
A handful of tricks for manipulating ooXML / zip files

zip steganography ooxml docx xlsx pptx encryption compression


#1 joakim


    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen

Posted 14 December 2011 - 11:26 AM

Just wanted to share here some of the interesting stuff I've posted at forensicfocus the last months. It's a collection of tricks and tools for hiding data (also known as steganography) inside zip based files. It can be pure zip files or ooXML documents like docx, pptx, xlsx, odf, odp etc. ooXML documents are the "newstyle" Office document format, and it is basically just a bunch of xml files zipped together in a special way (according to the specification).

The tools so far:
  • Use the zip's Extra Field to hide data. This toolsuite will inject data in many ways, and supports compression, encryption, fragmentation and timestamp manipulation. The extractor tool will autodetect such hidden content and optionally decrypt the data by a specified key. Of course, no error messages are shown when opening such documents in Office (Word, Excel, Powerpoint..), or OpenOffice... Even more interesting to notice is that digitally signed documents still appear genuine after manipulations. Follow the referenced thread at the bottom to read more details about this toolsuite. This method seems to work with most zip based stuff, and is not limited to ooXML solutions. Download; http://reboot.pro/fi...-steganography/
  • Use the signature of signed documents to hide the data. This method takes advantage of the fact that the way MS Office has implemented its signing scheme is limited by what document content is actually protected. This method is different to method 1, in that it is not the zip specification that is (ab)used, but the ooXML specification and MS Office's implementation of it. This toolsuite will compress and encode the data before injecting it into the signature file. By following the referenced thread at forensicfocus, you notice more ways to manipulate signed documents like in this method. This method is untested on documents not signed by MS Office. But I suspect it will also work for OpenOffice etc, since the method is in accordance with the ooXML specification. Seriously, the way I see it, at least MS Office's implementation seems flawed, because document metadata (for example) can be changed without invalidating the signature. Download; http://reboot.pro/fi...gnaturetweaker/
  • Make an encrypted docx (Word document) invisible. This method really uses a flaw in Word (yes, I can't imagine anything but a flaw!). By some manipulation of the file header, Word will decrypt and open an empty document, keeping the original document hidden. Also described in detail in the referenced thread. Download tool; http://reboot.pro/fi...ypteddocxhider/ For the fun, you can also download an encrypted test document; http://www.mediafire...4xsp2fw24alhxp7 Verify the empty document by using the decryption key "joakim". Then use the tool to repatch the header, and verify that a non-empty document now becomes visible. Will require Office (Word) 2007 or 2010 though. Excel and Powerpoint seem not affected by this flaw.
All tools now have separate x64 compiled binaries and are tested working OK in both x86 and x64 environments. Files also found in my mediafire account's shared folder.

If you have other interesting tricks in the same category, then let me know.

Related and interesting reading on the subject;

My original thread; http://www.forensicf...iewtopic&t=7918

I will also attach the files in the download section shortly. Edit: Now done.
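The first trick in the post relies on the zip Extra Field (a sequence of 2-byte id / 2-byte size / payload records in both the local file header and the central directory) that Office readers ignore. Below is an added example, not one of joakim's tools, of the check a reviewer or forensic examiner can run: it walks every member of a zip/ooXML file, parses both copies of the extra field, and reports any record whose id is not on a small allowlist of ids that legitimate archivers write (the allowlist and the id 0x1234 used in the constructed sample are assumptions).

```python
import io
import struct
import zipfile

# Extra-field ids routinely emitted by common zip writers (assumed allowlist);
# anything else, or bytes that form no valid record, is worth a closer look.
KNOWN_EXTRA_IDS = {0x0001: "Zip64", 0x000A: "NTFS timestamps", 0x000D: "Unix",
                   0x5455: "extended timestamps", 0x7875: "Unix uid/gid"}

def parse_extra(blob):
    """Split a raw extra-field blob into (id, payload) records; id None marks leftover bytes."""
    records, pos = [], 0
    while pos + 4 <= len(blob):
        fid, size = struct.unpack_from("<HH", blob, pos)
        if pos + 4 + size > len(blob):      # record claims more bytes than exist
            break
        records.append((fid, blob[pos + 4:pos + 4 + size]))
        pos += 4 + size
    if pos != len(blob):                    # trailing bytes forming no valid record
        records.append((None, blob[pos:]))
    return records

def local_extra(raw, info):
    """Read the extra field of the local file header, which zipfile does not expose."""
    name_len, extra_len = struct.unpack_from("<HH", raw, info.header_offset + 26)
    start = info.header_offset + 30 + name_len
    return raw[start:start + extra_len]

def scan_extra_fields(raw):
    """Return (member, header, id, payload_length) for every record not in KNOWN_EXTRA_IDS."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        for info in zf.infolist():
            for header, blob in (("central", info.extra), ("local", local_extra(raw, info))):
                for fid, payload in parse_extra(blob):
                    if fid not in KNOWN_EXTRA_IDS:
                        findings.append((info.filename, header, fid, len(payload)))
    return findings

def build_sample(hidden):
    """Constructed sample: a minimal docx-like zip whose first member carries `hidden`
    in an extra-field record with the made-up id 0x1234 (written to both headers)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zi = zipfile.ZipInfo("[Content_Types].xml")
        zi.extra = struct.pack("<HH", 0x1234, len(hidden)) + hidden
        zf.writestr(zi, "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in scan_extra_fields(build_sample(b"secret payload")):
        print(finding)
```

A clean document yields an empty list; the sample reports the unknown record once per header, so a mismatch between the two copies is itself a signal worth noting.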

#2 Brito


    Platinum Member

  • .script developer
  • 10565 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..

Posted 14 December 2011 - 12:06 PM


Thank you for the consideration, I was really thinking how the media fire links get broken so easily after a few years.


#3 AceInfinity


    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.

Posted 17 December 2011 - 04:30 AM

I've been checking into these programs, they look really good. I created an application similar to SetMACE; however, it didn't use UTC as a timezone standard, it would use the system time, therefore it wouldn't even have to compare its time to a timezone standard. These are some great tools though Joakim, amazing stuff...

#4 joakim


    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen

Posted 17 December 2011 - 10:19 AM

Since the 3 above-mentioned tools are now also hosted in the local download section (Security), I will update to the correct links in the first post.

A little warning:
Just felt like mentioning, because maybe not too obvious, that steganography in general (i.e. hidden data) can (if executable code) be executed from within its container without having been written decrypted to disk. In other words, the hidden executable code is decrypted/unpacked into memory and executed there. I'm not going to post such code, but anyways worth a note. So hidden data doesn't need to be a secret document. And I suppose it's a general stego issue with malware in general.

Regarding your timestamp tool, I would guess your tool uses the API SetFileTime..? Anyways, timestamps are a somewhat comprehensive topic on their own. The point of using UTC was to make it an NTFS specialized tool (which is UTC based and with a timestamp precision of 100 nanoseconds since 1601).
