Mount encrypted, hidden storage inside innocent media files.
Installation • Usage • Hybrid RAID • Technical Details • Disclaimer
MirageFS is a high-stealth steganographic filesystem built in Rust. It allows you to format and mount standard media files (.png, .jpg, .webp, .mp4, .mov, .mp3) as fully functional read/write drives.
Unlike traditional steganography tools that simply hide a static payload, MirageFS implements a virtual block device inside the media. This means you can interact with your hidden files in real-time using your OS's native file explorer (cp, mv, vim, mkdir, rmdir, etc.) without extracting them first.
Your data is secured with state-of-the-art authenticated encryption.
- Cipher: XChaCha20-Poly1305 (Extended Nonce + MAC authentication).
- KDF: Argon2id (Resistant to GPU/ASIC brute-force attacks).
- Nonce Randomization: Every block write generates a unique nonce; writing the same file twice produces completely different ciphertext.
MirageFS supports Playlist Leveling, allowing you to treat an entire album or folder of media files as a single logical drive.
- Smart JBOD: Instead of passing files individually, point MirageFS to a folder of MP3s or photos. It will automatically expand and pool them into a RAID array.
- Capacity Pooling: Transparently slice large files across multiple carrier files in a folder.
MirageFS now includes a built-in cloud uploader powered by srapi-rs to share your hidden carriers anonymously.
- Anonymous Hosting: Upload carrier files to Filebin, Temp.sh, Tmpfiles.org, or Jumpshare directly from the CLI.
- Automated Binning: Automatically create buckets/bins for your uploads and receive shareable URLs instantly.
MirageFS now ships with a stunning, self-hosted Web Management UI served directly from the binary.
- Visual File Manager: Navigate folders, view file details, and manage storage with a modern web UI.
- Drag & Drop Upload: Encrypt files instantly by dragging them into the browser window.
- Zero Client Setup: Works on any device with a web browser (Mobile/Desktop) without installing WebDAV clients.
MirageFS includes an embedded WebDAV Server.
- No Drivers Required: Works on restricted systems (corporate laptops, public computers) where you cannot install FUSE or kernel drivers.
- Network Capable: Mount your hidden drive over the LAN or VPN.
- Cross-Platform: Native integration with Windows Explorer, macOS Finder, iOS, and Android.
MirageFS freezes filesystem timestamps to a fixed value to avoid revealing activity.
- FUSE + WebDAV: Report a fixed timestamp for files and directories.
- Carrier Files: Original atime/mtime are restored after access and writes.
Note
Linux ctime cannot be user-set; MirageFS minimizes updates by restoring carrier timestamps after IO.
MirageFS introduces a sophisticated Tiered RAID 0 system that automatically balances stealth and capacity.
- Zone 1 (High Stealth): Stripes data across ALL devices (e.g., Image + Video). This maximizes entropy dilution, making the payload harder to detect forensically.
- Zone 2 (Overflow): Once static carriers (like PNGs) are full, the controller seamlessly transitions to Overflow Mode, writing remaining data exclusively to expandable carriers (MP4s).
- Result: You get the forensic safety of striping plus the massive capacity of video files in a single logical volume.
MirageFS employs distinct, format-optimized strategies to defeat forensic analysis.
| Media Format | Strategy | Stealth Technique |
|---|---|---|
| MP3 | Phantom-Sync Engine | Injects data into APIC tags using Sync-Safe Base128 encoding. This mathematically prevents audio glitches by ensuring no MP3 "Sync Words" are generated in the payload. |
| MP4 / MOV | Shadow mdat Injection |
Appends a secondary mdat atom ignored by standard players. Data is encapsulated in valid H.264 NAL Units (Type 12 "Filler Data") to look like video stream padding. |
| PNG | Feistel Bijective Mapping | Uses a Feistel Network and Cycle Walking to map logical blocks to physical pixels in |
| JPEG | DNG Morphing | Data is injected into APP1 segments mimicking valid Adobe DNG Private Data (Tag 0xC634) inside a standard TIFF structure. |
| WebP | RIFF Morphing | Similar to JPEG, data is disguised as vendor-specific metadata inside the EXIF chunk of the RIFF container. |
MirageFS is not just a key-value store; it is a compliant POSIX-like filesystem.
- Directory Support: Create nested folders (
mkdir), remove them (rmdir), and organize your data hierarchy. - Atomic Renames: Move and rename files/folders instantly (
mv). - Auto-Shrink: Deleting files triggers a "swap-and-pop" compaction. The MP4 container physically shrinks on disk to reflect the deleted data, leaving no "slack space" evidence.
