr. Ali, Dr. Ibrahim Al-Dubaian and all the staff in King Saud University, especially in Applied Medical Science in "Al-Majmah", for their unlimited support; without their notes and suggestions this research would not appear.

References

[1] A.A. Zaidan, B.B. Zaidan, Fazidah Othman, "New Technique of Hidden Data in PE-File with in Unused Area One", International Journal of Computer and Electrical Engineering (IJCEE), Vol. 1, No. 5, ISSN: 1793-8198, pp. 669-678.
[2] A.A. Zaidan, B.B. Zaidan, Fazidah Othman, "New Technique of Hidden Data in PE-File with in Unused Area One", International Journal of Computer and Electrical Engineering (IJCEE), Vol. 1, No. 5, ISSN: 1793-8198, pp. 669-678.
[3] A.A. Zaidan, B.B. Zaidan, Anas Majeed, "High Securing Cover-File of Hidden Data Using Statistical Technique and AES Encryption Algorithm", World Academy of Science Engineering and Technology (WASET), Vol. 54, ISSN: 2070-3724, pp. 468-479.
[4] A.A. Zaidan, B.B. Zaidan, "Novel Approach for High Secure Data Hidden in MPEG Video Using Public Key Infrastructure", International Journal of Computer and Network Security, 2009, Vol. 1, No. 1, ISSN: 1985-1553, pp. 71-76.
[5] A.W. Naji, A.A. Zaidan, B.B. Zaidan, Shihab A, Othman O. Khalifa, "Novel Approach of Hidden Data in the (Unused Area 2 within EXE File) Using Computation Between Cryptography and Steganography", International Journal of Computer Science and Network Security (IJCSNS), Vol. 9, No. 5, ISSN: 1738-7906, pp. 294-300.
[6] Anas Majed Hamid, Miss Laiha Mat Kiah, Hayan T. Madhloom, B.B. Zaidan, A.A. Zaidan, "Novel Approach for High Secure and High Rate Data Hidden in the Image Using Image Texture Analysis", International Journal of Engineering and Technology (IJET), Published by: Engg Journals Publications, ISSN: 0975-4042, Vol. 1, No. 2, pp. 63-69.
[7] A.A. Zaidan, Fazidah Othman, B.B. Zaidan, R.Z. Raji, Ahmed K. Hasan, and A.W. Naji, "Securing Cover-File without Limitation of Hidden Data Size Using