This is a demonstration for a computer security class. I am not responsible for anything you do with it. I simply wrote this as an educational tool for myself. For the time being it only works with images that are in a lossless, RGB format.
This uses Python 3.
This will inject the contents of malware.sh into image.bmp, and save the output as injected.bmp. The result is visually noticeable.
./inject.py image.bmp malware.sh injected.bmpThis will subtract the pixel values of image.bmp and injected.bmp and write the difference to standard output. Essentially you should be able to retrieve the text you had originally injected.
./subtract.py image.bmp injeted.bmpBe careful when copy-pasting scripts from the internet. They could be malicious. Always avoid piping directly to bash when you have not directly read the script.
Theoretically, an attacker could ask you to do something like this (Don't do it unless you know what you are about to run!):
./subtract.py image.bmp injected.bmp | bash