
false negative for screenshot

Open williballenthin opened this issue 11 months ago • 7 comments

nice example - false negative for the more specific branch GetDC/BitBlt/CreateCompatibleDC.

maybe we need to:

  • add DISPLAY* to CreateDC
  • add Gdip routines (GdipCreateBitmapFromScan0, GdipGetImageGraphicsContext, GdipGetDC)

Originally posted by @williballenthin in https://github.com/mandiant/capa/pull/2532#discussion_r1920802278

williballenthin · Jan 17 '25 21:01
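For orientation, here is a sketch of how the two suggestions above could be expressed in capa rule syntax. This is an added illustration written for this page; it is neither the rule shipped in capa-rules nor the draft the contributor later linked. The existing GetDC/CreateCompatibleDC/BitBlt branch is reconstructed from the thread, the `gdiplus.` module prefix, the `dynamic: thread` scope, the author and the example entry are assumptions, and the `/DISPLAY/i` regex is one way to cover the `DISPLAY*` argument family (`"DISPLAY"`, `\\.\DISPLAY1`, ...) that the comment mentions.

```yaml
# Added illustration only; not the rule from capa-rules and not the
# contributor's draft. Module prefixes, scope, author and example are
# assumptions made for this sketch.
rule:
  meta:
    name: capture screenshot
    namespace: collection/screenshot
    authors:
      - example@example.com            # placeholder author
    scopes:
      static: function
      dynamic: thread                  # assumed: several calls must co-occur
    att&ck:
      - Collection::Screen Capture [T1113]
    examples:
      - 0000000000000000000000000000000000000000000000000000000000000000:0x401000  # placeholder, not a real sample
  features:
    - or:
      # GDI path: obtain a device context for the screen, then copy
      # its pixels into a compatible DC with BitBlt.
      - and:
        - or:
          - api: user32.GetDC
          - api: user32.GetWindowDC
          # Proposed addition: CreateDC with a DISPLAY* device name
          # also yields a screen DC and was missed by the GetDC-only branch.
          - and:
            - api: gdi32.CreateDC
            - string: /DISPLAY/i
        - api: gdi32.CreateCompatibleDC
        - api: gdi32.BitBlt
      # Proposed addition, GDI+ path: allocate a bitmap, obtain a graphics
      # context and its HDC, then BitBlt the screen into it.
      - and:
        - api: gdiplus.GdipCreateBitmapFromScan0
        - api: gdiplus.GdipGetImageGraphicsContext
        - api: gdiplus.GdipGetDC
        - api: gdi32.BitBlt
```

Before submitting a rule like this, run it through capa's rule linter and against the two reproduction samples from this thread; the `string:` feature in the `CreateDC` branch only matches if the device name is visible as a string in the same function scope, so a sample that builds the name at runtime would still need a different feature.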

Hey @williballenthin , I'm Abhyuday Hegde, and I'd like to work on this issue to familiarize myself with the capa codebase as part of my GSoC 2025 journey. Could you please assign it to me? I've gone through the capa rules and understand that the fix likely involves updating the API detection rules to recognize CreateDC("DISPLAY") and missing GDI+ routines. If you have any pointers on where to start, that would be really helpful.

Thanks!

akh7177 · Feb 22 '25 15:02

i'd recommend trying to reproduce the issue, running capa against the sample and confirming the rule does not match. then you can use the show-features.py script to see the available features and figure out the changes needed to the existing rule.

thank you!

williballenthin · Feb 22 '25 16:02

Update_1 :

Hello @williballenthin,

As per your instructions, I tried reproducing the issue. I ran capa against two executables—one using CreateDC and another using GDI+ routines for screenshot capture. In both cases, capa did not detect ATT&CK Technique T1113 (Screen Capture), confirming that the issue is valid and needs to be addressed.

CreateDC output 👇

[image: capa output for the CreateDC sample]

GDI+ output 👇

[image: capa output for the GDI+ sample]

Below are the executables I used along with their capa results. Let me know if you’d like me to take any additional steps.

CreateDC executable file: https://drive.google.com/file/d/14uS-UHCJQFihQAuheQLswE2m2Mmlyv4H/view?usp=sharing
capa JSON output file: ss_create_dc.json

GDI+ executable file: https://drive.google.com/file/d/1_b4ETQUI97RUEpA98Q1yNzgy0FoZv9kg/view?usp=sharing
capa JSON output file: ss_gdip.json

Thanks!

— Abhyuday

akh7177 · Feb 23 '25 05:02

Update_2:

Hello @williballenthin,

I spent the Sunday exploring capa-rules and YAML. Based on my understanding, I implemented a few changes in collection/screenshot/screenshot-capture.yml, adding new rules to address the issue mentioned above, along with a few other gaps in capa's screenshot detection mechanism.

I've attached the draft_rule below.

Please let me know if you have any suggestions or improvements.

Thanks!

draft_rule: Google Drive Link

akh7177 · Feb 23 '25 18:02

Update_3:

Hey @williballenthin ,

I’ve made the necessary changes for screenshot detection. The below version detects screenshot capture that uses GDI+ routines as well as CreateDC with other arguments along with DISPLAY. The test files include two executables that demonstrate the improved detection.

Here are my commits:

  1. capa-rules
  2. capa-testfiles

Could you review and let me know if everything looks good before I submit the PR?

akh7177 · Feb 24 '25 17:02

would you please open a PR so we can comment inline and discuss there?

williballenthin · Feb 24 '25 21:02

Hello @williballenthin ,

I've opened the PR for the screenshot detection rule test files:

Let me know if any changes are needed!

Thanks!

akh7177 · Feb 24 '25 23:02