#!/usr/bin/env python3 """ RAT Finder - Beta steganography detection tool for 2PAC This tool is designed to detect potential steganography in images. It's part of the 2PAC toolkit but focused on security aspects. Author: Richard Young License: MIT """ import os import sys import argparse import concurrent.futures import logging import tempfile import numpy as np from pathlib import Path from PIL import Image import matplotlib.pyplot as plt from scipy import stats import colorama from tqdm import tqdm # Initialize colorama colorama.init() # Version VERSION = "0.2.0" # Set up logging def setup_logging(verbose, no_color=False): level = logging.DEBUG if verbose else logging.INFO # Define color codes if not no_color: # Color scheme COLORS = { 'DEBUG': colorama.Fore.CYAN, 'INFO': colorama.Fore.GREEN, 'WARNING': colorama.Fore.YELLOW, 'ERROR': colorama.Fore.RED, 'CRITICAL': colorama.Fore.MAGENTA + colorama.Style.BRIGHT, 'RESET': colorama.Style.RESET_ALL } # Custom formatter with colors class ColoredFormatter(logging.Formatter): def format(self, record): levelname = record.levelname if levelname in COLORS: record.levelname = f"{COLORS[levelname]}{levelname}{COLORS['RESET']}" record.msg = f"{COLORS[levelname]}{record.msg}{COLORS['RESET']}" return super().format(record) formatter = ColoredFormatter('%(asctime)s - %(levelname)s - %(message)s') else: formatter = logging.Formatter('%(asctime)s - %(levelname)s - %(message)s') handler = logging.StreamHandler() handler.setFormatter(formatter) logging.basicConfig( level=level, handlers=[handler] ) def print_banner(): """Print RAT Finder themed ASCII art banner""" banner = r""" ██████╗ █████╗ ████████╗ ███████╗██╗███╗ ██╗██████╗ ███████╗██████╗ ██╔══██╗██╔══██╗╚══██╔══╝ ██╔════╝██║████╗ ██║██╔══██╗██╔════╝██╔══██╗ ██████╔╝███████║ ██║█████╗█████╗ ██║██╔██╗ ██║██║ ██║█████╗ ██████╔╝ ██╔══██╗██╔══██║ ██║╚════╝██╔══╝ ██║██║╚██╗██║██║ ██║██╔══╝ ██╔══██╗ ██║ ██║██║ ██║ ██║ ██║ ██║██║ ╚████║██████╔╝███████╗██║ ██║ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝╚═╝ ╚═══╝╚═════╝ ╚══════╝╚═╝ ╚═╝ ╔═══════════════════════════════════════════════════════════════════════╗ ║ Steganography Detection Tool (v0.2.0) - Part of the 2PAC toolkit ║ ║ "What the eyes see and the ears hear, the mind believes" ║ ╚═══════════════════════════════════════════════════════════════════════╝ """ if 'colorama' in sys.modules: banner_lines = banner.strip().split('\n') colored_banner = [] # Color the RAT part in red, the FINDER part in blue for i, line in enumerate(banner_lines): if i < 6: # The logo lines # Add the RAT part in red part1 = line[:24] # Add the FINDER part in blue part2 = line[24:] colored_line = f"{colorama.Fore.RED}{part1}{colorama.Fore.BLUE}{part2}{colorama.Style.RESET_ALL}" colored_banner.append(colored_line) elif i >= 6 and i <= 9: # The box with text colored_banner.append(f"{colorama.Fore.YELLOW}{line}{colorama.Style.RESET_ALL}") else: colored_banner.append(f"{colorama.Fore.WHITE}{line}{colorama.Style.RESET_ALL}") print('\n'.join(colored_banner)) else: print(banner) print() #------------------------------------------------------------------------------ # STEGANOGRAPHY DETECTION TECHNIQUES #------------------------------------------------------------------------------ def perform_ela_analysis(image_path, quality=75): """ Performs Error Level Analysis (ELA) to detect manipulated areas in an image. ELA works by intentionally resaving an image at a known quality level and analyzing the differences between the original and resaved versions. Areas that have been manipulated often show up as having different error levels. Args: image_path: Path to the image quality: JPEG quality level to use for recompression (default: 75) Returns: (is_suspicious, confidence, details) """ try: # Only perform ELA on JPEG images if not image_path.lower().endswith(('.jpg', '.jpeg', '.jfif')): return False, 0, {"error": "ELA is only effective for JPEG images"} with Image.open(image_path) as original_img: # Convert to RGB if needed if original_img.mode != 'RGB': original_img = original_img.convert('RGB') # Create a temporary file for the resaved image temp_file = tempfile.NamedTemporaryFile(suffix='.jpg', delete=True) resaved_path = temp_file.name # Save the image with the specified quality original_img.save(resaved_path, quality=quality) # Read the resaved image with Image.open(resaved_path) as resaved_img: # Convert both to numpy arrays original_array = np.array(original_img).astype('int32') resaved_array = np.array(resaved_img).astype('int32') # Calculate absolute difference diff = np.abs(original_array - resaved_array) # Calculate statistics from the difference mean_diff = np.mean(diff) std_diff = np.std(diff) max_diff = np.max(diff) # Scale the differences to make them more visible (for visualization) diff_scaled = diff * 10 # Look for suspicious patterns # 1. High variance in error levels can indicate manipulation # 2. Localized areas with significantly different error