Sign in to follow this  
Followers 0
Xibalba

Detect PrintScreen and PixelSearch From Remote?

5 posts in this topic

I've been trying to figure out how to detect this for months without any real progress. Whatever road I'll try out testing scripts in AutoIt, or programs in C++/C#, all turns out to be dead ends.

The problem:

I have two computers, Comp1 and Comp2. The first is remotely administered by Comp2 (via local network).

Now, on Comp1 i want to be able to detect if Comp2 are running code similar to PixelSearch, or taking screen shots, of this computer, via the remote administration window on that machine.

Is this totally impossible? (if infecting Comp2 with some sort of Trojan or virus is out of the question - which it definitely is!)

I can relatively easy get detailed information about the state of the remote administration itself (if being administered or not at this time) as well as other stuff (such as who is administering atm) but not what I actually want.

My next step is to see what the .dll files can tell me (that the remote software are using). My insight in this is very limited though.

What information could I get by hooking the "video driver" that was installed and is being used by the remote administration software? Is that also a dead end?

Another thing that struck me would be to monitor the actual data traffic on specific ports (in use by the remote software), but that should fail as well because only data of what's being sent to Comp2 ca be obtained (?)

As mentioned, I'd appreciate all ideas, suggestions or links. Points to other languages (i.e C++/C#) is just as welcome as with AutoIt.

Thanks in advance

Share this post


Link to post
Share on other sites



bump

Share this post


Link to post
Share on other sites

My first idea is to hook on User32.dll, default screen capture functions are handled by this library . But form the other hand PixelGetColor and so one are handled by gdi32.dll i think, You have to check that also. Good luck.

p.s-I could tell more and more preciselly if you would show what administration tool is that, what libraries it uses, what ports it uses (you can check data sended by those ports, searching for, ex. .jpg header pattern). You can even hook on to the incomming port and find the command that is triggering on the screenshot command.


Share this post


Link to post
Share on other sites

#4 ·  Posted (edited)

My first idea is to hook on User32.dll, default screen capture functions are handled by this library . But form the other hand PixelGetColor and so one are handled by gdi32.dll i think, You have to check that also. Good luck.

p.s-I could tell more and more preciselly if you would show what administration tool is that, what libraries it uses, what ports it uses (you can check data sended by those ports, searching for, ex. .jpg header pattern). You can even hook on to the incomming port and find the command that is triggering on the screenshot command.

Are you sure this is doable? Just to make sure you didn't misunderstand me - it's not that computers' gdi32/user32.dll that's being triggered, it's those dll files on the master computer when pressing PrintScreen.

Obviously user32.dll is always sending info about graphical output to the remote computer, but then what the remote computer does with that info, we cannot know.

I'd be happy to be proven wrong though.

Edited by Xibalba

Share this post


Link to post
Share on other sites

#5 ·  Posted (edited)

OK, confirmed impossible unless someone would like to prove otherwise.

Thanks to those who posted.

Edited by Xibalba

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0