PNG文件结构与CTF攻防技术详解<\/h1>

一、PNG文件基础结构<\/h2>

1. PNG文件签名<\/h3>
PNG文件以固定的8字节签名开头，用于标识文件类型：<\/p>
89 50 4E 47 0D 0A 1A 0A
<\/code><\/pre>
这8个字节是PNG文件的标识符，任何合法的PNG文件都必须以此开头。<\/p>
2. 数据块(Chunks)结构<\/h3>
PNG文件由多个数据块组成，每个数据块包含以下4个部分：<\/p>

长度(Length)<\/strong>：4字节，大端序存储，指定数据段的字节数(不包括长度、类型和CRC)<\/li>
块类型(Chunk Type)<\/strong>：4字节ASCII码，标识数据块的功能(如IHDR、IDAT等)<\/li>
数据(Chunk Data)<\/strong>：长度指定的数据内容<\/li>
CRC校验(CRC)<\/strong>：4字节，循环冗余校验码，确保数据块完整性<\/li>
<\/ol>

注意：CRC计算范围只包括块类型和数据，不包括长度字段<\/p>
<\/blockquote>
二、关键数据块详解<\/h2>
1. IHDR块(文件头数据块)<\/h3>

每个PNG图片有且只有一个IHDR块<\/li>
固定长度：13字节<\/li>
结构内容：

宽度(4字节，大端序)<\/li>
高度(4字节，大端序)<\/li>
位深度(1字节)：1、2、4、8、16<\/li>
颜色类型(1字节)：

0=灰度<\/li>
2=RGB<\/li>
3=索引颜色<\/li>
4=灰度+Alpha<\/li>
6=RGB+Alpha<\/li>
<\/ul>
<\/li>
压缩方法(1字节)：通常为0(deflate)<\/li>
滤波方法(1字节)：通常为0<\/li>
隔行扫描方法(1字节)：0=非隔行，1=Adam7隔行<\/li>
<\/ul>
<\/li>
<\/ul>
示例分析：<\/p>
00 00 00 0D 49 48 44 52 00 00 05 DA 00 00 08 8D 08 02 00 00 00 1C 4C 11 E6
<\/code><\/pre>

长度：00 00 00 0D → 13字节<\/li>
类型：49 48 44 52 → "IHDR"<\/li>
数据：

宽度：00 00 05 DA → 1498像素<\/li>
高度：00 00 08 8D → 2189像素<\/li>
位深度：08 → 8位<\/li>
颜色类型：02 → RGB模式<\/li>
压缩方式：00 → deflate<\/li>
滤波方式：00<\/li>
隔行扫描：00<\/li>
<\/ul>
<\/li>
CRC：1C 4C 11 E6<\/li>
<\/ul>
2. IDAT块(图像数据块)<\/h3>

存储压缩后的图像像素数据，使用deflate算法<\/li>
一张PNG可能有多个IDAT块，解码时按顺序拼接<\/li>
常见IDAT块大小限制为65536字节(64KB)，但理论上最大可达2GB<\/li>
DEFLATE算法：

LZ77算法：查找和替换重复的数据序列<\/li>
Huffman编码：对符号进行变长编码<\/li>
<\/ul>
<\/li>
预处理过滤器(5种类型)：

类型0：无过滤<\/li>
类型1：Sub(当前值减前一个像素值)<\/li>
类型2：Up(当前值减上一行对应位置值)<\/li>
类型3：Average(当前值减前一个和上一行像素的平均值)<\/li>
类型4：Paeth预测器<\/li>
<\/ul>
<\/li>
<\/ul>
3. IEND块(文件尾数据块)<\/h3>

固定结构：<\/li>
<\/ul>
00 00 00 00 49 45 4E 44 AE 42 60 82
<\/code><\/pre>

数据长度为0，类型为"IEND"，CRC固定为AE 42 60 82<\/li>
<\/ul>
三、辅助数据块<\/h2>
1. PLTE块(调色板)<\/h3>