levels are suspicious # 3. Unnaturally low error in complex areas can indicate steganography # Calculate local variation using sliding window approach # We're looking for areas where the difference between neighboring pixels # has unusually high or low variance # Use a simple method - check variance in blocks block_size = 8 # 8x8 blocks, common in JPEG shape = diff.shape block_variance = [] # Sample blocks throughout the image for i in range(0, shape[0] - block_size, block_size): for j in range(0, shape[1] - block_size, block_size): # Extract block for each channel for c in range(3): # RGB channels block = diff[i:i+block_size, j:j+block_size, c] block_var = np.var(block) if block_var > 0: # Avoid divisions by zero block_variance.append(block_var) if not block_variance: return False, 0, {"error": "Could not calculate block variance"} # Calculate statistics on block variances mean_block_var = np.mean(block_variance) max_block_var = np.max(block_variance) std_block_var = np.std(block_variance) # What we're looking for: # 1. Unusually high block variance in some areas (significantly above the mean) # 2. Unusually consistent error levels (too perfect - could indicate manipulation) # Determine suspiciousness based on these factors # Calculate a normalized ratio of max variance to mean variance if mean_block_var > 0: var_ratio = max_block_var / mean_block_var else: var_ratio = 0 # Calculate coefficient of variation for block variances if mean_block_var > 0: coeff_var = std_block_var / mean_block_var else: coeff_var = 0 # Heuristics based on ELA characteristics # Unusually high variation ratio can indicate manipulation is_suspicious_var_ratio = var_ratio > 50 # High coefficient of variation indicates inconsistent error levels is_suspicious_coeff_var = coeff_var > 2.0 # Unusually high mean difference can indicate manipulation is_suspicious_mean_diff = mean_diff > 15 # Combine factors is_suspicious = (is_suspicious_var_ratio or is_suspicious_coeff_var or is_suspicious_mean_diff) # Calculate confidence based on these factors confidence = 0 if is_suspicious_var_ratio: # Scale based on how extreme the ratio is confidence += min(40, var_ratio / 2) if is_suspicious_coeff_var: # Scale based on coefficient of variation confidence += min(30, coeff_var * 10) if is_suspicious_mean_diff: # Scale based on mean difference confidence += min(30, mean_diff) # Cap confidence at 90% confidence = min(confidence, 90) # Save results for return details = { "mean_diff": float(mean_diff), "max_diff": float(max_diff), "var_ratio": float(var_ratio), "coeff_var": float(coeff_var), "diff_image": diff_scaled.astype(np.uint8), # For visualization "quality_used": quality } return is_suspicious, confidence, details except Exception as e: logging.debug(f"Error performing ELA on {image_path}: {str(e)}") return False, 0, {"error": str(e)} def check_lsb_anomalies(image_path, threshold=0.03): """ Detect potential LSB steganography by analyzing bit plane patterns. Args: image_path: Path to the image threshold: Threshold for statistical anomaly detection Returns: (is_suspicious, confidence, details) """ try: with Image.open(image_path) as img: # Convert to RGB if img.mode != 'RGB': img = img.convert('RGB') # Get image data as numpy array img_array = np.array(img) # Extract least significant bits from each channel red_lsb = img_array[:,:,0] % 2 green_lsb = img_array[:,:,1] % 2 blue_lsb = img_array[:,:,2] % 2 # Calculate statistics # Chi-square test to detect non-random patterns in LSB red_chi = stats.chisquare(np.bincount(red_lsb.flatten()))[1] green_chi = stats.chisquare(np.bincount(green_lsb.flatten()))[1] blue_chi = stats.chisquare(np.bincount(blue_lsb.flatten()))[1] # Calculate entropy of the LSB plane red_entropy = stats.entropy(np.bincount(red_lsb.flatten())) green_entropy = stats.entropy(np.bincount(green_lsb.flatten())) blue_entropy = stats.entropy(np.bincount(blue_lsb.flatten())) # Suspicious if chi-square test shows non-random distribution # or if entropy is too high (close to 1 for random, lower for non-random) chi_suspicious = min(red_chi, green_chi, blue_chi) < threshold entropy_suspicious = abs(np.mean([red_entropy, green_entropy, blue_entropy]) - 1.0) > 0.1 # Calculate a confidence score (0-100%) confidence = 0 if chi_suspicious: confidence += 50 if entropy_suspicious: confidence += 30 # Additional checks for common LSB steganography patterns # Check for abnormal color distributions color_distribution = np.std([np.std(red_lsb), np.std(green_lsb), np.std(blue_lsb)]) if color_distribution < 0.1: # Suspicious if too uniform confidence += 20 is_suspicious = confidence > 50 details = { "chi_square_values": [red_chi, green_chi, blue_chi], "entropy_values": [red_entropy, green_entropy, blue_entropy], "color_distribution": color_distribution } return is_suspicious, confidence, details except Exception as e: logging.debug(f"Error analyzing LSB in {image_path}: {str(e)}") return False, 0, {"error": str(e)} def