A screen capture application records the output of the computer screen. When the output of computer screen is continuously recorded it is called screencasting, and when the output of computer screen is stored as an image it is called screenshot/snapshot. Screencasting softwares have been used over years for the purpose of teaching and demonstration. But using screen capture applications all the user activity can be monitored and this a threat to privacy and security of user. For example, to avert stealing of passwords using keystroke loggers, many online banking sites make use of virtual keyboard. Virtual keyboard is an on-screen keyboard for entering password by clicking on the keys on the screen using a mouse. But using screencasting software, the screen can be recorded, and password can be seen, and this defeats the purpose of virtual keyboard. The screen capture application can be used to periodically take screenshots of the monitor of the attacked computer. These screenshots can then be remotely sent to the attacker.

Methods of Screen Capture

  1. GDI
    This mechanism is based on the principle that the desktop has a Window Handle (HWND) and a device context (DC). Using device context of the desktop to be captured, we can just blit those contents to application defined device context in the normal way. We can get the device context of the desktop if we know its window handle, which can be obtained using the function GetDesktopWindow().
  2. DirectX
    Every DirectX application contains buffer to hold the contents of the video memory related to that application. This is called the Back Buffer of the application. And there is another buffer that every application can by default access – the Front buffer. The front buffer holds the video memory related to the desktop contents and so essentially is the screen image. By accessing the front buffer from our DirectX application it can capture the contents of the screen at that moment
  3. Windows Media Encoder API
    Windows Media 9.0 supports screen captures using the Windows Media Encoder 9 API. It includes a codec named Windows Media Video 9 Screen codec that has been specially optimized to operate on the content produced through screen captures. The Windows Media Encoder API provides the interface IWMEncoder2 which can be used to capture the screen content efficiently.

Preventing the Screen Capture

The screen capturing methods belong to two prominent categories:
1. User mode capturing
2. Kernel mode capturing.
The method using the Kernel mode capturing, is through writing video miniport mirror drivers. A typical way of preventing screen capture for the user mode capturing applications is to hook the API and restrict the operations. This solution is prone to failures and difficult to extend or maintain, since every all possible API that can be used to capture the screen have to be considered and each of them should be hooked for denial.

The other more reliable approach to screen capture prevention is writing Video filter drivers. Typically you would have a kernel mode filter driver (that permits or denies the video blit operations) along with a user mode service which will take care of identifying the access security for the capturing processes and supplies those details to the kernel mode driver, which then will take care of either denying the blit request or processing it. It is just allowing or denying existing display operations. It would include writing a filter driver that sits on top of existing display driver and hack the calls to it.

More details can be found on the site

Trusteer Rapport
Rapport is web security software developed by Trusteer, a company that provides safe communication between business websites and customers. Rapport is a lightweight browser security plug-in. It protects a user’s browsing sessions while visiting specific websites such as e-commerce and banking websites. When visiting any protected site, Rapport blocks any attempt to take control of the session by malware, which includes keylogging and screen capture, session hijacking, and DNS redirection hijacks. Rapport prevents taking screen shots while you are connected to protected websites and uses API blocking to prevent this type of behaviour, alerting users if any such activities are attempted

SnoopFree Privacy Shield
SnoopFree Privacy Shield is a security guard that watches your computer for programs that try to invade privacy. If any program tries to access potentially sensitive information, SnoopFree Privacy Shield stops the offending program and asks the user how to handle. It is a “firewall” for keyboard, screen and open windows. Whenever a screen capture application tries to capture screen, SnoopFree generates the following message where the user can either allow or deny access to the application.

Saving Web Page as an image in Mozilla Firefox

In addition to the screen capture methods mentioned above, content rendered within a browser can be captured as an image using Javascript. This is more dangerous as it does not use any Operating System functions for performing the capture, and hence cannot be detected using Rapport or SnoopFree. The capture is carried out using HTML 5 element canvas and its methods.

HTML5 Canvas Element
HTML 5 defines the element as “a resolution-dependent bitmap canvas which can be used for rendering graphs, game graphics, or other visual images on the fly.” A canvas is a rectangle in your page where graphics can be drawn using JavaScript. Canvas creates a fixed size drawing surface that exposes one or more rendering contexts. Canvas was first introduced by Apple for the Mac OS X Dashboard and later implemented in Safari. Gecko 1.8-based browsers, such as Firefox 1.5, also support this element. The element is part of the WhatWG Web applications 1.0 specification also known as HTML 5. After getting the canvas element, the 2d context can be obtained. The context object can then be used to actually render to the canvas.

getContext() Method for Canvas Element
The canvas is initially blank, and to display something a script first needs to access the rendering context and draw on it. The canvas element has a DOM method called getContext, used to obtain the rendering context and its drawing functions. getContext() takes one parameter, the type of context.

Rendering Web Content Into A Canvas using context.drawWindow() Method
Mozilla’s canvas is extended with the drawWindow() method. This method draws a snapshot of the contents of a DOM window into the canvas. Currently the drawWindow function can only be used by chrome privileged content. So extension authors and XUL application developers can use it, but normal Web pages cannot. This is the main function which is used for saving webpage as an image.

The context.toDataURL() method returns a data URL containing the image encoded in .PNG format by default. The toDataURL function is used to get a data: url that has the base-64 encoded image. This URL can then be used for converting the image into a file. Hence using the drawWindow() and toDataURL() methods, we can convert DOM contents into an image.


[1] http://gpalem.web.officelive.com/screencap.html
[2] Screenshot, http://en.wikipedia.org/wiki/Screenshot
[3] Trusteer Rapport
[4] SnoopFree Privacy Shield
[5] Canvas Tutorial
[6] Drawing Graphics with Canvas
[7] Banking Trojan Captures User’s Screen in Video Clip, Hispasec / VirusTotal, 05 September 2006, http://www.hispasec.com/laboratorio/banking_trojan_capture_video_clip.pdf
[8] New technique against virtual keyboards, Hispasec / VirusTotal, 26 September 2006, http://www.hispasec.com/laboratorio/New_technique_against_virtual_keyboards.pdf


Comments are closed.

This site is protected with Urban Giraffe's plugin 'HTML Purified' and Edward Z. Yang's Powered by HTML Purifier. 46123 items have been purified.