Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTDEV

Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


privacy filter from kernel

jshepherdjshepherd Member Posts: 9
edited October 2023 in NTDEV

Hi,

I am working on a real time video processing application, as a result I am doing some processing of sensitive information in my driver, and then displaying that information on the screen. However, due to security reasons, I would like to prevent this information from being accessed directly from the host PC and thus looking to create some sort of privacy filter. For example, anytime a screenshot is happening (Print Screen, BitBlt, etc) then my driver will need to detect this and then either turn off the information OR add a black screen overlay etc. In terms of the drawing and functions, I know how to do this but I am not too familiar with how I would create the actual hook or sensing mechanism to detect WHEN a screenshot or specific function is happening from kernel. I presume this must be done with some sort of kernel hook?

Is this any example online or tutorial online that I can follow through to do this properly?

Thank you in advance

Comments

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 14,836
    edited October 2023

    How will you stop cell phone cameras? What you're talking about is fake security. A Direct3D app can get a pointer to the frame buffer and read whatever they want.

    Tim Roberts, [email protected]
    Software Wizard Emeritus

  • jshepherdjshepherd Member Posts: 9

    @Tim_Roberts said:
    How will you stop cell phone cameras? What you're talking about is fake security. A Direct3D app can get a pointer to the frame buffer and read whatever they want.

    Preventing all forms of unauthorized screen capture is truly challenging, but it's not accurate to label this security measure as 'fake.' In specific scenarios, such as proctored exams where auditors are present, external screen capture can be effectively monitored and mitigated. There are various other instances where similar precautions can be taken. In any case, I'm interested in exploring ways to enhance monitoring capabilities as in my example above, as there are useful applications in certain environments. That's why I'm seeking advice here. If you have insights on this matter, please do share

  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 636
    via Email
    Giving people a false sense of full security is both wrong and illegal (?).
    But "fake security" has been sold and actually prevented a lot. It's enough
    that it makes a difference.
    I am against killing people's ideas that early in this particular field (of
    "fake" security), originally (early 2000s) I agreed, but since then I have
    become quite against it.

    Some added securiry is better than none. Same as with the law - it does not
    detter all against doing something, but even if a few are detterred, it is
    worth it.
  • jshepherdjshepherd Member Posts: 9

    Any suggestions or tips here how to proceed? After some research it seems I would need to do some sort of detour hook, but is there some example code or tutorial I can follow as this topic is more specialized and I am unfamiliar with it

  • MBond2MBond2 Member Posts: 708

    Is your super sensitive information displayed to the use by an application that you control? If not, and it is displayed using GDI or GDI+, your task is impossible without making the program harder to use because the security boundary in Windows for GDI objects allows arbitrary communication between applications in the same desktop. The notes on MSDN for SendMessage / PostMessage are very clear on this. Also look at WindowStation and Desktop objects.

    You can also look at UM message hooking. But remember that any admin can disable or bypass your solution, and any user can disable / bypass your solution in the same desktop as the application. Software that reduces / inhibits the normal function of the OS does not help anyone.

  • jshepherdjshepherd Member Posts: 9

    @MBond2 can you elaborate? The info I'll be displaying involves a blend of text and windows GDI graphics, with most of the control coming from the driver that I developed. I'm interested in knowing if there's a method to identify the time when specific functions are invoked (such as Print Screen or alternative methods of capturing a screenshot using Windows API functions). If such a detection method exists, then I can try to hook that function so that I could would grant my driver the capability to activate a privacy filter until the screenshot is captured.

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 14,836

    There is no "Print Screen" function. It's done by doing a BitBlt from the desktop window, or a BitBlt from your application's window. However, it can also be done by using DirectDraw or Direct3D to grab a pointer to the main frame buffer, or by using the fancy Alt-Tab processing, which displays a smaller version of the window, plus probably a half-dozen other methods. And if the user has a shadow display, like VNC, then there's another driver involved that you don't own.

    I'm telling you, what you're attempting is hopeless. If this is in a corporate environment, then you TELL your users "don't PrintScreen this or you will be fired."

    Tim Roberts, [email protected]
    Software Wizard Emeritus

  • jshepherdjshepherd Member Posts: 9
    edited October 2023

    Hi Tim, I appreciate your input, but I'm struggling to grasp why you consider this method hopeless. In fact, there are many examples where I feel this could add value. For example, don't most reputable antivirus companies already employ measures to thwart screen capture attempts? This could be accomplished by intercepting API calls or functions associated with screen capture, as you pointed out, thereby deterring such efforts. Additionally, I can think of some more scenarios where implementing this could be beneficial in safeguarding or managing the environment... (anti-virus programs, anti-cheating applications, safeguarding proprietary information, preventing piracy, copyrighting, and more...)

    Anyways, assuming I want to just limit just a specific function (e.g. BitBlt), as opposed to ALL of them, I feel this should be possible. Any guidance or direction on this matter would be appreciated.

  • jshepherdjshepherd Member Posts: 9

    Hi @Tim_Roberts

    I appreciate your input, but I'm struggling to grasp why you feel this endeavor is hopeless. In fact, I feel there are many applications where this would be useful. For example, don't most reputable antivirus companies already employ measures to thwart screen capture attempts? This could be accomplished by intercepting API calls associated with screen capture, as you pointed out, thereby deterring such efforts. Additionally, I can think of numerous other scenarios where implementing this could be beneficial in safeguarding or managing the environment (anti-virus programs, anti-cheating applications, anti-piracy efforts, copyrighting and trademarking, safeguarding proprietary information, and more...).