check_file_size_anomalies(image_path): """ Check if file size is suspicious compared to image dimensions. Args: image_path: Path to the image Returns: (is_suspicious, confidence, details) """ try: # Get file size file_size = os.path.getsize(image_path) with Image.open(image_path) as img: width, height = img.size pixel_count = width * height # Calculate expected file size range based on image type expected_size = 0 if image_path.lower().endswith('.png'): # PNG files have variable compression but generally follow a pattern # This is a very rough estimate expected_min = pixel_count * 0.1 # Minimum expected size expected_max = pixel_count * 3 # Maximum expected size elif image_path.lower().endswith(('.jpg', '.jpeg')): # JPEG files are typically smaller due to compression expected_min = pixel_count * 0.05 # Minimum for very compressed JPEG expected_max = pixel_count * 1.5 # Maximum for high quality JPEG else: # For other formats, use a more generic range expected_min = pixel_count * 0.1 expected_max = pixel_count * 4 # Check if file size is within expected range is_too_small = file_size < expected_min is_too_large = file_size > expected_max is_suspicious = is_too_small or is_too_large # Calculate confidence confidence = 0 if is_too_large: # More likely to contain hidden data if too large ratio = file_size / expected_max confidence = min(int((ratio - 1) * 100), 90) # Cap at 90% elif is_too_small: # Less likely but still suspicious if too small ratio = expected_min / file_size confidence = min(int((ratio - 1) * 50), 70) # Cap at 70% details = { "file_size": file_size, "expected_min": expected_min, "expected_max": expected_max, "pixel_count": pixel_count, "width": width, "height": height } return is_suspicious, confidence, details except Exception as e: logging.debug(f"Error analyzing file size in {image_path}: {str(e)}") return False, 0, {"error": str(e)} def check_histogram_anomalies(image_path): """ Analyze image histogram for unusual patterns that might indicate steganography. Args: image_path: Path to the image Returns: (is_suspicious, confidence, details) """ try: with Image.open(image_path) as img: # Convert to RGB if img.mode != 'RGB': img = img.convert('RGB') # Get image data as numpy array img_array = np.array(img) # Calculate histograms for each color channel hist_r = np.histogram(img_array[:,:,0], bins=256, range=(0, 256))[0] hist_g = np.histogram(img_array[:,:,1], bins=256, range=(0, 256))[0] hist_b = np.histogram(img_array[:,:,2], bins=256, range=(0, 256))[0] # Normalize histograms pixel_count = img_array.shape[0] * img_array.shape[1] hist_r = hist_r / pixel_count hist_g = hist_g / pixel_count hist_b = hist_b / pixel_count # Analyze histogram characteristics # 1. Check for comb patterns (alternating peaks/valleys) which can indicate LSB steganography comb_pattern_r = np.sum(np.abs(np.diff(np.diff(hist_r)))) comb_pattern_g = np.sum(np.abs(np.diff(np.diff(hist_g)))) comb_pattern_b = np.sum(np.abs(np.diff(np.diff(hist_b)))) # 2. Check for unusual peaks at specific values # LSB steganography often causes unusual spikes at even or odd values even_odd_ratio_r = np.sum(hist_r[::2]) / np.sum(hist_r[1::2]) if np.sum(hist_r[1::2]) > 0 else 1 even_odd_ratio_g = np.sum(hist_g[::2]) / np.sum(hist_g[1::2]) if np.sum(hist_g[1::2]) > 0 else 1 even_odd_ratio_b = np.sum(hist_b[::2]) / np.sum(hist_b[1::2]) if np.sum(hist_b[1::2]) > 0 else 1 # Calculate an evenness score - how far from 1.0 (perfect balance) are we? even_odd_deviation = max( abs(even_odd_ratio_r - 1.0), abs(even_odd_ratio_g - 1.0), abs(even_odd_ratio_b - 1.0) ) # 3. Calculate histogram smoothness (natural images tend to have smoother histograms) smoothness_r = np.mean(np.abs(np.diff(hist_r))) smoothness_g = np.mean(np.abs(np.diff(hist_g))) smoothness_b = np.mean(np.abs(np.diff(hist_b))) # Suspicious if large even/odd ratio deviation or high comb pattern values is_suspicious_comb = max(comb_pattern_r, comb_pattern_g, comb_pattern_b) > 0.015 is_suspicious_even_odd = even_odd_deviation > 0.1 is_suspicious_smoothness = max(smoothness_r, smoothness_g, smoothness_b) > 0.01 is_suspicious = is_suspicious_comb or is_suspicious_even_odd or is_suspicious_smoothness # Calculate confidence confidence = 0 if is_suspicious_comb: confidence += 30 if is_suspicious_even_odd: confidence += 40 if is_suspicious_smoothness: confidence += 20 # Cap confidence at 90% confidence = min(confidence, 90) details = { "comb_pattern_values": [comb_pattern_r, comb_pattern_g, comb_pattern_b], "even_odd_ratios": [even_odd_ratio_r, even_odd_ratio_g, even_odd_ratio_b], "smoothness_values": [smoothness_r, smoothness_g, smoothness_b], "even_odd_deviation": even_odd_deviation } return is_suspicious, confidence, details except Exception as e: logging.debug(f"Error analyzing histogram in {image_path}: {str(e)}") return False, 0, {"error": str(e)} def check_metadata_anomalies(image_path): """ Look for unusual metadata or metadata inconsistencies that could