From 51bd1265cd4f50ddd19adff664ee6e941cb10d39 Mon Sep 17 00:00:00 2001
From: akh7177
Date: Mon, 24 Feb 2025 22:08:30 +0530
Subject: [PATCH 1/4] Improve screenshot detection by modifying capture-screenshot.yml to include GDI, GDIP and DirectX API calls
---
 collection/screenshot/capture-screenshot.yml | 49 ++++++++++++++++++++
 1 file changed, 49 insertions(+)
diff --git a/collection/screenshot/capture-screenshot.yml b/collection/screenshot/capture-screenshot.yml
index 75ceb5537..fa879a85f 100644
--- a/collection/screenshot/capture-screenshot.yml
+++ b/collection/screenshot/capture-screenshot.yml
@@ -6,6 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 - "@_re_fox"
 - michael.hunhoff@mandiant.com
+ - "Abhyuday K Hegde"
 scopes:
 static: function
 dynamic: span of calls
@@ -17,7 +18,10 @@ rule:
 - BFB9B5391A13D0AFD787E87AB90F14F5:0x1314610A
 - 7204e3efc2434012e13ca939db0d0b02:0x414070
 - 50D5EE1CE2CA5E30C6B1019EE64EEEC2:0x406E07
+ - 333cf4a403f2dbd56e2509eb2f1d8922:0x140002180
+ - de5f2dd641b3e75eea6e4575b0ba4a48:0x140002180
 features:
+ # Classic GDI Capture
 - or:
 - and:
 - or:
@@ -43,3 +47,48 @@ rule:
 - and:
 - api: BitBlt
 - api: System.Drawing.Graphics::CopyFromScreen
+
+ - and:
+ - or:
+ - api: "GetDC"
+ - and:
+ - api: "CreateDC"
+ - optional:
+ - string: "DISPLAY"
+ - or:
+ - and:
+ - api: "SelectObject"
+ - api: "DrawText"
+ - and:
+ - api: "CreateCompatibleDC"
+ - api: "CreateCompatibleBitmap"
+ - or:
+ - api: "BitBlt"
+ - api: "StretchBlt"
+ - api: "PrintWindow"
+
+ # GDI+ Graphics API chain
+ - and:
+ - api: "GdipCreateBitmapFromScan0"
+ - api: "GdipGetImageGraphicsContext"
+ - api: "GdipGetDC"
+
+ # Direct GDI+ screen copy
+
+ - and:
+ - api: "Gdiplus::Graphics::FromHDC"
+ - api: "Gdiplus::Graphics::CopyFromScreen"
+
+ # DirectX method of screen capture
+ - and:
+ - or:
+ - api: "PrintWindow"
+ - api: "StretchBlt"
+ - and:
+ - api: "DwmGetDxSharedSurface"
+ - optional:
+ - string: "DXGI"
+ - or:
+ - api: "Direct3DCreate9"
+ - api: "IDirect3DDevice9::GetFrontBufferData"
+ - string: "IDirect3DSurface9::GetDC"
From 52e3a3bf97b5d29aa2f49ab59557c42a431781bf Mon Sep 17 00:00:00 2001
From: Abhyuday Hegde
Date: Wed, 26 Feb 2025 01:00:32 +0530
Subject: [PATCH 2/4] Refactor screenshot rule to remove duplication
---
 collection/screenshot/capture-screenshot.yml | 15 ++++----------
 1 file changed, 4 insertions(+), 11 deletions(-)
diff --git a/collection/screenshot/capture-screenshot.yml b/collection/screenshot/capture-screenshot.yml
index fa879a85f..0dbf75f25 100644
--- a/collection/screenshot/capture-screenshot.yml
+++ b/collection/screenshot/capture-screenshot.yml
@@ -22,14 +22,15 @@ rule:
 - de5f2dd641b3e75eea6e4575b0ba4a48:0x140002180
 features:
 # Classic GDI Capture
- - or:
+ - or:
 - and:
 - or:
 - api: user32.GetWindowDC
 - api: user32.GetDC
 - and:
 - api: gdi32.CreateDC
- - string: "DISPLAY"
+ - optional:
+ - string: "DISPLAY"
 - or:
 - api: gdi32.BitBlt
 - api: gdi32.GetDIBits
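Review bot: The `- and:` pairing `api: "Gdiplus::Graphics::FromHDC"` with `api: "Gdiplus::Graphics::CopyFromScreen"` cannot match as written: to my knowledge the GDI+ C++ `Graphics` class has no `CopyFromScreen` (that method is `System.Drawing.Graphics::CopyFromScreen`, already covered by the context lines at the top of this hunk), and `Graphics::FromHDC` is an inline header wrapper around the flat export `GdipCreateFromHDC`, so neither name shows up as an import. Either drop that block or restate it with flat exports such as `- api: GdipCreateFromHDC`, keeping in mind that GDI+ has no screen-copy primitive of its own and still needs a screen DC source to indicate capture. In the DirectX block, `- string: "IDirect3DSurface9::GetDC"` looks like it was meant to be `- api: "IDirect3DSurface9::GetDC"`, matching the sibling `api: "IDirect3DDevice9::GetFrontBufferData"`; as a string feature it only fires on binaries that carry that literal. The `and:` of `SelectObject` and `DrawText` describes text rendering rather than capture and will fire on ordinary GUI code. The new API names are also quoted and module-less while the rest of the rule uses the `gdi32.BitBlt`/`user32.GetDC` form; one style would be easier to maintain.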
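Review bot: Wrapping `- string: "DISPLAY"` in `- optional:` makes the enclosing `- and:` equivalent to `api: gdi32.CreateDC` alone, because an optional child can never fail, so any `CreateDC` caller (printer or memory DCs included) now satisfies this alternative. If the goal is to accept device names such as `\\.\DISPLAY1` that the exact `string:` match misses, keep the constraint and loosen the match instead: replace the two added lines with `- substring: "DISPLAY"`. If the intent really is to drop the string requirement, that should be stated in the commit message, since it changes what the rule means.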
@@ -47,26 +48,18 @@ rule:
 - and:
 - api: BitBlt
 - api: System.Drawing.Graphics::CopyFromScreen
-
 - and:
- - or:
- - api: "GetDC"
- - and:
- - api: "CreateDC"
- - optional:
- - string: "DISPLAY"
 - or:
 - and:
 - api: "SelectObject"
 - api: "DrawText"
 - and:
- - api: "CreateCompatibleDC"
- - api: "CreateCompatibleBitmap"
 - or:
 - api: "BitBlt"
 - api: "StretchBlt"
 - api: "PrintWindow"
+
 # GDI+ Graphics API chain
 - and:
 - api: "GdipCreateBitmapFromScan0"
From bb5a21f28478095b9bf126d90d37102d0cfb2ea4 Mon Sep 17 00:00:00 2001
From: Abhyuday Hegde
Date: Tue, 11 Mar 2025 07:37:44 +0530
Subject: [PATCH 3/4] Improve screenshot detection by modifying capture-screenshot.yml to include GDI, GDIP and DirectX API calls
---
 collection/screenshot/capture-screenshot.yml | 25 +++++++-------------
 1 file changed, 9 insertions(+), 16 deletions(-)
diff --git a/collection/screenshot/capture-screenshot.yml b/collection/screenshot/capture-screenshot.yml
index c6a9397a5..58467d7c5 100644
--- a/collection/screenshot/capture-screenshot.yml
+++ b/collection/screenshot/capture-screenshot.yml
@@ -21,7 +21,7 @@ rule:
 - 0a30182ff3a6b67beb0f2cda9d0de678:0x407910
 features:
 # Classic GDI Capture
- - or:
+ - or:
 - and:
 - or:
 - api: user32.GetWindowDC
@@ -29,7 +29,7 @@ rule:
 - and:
 - api: gdi32.CreateDC
 - optional:
- - string: "DISPLAY"
+ - string: "DISPLAY"
 - or:
 - api: gdi32.BitBlt
 - api: gdi32.GetDIBits
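Review bot: After the removal, the surviving `- and:` wraps only an `- or:` whose second alternative (`- and:` over an `- or:` of `BitBlt`/`StretchBlt`/`PrintWindow`) reduces to a single blit call, so `api: BitBlt` on its own now satisfies the rule's top-level `or:`; the same shape survives patch 3's `@@ -47,30 +47,23 @@` hunk, where the blit `or:` is nested directly under another `or:`. `BitBlt` is called by essentially every GDI drawing routine, so this branch adds false positives without adding coverage beyond the first branch, which already requires `GetWindowDC`/`GetDC`/`CreateDC` together with `BitBlt`/`GetDIBits`. Either remove this branch or re-anchor it on a screen DC source, e.g. replace the inner `- and:` with `- api: user32.GetDC` beside the blit `or:`. Indentation is not visible in this view, so the nesting is inferred from the surrounding lines and the hunk counts.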
@@ -47,30 +47,23 @@ rule:
 - and:
 - api: BitBlt
 - api: System.Drawing.Graphics::CopyFromScreen
- - and:
+ - or:
+ - and:
+ - api: "SelectObject"
+ - api: "DrawText"
 - or:
- - and:
- - api: "SelectObject"
- - api: "DrawText"
- - and:
- - or:
- - api: "BitBlt"
- - api: "StretchBlt"
- - api: "PrintWindow"
-
-
+ - api: "BitBlt"
+ - api: "StretchBlt"
+ - api: "PrintWindow"
 # GDI+ Graphics API chain
 - and:
 - api: "GdipCreateBitmapFromScan0"
 - api: "GdipGetImageGraphicsContext"
 - api: "GdipGetDC"
-
 # Direct GDI+ screen copy
-
 - and:
 - api: "Gdiplus::Graphics::FromHDC"
 - api: "Gdiplus::Graphics::CopyFromScreen"
-
 # DirectX method of screen capture
 - and:
 - or:
From aaebf44b292de0640d5c191ece9ad197087c2de3 Mon Sep 17 00:00:00 2001
From: Abhyuday Hegde
Date: Wed, 12 Mar 2025 17:43:35 +0530
Subject: [PATCH 4/4] Improve screen-capture detection
---
 collection/screenshot/capture-screenshot.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/collection/screenshot/capture-screenshot.yml b/collection/screenshot/capture-screenshot.yml
index 58467d7c5..e9b580138 100644
--- a/collection/screenshot/capture-screenshot.yml
+++ b/collection/screenshot/capture-screenshot.yml
@@ -20,8 +20,8 @@ rule:
 - 50D5EE1CE2CA5E30C6B1019EE64EEEC2:0x406E07
 - 0a30182ff3a6b67beb0f2cda9d0de678:0x407910
 features:
- # Classic GDI Capture
 - or:
+ # Classic GDI Capture
 - and:
 - or:
 - api: user32.GetWindowDC
@@ -47,10 +47,8 @@ rule:
 - and:
 - api: BitBlt
 - api: System.Drawing.Graphics::CopyFromScreen
- - or:
- - and:
- - api: "SelectObject"
- - api: "DrawText"
+ - and:
+ - api: "SelectObject"
 - or:
 - api: "BitBlt"
 - api: "StretchBlt"
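Review bot: The narrowed branch `and: [SelectObject, or: [BitBlt, StretchBlt, PrintWindow]]` still has no screen DC source, and `SelectObject` followed by `BitBlt` is the ordinary off-screen (double-buffer) drawing idiom in benign GUI code, so it remains a broad match; dropping `DrawText` makes it broader than the version it replaces. The first branch of this `or:` already requires `GetWindowDC`/`GetDC`/`CreateDC` together with a blit, so the new branch mostly re-matches those samples plus unrelated drawing code. If a separate branch is wanted, add a DC-source requirement such as `- api: user32.GetDC` under the new `- and:`, or fold `SelectObject` into the first branch as an `optional:` child. `PrintWindow` is arguably the one API here that indicates capture on its own and could stand as its own alternative.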