capa-rules

Improve Screenshot Detection by Modifying capture-screenshot.yml

Open akh7177 opened this issue 10 months ago • 2 comments

Added GDI, GDIP, and DirectX API calls to improve detection accuracy for various screenshot capture methods.

This detects screenshot capture that uses GDI+ routines as well as CreateDC with other arguments along with DISPLAY. The test files include two executables that demonstrate the improved detection.

closes #981

akh7177 Feb 24 '25 23:02

@akh7177 lints are failing now:

 capture screenshot
  FAIL: rule contains one or more statements with a single child statement: 
remove the superfluous parent statement: 
and(or(api(BitBlt),api(StretchBlt),api(PrintWindow)))
  FAIL: rule format incorrect: use scripts/capafmt.py or adjust as follows

You can run lints locally by installing capa for development using the instructions found here.

mike-hunhoff Mar 10 '25 19:03
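The rule logic described in the pull request and the "single child statement" lint quoted above, as an added example that is neither capa's code nor the rule text from this PR: a small stand-alone Python re-implementation of capa-style statement evaluation (and/or/not/optional over api and string features) plus the lint check. The rule tree, the API names beyond BitBlt, StretchBlt, PrintWindow, CreateDC and DISPLAY, the A/W-suffix handling, and the three sample feature sets are constructed assumptions for illustration only.

```python
# Added example (not capa's code and not the rule from this PR): a minimal
# re-implementation of capa-style rule evaluation plus the "single child
# statement" lint quoted above. The rule tree, API names and sample feature
# sets below are constructed assumptions for illustration.

STATEMENTS = ("and", "or", "not", "optional")

# Nested dicts in the shape yaml.safe_load gives for a rule's `features:` block.
# Hypothetical reconstruction of a capture-screenshot rule, not the PR's text.
CAPTURE_SCREENSHOT = {
    "or": [
        {"and": [  # GDI: get a device context for the screen, then bit-block transfer it
            {"or": [{"api": "GetDC"}, {"api": "GetWindowDC"}, {"api": "CreateDC"}]},
            {"or": [{"api": "BitBlt"}, {"api": "StretchBlt"}, {"api": "PrintWindow"}]},
        ]},
        {"and": [  # CreateDC("DISPLAY", ...) opens the primary display directly
            {"api": "CreateDC"},
            {"string": "DISPLAY"},
        ]},
        {"and": [  # GDI+: wrap a captured HBITMAP and save it to disk
            {"api": "GdipCreateBitmapFromHBITMAP"},
            {"api": "GdipSaveImageToFile"},
        ]},
    ]
}

# The tree the reviewer's lint output complains about: the `and` wraps a single `or`.
SUPERFLUOUS_AND = {
    "and": [{"or": [{"api": "BitBlt"}, {"api": "StretchBlt"}, {"api": "PrintWindow"}]}]
}


def api_variants(qualified_name):
    """Yield the symbol spellings a rule may use for one import (assumption:
    mirrors how capa emits module-qualified and A/W-stripped variants)."""
    module, _, name = qualified_name.rpartition(".")
    names = {name}
    if name[-1] in "AW":  # ANSI/Unicode suffix, e.g. CreateDCA -> CreateDC
        names.add(name[:-1])
    for n in list(names):
        yield n
        if module:
            yield f"{module}.{n}"


def features_from_sample(imports, strings):
    """Constructed stand-in for a feature extractor: build the (kind, value) set."""
    feats = {("api", v) for imp in imports for v in api_variants(imp)}
    feats |= {("string", s) for s in strings}
    return feats


def node_kind(node):
    (kind, _), = node.items()
    return kind


def evaluate(node, features):
    """Evaluate a rule tree against a feature set (and/or/not/optional only;
    capa's counted and scoped statements are left out of this example)."""
    (kind, body), = node.items()
    if kind == "and":
        return all(evaluate(child, features) for child in body)
    if kind == "or":
        return any(evaluate(child, features) for child in body)
    if kind == "not":
        return not evaluate(body[0], features)
    if kind == "optional":
        return True
    return (kind, body) in features


def render(node):
    """Compact notation used by the lint message, e.g. and(or(api(BitBlt),...))."""
    (kind, body), = node.items()
    if kind in STATEMENTS:
        return f"{kind}({','.join(render(child) for child in body)})"
    return f"{kind}({body})"


def lint_single_child_statement(node):
    """Return every and/or whose only child is itself a statement, rendered."""
    findings = []
    (kind, body), = node.items()
    if kind not in STATEMENTS:
        return findings
    if kind in ("and", "or") and len(body) == 1 and node_kind(body[0]) in STATEMENTS:
        findings.append(render(node))
    for child in body:
        findings.extend(lint_single_child_statement(child))
    return findings


# Constructed samples: import lists and strings as an extractor would report them.
GDI_SAMPLE = features_from_sample(
    ["user32.GetDC", "gdi32.CreateCompatibleDC", "gdi32.CreateCompatibleBitmap", "gdi32.BitBlt"], [])
GDIPLUS_SAMPLE = features_from_sample(
    ["gdi32.CreateDCA", "gdiplus.GdipCreateBitmapFromHBITMAP", "gdiplus.GdipSaveImageToFile"],
    ["DISPLAY"])
PRINTER_SAMPLE = features_from_sample(  # CreateDC on a printer, no blit: must not match
    ["gdi32.CreateDCA", "gdi32.TextOutA"], ["WINSPOOL"])


def classify(features):
    return evaluate(CAPTURE_SCREENSHOT, features)


if __name__ == "__main__":
    for name, feats in [("gdi", GDI_SAMPLE), ("gdiplus", GDIPLUS_SAMPLE), ("printer", PRINTER_SAMPLE)]:
        print(name, "capture screenshot" if classify(feats) else "no match")
    for finding in lint_single_child_statement(SUPERFLUOUS_AND):
        print("FAIL: remove the superfluous parent statement:", finding)
```

The third sample is the check a rule author wants before submitting: CreateDC alone is common in printing code, so the rule only fires when it is paired with the DISPLAY string or with a bit-block transfer. The lint check reproduces the exact rendering from the reviewer's output for the wrapped `and(or(...))`, and reports nothing for the tree where every `and`/`or` has at least two children.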

@mike-hunhoff I modified the file and made sure that it passes lint.py given that my new test binary is added. Could you please check it?

akh7177 Mar 11 '25 02:03