
Which way is best to implement anti-screen-capture?

blknit Member Posts: 21

I want to find a way to implement anti-screen-capture, but have no idea how and which is the best way to implement it. I googled for a long time with no answer; people mentioned hooking GDI/DX APIs, video filter drivers, miniport video drivers, WDDM, WDM class filter drivers. I am not familiar with video drivers. So any idea about it? Thanks so much.

Comments

  • Tim_Roberts Member - All Emails Posts: 13,496

    Forget it. It's impossible. You cannot prevent screen capture without breaking applications. I could do GetPixel one pixel at a time. How would you know that wasn't a legitimate use?

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • MBond2 Member Posts: 144

    It is even less possible to prevent me from using my smart phone to take photos / video of the screen in front of me.

    But, if you are not intending to prevent screen capture of all possible things, but of portions of a specific application that you control the source of, then there are some things that can be done. Not against the smart phone of course, but certain types of software for cheating at video games etc., yes.

  • blknit Member Posts: 21

    Hi MBond2. Yes, I don't care about smart phones of course. I just want to prevent it for portions of a specific application. How to implement that? I hope we can do it in a driver. Is that possible?

  • MBond2 Member Posts: 144

    You certainly must do some in KM as well as modify your application to cooperate. As Tim says, you will certainly break applications with legitimate goals. The methods are too likely to be used to create malware, so I won't elaborate further except to suggest you look at how you can (mis)use DirectX.

  • anton_bassov Member Posts: 5,162

    What I would advise you to do is to get yourself a copy of the following book

    https://www.amazon.com/Windows-Graphics-Programming-Hewlett-Packard-Professional/dp/0130869856

    I would say that this is, apparently, the only source in existence that attempts to investigate the internals of win32k.sys. Although it is not going to provide you with a precise recipe, it will at least show you the directions to investigate. In any case, it will give you much more info on the subject than you may possibly get in this NG....

    Anton Bassov

  • anton_bassov Member Posts: 5,162

    I could do GetPixel one pixel at a time.

    What about the scenario when the target app does not make any use of Win32 GDI/USER functions, and relies upon DirectX instead?

    Anton Bassov

  • Tim_Roberts Member - All Emails Posts: 13,496

    Just want to prevent portions of a specific application. How to implement that?

    Delete the application. (Insert half smiley here.)

    How do you know the application is reading the screen? You should reverse engineer the application and figure out how they're doing it. Once you know that, the mitigation is easy.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • anton_bassov Member Posts: 5,162

    How do you know the application is reading the screen?

    The way I understand the OP's question, he wants to guard himself against the possible presence of some hypothetical malicious app that may try to capture the screen while his app is running, effectively getting some sensitive data. Therefore, if this is, indeed, the case, his solution has to be a generic one.....

    Assuming that the target malware is in a position to load a helper driver, such a solution is, in practical terms, simply infeasible. If it is in a position to gain access to the kernel address space, there is already nothing that prevents the target malware from guarding itself against the possible deactivation attempts, and doing it by whatever means. Therefore, it is always going to be a cat-and-mouse game no matter what.....

    Anton Bassov

  • blknit Member Posts: 21

    Hi @anton_bassov, @MBond2, thank you so much. At least you let me know a direction that can implement it. I will take a look at the book Windows Graphics Programming: Win32 GDI and DirectDraw. Hope I can make it ASAP. Thanks. Before, I was going to use an APC queue to inject a DLL into the application and then hook all the related APIs, e.g. BitBlt, but the APC is undocumented. So I am trying to directly load the DLL into the application memory to make it work, but it needs a lot of work and I am not sure it is the best way to do it. Anyway, hope I can find a solution in that book. Thanks.

  • MBond2 Member Posts: 144

    A design like this I would consider malware.

  • Tim_Roberts Member - All Emails Posts: 13,496

    The way I understand the OP's question, he wants to guard himself against the possible presence of some hypothetical malicious app that may try to capture the screen while his app is running, effectively getting some sensitive data.

    That's just you answering the question you think he SHOULD have asked. In fact, the OP explicitly stated that he has one specific application that he wants to block. I even quoted that line in my reply.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • blknit Member Posts: 21

    Actually most of AntiVirus works like a malware.

  • MBond2 Member Posts: 144

    Yes, malware people pay for. The privilege of making your machine work less well certainly can't be free.

  • anton_bassov Member Posts: 5,162

    In fact, the OP explicitly stated that he has one specific application that he wants to block. I even quoted that line in my reply.

    Well, the very phrase "I want to prevent portions of a specific application" does not really seem to make that much sense, does it? Therefore, I assumed that this was just a question of the OP's level of English.

    If your interpretation is, indeed, correct ....well, then this very thread right from the original post seems to be as "meaningful" as the above mentioned phrase. Therefore, I made an assumption about the OP that was, apparently, way too optimistic. More on it below.

    That's just you answering the question you think he SHOULD have asked.

    Please note that I made the post in question before the OP had started his "Is it legal to patch the windows binary self" jewel. Now I already think that your interpretation must be, indeed, correct ....

    Anton Bassov

  • blknit Member Posts: 21

    Thanks for your reply, but it seems some products already implement the feature, e.g.: https://www.spyshelter.com/screen-capture-protection/

  • Peter_Viscarola_(OSR) Administrator Posts: 7,912

    @blknit is there some reason you posted that last reply THREE TIMES... requiring me to delete two of them?

    I’ve warned you about your behavior before. You’re not being a good citizen, and your sloppiness is putting you at risk of being banned.

    Figured you’d want to know, before I get further annoyed.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Martin_Dráb Member - All Emails Posts: 81

    Well, I think some antiviruses (e.g. Kaspersky) attempted to prevent screen capture by hooking the Win32k system service table. Since this is considered illegal by PatchGuard on Windows 8 and later, they took advantage of hardware-assisted virtualization (e.g. masking their changes to the model specific registers).

    I do not know whether this approach is still in use today (or whether it actually can be used on current Windows versions). It is definitely difficult to implement and unreliable by design.

    Martin Dráb