indicate steganography. Args: image_path: Path to the image Returns: (is_suspicious, confidence, details) """ try: with Image.open(image_path) as img: # Extract metadata (EXIF, etc) metadata = {} if hasattr(img, '_getexif') and img._getexif() is not None: metadata = {k: v for k, v in img._getexif().items()} # Check for known steganography software markers steganography_markers = [ 'outguess', 'stegano', 'steghide', 'jsteg', 'f5', 'secret', 'hidden', 'conceal', 'invisible', 'steganography' ] found_markers = [] for key, value in metadata.items(): if isinstance(value, str): value_lower = value.lower() for marker in steganography_markers: if marker in value_lower: found_markers.append((key, marker, value)) # Check for unusual metadata structure is_suspicious = len(found_markers) > 0 confidence = min(len(found_markers) * 30, 90) if is_suspicious else 0 # Check for metadata size anomalies if len(metadata) > 30: # Unusually large metadata is_suspicious = True confidence = max(confidence, 50) details = { "metadata_count": len(metadata), "suspicious_markers": found_markers } return is_suspicious, confidence, details except Exception as e: logging.debug(f"Error analyzing metadata in {image_path}: {str(e)}") return False, 0, {"error": str(e)} def check_trailing_data(image_path): """Detect suspicious data appended after the official end markers.""" try: with open(image_path, 'rb') as f: data = f.read() appended_bytes = 0 lower = image_path.lower() if lower.endswith(('.jpg', '.jpeg', '.jfif')): marker = data.rfind(b'\xFF\xD9') if marker != -1 and marker < len(data) - 2: appended_bytes = len(data) - marker - 2 elif lower.endswith('.png'): marker = data.rfind(b'\x00\x00\x00\x00IEND\xAEB\x60\x82') if marker != -1 and marker < len(data) - 12: appended_bytes = len(data) - marker - 12 else: return False, 0, {"error": "unsupported format"} is_suspicious = appended_bytes > 0 confidence = 0 if is_suspicious: ratio = appended_bytes / len(data) confidence = min(95, 50 + int(ratio * 500)) details = { "appended_bytes": appended_bytes } return is_suspicious, confidence, details except Exception as e: logging.debug(f"Error analyzing trailing data in {image_path}: {str(e)}") return False, 0, {"error": str(e)} def check_visual_noise_anomalies(image_path): """ Analyze visual noise patterns to detect potential steganography. Args: image_path: Path to the image Returns: (is_suspicious, confidence, details) """ try: with Image.open(image_path) as img: # Convert to RGB if img.mode != 'RGB': img = img.convert('RGB') # Resize if image is too large for faster processing width, height = img.size if width > 1000 or height > 1000: ratio = min(1000 / width, 1000 / height) new_width = int(width * ratio) new_height = int(height * ratio) img = img.resize((new_width, new_height)) # Get image data as numpy array img_array = np.array(img) # Apply noise detection # Calculate noise in each channel by looking at differences between adjacent pixels red_noise = np.mean(np.abs(np.diff(img_array[:,:,0], axis=0))) + np.mean(np.abs(np.diff(img_array[:,:,0], axis=1))) green_noise = np.mean(np.abs(np.diff(img_array[:,:,1], axis=0))) + np.mean(np.abs(np.diff(img_array[:,:,1], axis=1))) blue_noise = np.mean(np.abs(np.diff(img_array[:,:,2], axis=0))) + np.mean(np.abs(np.diff(img_array[:,:,2], axis=1))) # Calculate noise ratio between channels # In natural images, noise should be roughly similar across channels # Large differences might indicate steganographic content avg_noise = (red_noise + green_noise + blue_noise) / 3 noise_diffs = [abs(red_noise - avg_noise), abs(green_noise - avg_noise), abs(blue_noise - avg_noise)] max_diff_ratio = max(noise_diffs) / avg_noise if avg_noise > 0 else 0 # Suspicious if significant differences between channels is_suspicious = max_diff_ratio > 0.2 confidence = min(int(max_diff_ratio * 100), 90) if is_suspicious else 0 details = { "red_noise": red_noise, "green_noise": green_noise, "blue_noise": blue_noise, "max_diff_ratio": max_diff_ratio } return is_suspicious, confidence, details except Exception as e: logging.debug(f"Error analyzing visual noise in {image_path}: {str(e)}") return False, 0, {"error": str(e)} def analyze_image(image_path, sensitivity='medium'): """ Perform comprehensive steganography detection on an image. Args: image_path: Path to the image sensitivity: 'low', 'medium', or 'high' Returns: (is_suspicious, overall_confidence, detection_details) """ # Set threshold based on sensitivity thresholds = { 'low': 0.01, # More likely to find steganography but more false positives 'medium': 0.03, # Balanced detection 'high': 0.05 # Fewer false positives but might miss some steganography } confidence_required = { 'low': 60, # Lower bar for detection 'medium': 70, # Moderate confidence required 'high': 80 # High confidence required to report } threshold = thresholds.get(sensitivity, 0.03) min_confidence = confidence_required.get(sensitivity, 70) try: results = {} # Run all detection methods