shinobu is a program that lets you hide files inside one or more MZPE executables (aka .exe, .dll and .sys).
The input files are compressed, optionally encrypted, and the final buffer is split among the cover files (i.e. the MZPE files that hide the data).
See shinobu help for more details.
You can pass as many input and target files as you want.
shinobu hide file1.txt file2.png ... -- target1.exe target2.exe ...shinobu hide --password mypassword file1.txt file2.png ... -- target1.exe target2.exe ...The hidden files will be extracted to output_dir.
shinobu unhide target1.exe target2.exe ... -o output_dirIf the files were encrypted when hidden, you must also provide the password:
shinobu unhide --password mypassword target1.exe target2.exe ... -o output_dir- the input files are compressed via LZMA, due to its great compression ratio, and are stored inside a ZIP archive; since the zip crate doesn't yet support LZMA, the compression is done manually via xz2 and the resulting buffers are stored as-is (this is why you'll see garbage data if you try to extract this temporary archive with another program)
- if you provide a password, the ZIP archive is encrypted via AES-256 in CBC mode along with PKCS7; for key derivation, shinobu uses Argon2id which is the de facto standard for password hashing
- the archive is split equally among all of the target files; each target file also stores the total number of parts, the part it hides, and other metadata
- the target files are parsed and the metadata is extracted
- all of the metadatas are correlated and checked; if any part is missing or there is a discrepancy, it's not possible to unhide the data
- the buffers hidden inside the files are concatenated to form the original ZIP archive
- if necessary, the archive is decrypted with the user-provided password
- the files are extracted from the archive to the output path
Several techniques came to mind:
- tampering with
e_lfanewand the MS-DOS stub- this breaks the section alignment and renders the file unexecutable, unless they are manually fixed
- creating a new section
- any MZPE parser could detect this special section, so it would be very easy to see that there's something hidden
- this could also break the alignment of the sections that follow it
Shinobu does none of those. Instead, it does the simplest thing that works: it appends all of the data to the end of the file. Yep. This doesn't break the exes in most cases.
There are a few cases in which the EXE won't run after data is appended. Executables that read themselves will obviously be impacted.
MZPE files that are signed with a digital certificate will be affected.
Some files will be seen as self-extracting archives by Windows, even if it's not the case; you can actually spot this by looking in the Properties
of the file.
- support for other file formats, so you can hide files in those as well
- support for hiding entire folders
- pretty printing (errors, progress, etc)
- a
--stripflag that removes the hidden data from the exe after it was unhidden - find another way to hide stuff in MZPE files
shinobu was created by UnexomWid. It is licensed under the MIT license.
I don't own the image shown at the beginning of this readme. That's just Shinobu.