MirageFS supports two modes: Native FUSE (High Performance) and WebDAV (High Compatibility).
Requires FUSE (Filesystem in Userspace) drivers installed on the host.
- Debian/Ubuntu/WSL2:
sudo apt update && sudo apt install fuse3 libfuse3-dev pkg-config - Fedora:
sudo dnf install fuse3 fuse3-devel pkg-config
- macOS: Install macFUSE.
No dependencies required! MirageFS will automatically fallback to WebDAV mode if FUSE is not detected.
# Clone the repository
git clone https://github.com/SSL-ACTX/mirage-fs.git
cd mirage-fs
# Build Release Binary
cargo build --release
# (Optional) Install globally
sudo cp target/release/mirage /usr/local/bin/mirage
Create a new secret drive inside a carrier image or video (or a combination).
Warning
This overwrites any data previously hidden in the carrier. It does not destroy the visible image/video playback, but modifies the internal bit structure.
# Syntax: mirage <MOUNT_POINT> <MEDIA_FILES...> --format
# Video Mode (Massive Capacity)
mirage /tmp/secret holiday_video.mp4 --format
# Hybrid Mode (Best Stealth: Image + Video Striping)
mirage /tmp/secret cover.png movie.mp4 --format
Run the command normally. MirageFS will attempt to mount via FUSE. If FUSE is unavailable (e.g., on Windows or restricted Linux), it will automatically start the WebDAV server.
mirage /tmp/secret cover.png movie.mp4
You can also force a local mount to be read-only:
mirage /tmp/secret cover.png --read-onlyYou can mount a remote carrier by passing an http:// or https:// URL. URL media is read-only and runs in WebDAV mode if FUSE is unavailable.
# Read-only mount from a remote image URL
mirage /tmp/secret https://example.com/secret.jpeg
# Read-only mount from a remote MP4 URL (streamed via HTTP range requests)
mirage /tmp/secret https://example.com/secret.mp4Notes:
- Remote images are downloaded to a temporary cache (read-only). Remote MP4/MOV files are streamed using byte-range reads.
--formatis not allowed with URL media.- You can set a safety cap for remote downloads with
MIRAGE_URL_MAX_BYTES(default: 2 GiB). - You can increase read-ahead for MP4 URL streaming with
MIRAGE_URL_READAHEAD(bytes, default: 524288). - Optional URL disk cache: set
MIRAGE_URL_CACHE_DIRandMIRAGE_URL_CACHE_MAX(bytes, default: 512 MiB). - Async cache writes: set
MIRAGE_URL_WRITEBACK=1. - Prefetch next range: set
MIRAGE_URL_PREFETCH=1(disabled by default).
You can access the new graphical interface by opening the server address in any web browser.
Link: http://127.0.0.1:8080 (Default)
- Authentication: Secured with Basic Auth. Use
--userand--passto customize (Default:admin/ your carrier password). - System Dashboard: A new real-time status dashboard showing filesystem health, block usage, and carrier integrity.
- File Management: Full support for Search, Instant Rename, and improved folder navigation.
- Drag & Drop: Upload files instantly to your hidden drive.
- Stats & Metrics: Real-time JSON data via
/__stats(Filesystem) and/__metrics(Network/Carrier). - Security: All web access is now protected by Basic Authentication.
You can force WebDAV mode (bypassing FUSE) to mount the drive as a Network Share. This is useful for systems without FUSE drivers or for remote access.
# Start Server on Port 8080 with custom credentials
mirage /mnt/point cover.png movie.mp4 --webdav --port 8080 --user myuser --pass mysecretHow to Access:
- Windows: Open File Explorer -> Right Click "This PC" -> "Map Network Drive" ->
http://127.0.0.1:8080 - macOS: Finder -> Go -> Connect to Server (
Cmd+K) ->http://127.0.0.1:8080 - Linux (GNOME/Nautilus): Files App -> Other Locations -> Connect to Server ->
dav://127.0.0.1:8080 - Linux (CLI):
mount -t davfs http://127.0.0.1:8080 /mnt/mountpoint
Note
When mounting as a network drive, your OS will prompt for the Username and Password configured via the CLI (Default: admin and your encryption password).
Note
Visiting the root URL (http://127.0.0.1:8080) in a browser loads the Web UI. To mount the filesystem as a native drive in your OS, you must use the "Connect to Server" / "Map Network Drive" feature of your file manager, not a web browser.
To close the drive and flush all data:
- Press
Ctrl + Cin the terminal. - Or run:
fusermount -u /tmp/secret(FUSE mode only)
Share your hidden carriers by uploading them to anonymous file hosting providers directly from MirageFS.