lsb_result = check_lsb_anomalies(image_path, threshold) results['lsb_analysis'] = { 'suspicious': lsb_result[0], 'confidence': lsb_result[1], 'details': lsb_result[2] } size_result = check_file_size_anomalies(image_path) results['file_size_analysis'] = { 'suspicious': size_result[0], 'confidence': size_result[1], 'details': size_result[2] } metadata_result = check_metadata_anomalies(image_path) results['metadata_analysis'] = { 'suspicious': metadata_result[0], 'confidence': metadata_result[1], 'details': metadata_result[2] } trailing_result = check_trailing_data(image_path) results['trailing_data_analysis'] = { 'suspicious': trailing_result[0], 'confidence': trailing_result[1], 'details': trailing_result[2] } noise_result = check_visual_noise_anomalies(image_path) results['visual_noise_analysis'] = { 'suspicious': noise_result[0], 'confidence': noise_result[1], 'details': noise_result[2] } # Add the new histogram analysis histogram_result = check_histogram_anomalies(image_path) results['histogram_analysis'] = { 'suspicious': histogram_result[0], 'confidence': histogram_result[1], 'details': histogram_result[2] } # Add Error Level Analysis (ELA) for JPEG images if image_path.lower().endswith(('.jpg', '.jpeg', '.jfif')): ela_result = perform_ela_analysis(image_path) results['ela_analysis'] = { 'suspicious': ela_result[0], 'confidence': ela_result[1], 'details': ela_result[2] } # Calculate overall confidence # Weight the different tests weights = { 'lsb_analysis': 0.25, # LSB is a common technique 'histogram_analysis': 0.20, # Histogram patterns are strong indicators 'file_size_analysis': 0.10, # Size can be indicative 'metadata_analysis': 0.10, # Metadata less common but useful indicator 'trailing_data_analysis': 0.10, # Detects data after EOF markers 'visual_noise_analysis': 0.15, # Visual noise can be a good indicator 'ela_analysis': 0.20 # Error Level Analysis is effective for JPEG manipulation } # Only include weights for methods that were actually run used_weights = {k: v for k, v in weights.items() if k in results} # Normalize the weights to ensure they sum to 1.0 weight_sum = sum(used_weights.values()) if weight_sum > 0: used_weights = {k: v/weight_sum for k, v in used_weights.items()} # Calculate weighted confidence overall_confidence = sum( results[key]['confidence'] * used_weights[key] for key in used_weights ) # Determine if image is suspicious overall is_suspicious = overall_confidence >= min_confidence return is_suspicious, overall_confidence, results except Exception as e: logging.debug(f"Error analyzing {image_path}: {str(e)}") return False, 0, {"error": str(e)} def process_file(args): """Process a single image file.""" image_path, sensitivity, output_dir = args try: is_suspicious, confidence, details = analyze_image(image_path, sensitivity) result = { 'path': image_path, 'suspicious': is_suspicious, 'confidence': confidence, 'details': details } # Create visual report if output directory is specified if output_dir and is_suspicious: create_visual_report(image_path, confidence, details, output_dir) return result except Exception as e: logging.debug(f"Error processing {image_path}: {str(e)}") return { 'path': image_path, 'suspicious': False, 'confidence': 0, 'details': {'error': str(e)} } def create_visual_report(image_path, confidence, details, output_dir): """ Create a visual report showing the analysis of a suspicious image. Args: image_path: Path to the analyzed image confidence: Detection confidence details: Analysis details output_dir: Directory to save report """ try: # Create output directory if it doesn't exist os.makedirs(output_dir, exist_ok=True) # Create a figure with 3x3 subplots to accommodate ELA visualization fig, axs = plt.subplots(3, 3, figsize=(15, 15)) fig.suptitle(f"Steganography Analysis: {os.path.basename(image_path)}\nConfidence: {confidence:.1f}%", fontsize=16) # Original image with Image.open(image_path) as img: axs[0, 0].imshow(img) axs[0, 0].set_title("Original Image") axs[0, 0].axis('off') # LSB visualization img_array = np.array(img.convert('RGB')) lsb_img = np.zeros_like(img_array) # Amplify LSB data by 255 for visibility lsb_img[:,:,0] = (img_array[:,:,0] % 2) * 255 lsb_img[:,:,1] = (img_array[:,:,1] % 2) * 255 lsb_img[:,:,2] = (img_array[:,:,2] % 2) * 255 axs[0, 1].imshow(lsb_img) axs[0, 1].set_title("LSB Visualization") axs[0, 1].axis('off') # ELA visualization (NEW) if 'ela_analysis' in details and 'details' in details['ela_analysis']: ela_data = details['ela_analysis']['details'] if 'diff_image' in ela_data and not isinstance(ela_data.get('error', ''), str): # Display the ELA image axs[0, 2].imshow(ela_data['diff_image']) axs[0, 2].set_title("Error Level Analysis (ELA)") axs[0, 2].axis('off') # Add annotation with key metrics metrics = [] if 'var_ratio' in ela_data: metrics.append(f"Variance ratio: {ela_data['var_ratio']:.2f}") if 'coeff_var' in ela_data: metrics.append(f"Coefficient of var: {ela_data['coeff_var']:.2f}") if 