定义调色板(索引颜色模式)的颜色表<\/li>
每3字节表示一个颜色(RGB)，最多256个颜色(768字节)<\/li>
必须在IDAT块之前出现<\/li>
仅当颜色类型为3时必须存在<\/li>
<\/ul>
2. 其他辅助块<\/h3>

图像显示：tRNS、bKGD、sRGB、pHYs<\/li>
颜色管理：cHRM、gAMA、iCCP、sRGB、sBIT<\/li>
元数据：tEXt、zTXt、iTXt、tIME<\/li>
调色板优化：hIST、sPLT<\/li>
<\/ul>
四、PNG攻击技术汇总<\/h2>
1. 文件插入字符信息<\/h3>

直接附加：在IEND块后添加任意数据<\/li>
使用辅助块隐藏信息：

tEXt块：存储未压缩文本，格式[关键字]\0[文本内容]<\/code><\/li>
zTXt块：存储压缩文本，格式[关键字]\0[压缩标志]\0[压缩数据]<\/code><\/li>
iTXt块：支持国际化文本，格式[关键字]\0[压缩标志]\0[压缩方式]\0[语言标签]\0[翻译关键字]\0[文本]<\/code><\/li>
自定义辅助块：块类型为小写字母开头<\/li>
<\/ul>
<\/li>
<\/ul>
2. 结构缺失\/混乱攻击<\/h3>

多个IHDR块：可能隐藏多个图像<\/li>
异常数据块顺序：可能导致解析异常<\/li>
解决方法：使用工具分析并重组合法结构<\/li>
<\/ul>
3. IDAT块隐写<\/h3>

异常IDAT块大小或数量<\/li>
隐藏额外数据在IDAT块中<\/li>
工具：TweakPNG分析处理<\/li>
<\/ul>
4. CRC宽高爆破<\/h3>

IHDR块宽高被修改但CRC未更新<\/li>
爆破原理：已知CRC和部分数据，爆破宽高值<\/li>
脚本示例：<\/li>
<\/ul>
import<\/span> zlib
<\/span><\/span>import<\/span> struct
<\/span><\/span>
<\/span><\/span>def<\/span> crc32<\/span>(data):
<\/span><\/span>    return<\/span> zlib.<\/span>crc32(data) &<\/span> 0xffffffff<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> brute_force_crc<\/span>(png_file):
<\/span><\/span>    with<\/span> open(png_file, 'rb'<\/span>) as<\/span> f:
<\/span><\/span>        data =<\/span> f.<\/span>read()
<\/span><\/span>    
<\/span><\/span>    # 定位IHDR块<\/span>
<\/span><\/span>    ihdr_pos =<\/span> data.<\/span>find(b<\/span>'IHDR'<\/span>) -<\/span> 4<\/span>
<\/span><\/span>    ihdr_data =<\/span> data[ihdr_pos:ihdr_pos+<\/span>29<\/span>]
<\/span><\/span>    
<\/span><\/span>    original_crc =<\/span> struct.<\/span>unpack('>I'<\/span>, ihdr_data[21<\/span>:25<\/span>])[0<\/span>]
<\/span><\/span>    
<\/span><\/span>    # 常见分辨率组合<\/span>
<\/span><\/span>    common_sizes =<\/span> [(800<\/span>, 600<\/span>), (1024<\/span>, 768<\/span>), (1920<\/span>, 1080<\/span>), (1280<\/span>, 720<\/span>)]
<\/span><\/span>    
<\/span><\/span>    for<\/span> width, height in<\/span> common_sizes:
<\/span><\/span>        # 构造IHDR数据<\/span>
<\/span><\/span>        new_data =<\/span> ihdr_data[8<\/span>:12<\/span>]  # IHDR<\/span>
<\/span><\/span>        new_data +=<\/span> struct.<\/span>pack('>I'<\/span>, width)
<\/span><\/span>        new_data +=<\/span> struct.<\/span>pack('>I'<\/span>, height)
<\/span><\/span>        new_data +=<\/span> ihdr_data[20<\/span>:21<\/span>]  # 剩余字段<\/span>
<\/span><\/span>        
<\/span><\/span>        # 计算CRC<\/span>
<\/span><\/span>        crc =<\/span> crc32(new_data)
<\/span><\/span>        if<\/span> crc ==<\/span> original_crc:
<\/span><\/span>            return<\/span> width, height
<\/span><\/span>    
<\/span><\/span>    return<\/span> None<\/span>
<\/span><\/span><\/code><\/pre>5. 颜色通道隐写<\/h3>
LSB隐写(最低有效位)<\/h4>

