1

I came across this cool feature while playing around with Kaspersky '15. Basically, when you launch a "Smart Money" Protected Browser (this browser is just a modified, clean install of Chrome), if your computer hardware supports VTx, you are unable to take screenshots while the protected browser is running.

I tried doing some research myself (furious Googling, browsing RE websites like kernelmode.info, etc...) but I couldn't figure out how they did it. For more details, check out their "troubleshooting" section about the technology: http://support.kaspersky.com/us/9955

Does anyone have any idea on how this is done? When I try to grab the screen, I just get an entirely black screenshot. I don't know how one can leverage VTx to accomplish such a task. Are they just using VTx to hook all the screen capture syscalls?! Or is there a more interesting way?

I'll probably try to poke around with the KAV drivers, but they definitely don't make it easy to RE them.

KeBugCheck
  • 11
  • 1
  • I have a little custom program to automatically save my screenshots (as done by the key) and for some games, this built-in windows function doesn't work either (it does for VMs, however). I think this has something to do with the post-rendering processes. Did you try Steam's oder NVidia's screenshot feature? These two work for all games I know. – Sebb Mar 08 '15 at 11:59

1 Answers1

1

This question will most likely be closed as primarily opinion based, since "how does a particular system work" can't be answered unless there's either documentation about it or someone has reverse-engineered it already.

So take this answer with a grain of salt - it describes how i'd tackle the problem. It might not even be feasible after closer investigation, and Kaspersky might have done something completely different.

What you want to do is allow the video driver to write the video card memory, while preventing it from reading the same memory - which is hard to do by just messing with memory access bits, as the driver is running with Ring 0 privileges within the kernel. Also, features like alpha blending might be implemented by reading a video memory cell, messing with the value, and writing it back, so you can't just prevent all video memory reads.

VT-X allows you to capture instructions in Ring 0 mode, so they might trap read accesses to the video memory, check the call stack from within the hypervisor, and then decide if they want to read the real value or just simulate black by replacing the read value with 0.

They might even track the usage of the value, allow the video driver to use the real value, but replace it with a 0 whenever something outside the driver tries to access it (however, i doubt they're doing that, since it's awfully hard to do correctly, and requires emulating the processor until it leaves the driver, which has performance issues as well).

Guntram Blohm
  • 12,950
  • 2
  • 22
  • 32