'mean_diff' in ela_data: metrics.append(f"Mean diff: {ela_data['mean_diff']:.2f}") if metrics: axs[0, 2].text(0.05, 0.05, "\n".join(metrics), transform=axs[0, 2].transAxes, fontsize=9, verticalalignment='bottom', bbox=dict(boxstyle='round,pad=0.5', facecolor='white', alpha=0.7)) else: axs[0, 2].text(0.5, 0.5, "ELA data not available", horizontalalignment='center', verticalalignment='center') axs[0, 2].axis('off') else: axs[0, 2].text(0.5, 0.5, "ELA analysis not available", horizontalalignment='center', verticalalignment='center') axs[0, 2].axis('off') # Histogram visualization if 'histogram_analysis' in details: # Create histograms for each channel hist_r = np.histogram(img_array[:,:,0], bins=256, range=(0, 256))[0] hist_g = np.histogram(img_array[:,:,1], bins=256, range=(0, 256))[0] hist_b = np.histogram(img_array[:,:,2], bins=256, range=(0, 256))[0] # Plot the histograms bin_edges = np.arange(0, 257) axs[1, 0].plot(bin_edges[:-1], hist_r, color='red', alpha=0.7) axs[1, 0].plot(bin_edges[:-1], hist_g, color='green', alpha=0.7) axs[1, 0].plot(bin_edges[:-1], hist_b, color='blue', alpha=0.7) axs[1, 0].set_title("Color Channel Histograms") axs[1, 0].set_xlabel("Pixel Value") axs[1, 0].set_ylabel("Frequency") axs[1, 0].legend(['Red', 'Green', 'Blue']) # Show odd/even distribution analysis histogram_data = details['histogram_analysis']['details'] # Get even/odd ratio values if 'even_odd_ratios' in histogram_data: even_odd_ratios = histogram_data['even_odd_ratios'] # Plot as bar chart axs[1, 1].bar(['Red', 'Green', 'Blue'], even_odd_ratios, color=['red', 'green', 'blue'], alpha=0.7) axs[1, 1].axhline(y=1.0, linestyle='--', color='gray') axs[1, 1].set_title("Even/Odd Value Ratios") axs[1, 1].set_ylabel("Ratio (1.0 = balanced)") # Annotate with explanatory text deviation = histogram_data.get('even_odd_deviation', 0) assessment = "SUSPICIOUS" if deviation > 0.1 else "NORMAL" axs[1, 1].annotate(f"Deviation: {deviation:.3f}\nAssessment: {assessment}", xy=(0.05, 0.05), xycoords='axes fraction') else: axs[1, 1].text(0.5, 0.5, "Histogram ratio data not available", horizontalalignment='center', verticalalignment='center') axs[1, 1].axis('off') else: axs[1, 0].text(0.5, 0.5, "Histogram analysis not available", horizontalalignment='center', verticalalignment='center') axs[1, 0].axis('off') axs[1, 1].axis('off') # Noise visualization if 'visual_noise_analysis' in details: noise_data = details['visual_noise_analysis']['details'] noise_values = [noise_data.get('red_noise', 0), noise_data.get('green_noise', 0), noise_data.get('blue_noise', 0)] axs[1, 2].bar(['Red', 'Green', 'Blue'], noise_values, color=['red', 'green', 'blue']) axs[1, 2].set_title("Noise Levels by Channel") axs[1, 2].set_ylabel("Noise Level") else: axs[1, 2].text(0.5, 0.5, "Noise analysis not available", horizontalalignment='center', verticalalignment='center') axs[1, 2].axis('off') # File size analysis visualization if 'file_size_analysis' in details and 'details' in details['file_size_analysis']: size_data = details['file_size_analysis']['details'] if ('file_size' in size_data and 'expected_min' in size_data and 'expected_max' in size_data and 'pixel_count' in size_data): # Create a simple bar chart comparing actual vs expected size sizes = [size_data['file_size'], size_data['expected_min'], size_data['expected_max']] labels = ['Actual Size', 'Min Expected', 'Max Expected'] colors = ['blue', 'green', 'green'] axs[2, 0].bar(labels, sizes, color=colors, alpha=0.7) axs[2, 0].set_title("File Size Analysis") axs[2, 0].set_ylabel("Size (bytes)") # Format y-axis to show human-readable sizes axs[2, 0].get_yaxis().set_major_formatter( plt.FuncFormatter(lambda x, loc: f"{x/1024:.1f}KB" if x >= 1024 else f"{x}B")) # Is it suspiciously large? is_too_large = size_data['file_size'] > size_data['expected_max'] is_too_small = size_data['file_size'] < size_data['expected_min'] if is_too_large: assessment = f"SUSPICIOUS: {(size_data['file_size'] - size_data['expected_max'])/1024:.1f}KB larger than expected" elif is_too_small: assessment = f"SUSPICIOUS: {(size_data['expected_min'] - size_data['file_size'])/1024:.1f}KB smaller than expected" else: assessment = "NORMAL: Size within expected range" axs[2, 0].annotate(assessment, xy=(0.05, 0.05), xycoords='axes fraction', fontsize=9, verticalalignment='bottom') if 'trailing_data_analysis' in details: tdata = details['trailing_data_analysis']['details'] if tdata.get('appended_bytes', 0) > 0: axs[2, 0].annotate( f"Appended data: {tdata['appended_bytes']} bytes", xy=(0.05, 0.85), xycoords='axes fraction', fontsize=9, verticalalignment='bottom', color='red' ) else: axs[2, 0].text(0.5, 0.5, "Size analysis data not available", horizontalalignment='center', verticalalignment='center') axs[2, 0].axis('off') else: axs[2, 0].text(0.5, 0.5, "Size analysis not available", horizontalalignment='center', verticalalignment='center') axs[2, 0].axis('off') # Metadata analysis visualization if 'metadata_analysis' in