What is LSB Steganography?
--------------------------

Steganography is the art or science of making the existence of information undetectable by normal means. LSB is an acronym for "Least Significant Bit," and it is the last bit (the farthest right in little-endian systems) in an 8-bit byte, which modifies the value of the byte by only 1 if changed. This has little effect in many cases, such as in the data sections of image files, where changing the LSB results in a slight change in the color of a single pixel that is generally undetectable just by looking at it. If you modify the LSB of 8 sequential bytes, you can hide one byte of data. Given a large image, quite a lot of data can be hidden inside the file with little or no degradation in quality.

What is Shade?
--------------

Shade - Steganographically Hide and Analyze Data Entries.

Shade is a versatile and feature-rich program designed to analyze and manipulate the LSBs of files, attempting to either hide or retrieve hidden data. This is achieved by writing the contents of a payload file to the LSBs of an inconspicuous host file. Shade is open source software released under the terms and conditions of the GNU General Public License. See the features page on the website (http://shade.sourceforge.net) for details as to what Shade is or will be capable of.

Program Modes
-------------

Shade consists of three modes of operation. Each mode takes one argument: the path to a host file. The mode is specified by an argument passed to shade. All of these modes will acknowledge all other optional parameters passed, but are mutually exclusive with one another.

Program modes are as follows:

Evaluation mode - Determine how much data, in bytes, the passed host file can hold and print it to standard output.

    Example: shade -e host

Write mode - Inject payload file into host file. This mode requires that the argument '-p [payload]' be supplied, and will hide the 'payload' file inside the host file.
It is important to note that the host file will NOT be modified, but instead the output will be printed to standard output. You can output to a file with the '-o' option.

    Example: shade -w host -p payload

Read mode - Extract payload data from host file.

    Example: shade -r host

Program Operations
------------------

Note: In all examples, 'hfile' refers to a host file, 'pfile' refers to a payload file, and 'ofile' refers to an output file.

First you must specify an operation mode:

    -r [hfile]              Read mode: Extract payload from hfile.
    -w [hfile] -p [pfile]   Write mode: Inject pfile into hfile.
    -e [hfile]              Evaluate mode: Determine how much data host can hold.

All data is written to standard output. To write it to a file, you must use the '-o' argument as follows:

    -o [ofile]   Output to file.

By default, shade will output messages about operations it performs. You can also suppress messages with the argument '-m off' as follows:

    -m off   Suppress messages.

There are options that only affect the way data is displayed in read mode. Supplying them in another mode will not affect the behavior of the program in any way. They are as follows:

    -c   Do not print non-printing characters.
    -y   Output 1's and 0's instead of chars.

There are many operations that can be done to a host file. There are two kinds of operations, and they are either applied per-host or per-byte. We will first look at per-host arguments:

    -E       Perform on big-endian 8-bit bytes. This has not been tested, and is probably useless anyhow.
             normal payload bits by the '-s' option.
    -l [#]   Limit amount of payload to write to [#] bytes.
    -b [#]   Use [#] bits per host byte to hold payload. Must be between 1 and 8.
    -B [#]   Perform only [#] bytes of host.
    -s [#]   Skip [#] host bytes after performing each one.
    -h [#]   Skip [#] bytes at head of host.
    -t [#]   Skip [#] bytes at tail of host.
    -f [x]   Perform using pre-defined arguments for a specified file-type.
The '-f' argument tells shade to use a specified preset collection of these arguments to operate on a host file. Currently, the only supported methods are for 24-bit and 8-bit Windows bitmaps. The file-type [x] can be any of the following:

    bmp8    Windows 8-bit bitmap format. Its preset is '-h 1078'. If the argument '-h' is supplied elsewhere, its argument will be added to the preset value of 1078.
    bmp24   Windows 24-bit bitmap format. Its presets are '-h 75 -t 1'. If the argument '-h' is supplied, its argument will be added to the preset value of 75. If '-t' is supplied, it overrides the preset value.

Now we'll look at the per-byte arguments, which can be specified multiple times:

    -R BIT1 BIT2   Reverse order of bits from BIT1 to BIT2. Both must be between 1 and 8, and BIT2 must be larger than BIT1.
    -i BIT         Invert a bit. Using this option multiple times on the same bit will invert it accordingly.
    -T BIT1 BIT2   Transpose two bits. Both must be between 1 and 8.

The order in which these are specified is crucial. If you inject a host with options "-R 34 -i 1357 -T 47" then you must specify these options backwards when extracting that payload in order to get the correct data.

Example:

    shade -w host.bmp -p payload.txt -o output.bmp -f bmp24 -R 34 -i 1357 -T 47
    shade -r output.bmp -f bmp24 -o extracted.txt -T 47 -i 1357 -R 34

Notice that we are only focusing on the last three options. You can have quite a bit of fun throwing different options into the mix, scrambling your payload so that it is virtually impossible to retrieve without knowledge of how it is stored.
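
The two ideas described so far (one payload byte spread over the LSBs of 8 host bytes, and per-byte options that must be undone in reverse order) as an added Python illustration; this is not Shade's own code. It assumes bit 1 is the least significant bit, that payload bits are written most-significant first with one bit per host byte, and it uses constructed sample data.

```python
# Added illustration, not Shade's source. Assumptions: bit 1 is the least
# significant bit, payload bits go in most-significant first, one per host byte.
def reverse_bits(b, lo, hi):
    """-R lo hi: reverse the order of bits lo..hi of byte b."""
    bits = [(b >> i) & 1 for i in range(8)]
    bits[lo - 1:hi] = bits[lo - 1:hi][::-1]
    return sum(bit << i for i, bit in enumerate(bits))

def invert_bit(b, n):
    return b ^ (1 << (n - 1))  # -i n: invert bit n

def transpose_bits(b, m, n):
    """-T m n: swap bits m and n (flip both only when they differ)."""
    if ((b >> (m - 1)) ^ (b >> (n - 1))) & 1:
        b ^= (1 << (m - 1)) | (1 << (n - 1))
    return b

# Per-byte options from the example: -R 3 4 -i 1 -i 3 -i 5 -i 7 -T 4 7
OPS = [(reverse_bits, 3, 4), (invert_bit, 1), (invert_bit, 3),
       (invert_bit, 5), (invert_bit, 7), (transpose_bits, 4, 7)]

def scramble(byte, ops):
    for fn, *args in ops:
        byte = fn(byte, *args)
    return byte

def inject(host, payload, ops, head=0):
    """Scramble each payload byte, then store it in the LSBs of 8 host bytes."""
    if len(payload) * 8 > len(host) - head:
        raise ValueError("payload does not fit in host")
    out = bytearray(host)  # the host itself is left unmodified
    for i, p in enumerate(payload):
        s = scramble(p, ops)
        for k in range(8):
            out[head + i * 8 + k] = (out[head + i * 8 + k] & 0xFE) | ((s >> (7 - k)) & 1)
    return bytes(out)

def extract(host, length, ops, head=0):
    """Collect the LSBs again and undo the options in reverse order."""
    out = bytearray()
    for i in range(length):
        s = 0
        for k in range(8):
            s = (s << 1) | (host[head + i * 8 + k] & 1)
        out.append(scramble(s, ops[::-1]))
    return bytes(out)

HOST = bytes(range(64, 144))  # constructed stand-in for 80 bytes of pixel data
PAYLOAD = b"hi Shade"         # constructed payload: 8 bytes need 64 host bytes
```

Each option is its own inverse, which is why extraction needs nothing more than the same options in reverse order. The composite is a fixed, keyless substitution of byte values, so treat it as obfuscation and encrypt the payload before hiding it if confidentiality matters.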
To further elaborate on the syntax of Shade, we will examine the previous commands:

    shade -w host.bmp -p payload.txt -o output.bmp -f bmp24 -R 3 4 -i 1 -i 3 -i 5 -i 7 -T 4 7
    shade -r output.bmp -f bmp24 -o extracted.txt -T 4 7 -i 1 -i 3 -i 5 -i 7 -R 3 4

The first command injects payload.txt into host.bmp using the 24-bit Windows bitmap format presets and scrambles each byte of the payload with the last three options by first reversing payload bits 3 to 4, then inverting bits 1, 3, 5, and 7, and then transposing bits 4 and 7. The product of this is output.bmp. payload.txt and host.bmp are not altered in any way.

The second command reads output.bmp using the 24-bit Windows bitmap format presets and unscrambles the payload data with the last three options, which are now supplied in reverse order. Shade writes it all to extracted.txt, which in the end is identical to payload.txt, assuming that payload.txt was small enough to fit inside host.bmp.

Contacting the Author(s)
------------------------

Website:      http://shade.sourceforge.net
Project Page: http://www.sourceforge.net/projects/shade

Brandon Captain
  * Project Founder/Leader
  * Developer
  * Website Maintainer
  AIM:   Zeroth404
  IRC:   zeroth404 irc.freenode.net
  EMail: Zeroth404@gmail.com