Embedding and Hiding Files in PDF Documents

From Didier Stevens: http://hacksec.blisque.com/

Filed under: My Software, PDF — Didier Stevens @ 6:28

My corrupted PDF quip inspired me to program another steganography trick: embed a file in a PDF document and corrupt the reference, thereby effectively making the embedded file invisible to the PDF reader.

The PDF specification provides ways to embed files in PDF documents. I’m releasing my Python program to create a PDF file with an embedded file (I used make-pdf-embedded.py to create my EICAR.pdf).

Here’s what a PDF document with an embedded file looks like:

/EmbeddedFiles points to the dictionary with the embedded files:

As names defined in the PDF specification are case sensitive, changing the case changes the semantics: /Embeddedfiles has no meaning, and thus the PDF reader ignores it and doesn’t find the embedded file.

Actually, I used this trick in my Brucon puzzle. I used the --stego option of make-pdf-embedded.py:

Of course, once you know the stego trick, it’s easy to recover the embedded file: edit the PDF document with a hex editor and change the case back to /EmbeddedFiles.

But if you want to make it harder to detect, use PDF obfuscation techniques. Or embed the file twice with incremental updates. First version is the file you want to hide, second version is a decoy…

The PDF language offers so many features to hide and obfuscate data!
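
A defender's check for the case trick described above, as an added example that is not part of the original post or of make-pdf-embedded.py: it scans raw PDF bytes for names that equal /EmbeddedFiles only when case is ignored, and also resolves the #xx escapes the PDF specification allows inside names. The function names and sample fragments are constructed for illustration, and names inside compressed object streams are not inspected.

```python
import re

CANONICAL = b"EmbeddedFiles"
# A PDF name is '/' followed by regular characters (no whitespace, no delimiters).
NAME_RE = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes, so Embedded#46iles decodes to EmbeddedFiles."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_embedded_file_names(pdf: bytes) -> list:
    """Report every spelling of /EmbeddedFiles found in the raw bytes."""
    findings = []
    for m in NAME_RE.finditer(pdf):
        raw = m.group(1)
        name = decode_name(raw)
        if name.lower() != CANONICAL.lower():
            continue
        if name != CANONICAL:
            verdict = "case-altered"   # reader ignores it, data is still present
        elif raw != CANONICAL:
            verdict = "hex-escaped"    # valid for the reader, but obfuscated
        else:
            verdict = "canonical"
        findings.append({"offset": m.start(), "raw": b"/" + raw,
                         "verdict": verdict})
    return findings


# Constructed Names-dictionary fragments (not taken from a real file).
SAMPLE_NORMAL = b"<< /Names << /EmbeddedFiles 5 0 R >> >>"
SAMPLE_STEGO = b"<< /Names << /Embeddedfiles 5 0 R >> >>"
SAMPLE_HEX = b"<< /Names << /Embedded#46iles 5 0 R >> >>"

if __name__ == "__main__":
    for label, data in (("normal", SAMPLE_NORMAL), ("stego", SAMPLE_STEGO),
                        ("hex", SAMPLE_HEX)):
        for f in scan_embedded_file_names(data):
            print(label, f["offset"], f["raw"].decode("latin-1"), f["verdict"])
```

A "case-altered" finding means the file carries an embedded-files tree that a PDF reader will not show, which is worth extracting and inspecting separately.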

Download:

make-pdf_V0_1_2.zip

About the Author: I am the I.T. Director and Information Security Officer for an ecommerce / production company. I'm also a graphic designer; musician; martial arts instructor; pilot and all around creative genius.