details and 'details' in details['metadata_analysis']: metadata = details['metadata_analysis']['details'] metadata_text = f"Total metadata entries: {metadata.get('metadata_count', 0)}\n\n" if 'suspicious_markers' in metadata and metadata['suspicious_markers']: metadata_text += "Suspicious markers found:\n" for key, marker, value in metadata['suspicious_markers'][:3]: # Show top 3 metadata_text += f"- '{marker}' in {key}\n" if len(metadata['suspicious_markers']) > 3: metadata_text += f"...and {len(metadata['suspicious_markers'])-3} more\n" else: metadata_text += "No suspicious metadata markers found" axs[2, 1].text(0.1, 0.5, metadata_text, fontsize=10, verticalalignment='center', horizontalalignment='left') axs[2, 1].set_title("Metadata Analysis") axs[2, 1].axis('off') else: axs[2, 1].text(0.5, 0.5, "Metadata analysis not available", horizontalalignment='center', verticalalignment='center') axs[2, 1].axis('off') # Overall analysis metrics axs[2, 2].axis('off') metrics_text = "Detection Confidence by Method:\n\n" for analysis_type, results in details.items(): if isinstance(results, dict) and 'confidence' in results: confidence_value = results['confidence'] if confidence_value > 70: highlight = " 🚨 HIGH" elif confidence_value > 40: highlight = " ⚠️ MEDIUM" else: highlight = "" metrics_text += f"{analysis_type.replace('_', ' ').title()}: {confidence_value:.1f}%{highlight}\n" axs[2, 2].text(0.1, 0.5, metrics_text, fontsize=10, verticalalignment='center') axs[2, 2].set_title("Overall Analysis Results") # Adjust layout plt.tight_layout(rect=[0, 0, 1, 0.95]) # Save figure report_filename = os.path.join(output_dir, f"steganalysis_{os.path.basename(image_path)}.png") plt.savefig(report_filename) plt.close() logging.debug(f"Created visual report: {report_filename}") return report_filename except Exception as e: logging.debug(f"Error creating visual report for {image_path}: {str(e)}") return None def find_image_files(directory, recursive=True): """Find all image files in a directory.""" image_extensions = ('.jpg', '.jpeg', '.png', '.bmp', '.gif', '.tiff', '.tif', '.webp') image_files = [] if recursive: for root, _, files in os.walk(directory): for file in files: if file.lower().endswith(image_extensions): image_files.append(os.path.join(root, file)) else: for file in os.listdir(directory): if os.path.isfile(os.path.join(directory, file)) and file.lower().endswith(image_extensions): image_files.append(os.path.join(directory, file)) return image_files def analyze_images(directory, sensitivity='medium', recursive=True, output_dir=None, max_workers=None): """ Analyze all images in a directory for steganography. Args: directory: Directory to scan sensitivity: 'low', 'medium', or 'high' recursive: Whether to scan subdirectories output_dir: Directory to save visual reports max_workers: Number of worker processes Returns: List of suspicious image details """ # Find all image files image_files = find_image_files(directory, recursive) if not image_files: logging.warning("No image files found!") return [] logging.info(f"Found {len(image_files)} image files to analyze") # Create output directory if specified if output_dir: os.makedirs(output_dir, exist_ok=True) logging.info(f"Visual reports will be saved to: {output_dir}") # Prepare input arguments for workers input_args = [(file_path, sensitivity, output_dir) for file_path in image_files] suspicious_images = [] # Process files in parallel with concurrent.futures.ProcessPoolExecutor(max_workers=max_workers) as executor: # Colorful progress bar results = [] futures = {executor.submit(process_file, arg): arg[0] for arg in input_args} with tqdm( total=len(image_files), desc=f"{colorama.Fore.RED}Analyzing images for steganography{colorama.Style.RESET_ALL}", unit="file", bar_format="{desc}: {percentage:3.0f}%|{bar:30}| {n_fmt}/{total_fmt} [{elapsed}<{remaining}, {rate_fmt}]", colour="red" ) as pbar: for future in concurrent.futures.as_completed(futures): file_path = futures[future] try: result = future.result() results.append(result) # Update progress pbar.update(1) # Add to suspicious images if applicable if result['suspicious']: suspicious_images.append(result) logging.info(f"Suspicious image found: {file_path} (confidence: {result['confidence']:.1f}%)") except Exception as e: logging.error(f"Error analyzing {file_path}: {str(e)}") pbar.update(1) # Sort suspicious images by confidence suspicious_images.sort(key=lambda x: x['confidence'], reverse=True) logging.info(f"Analysis complete. Found {len(suspicious_images)} suspicious images") return suspicious_images def main(): print_banner() # Check for 'q' command to quit if len(sys.argv) == 2 and sys.argv[1].lower() == 'q': print(f"{colorama.Fore.YELLOW}Exiting RAT Finder. Stay vigilant!