
Most trojaning, spyware and keylogger tools have the ability to take screenshots. Is there a way to detect if an app or software is taking a screenshot in Windows? Maybe a Windows API call or dll?

This would be helpful for finding malware.

Anders
    Why would it be helpful for finding malware? I don't know Windows architecture that well, but if there was an API which caught "screenshot" events, and I was a malware author wanting to make screenshots, I'd be intercepting that call! – Matthew Jun 08 '16 at 07:55
  • Damn Matthew with the quick slay... I would assume that high protective applications, like anti-malware/AV would protect against this kind of threat, so I would assume there are many other applications that could defeat the Malware's "hijacking" with their own hijacking or something similar? Also, it might be possible to find screen-shots in the Log/Event-Viewer of Windows. We could assume Malware is able to mess with logs/events as well. I do think that being able to BLOCK screen shots would be important, to stop these apps, but aren't keyloggers for keystrokes? – XaolingBao Jun 08 '16 at 08:14
  • @Matthew I'm not talking about the normal `Screenshot` shortcut. It's rather screenshots by apps. Most keyloggers I experimented with take screenshots every few seconds or minutes. –  Jun 08 '16 at 08:14
  • @Wally Yes, I know. Either it uses a standard method (if one exists), in which case you can intercept it (but so can they), or it uses a non-standard method, in which case it wouldn't trigger such an API. It's even possible to have a programmatic trigger sending a key press of the PrtScn button. – Matthew Jun 08 '16 at 08:22
  • Used to be you could trivially take a screenshot by making a borderless no-background fullscreen window with an OpenGL context (almost guaranteed that it works with D3D too) and read back the window's pixels without clearing first. Probably still works 10 years later, why wouldn't it. How do you want to prevent someone from doing that? It's entirely legal to read back the buffer, and it doesn't use any API that is in some way "restricted" or "shady" or that needs elevation or special rights. – Damon Jun 08 '16 at 08:34
  • @Damon so essentially having an "OpenGL Canvas" except it's blank and just shows what's behind it, i.e., desktop? I would assume that you could only screen shot the canvas you are in, i.e., the OpenGL Canvas? From what I've seen The OpenGL Canvas is separated from other windows? This is rather interesting, care to explain more about it? Thanks a lot :). – XaolingBao Jun 08 '16 at 08:38
  • @Lasagna: If you use double buffering, then obviously your "canvas" is separated. If you don't, then, well, it's... something different. Strictly, it's undefined what the contents are if you don't clear (initialize) it. In practice, it used to be just what is in the framebuffer. Mileage may vary with DWM involved, though. – Damon Jun 08 '16 at 10:58
  • I feel this question is better suited for StackOverflow. The answer will come down to coding, and I don't believe that the loosely referenced "helps with malware" is enough to keep it in the security realm. – RoraΖ Jun 08 '16 at 12:19

2 Answers

1

My answer would require writing some code. I'm only posting this answer because you mentioned a programming-related solution in your question.

Ever since Windows Vista, the Windows kernel raises an event for basically every single thing that happens on your computer. Microsoft provides a library called TraceEvent for .NET that makes it absolutely trivial to hook into these events.

For detecting a screenshot, you could monitor memory write events, file write events and so on. You can also hook into notifications for socket IO and the like. You can do all of this in around 30 lines of code.

From there, depending on how invasive and thorough you want to be, you could do a number of things. You could hook calls in the unknown processes such as Winsock's send function, and wind up scraping a copy of all data that the process writes to a socket, and check it. You could look for a JPEG or PNG header in scraped data and fire off the alarm bells if you find one. You could open and analyze files it writes, etc.

It's at this point that things can get complicated, but you could probably hook the send function with a library like EasyHook with a hundred or so LOC.

Another approach would be to look at what libraries/WinAPI functions such an application would need to load to perform this function. You can detect when a process starts and when it loads an assembly (.dll) with these kernel events, so you could just look for the right (or wrong) combination of loaded assemblies. You could automatically hook WinAPI or OpenGL or DirectX functions that provide screen capture capability in every process that starts up, and directly monitor when applications access these capabilities.

For more information about this general approach you can see my other answer here.

I'd like to make it clear that the only thing I'm advertising as being easy is the process of hooking right into the heart of the OS and getting notifications about things happening. The art of correctly using this data to effectively catch malicious code is a much, much more difficult task.
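As an added example (not the answer author's code), here is the "which libraries does a new process load" approach built on the TraceEvent library's kernel ETW session. The capture/encoder/network DLL combination is an assumed heuristic, not a published rule, and the session needs Administrator rights.

```csharp
// Added example, not from the original answer. Requires the NuGet package
// Microsoft.Diagnostics.Tracing.TraceEvent and an elevated console.
using System;
using System.Collections.Generic;
using System.IO;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;

class ScreenCaptureLoadMonitor
{
    // Assumed heuristic: a process that loads a capture-capable graphics library AND an
    // image encoder AND a network stack deserves a closer look. gdi32.dll is omitted on
    // purpose because nearly every process loads it.
    static readonly HashSet<string> Capture = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "opengl32.dll", "d3d9.dll", "d3d11.dll", "dxgi.dll" };
    static readonly HashSet<string> Encode = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "windowscodecs.dll", "gdiplus.dll" };
    static readonly HashSet<string> Network = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "ws2_32.dll", "wininet.dll", "winhttp.dll" };

    // Image names loaded so far, per PID, filled from kernel ImageLoad events.
    static readonly Dictionary<int, HashSet<string>> Loaded = new Dictionary<int, HashSet<string>>();
    static readonly HashSet<int> Flagged = new HashSet<int>();

    static void Main()
    {
        if (TraceEventSession.IsElevated() != true)
        {
            Console.Error.WriteLine("Run as Administrator: kernel ETW sessions need it.");
            return;
        }
        using var session = new TraceEventSession("ScreenCapLoadMon");
        Console.CancelKeyPress += (_, e) => { e.Cancel = true; session.Dispose(); };

        // Only judge processes whose start we observed; older ones have partial history.
        session.Source.Kernel.ProcessStart += data =>
            Loaded[data.ProcessID] = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        session.Source.Kernel.ProcessStop += data =>
            { Loaded.Remove(data.ProcessID); Flagged.Remove(data.ProcessID); };

        session.Source.Kernel.ImageLoad += data =>
        {
            if (!Loaded.TryGetValue(data.ProcessID, out var set)) return;
            set.Add(Path.GetFileName(data.FileName));
            if (Flagged.Contains(data.ProcessID)) return;
            if (set.Overlaps(Capture) && set.Overlaps(Encode) && set.Overlaps(Network))
            {
                Flagged.Add(data.ProcessID);   // report each process once
                Console.WriteLine($"[!] PID {data.ProcessID} ({data.ProcessName}) loaded capture + encoder + network libraries; inspect it.");
            }
        };

        session.EnableKernelProvider(KernelTraceEventParser.Keywords.Process |
                                     KernelTraceEventParser.Keywords.ImageLoad);
        session.Source.Process();   // blocks until the session is disposed (Ctrl+C)
    }
}
```

Expect benign hits from browsers, games and meeting software; the value of this output is as a trigger for closer inspection (command line, signer, parent process), not as a verdict.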

0

You can detect it by monitoring free space (very easy) or file writes (not that easy). The screenshots must be stored somewhere, so files will have to stack up in a not-so-obvious location.

This is the method I used, and I managed to locate and eliminate a multi-logger just by using a simple file manager.

Overmind
    What if it stores the screenshot in memory, sends it to a server and clears it from memory, all within less than 0.1s? And what if the screenshot quality is deliberately small and poor, such that a screen cap requires only a few kilobytes of space? – Potaito Jun 08 '16 at 08:33
  • Well, they could technically create a temp image of the screen shot, upload it to their servers and delete it after upload... or even take a screen shot, and send the stream directly to the server, without saving the file at all. Interesting that you were able to find something just by checking out space. – XaolingBao Jun 08 '16 at 08:33
  • It's very unlikely to happen like that. Usually, the link-ups are made quick and well-packed data are sent in a short interval. Continuously transmitting is not at all a good way to hide. – Overmind Jun 08 '16 at 08:37
  • Well, how often does the screen shot get sent to the server is the question, but you could store it in memory, and just stream it up when needed, but that might alert that there's an application using a decent amount of space, especially since screen-shots of bigger monitors are BIG, unless the quality is crapped out, but you could also save a much smaller version of the image and get a much smaller sized file/stream. Idk how these applications work, but this is my thoughts. – XaolingBao Jun 08 '16 at 08:42
  • Anything is possible, but these kinds of apps want to do the most things possible to evade detection. Memory can fill a lot faster than hard drive and also detection is again way easier if you store in memory under a certain process than dumping a randomly named file somewhere under windows/system folders. – Overmind Jun 08 '16 at 08:51
  • @Lasgana my desktop is 3200 × 1080 (two different monitors give an odd size). PrintScreen->Gimp-> export as JPG will go down to 100kiB before the text starts to be illegible, with this thread and a desktop photo showing. That's not even optimised. Disk space fluctuations from ordinary use will be greater than that. If the malware writes to your web cache folder for an open browser, you'd have to be looking hard to detect temporary file changes in there. – Chris H Jun 08 '16 at 08:57
  • "*Monitoring free space (very easy)*" - really? Would a malware author rely on storing the catch in an incrementally growing disk space area, maybe even separate files? Not preallocate and obfuscate a file or even cache the data in free space? – techraf Jun 08 '16 at 09:58
  • Most of the ones I found were storing the logs and screenshots as plain files in locations just deep enough not to be obvious. Usually, it's a folder under windows\system, named similar to legit ones. This is also valid for many official self-declared legit monitoring apps. Over-complicating things is not justified if you do not have a specific target in mind. – Overmind Jun 08 '16 at 10:27