Living of f the land with python

I recently came across a powershell malware that used steganography and living of the land techniques . It was cool so i decided to make a similar poc with python . Lets clear the basics first . I will use a png image . A png image contains three compulsory channels (RGB) and an Alpha channel for transparency . I wont touch the RGB channels . I will modify the alpha channel to hide the payload

  1. First lets find an image with Alpha channel . I will use an image that that blender rendered . Blender renders by default conatain the alpha channel . You can use this image if you want
A CG version of my workspace

2. Read the image as a numpy array . I will use PIL library for this and get the size of the array

3.Read the file and store it in a string . Convert each element of the string to ASCII and store it in a list

4.Read the list and store the ascii in the alpha channel . The numpy array that we got had a size of (1920,1080,4) . Here 1920*1080 is the number of pixels where as 4 is the number of channels . Since 4th element from 0 is 3 we have to access the array something like this:img_arr[[i],[j],[3]] . A pixel value with alpha channel has a size of 32 bits or 4 bytes . We can pack 25 % of the total image size . Now loop through the array using nested for loops and modify the value of the array with the value from the list . Since my poc code was not that big i used a single loop and modified the first row in the array arr[[i],[0],[3]]. The first row had 1920 elements so at max i can cram up 1920 characters

Decoding

To decode i did the reverse of the algorithm and used the exec function to run the code in memory

The poc malware code

Note: In real world download the image from the internet and dont save it . Here is the malicious image:https://i.imgur.com/1xQiFx5.png

I am a hacker and ex-web developer . I sometime work as a freelance dev/hacker . Sometime I hunt bugs