{colorama.Style.RESET_ALL}") sys.exit(0) parser = argparse.ArgumentParser( description='RAT Finder: Steganography Detection Tool (v0.2.0)', epilog='Part of the 2PAC toolkit - Created by Richard Young' ) # Main action parser.add_argument('directory', nargs='?', help='Directory to search for images') parser.add_argument('--check-file', type=str, help='Check a specific file for steganography') # Options parser.add_argument('--sensitivity', type=str, choices=['low', 'medium', 'high'], default='medium', help='Set detection sensitivity level (default: medium)') parser.add_argument('--non-recursive', action='store_true', help='Only search in the specified directory, not subdirectories') parser.add_argument('--output', type=str, help='Save list of suspicious files to this file') parser.add_argument('--visual-reports', type=str, help='Directory to save visual analysis reports') parser.add_argument('--workers', type=int, default=None, help='Number of worker processes (default: CPU count)') parser.add_argument('--verbose', '-v', action='store_true', help='Enable verbose logging') parser.add_argument('--no-color', action='store_true', help='Disable colored output') parser.add_argument('--version', action='version', version=f'RAT Finder v{VERSION} by Richard Young') args = parser.parse_args() # Setup logging setup_logging(args.verbose, args.no_color) # Handle specific file check mode if args.check_file: file_path = args.check_file if not os.path.exists(file_path): logging.error(f"Error: File not found: {file_path}") sys.exit(1) print(f"\n{colorama.Style.BRIGHT}Analyzing file for steganography: {file_path}{colorama.Style.RESET_ALL}\n") is_suspicious, confidence, details = analyze_image(file_path, args.sensitivity) # Print results if is_suspicious: print(f"{colorama.Fore.RED}[!] SUSPICIOUS: This image may contain hidden data{colorama.Style.RESET_ALL}") print(f"Confidence: {confidence:.1f}%\n") else: print(f"{colorama.Fore.GREEN}[✓] No steganography detected in this image{colorama.Style.RESET_ALL}") print(f"Confidence: {(100 - confidence):.1f}% clean\n") # Details of analysis print(f"{colorama.Fore.CYAN}Detection Details:{colorama.Style.RESET_ALL}") for analysis_type, results in details.items(): if isinstance(results, dict) and 'confidence' in results: detection_status = f"{colorama.Fore.RED}[DETECTED]" if results['suspicious'] else f"{colorama.Fore.GREEN}[OK]" print(f"{detection_status} {analysis_type.replace('_', ' ').title()}: {results['confidence']:.1f}%{colorama.Style.RESET_ALL}") # Print specific findings if 'details' in results and isinstance(results['details'], dict): for key, value in results['details'].items(): if key != 'error': print(f" - {key}: {value}") # Create visual report if requested if args.visual_reports: report_path = create_visual_report(file_path, confidence, details, args.visual_reports) if report_path: print(f"\n{colorama.Fore.CYAN}Visual report saved to: {report_path}{colorama.Style.RESET_ALL}") sys.exit(0) # Check if directory is specified if not args.directory: logging.error("Error: You must specify a directory to scan or use --check-file for a specific file") sys.exit(1) directory = Path(args.directory) # Verify the directory exists if not directory.exists() or not directory.is_dir(): logging.error(f"Error: {directory} is not a valid directory") sys.exit(1) # Begin analysis logging.info(f"Starting steganography analysis with {args.sensitivity} sensitivity") logging.info(f"Scanning for images in {directory}") try: suspicious_images = analyze_images( directory, sensitivity=args.sensitivity, recursive=not args.non_recursive, output_dir=args.visual_reports, max_workers=args.workers ) # Print summary if suspicious_images: count_str = f"{colorama.Fore.RED}{len(suspicious_images)}{colorama.Style.RESET_ALL}" logging.info(f"Found {count_str} suspicious images that may contain hidden data") # Print top findings print("\nTop suspicious images:") for i, result in enumerate(suspicious_images[:10]): # Show top 10 confidence_color = colorama.Fore.RED if result['confidence'] > 80 else colorama.Fore.YELLOW print(f"{i+1}. {result['path']} - Confidence: {confidence_color}{result['confidence']:.1f}%{colorama.Style.RESET_ALL}") if len(suspicious_images) > 10: print(f"... and {len(suspicious_images) - 10} more") else: logging.info(f"{colorama.Fore.GREEN}No suspicious images found{colorama.Style.RESET_ALL}") # Save output if requested if args.output and suspicious_images: with open(args.output, 'w') as f: for result in suspicious_images: f.write(f"{result['path']},{result['confidence']:.1f}\n") logging.info(f"Saved list of suspicious files to {args.output}") except KeyboardInterrupt: logging.info("Operation cancelled by user") sys.exit(130) except Exception as e: logging.error(f"Error: {str(e)}") if args.verbose: import traceback traceback.print_exc() sys.exit(1) # Add signature at the end if not args.no_color: signature = f"\n{colorama.Fore.RED}RAT Finder v{VERSION} by Richard Young{colorama.Style.RESET_ALL}" tagline = f"{colorama.Fore.YELLOW}\"Uncovering what's hidden in plain sight.\"{colorama.Style.RESET_ALL}" print(signature) print(tagline) if __name__ == "__main__": main()