# Upload a single file to temp.sh (default)
mirage upload ./carrier.mp3
# Upload an entire folder of carriers to Filebin
# If no --bin-id is provided, a new one will be created automatically.
mirage upload --provider filebin ./album_folder/
# Upload to Jumpshare
mirage upload --provider jumpshare ./video_carrier.mp4Supported Providers: temp-sh, tmpfiles, jumpshare, filebin.
The MP3 format presents a unique challenge: encrypted ciphertext can accidentally generate the 12-bit "Sync Word" (0xFFE), causing audio decoders to crash or produce horrific static.
- Sync-Safe Encoding: MirageFS passes all encrypted blocks through a Base128 (Sync-Safe) expander. By forcing the Most Significant Bit (MSB) of every byte to
0, we mathematically guarantee that the byte0xFFcan never exist in the payload, ensuring 100% glitch-free playback. - Metadata Morphing: The encoded payload is hidden within a massive ID3v2
APIC(Attached Picture) frame. - Camouflage: To forensic scanners, the high-entropy data is justified by a fake JPEG header, making the payload appear to be a large, possibly corrupted, high-resolution album cover.
- VBR Spoofing: MirageFS locates and updates the
XingorInfoVBR headers to lock the track duration, ensuring the media player's seek bar remains accurate and unaffected by the injected data.
MirageFS exploits the atom structure of ISO Base Media Files (MP4/MOV).
Standard players read the moov (Movie) atom to find the location of video frames in the mdat (Media Data) atom.
- Injection: We append a second
mdatatom to the end of the file. Standard players stop reading after the firstmdat, making our payload invisible to playback. - Camouflage: Raw encrypted data looks like random noise (high entropy), which is suspicious. We wrap every encrypted block in H.264 NAL Unit headers (specifically
Type 12: Filler Data). - Result: To a forensic tool or packet inspector, the hidden data appears to be valid video stream padding/bitrate filler.
MirageFS treats the PNG pixels as a domain of size . A custom Feistel Network creates a bijective (1-to-1) permutation between the Logical Block Address and the Physical Pixel Index.
- Zero Memory Overhead: No mapping table is stored. Locations are calculated mathematically on the fly.
- Collision Avoidance: The engine smartly skips "Salt" pixels during the permutation step to ensure the RAID header is never overwritten.
When mixing static carriers (PNG/JPG) with dynamic carriers (MP4), a standard RAID 0 would be limited by the smallest drive. MirageFS uses a Tiered Controller:
- Zone 1: Data is striped across both the PNG and the MP4. This dilutes the entropy.
- Zone 2: When the PNG fills up (reaching the "Symmetric Stripe Limit"), the controller automatically detects the MP4 is expandable. It continues writing data to the MP4 only.
- Read/Write Logic: The controller calculates
Logical_Index % Device_Countfor Zone 1 addresses, and transparently re-maps higher addresses to the remaining dynamic devices.
Compressed formats like JPEG destroy LSB data. MirageFS exploits the metadata layer instead.
- Dilution: High-entropy encrypted data is expanded (7 bits → 8 bytes) to lower its statistical randomness.
- Camouflage: Data is wrapped in valid TIFF headers and labeled as
DNGPrivateData(Tag0xC634). - Result: Forensic tools ignore the data, identifying it as "proprietary Adobe metadata" rather than a suspicious payload.
Linux (Native)
Works out of the box with standard FUSE installation.Windows (WSL2 / Native)
MirageFS works perfectly on Windows via the new WebDAV Mode.- Run MirageFS:
mirage.exe X: video.mp4 --webdav - Map the drive in Explorer to
http://127.0.0.1:8080 - Enjoy your hidden drive as letter
Z:(or similar).
Legacy WSL2 FUSE: If you prefer FUSE inside WSL2, ensure
/etc/fuse.confhasuser_allow_otheruncommented.
macOS
- Preferred: Use WebDAV mode (
Cmd+K->http://127.0.0.1:8080) for zero-configuration access. - FUSE: Requires macFUSE and manual approval of kernel extensions in System Settings.
Important
For Educational and Research Use Only. MirageFS is a proof-of-concept tool designed to demonstrate advanced steganography and filesystem concepts.
- Do not use this for critical data storage without backups.
- While the encryption is strong, steganography is an arms race; a sufficiently motivated forensic adversary with knowledge of this specific tool could potentially detect the modification artifacts.
Author: Seuriin (SSL-ACTX)
v1.6.0