修改像素通道的最低位(第0位)<\/li>
人眼几乎无法察觉变化<\/li>
工具：stegsolve、zsteg<\/li>
<\/ul>
MSB隐写(最高有效位)<\/h4>

修改像素通道的最高位<\/li>
变化较明显但仍有隐蔽性<\/li>
<\/ul>
通道组合爆破<\/h4>

当隐写通道未知时，可爆破所有可能的通道组合<\/li>
示例脚本：<\/li>
<\/ul>
from<\/span> PIL import<\/span> Image
<\/span><\/span>import<\/span> itertools
<\/span><\/span>
<\/span><\/span>def<\/span> extract_from_channels<\/span>(image_path, dict_words):
<\/span><\/span>    img =<\/span> Image.<\/span>open(image_path)
<\/span><\/span>    pixels =<\/span> img.<\/span>load()
<\/span><\/span>    width, height =<\/span> img.<\/span>size
<\/span><\/span>    
<\/span><\/span>    # 所有可能的通道和位组合<\/span>
<\/span><\/span>    channels =<\/span> ['R'<\/span>, 'G'<\/span>, 'B'<\/span>]
<\/span><\/span>    bits =<\/span> range(8<\/span>)
<\/span><\/span>    
<\/span><\/span>    for<\/span> combo in<\/span> itertools.<\/span>product(channels, bits):
<\/span><\/span>        channel, bit =<\/span> combo
<\/span><\/span>        extracted =<\/span> []
<\/span><\/span>        
<\/span><\/span>        for<\/span> y in<\/span> range(height):
<\/span><\/span>            for<\/span> x in<\/span> range(width):
<\/span><\/span>                pixel =<\/span> pixels[x, y]
<\/span><\/span>                if<\/span> channel ==<\/span> 'R'<\/span>:
<\/span><\/span>                    val =<\/span> pixel[0<\/span>]
<\/span><\/span>                elif<\/span> channel ==<\/span> 'G'<\/span>:
<\/span><\/span>                    val =<\/span> pixel[1<\/span>]
<\/span><\/span>                else<\/span>:
<\/span><\/span>                    val =<\/span> pixel[2<\/span>]
<\/span><\/span>                
<\/span><\/span>                extracted.<\/span>append(str((val >><\/span> bit) &<\/span> 1<\/span>))
<\/span><\/span>        
<\/span><\/span>        binary =<\/span> ''<\/span>.<\/span>join(extracted)
<\/span><\/span>        # 检查是否包含字典中的关键词<\/span>
<\/span><\/span>        for<\/span> word in<\/span> dict_words:
<\/span><\/span>            if<\/span> word in<\/span> binary:
<\/span><\/span>                return<\/span> combo, binary
<\/span><\/span>    
<\/span><\/span>    return<\/span> None<\/span>
<\/span><\/span><\/code><\/pre>五、实用工具推荐<\/h2>

