Anti-screen capture (prevent screen captures) screenshots and anti-screenshots

Source: Internet
Author: User
Tags ssdt

1. Display the digits in an animation-like way. Only part of each digit is drawn at any moment. The human eye can still make out the digit while it is displayed dynamically, but a screenshot captures only part of it. For more information, see:

Cups.cs.cmu.edu/soups/2007/posters/p147_lim?

2. Block the system screenshot keys: Print Screen and Alt + Print Screen. The main principle is to register them as hotkeys. For details, see:

Http://www.vckbase.com/document/viewdoc? Id = 1566

 

3. Global hook. See:

Screen capture library for Windows:
Http://gpalem.web.officelive.com/screencap.html

Http://topic.csdn.net/u/20090914/00/70e6da83-906b-4db4-a3ee-d79dfd460bd6.html

This method has to cover not only GDI-based capture but also DirectX-based capture. Other capture routes cannot be ruled out either, such as the "Windows Media API for capturing the screen".

The implementation is therefore cumbersome. You have to hook as many of the relevant API functions as possible, and it is difficult to cover them all. Stability, scalability and maintainability are also poor.

 

4. Video filter drivers.

This may be better than hooking, but it is technically difficult.

Http://search.codesoso.com/Record/ddf85213-2bdf-bfae-5626-15646cefdf09_446750_1.html

Http://www.codeproject.com/Articles/Toby-Opferman

Driver Development Part 6: Introduction to display drivers


5. Shadow SSDT

After trying the virtual keyboard feature of Kaspersky 2012, we found that it has an anti-screenshot function. When the virtual keyboard is open, screenshots come out completely black. When the virtual keyboard is not open, the Kaspersky main interface cannot be captured.

Analysis with XueTr shows that Kaspersky does not install "video filter drivers". Instead, it uses Shadow SSDT hooks to prevent screenshots. The following are the Shadow SSDT hooks set by the driver klif.sys:

[code=C/C++]

[XueTr][ShadowSSDT]: 21
No.  Function name                  Current function address  Hook       Original function address  Module containing the current function address
13   NtGdiBitBlt                    0xb1ee8508                ssdt hook  0xbf809f5f                 c:\windows\system32\drivers\klif.sys
227  NtGdiMaskBlt                   0xb1ee85de                ssdt hook  0xbf8384e0                 c:\windows\system32\drivers\klif.sys
237  NtGdiPlgBlt                    0xb1ee864e                ssdt hook  0xbf943b92                 c:\windows\system32\drivers\klif.sys
292  NtGdiStretchBlt                0xb1ee8572                ssdt hook  0xbf8738a3                 c:\windows\system32\drivers\klif.sys
307  NtUserAttachThreadInput        0xb1ee8bd6                ssdt hook  0xbf8f7976                 c:\windows\system32\drivers\klif.sys
312  NtUserBuildHwndList            0xb1ee86b6                ssdt hook  0xbf835ea1                 c:\windows\system32\drivers\klif.sys
323  NtUserCallOneParam             0xb1ee84d4                ssdt hook  0xbf801067                 c:\windows\system32\drivers\klif.sys
378  NtUserFindWindowEx             0xb1ee82c8                ssdt hook  0xbf8b128c                 c:\windows\system32\drivers\klif.sys
383  NtUserGetAsyncKeyState         0xb1ee80d6                ssdt hook  0xbf8491d4                 c:\windows\system32\drivers\klif.sys
414  NtUserGetKeyboardState         0xb1ee83d6                ssdt hook  0xbf852661                 c:\windows\system32\drivers\klif.sys
416  NtUserGetKeyState              0xb1ee8122                ssdt hook  0xbf820dec                 c:\windows\system32\drivers\klif.sys
460  NtUserMessageCall              0xb1ee821a                ssdt hook  0xbf80edeb                 c:\windows\system32\drivers\klif.sys
475  NtUserPostMessage              0xb1ee816e                ssdt hook  0xbf808934                 c:\windows\system32\drivers\klif.sys
476  NtUserPostThreadMessage        0xb1ee81c2                ssdt hook  0xbf8b360c                 c:\windows\system32\drivers\klif.sys
490  NtUserRegisterHotKey           0xb1ee8c90                ssdt hook  0xbf8adc84                 c:\windows\system32\drivers\klif.sys
491  NtUserRegisterRawInputDevices  0xb1ee835e                ssdt hook  0xbf915ceb                 c:\windows\system32\drivers\klif.sys
502  NtUserSendInput                0xb1ee827a                ssdt hook  0xbf8c3117                 c:\windows\system32\drivers\klif.sys
529  NtUserSetParent                0xb1ee8a88                ssdt hook  0xbf8795b5                 c:\windows\system32\drivers\klif.sys
549  NtUserSetWindowsHookEx         0xb1ee8026                ssdt hook  0xbf852721                 c:\windows\system32\drivers\klif.sys
552  NtUserSetWinEventHook          0xb1ee807e                ssdt hook  0xbf8f0099                 c:\windows\system32\drivers\klif.sys
576  NtUserUnregisterHotKey         0xb1ee8db0                ssdt hook  0xbf912a64                 c:\windows\system32\drivers\klif.sys

[/code]

 

Some of these hooks are for anti-keylogging. The ones related to screenshots are NtGdiBitBlt, NtGdiMaskBlt, NtGdiPlgBlt, and NtGdiStretchBlt. NtUserBuildHwndList and NtUserFindWindowEx are hooked to hide the window, so that a third-party program searching for windows cannot find the protected one, which also supports the anti-screenshot function.
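The grouping described above can be applied mechanically when triaging a hook listing like this one. The following is an added example, not code from the original post or from XueTr: the row format is assumed from the listing, and the helper names (`parse_rows`, `is_hooked`, `summarize`) are hypothetical.

```python
import re
from collections import defaultdict

# Rows 13-383 are copied from the klif.sys listing (path spacing normalized).
# Row 999 is constructed: an unhooked entry still pointing into win32k.sys.
SAMPLE = r"""
13 NtGdiBitBlt 0xb1ee8508 ssdt hook 0xbf809f5f c:\windows\system32\drivers\klif.sys
292 NtGdiStretchBlt 0xb1ee8572 ssdt hook 0xbf8738a3 c:\windows\system32\drivers\klif.sys
312 NtUserBuildHwndList 0xb1ee86b6 ssdt hook 0xbf835ea1 c:\windows\system32\drivers\klif.sys
378 NtUserFindWindowEx 0xb1ee82c8 ssdt hook 0xbf8b128c c:\windows\system32\drivers\klif.sys
383 NtUserGetAsyncKeyState 0xb1ee80d6 ssdt hook 0xbf8491d4 c:\windows\system32\drivers\klif.sys
999 NtGdiConstructedExample 0xbf812345 - 0xbf812345 c:\windows\system32\win32k.sys
"""

ROW = re.compile(
    r"^\s*(\d+)\s+(\w+)\s+(0x[0-9a-f]+)\s+(.*?)\s+(0x[0-9a-f]+)\s+(\S.*?)\s*$", re.I)

# Grouping follows the article's closing paragraph. It does not assign the
# remaining NtUser* entries individually, so they are reported as "other".
CATEGORIES = {
    "screen-capture": {"ntgdibitblt", "ntgdimaskblt", "ntgdiplgblt", "ntgdistretchblt"},
    "window-hiding": {"ntuserbuildhwndlist", "ntuserfindwindowex"},
}

def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and blank lines do not match and are skipped
            idx, name, cur, _hook, orig, module = m.groups()
            rows.append({"index": int(idx), "name": name, "current": int(cur, 16),
                         "original": int(orig, 16), "module": module})
    return rows

def is_hooked(row):
    # Hooked: the entry was redirected and now lands outside win32k.sys.
    owner = row["module"].rsplit("\\", 1)[-1].lower()
    return row["current"] != row["original"] and owner != "win32k.sys"

def categorize(name):
    for label, names in CATEGORIES.items():
        if name.lower() in names:
            return label
    return "other"

def summarize(text):
    out = defaultdict(list)
    for row in parse_rows(text):
        if is_hooked(row):
            out[categorize(row["name"])].append(row["name"])
    return dict(out)
```

Calling `summarize(SAMPLE)` returns the hooked entries grouped by purpose; the constructed win32k.sys row is parsed but left out because its address was not redirected.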

Address: http://www.zhizihua.com/blog/post/501.html