    Anyways, with all that being said, it should be feasible and possible to be able to detect when a certain screen capture api or sys call is happening (such as BitBlt). I was hoping to receive some direction on this matter.

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 14,836

    don't most reputable antivirus companies already employ measures to thwart screen capture attempts?

    No. Why would they? Antivirus products are about keeping bad things out, not preventing access to data I already have.

    Anti-cheating is an interesting subplot, but games are Direct3D applications that own and strictly control the frame buffer, so normal things (like BitBlt) don't work anyway.

    Tim Roberts, [email protected]
    Software Wizard Emeritus

  • jshepherdjshepherd Member Posts: 9
    edited October 2023

    @Tim_Roberts said:

    don't most reputable antivirus companies already employ measures to thwart screen capture attempts?

    No. Why would they? Antivirus products are about keeping bad things out, not preventing access to data I already have.

    Anti-cheating is an interesting subplot, but games are Direct3D applications that own and strictly control the frame buffer, so normal things (like BitBlt) don't work anyway.

    Some antivirus products do indeed incorporate measures to thwart screenshots. In the event of a malicious installation, such as a trojan or rootkit, unauthorized screenshots of the entire desktop (including sensitive information like banking details) can be taken. Intercepting this action from an antivirus perspective could effectively prevent the transmission of such data.

    As for BitBlt, we can capture the entire Desktop screen, not necessarily the window handle of the game application. Of course, I agree that there are many alternative methods for someone to access this sensitive information, but ultimately, blocking these screenshots could prove to be a valuable defensive measure under many circumstances..

  • Mark_RoddyMark_Roddy Member - All Emails Posts: 4,754

    Anti-cheating tools are generally drivers that protect game executables from unwanted program access by filtering file open access requests. That approach does not work at all for screen shots of graphics displayed on the desktop. Every user has access to stuff visible on the desktop, it is more or less essential to a gui based system.

    So out of curiosity I looked to see what hideous shite was available. LockLizard (https://www.locklizard.com/stop-screenshots-grabbers/) works by tracking when the mouse leaves your protected application window(s) and slapping a mask image on top of the normal window. My guess is that this is easily defeated by using, for example, snippy's timer based snapshot, or any other mechanism that can be invoked while the mouse is 'inside' the protected window.

  • MBond2MBond2 Member Posts: 708

    It should be noted that many 'useful' things are impossible. For example, I would love to plan a money tree in my garden, but somehow it never quite works.

  • jshepherdjshepherd Member Posts: 9

    Just FYI, if you install Kaspersky and go to your banking website, click on the username field, it will use HV and hook bitblt in the kernel. This will result in every screenshot appearing as black.

    I am looking for guidance on how to implement this similar kernel hook to bitblt.

  • MBond2MBond2 Member Posts: 708

    Lots of anti-virus and 'security' software including Kaspersky implement lots of 'features' that are useless at best and more commonly plain malware. Many of these are worse than useless because they provide an illusion of security that does not exist. And they interfere with normal operations, and often have bugs that causes crashes or data corruption.

    In this example, I expect they use GDI hooks. But it is basically useless since the contents of that box can be captured via ReadProcessMemory, a memory dump created from task manager, and many other ways

  • jshepherdjshepherd Member Posts: 9

    Okay got it, let me ask another question then: Is there a more effective way to protect sensitive information displayed by my application from being accessed by other drivers or applications?

  • Mark_RoddyMark_Roddy Member - All Emails Posts: 4,754
    via Email
    As an indication of how complicated this problem is, and how it generally
    doesn't involve device drivers at all, see this write up:
    https://www.undocumented-features.com/2022/07/20/blocking-screen-capture/


    Mark Roddy
  • MBond2MBond2 Member Posts: 708

    Also, I suggest that you read up on how UAC works. You need some kind of security boundary between your special process and you can't just invent one. You have to work within the security model of the OS

  • Gregory_G._DyessGregory_G._Dyess Member - All Emails Posts: 386
    via Email
    Netflix, Amazon Prime and others do very similar to what you're wanting.  Maybe research that.
     


    On Mon, 30 Oct 2023 23:04:28 +0000 (UTC), MBond2 wrote:

    OSR https://community.osr.com/

    MBond2 commented on privacy filter from kernel

    Also, I suggest that you read up on how UAC works. You need some kind of security boundary between your special process and you can't just invent one. You have to work within the security model of the OS
  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 636
    via Email
    Note the difference between:
    - best hackers in the world can beat it
    - good admins will find a way to beat it
    - average tiktik-clicker worker will find ways around it

    Rarely is anything other than the last needed. Even the second one makes no
    sense, because admins need way to fix things.. so they must have ways to
    bypass your security.

    And hackers - need to work in the company first :) They are way more likely
    to phish stuff out of employees than even hack this stuff, unless it's
    worth Pegasus level.


    This is not to OP, I agree with making even obscurity apps, as long as the
    BUYER is not dooped into thinking it does way more. Companies understand
    this and buy such software. And they see that most employees are blocked in
    simple attempts - which is all they can ask for.



    I did such software for massive companies where even secretaries have local
    Admin rights (and could install even unsigned drivers..), but they needed
    to secure as much as possible. And were happy - even though I explicitly
    told them any admin aware of how Windows works can break it.

    Regards, Dejan.
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 13-17 May 2024 Live, Online
Developing Minifilters 1-5 Apr 2024 Live, Online
Internals & Software Drivers 11-15 Mar 2024 Live, Online
Writing WDF Drivers 20-24 May 2024 Live, Online