010 Editor<\/strong>：强大的十六进制编辑器<\/li>
TweakPNG<\/strong>：分析处理PNG数据块<\/li>
exiftool<\/strong>：提取PNG元信息<\/li>
stegsolve<\/strong>：分析颜色通道隐写<\/li>
zsteg<\/strong>：检测LSB隐写数据<\/li>
<\/ol>
六、开发脚本示例<\/h2>
1. PNG数据块分析脚本<\/h3>
import<\/span> struct
<\/span><\/span>
<\/span><\/span>def<\/span> analyze_png_chunks<\/span>(png_file):
<\/span><\/span>    with<\/span> open(png_file, 'rb'<\/span>) as<\/span> f:
<\/span><\/span>        data =<\/span> f.<\/span>read()
<\/span><\/span>    
<\/span><\/span>    # 检查PNG签名<\/span>
<\/span><\/span>    if<\/span> data[:8<\/span>] !=<\/span> b<\/span>'<\/span>\x89<\/span>PNG<\/span>\r\n\x1a\n<\/span>'<\/span>:
<\/span><\/span>        print("Not a valid PNG file"<\/span>)
<\/span><\/span>        return<\/span>
<\/span><\/span>    
<\/span><\/span>    pos =<\/span> 8<\/span>  # 跳过签名<\/span>
<\/span><\/span>    
<\/span><\/span>    while<\/span> pos <<\/span> len(data):
<\/span><\/span>        # 读取块长度<\/span>
<\/span><\/span>        length =<\/span> struct.<\/span>unpack('>I'<\/span>, data[pos:pos+<\/span>4<\/span>])[0<\/span>]
<\/span><\/span>        pos +=<\/span> 4<\/span>
<\/span><\/span>        
<\/span><\/span>        # 读取块类型<\/span>
<\/span><\/span>        chunk_type =<\/span> data[pos:pos+<\/span>4<\/span>]
<\/span><\/span>        pos +=<\/span> 4<\/span>
<\/span><\/span>        
<\/span><\/span>        # 读取块数据<\/span>
<\/span><\/span>        chunk_data =<\/span> data[pos:pos+<\/span>length]
<\/span><\/span>        pos +=<\/span> length
<\/span><\/span>        
<\/span><\/span>        # 读取CRC<\/span>
<\/span><\/span>        crc =<\/span> struct.<\/span>unpack('>I'<\/span>, data[pos:pos+<\/span>4<\/span>])[0<\/span>]
<\/span><\/span>        pos +=<\/span> 4<\/span>
<\/span><\/span>        
<\/span><\/span>        print(f<\/span>"Chunk: <\/span>{<\/span>chunk_type.<\/span>decode()}<\/span>"<\/span>)
<\/span><\/span>        print(f<\/span>"Length: <\/span>{<\/span>length}<\/span>"<\/span>)
<\/span><\/span>        print(f<\/span>"CRC: <\/span>{<\/span>hex(crc)}<\/span>"<\/span>)
<\/span><\/span>        
<\/span><\/span>        # 特殊处理IHDR块<\/span>
<\/span><\/span>        if<\/span> chunk_type ==<\/span> b<\/span>'IHDR'<\/span>:
<\/span><\/span>            width, height =<\/span> struct.<\/span>unpack('>II'<\/span>, chunk_data[:8<\/span>])
<\/span><\/span>            print(f<\/span>"Image size: <\/span>{<\/span>width}<\/span>x<\/span>{<\/span>height}<\/span>"<\/span>)
<\/span><\/span>        
<\/span><\/span>        print("---"<\/span>)
<\/span><\/span><\/code><\/pre>2. 自定义IDAT块生成脚本<\/h3>
import<\/span> zlib
<\/span><\/span>import<\/span> struct
<\/span><\/span>from<\/span> PIL import<\/span> Image
<\/span><\/span>
<\/span><\/span>def<\/span> create_png_with_custom_idat<\/span>(output_path, width, height, idat_sizes):
<\/span><\/span>    # 创建空白图像<\/span>
<\/span><\/span>    img =<\/span> Image.<\/span>new('RGB'<\/span>, (width, height), (255<\/span>, 255<\/span>, 255<\/span>))
<\/span><\/span>    
<\/span><\/span>    # 准备IHDR数据<\/span>
