Hydan anyone?

  1. #1
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,019

    Hydan anyone?

    I was just wondering if anybody here has had any experience with this type of steganographic tool? It can be found here: http://www.crazyboy.com/hydan/

    What I found interesting about it is that it will embed text into .exe files, and this is the first one I've heard of that does this. And if I understand correctly, it doesn't change the size of the file.

    The implications of this particular tool are such that a virus, trojan, backdoor, or whatever, could be altered to bypass signature-based anti-virus software. Of course we combat that by keeping our integrity checking software updated... and make sure we are thorough with our rulesets for checking all files.

    Not really a question, just seeing if anybody had played with this?

    Btw, there are not too many web sites that discuss this application...be careful when searching...you'll pull up some porno sites that will fire off a bunch of pop-ups if you are not prepared...

  2. #2
    Banned
    Join Date
    Jun 2002
    Posts
    289
    that's a good one groovicus.. thanks for bringing it to my attention..

    now I had posted before about the camouflage program which can embed any file type into any other file type.. but this one has me interested because of its claim to NOT alter the file size..
    from your link I found the link at securityfocus.com which explains things a bit more..
    http://securityfocus.com/news/2623

    again, thanks..

  3. #3
    Member
    Join Date
    Feb 2003
    Posts
    95
    Are you sure it doesn't alter the file size??? I have heard of another tool similar to this on Tech TV.. But if I remember correctly it changes the file size when you insert another file into the target file... That would be very interesting if it doesn't. They'd probably have some kinda restriction on the size of the file you can insert.. either that or one extremely powerful compression algorithm

  4. #4
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,019
    Well, I haven't tested it myself, but that's what it claims. The link jenjen provided takes you to a good discussion of the tool...that's why I came here and asked. If you were to read the article, it explains completely how the compression algorithm works. Although it is not as efficient as other stego tools, it is the only stego tool that I know of that will insert into .exe.

    It's on my to do list to play with it.

  5. #5
    Banned
    Join Date
    Jun 2002
    Posts
    289
    from what I read at that link, Hydan is altering the original exe to make room to hide the file..

    El-Khalil's research focused on redundancies in the Intel x86 instruction set -- places where at least two different instructions are effectively the same. Each choice between two redundant options can represent a single bit of data. "The problem with program binaries is there is just not a lot of redundancy in them," said El-Khalil.

    He found some of that useful redundancy in the instructions that tell the computer to add or subtract.

    A computer instruction to add the number 50 to another value, for example, can be replaced with an instruction to subtract the number -50 instead. Mathematically, the instructions are the same. In choosing between the two, a stego program can get one bit of covert storage out of each addition or subtraction operation in the executable -- without changing the way the application runs, or adding a single byte to its size. "If we use a scenario in which addition is zero, and subtraction is one, we can just go through and flip them as needed," El-Khalil explained.
    he goes on to say that it's not perfect.. etc.. which probably means that it has failures in some instances either by showing increased size or that the exe gets hosed.

    now groovicus.. you state that Hydan "is the only stego tool that I know of that will insert into .exe. " But I will repeat what I said above.. "the camouflage program which can embed any file type into any other file type" which means exe, flash.. literally any file type..

    you can download the zip file for camouflage here.

  6. #6
    Member
    Join Date
    Jun 2003
    Posts
    57
    IF it changes the file size it's not by much. And it's not a compression algorithm, here's how it works. It goes through the code and changes things like "ADD == 2 + 4" to a functionally equivalent statement like "SUB == 2 - (-4)".

    Maybe not the clearest example, but it replaces statements with others that mean the same thing and get the same results but are different. Now it can be detected if you do a histogram of the functions and statements because, if you accept the example, there will be way more decrements than normal, Vs. Increments. Programmers don't normally do statements like those that Hydan uses to hide the Info.

    Hope this is helpful.
    "If you take a starving dog in off the street and make him prosperous he will not bite you, this is the principal difference between a dog and a man" - Mark Twain
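The histogram check described in post #6, as an added example that is not part of the original thread and not Hydan's own code: it counts add/sub-immediate instructions in a disassembly listing and reports how many carry a negative immediate. It assumes AT&T-syntax `objdump -d` text as input; the threshold and minimum sample count are assumed values that need a baseline from known-clean binaries, and both listings are constructed.

```python
import re

# add/sub with an immediate operand, AT&T syntax as printed by `objdump -d`.
IMM_ARITH = re.compile(r"\b(add|sub)[bwlq]?\s+\$(0x[0-9a-fA-F]+),")

def signed32(value):
    """Read an immediate as signed 32-bit (objdump prints it unsigned).
    Assumes 32/64-bit operand sizes; 8/16-bit operands are not sign-corrected."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value

def arith_profile(disassembly):
    """Count add/sub-immediate instructions, split by the sign of the immediate."""
    counts = {"add_pos": 0, "add_neg": 0, "sub_pos": 0, "sub_neg": 0}
    for line in disassembly.splitlines():
        match = IMM_ARITH.search(line)
        if match:
            sign = "neg" if signed32(int(match.group(2), 16)) < 0 else "pos"
            counts[f"{match.group(1)}_{sign}"] += 1
    return counts

def negative_fraction(counts):
    """Share of add/sub-immediate instructions that use a negative immediate."""
    total = sum(counts.values())
    return (counts["add_neg"] + counts["sub_neg"]) / total if total else 0.0

def looks_rewritten(counts, threshold=0.25, min_samples=200):
    """Flag a listing whose negative-immediate share exceeds the assumed threshold."""
    return sum(counts.values()) >= min_samples and negative_fraction(counts) > threshold

# Constructed listings: compiler-style code, then the same code with the
# add/sub forms swapped the way the thread describes.
CLEAN = """
 8048400:  83 ec 10   sub    $0x10,%esp
 8048403:  83 c0 32   add    $0x32,%eax
 8048406:  83 c4 10   add    $0x10,%esp
 8048409:  83 eb 01   sub    $0x1,%ebx
"""
SUSPECT = """
 8048400:  83 c4 f0   add    $0xfffffff0,%esp
 8048403:  83 e8 ce   sub    $0xffffffce,%eax
 8048406:  83 c4 10   add    $0x10,%esp
 8048409:  83 c3 ff   add    $0xffffffff,%ebx
"""

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("suspect", SUSPECT)):
        profile = arith_profile(text)
        print(name, profile, round(negative_fraction(profile), 2))
```

Compilers do emit an occasional negative immediate on their own, so the fraction is only meaningful against a baseline built from binaries produced by the same toolchain.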

  7. #7
    Member
    Join Date
    Feb 2003
    Posts
    95
    Hmm, so Gump you're saying that it doesn't necessarily "compress" the data... it just shifts it around, so to speak. And changes things to make them a little more efficient, when merging the two files. That's interesting! I haven't played with this program yet.. But I definitely look forward to when I have the spare time to fully explore its capabilities

  8. #8
    Member
    Join Date
    Jun 2003
    Posts
    57
    Turmoil,

    That's it, it is kind of like how S-Tools and other Stego tools use near exact matches of color to hide info in an image. There is a "Protocol" if you will, built into the program itself, in this case Hydan, that looks for those particular flags. There might be a slight change in the file size but in most cases there is not.

    But: if you have the original file and compare MD5 hashes of the two (meaning the original and the new one with the data imbedded) they will be WWWWAAAAAAYYYYYYYYYY different. This is because the actual underlying code of the executable has been changed, but it still works because it is functionally equivalent to the original.

    Give that a try and see the results if you test these things.
    "If you take a starving dog in off the street and make him prosperous he will not bite you, this is the principal difference between a dog and a man" - Mark Twain
