Which way is best to implement anti-screen-capture?

I want to find a way to implement anti-screen-capture, but I have no idea how, or which way is best. I googled for a long time with no answer. People mentioned hooking the GDI/DX API, Video Filter Driver, Miniport video driver, WDDM, WDM Class filter Driver. I am not familiar with video drivers. So any idea about it? Thanks so much.

Forget it. It’s impossible. You cannot prevent screen capture without breaking applications. I could do GetPixel one pixel at a time. How would you know that wasn’t a legitimate use?

It is even less possible to prevent me from using my smart phone to take photos / video of the screen in front of me.

But, if you are not intending to prevent screen capture of all possible things, but of portions of a specific application that you control the source of, then there are some things that can be done. Not against the smart phone, of course, but certain types of software for cheating at video games etc., yes.

Hi MBond2. Yes, I don’t care about smart phones, of course. Just want to prevent portions of a specific application. How to implement that? I hope we can do it in a driver. Is that possible?

You certainly must do some in KM as well as modify your application to cooperate. As Tim says, you will certainly break applications with legitimate goals. The methods are too likely to be used to create malware, so I won’t elaborate further except to suggest you look at how you can (mis)use DirectX.

What I would advise you to do is to get yourself a copy of the following book

https://www.amazon.com/Windows-Graphics-Programming-Hewlett-Packard-Professional/dp/0130869856

I would say that this is, apparently, the only source in existence that attempts to investigate the internals of win32k.sys. Although it is not going to provide you with a precise recipe, it will at least show you the directions to investigate. In any case, it will give you much more info on the subject than you may possibly get in this NG…

Anton Bassov

I could do GetPixel one pixel at a time.

What about the scenario when the target app does not make any use of Win32 GDI/USER functions, and relies upon DirectX instead?

Anton Bassov

Just want to prevent portions of a specific application. How to implement that?

Delete the application. (Insert half smiley here.)

How do you know the application is reading the screen? You should reverse engineer the application and figure out how they’re doing it. Once you know that, the mitigation is easy.

How do you know the application is reading the screen?

The way I understand the OP’s question, he wants to guard himself against the possible presence of some hypothetical
malicious app that may try to capture the screen while his app is running, effectively getting some sensitive data.
Therefore, if this is, indeed, the case, his solution has to be a generic one…

Assuming that the target malware is in a position to load a helper driver, such a solution is, in practical terms, simply infeasible.
If it is in a position to gain access to the kernel address space, there is already nothing that prevents the target malware from guarding itself against the possible deactivation attempts, and doing it by whatever means. Therefore, it is always going to be a cat-and-mouse game no matter what…

Anton Bassov

Hi @anton_bassov, @MBond2. Thank you so much. At least you let me know a direction that can implement it. I will take a look at the book Windows Graphics Programming: Win32 GDI and DirectDraw. Hope I can make it ASAP. Thanks. Before, I was going to use an APC queue to inject a DLL into the application and then hook all the related APIs, e.g. BitBlt, but the APC is undocumented. So I am trying to directly load the DLL into the application memory to let it work, but it needs a lot of work and I am not sure it is the best way to do it. Anyway, I hope I can find a solution in that book. Thanks.

A design like this I would consider malware.

The way I understand the OP’s question, he wants to guard himself against the possible presence of some
hypothetical malicious app that may try to capture the screen while his app is running, effectively getting
some sensitive data.

That’s just you answering the question you think he SHOULD have asked. In fact, the OP explicitly stated that he has one specific application that he wants to block. I even quoted that line in my reply.

Actually, most antivirus works like malware.

Yes, malware people pay for. The privilege of making your machine work less well certainly can’t be free.

In fact, the OP explicitly stated that he has one specific application that he wants to block. I even quoted that line in my reply.

Well, the very phrase "I want to prevent portions of a specific application" does not really seem to make that much sense, does it?
Therefore, I assumed that this was just the question of the OP’s level of English.

If your interpretation is, indeed, correct… well, then this very thread right from the original post seems to be as “meaningful” as the above-mentioned phrase. Therefore, I made an assumption about the OP that was, apparently, way too optimistic. More on it below.

That’s just you answering the question you think he SHOULD have asked.

Please note that I made the post in question before the OP had started his “Is it legal to patch the windows binary self” jewel. Now I already think that your interpretation must be, indeed, correct …

Anton Bassov

Thanks for your reply, but it seems some products already implement the feature, e.g.: https://www.spyshelter.com/screen-capture-protection/

@blknit is there some reason you posted that last reply THREE TIMES… requiring me to delete two of them?

I’ve warned you about your behavior before. You’re not being a good citizen, and your sloppiness is putting you at risk of being banned.

Figured you’d want to know, before I get further annoyed.

Peter

Well, I think some antiviruses (e.g. Kaspersky) attempted to prevent screen capture by hooking the Win32k system service table. Since this is considered illegal by the Patchguard on Windows 8 and later, they took advantage of the hardware-assisted virtualization (e.g. masking their changes to the model specific registers).

I do not know whether this approach is in use still today (or whether it actually can be used on current Windows versions). It is definitely difficult to implement and unreliable by design.