<\/span><\/span>    ihdr_data =<\/span> struct.<\/span>pack('>IIBBBBB'<\/span>, width, height, 8<\/span>, 2<\/span>, 0<\/span>, 0<\/span>, 0<\/span>)
<\/span><\/span>    ihdr_crc =<\/span> zlib.<\/span>crc32(b<\/span>'IHDR'<\/span> +<\/span> ihdr_data) &<\/span> 0xffffffff<\/span>
<\/span><\/span>    
<\/span><\/span>    # 准备IDAT数据<\/span>
<\/span><\/span>    raw_data =<\/span> img.<\/span>tobytes()
<\/span><\/span>    compressed =<\/span> zlib.<\/span>compress(raw_data)
<\/span><\/span>    
<\/span><\/span>    # 分割IDAT数据<\/span>
<\/span><\/span>    idat_chunks =<\/span> []
<\/span><\/span>    pos =<\/span> 0<\/span>
<\/span><\/span>    for<\/span> size in<\/span> idat_sizes:
<\/span><\/span>        chunk_data =<\/span> compressed[pos:pos+<\/span>size]
<\/span><\/span>        pos +=<\/span> size
<\/span><\/span>        if<\/span> not<\/span> chunk_data:
<\/span><\/span>            continue<\/span>
<\/span><\/span>        
<\/span><\/span>        idat_chunks.<\/span>append({
<\/span><\/span>            'length'<\/span>: len(chunk_data),
<\/span><\/span>            'type'<\/span>: 'IDAT'<\/span>,
<\/span><\/span>            'data'<\/span>: chunk_data,
<\/span><\/span>            'crc'<\/span>: zlib.<\/span>crc32(b<\/span>'IDAT'<\/span> +<\/span> chunk_data) &<\/span> 0xffffffff<\/span>
<\/span><\/span>        })
<\/span><\/span>    
<\/span><\/span>    # 构建PNG文件<\/span>
<\/span><\/span>    with<\/span> open(output_path, 'wb'<\/span>) as<\/span> f:
<\/span><\/span>        # 写入签名<\/span>
<\/span><\/span>        f.<\/span>write(b<\/span>'<\/span>\x89<\/span>PNG<\/span>\r\n\x1a\n<\/span>'<\/span>)
<\/span><\/span>        
<\/span><\/span>        # 写入IHDR<\/span>
<\/span><\/span>        f.<\/span>write(struct.<\/span>pack('>I'<\/span>, 13<\/span>))
<\/span><\/span>        f.<\/span>write(b<\/span>'IHDR'<\/span>)
<\/span><\/span>        f.<\/span>write(ihdr_data)
<\/span><\/span>        f.<\/span>write(struct.<\/span>pack('>I'<\/span>, ihdr_crc))
<\/span><\/span>        
<\/span><\/span>        # 写入IDAT块<\/span>
<\/span><\/span>        for<\/span> chunk in<\/span> idat_chunks:
<\/span><\/span>            f.<\/span>write(struct.<\/span>pack('>I'<\/span>, chunk['length'<\/span>]))
<\/span><\/span>            f.<\/span>write(chunk['type'<\/span>].<\/span>encode())
<\/span><\/span>            f.<\/span>write(chunk['data'<\/span>])
<\/span><\/span>            f.<\/span>write(struct.<\/span>pack('>I'<\/span>, chunk['crc'<\/span>]))
<\/span><\/span>        
<\/span><\/span>        # 写入IEND<\/span>
<\/span><\/span>        f.<\/span>write(struct.<\/span>pack('>I'<\/span>, 0<\/span>))
<\/span><\/span>        f.<\/span>write(b<\/span>'IEND'<\/span>)
<\/span><\/span>        f.<\/span>write(struct.<\/span>pack('>I'<\/span>, 0xAE426082<\/span>))
<\/span><\/span><\/code><\/pre>七、总结<\/h2>
PNG文件结构复杂但规范，为CTF比赛提供了丰富的出题点。掌握PNG的核心结构和常见攻击技术，能够有效解决大多数PNG相关的CTF题目。关键点包括：<\/p>

理解PNG数据块结构和校验机制<\/li>
熟悉IHDR、IDAT等关键块的解析方法<\/li>
掌握CRC宽高爆破、IDAT隐写等攻击技术<\/li>
熟练使用相关分析工具和脚本开发<\/li>
<\/ol>
通过系统学习和实践，可以逐步掌握PNG文件的深入分析和攻击技术。<\/p>