New System for Secure Cover File of Hidden Data in the Image Page within Executable File Using Statistical Steganography Techniques
Previously, traditional methods were sufficient to protect information, since the simplicity of past systems did not call for complicated methods. With the progress of information technology, however, it became easy to attack systems and to detect encryption methods, and it became necessary to find ways that parallel the differing methods used by hackers; embedding methods could also be under surveillance from system managers in an organization that requires a high level of security. This fact requires research on new hiding methods and on the cover objects in which hidden information is embedded. One result of this research is the embedding of information in executable files, but using an executable file as a cover raises challenges that must be taken into consideration: first, any changes made to the file will be detected by antivirus software; second, the functionality of the file may not be preserved. In this paper, a new information hiding system is presented. The aim of the proposed system is to hide information (a data file) within the image page of an executable file (EXE file), to make sure that changes made to the file will not be detected by antivirus software and that the EXE file still functions after the hiding process. Meanwhile, since the cover file might be used to identify hidden information, the proposed system considers overcoming this dilemma by using the executable file as a cover file.
💡 Research Summary
The paper addresses the growing inadequacy of traditional encryption methods in the face of advanced cyber‑attacks and proposes a novel steganographic system that hides arbitrary data files within the image page of a Windows executable (EXE) file. By exploiting the Portable Executable (PE) format, the authors identify the image resource section—commonly used to store bitmaps, icons, and other visual assets—as a suitable cover object they term the “image page.” This region is mapped into memory without participating in the program’s execution flow, allowing modifications that are invisible to signature‑based antivirus scanners and that do not interfere with the executable’s functionality.
The embedding process begins with compression and encryption of the payload to produce a compact byte stream. The image page is then analyzed to construct a statistical model of its pixel values (mean, variance, histogram). Using a Least‑Significant‑Bit (LSB) scheme, the payload bits are distributed across the pixel data, but each modification is constrained to keep the resulting statistics within the pre‑established tolerance limits. To minimize the embedding distortion, the authors employ an optimization routine—described as a genetic‑algorithm‑inspired bit‑placement strategy—that reduces the overall number of altered bits while preserving the statistical profile. After embedding, the altered image page is written back into the original PE file without changing the header, section table, or any code/data sections, thereby preserving the file’s hash integrity and operational semantics.
During execution, a lightweight recovery routine, launched after the main program initialization, scans the image page in memory, extracts the LSBs, and reconstructs the encrypted payload. The recovered stream is then decrypted and decompressed to retrieve the original hidden file. Because this routine runs in a separate thread and does not modify the program’s control flow, the executable continues to behave exactly as intended.
The authors evaluate the system on several dimensions. First, they compare cryptographic hash values before and after embedding, confirming that the changes are confined to the image resource and do not affect the overall checksum used by many integrity‑checking tools. Second, they submit both original and stego‑executables to multiple antivirus engines (including VirusTotal, Windows Defender, and Kaspersky). The majority of engines classify the stego‑files as clean, demonstrating effective evasion of signature‑based detection. Third, functional testing shows that the executables retain full operational capability after embedding, with no crashes or altered output. Image quality metrics such as PSNR and SSIM indicate that the visual degradation of the image page is negligible and below human perceptual thresholds.
The paper also discusses limitations. The capacity of a single image page is modest, restricting the size of payloads that can be hidden. Moreover, advanced behavior‑based analysis tools that monitor memory accesses could potentially detect the loading of a modified image resource, representing a possible attack vector. To address these concerns, the authors outline future work that includes leveraging multiple image pages, implementing dynamic key exchange mechanisms, and integrating machine‑learning‑driven camouflage techniques to further harden the system against sophisticated detection.
In summary, the proposed method demonstrates a practical and stealthy approach to data hiding within executable files, balancing the need for security, functionality preservation, and resistance to conventional malware detection mechanisms.
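From the detection side, the summary's point about keeping pixel statistics "within tolerance" matters because plain LSB replacement with a compressed, encrypted payload leaves a measurable trace: the counts of each value pair (2k, 2k+1) converge. The following is an added example, not code from the paper, of a pairs-of-values chi-square screen over pixel bytes that are assumed to have already been extracted from an image resource; the function names, the threshold and both sample buffers are constructed for illustration, and a scheme that preserves the histogram as described above is designed to pass this first-order check.

```python
import random
from collections import Counter

def pov_chi_square(pixels: bytes, min_pair_total: int = 10):
    """Return (statistic, pairs_used) for the pairs-of-values test.

    Each pair (2k, 2k+1) differs only in the LSB. Replacing LSBs with
    uniformly random bits (a compressed, encrypted payload) pushes the two
    counts in every pair towards equality.
    """
    hist = Counter(pixels)
    stat, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        total = even + odd
        if total < min_pair_total:      # too few samples to say anything
            continue
        stat += (even - odd) ** 2 / total   # chi-square(1) per pair under H0
        pairs += 1
    return stat, pairs

def looks_lsb_replaced(pixels: bytes, max_ratio: float = 2.0) -> bool:
    """Flag data whose statistic is close to its degrees of freedom.

    Under full random LSB replacement stat/pairs is about 1; max_ratio is an
    assumed screening threshold, not a calibrated p-value.
    """
    stat, pairs = pov_chi_square(pixels)
    return pairs > 0 and stat / pairs < max_ratio

def constructed_samples(n: int = 20000, seed: int = 1):
    """Build two constructed buffers: a cover with skewed LSBs, and the same
    buffer with every LSB overwritten by a random bit."""
    rng = random.Random(seed)
    cover = bytearray()
    for _ in range(n):
        v = rng.randrange(256)
        if v & 1 and rng.random() < 0.6:   # most odd values become even
            v -= 1
        cover.append(v)
    replaced = bytes((v & 0xFE) | rng.getrandbits(1) for v in cover)
    return bytes(cover), replaced

if __name__ == "__main__":
    cover, replaced = constructed_samples()
    for name, buf in (("cover", cover), ("lsb-replaced", replaced)):
        stat, pairs = pov_chi_square(buf)
        print(f"{name}: chi2/df = {stat / pairs:.2f}, flagged = {looks_lsb_replaced(buf)}")
```

A low ratio is only a screening signal: images with naturally flat pair histograms can trigger it, so flagged resources still need comparison against a known-good copy of the same executable.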