A Computer Question

Hypothetically, lets say that there was a program which existed which allowed others to remotely, and without your knowledge or permission, take screenshots of your computer.


Hypothetically, how could you test or check to see if it was there on your PC?
Is there a specific command in the C: prompt that would show this, or is there an easier point-click way via Windows 10 to look for it?

Just a straight forward ask/answer question.

Yeah, I’m definitely not going to click a link to spyware, but there are a multitude of programs that will scan your computer for programs that are not supposed to be there. I use SpyBot and AdAware myself, in addition to having Avira running constantly. With all the free options around these days, there’s really no excuse for not scanning your computer regularly.

Great point made: full transparency:

This article is about modifying a PID code to allow remote screen shots. I’m using AVG & I’m not so sure that this would be caught.
The article lists step by step ‘how to’ but there must be a way to detect this if it was done, right?

Most anti-malware systems will scan the system files - ie most of what comes with the OS and compare the files it sees with the original shipped files. (It does this by computing a hash of the contents and keeping a list of valid hashes.) So, in principle, it can detect if any system file has been modified. In addition these system check files for the signatures of known malware. Neither of these systems are foolproof. Obviously some system configuration files need to change from time to time, and heuristics for detecting bad stuff has to balance false positives against false negatives. But something as simple as a modification to system file should be trivially detected.

“Modifying a PID code” is not an accurate description of what that hack does. The thing that makes it possible to take a screenshot is the installation of malicious software, specifically the steps that install meterpreter and espia. The most reasonable way to discover if these or similar programs are installed on your computer is to run an antivirus program, as mentioned above. Good antivirus programs keep their databases up to date with the latest known virus/spyware programs, so they will detect if malicious programs have been installed.

If someone is actively reading your files, it would show on a process management app. You could see the activity.

If they’re sneakier than that, dunno.

Slight thread hijack: just how exposed to malware/spyware are we, by downloading and installing the plethora of apps flooding cyberspace? I make regular screaming rants against Win10. One of my gripes is that all the little goodies we had installed with older versions of Windows are no longer available. You are directed to install an app for the CALCULATOR, for crying out loud!

Every single app you install, you open yourself up to anything. Once for click “accept,” you’ve sold your soul. I honestly believe this is only gonna get worse, much much worse!


A calculator app – good heavens!

Over 15 years ago, I spent about $5 for a basic calculator, which sits on my desk right near my computer. (It’s outlasted about 5 computers, so far.) I can grab that and be done with calculations long before I could find and activate any calculator function on my computer.

I am glad that Microsoft is slimming down Windows by squeezing such needless applications out of the base OS. Those who want them can download them as an ‘app’, the rest of us can ignore them and have a leaner OS.

Also, Windows 10 still includes a calculator app. I did a clean install of Windows 10 a couple of months ago and there’s a calculator on this system.

I find the hysteria hysterical. A quick check shows calc.exe to occupy a whopping 30.5k. And, frankly, a computer that can’t be used to do some simple math, exclusive of watches, phones, tablets, or desktop calculators, short of opening Excel, is a pretty limited device.

You make a great point; it’d have to show there.
BUT… what if the process eating up CPU and disk space as you looked at the active process management screen… had a name that would not look suspicious (ie - the same name as a ‘normal’ process in your PC?
A good post above says good AV programs check for size of file to weed out bad masked items.

Hypothetically… if a person knew exactly what size XYZ.dll (or process) was and created a masked file of the same size with malicious code in it… then it might not be found, right?


I’m only saying this because if such painstaking work could be created… just once… then couldn’t it be copied & distributed among hackers nearly infinitely and no one would know?
(Eventually the data-breach source would track back to the source point PC, of course, but short of sifting through all the files of code of that PC off-line, might it conceivably not ever be found?)

~possible book plot point~

For Windows 10, Microsoft intentionally did not include a lot of things with the operating system but instead made them free downloads from their app store. It’s not to slim down the operating system. Computers have gobs and gobs of disk space these days. They don’t need slimming. The idea is to give you some freebies in order to get you used to downloading things from their app store, so that you’ll eventually spend lots and lots of money downloading apps from there.

As for the safety of it, while most of the apps are fine, there are all kinds of scam apps and apps with malware there. Be careful what you download.

Well, sort of. Particularly if you are the NSA.

The first virus checkers looked for specific sections of code, “signatures” in the file.

Later, they checked ‘hashes’ of the code, starting with a CRC. A CRC is a simple hash that can be carefully re-created and matched. More recent hashes are ‘encryption’ calculations, and it is difficult to recreate a matching hash, because there is no simple backwards calculation that allows you to calculate the changes you have to make to your malicious file to get it to match.

As code breaking has become more powerful, the encryption methods used to generate the hashes have become more powerful too.

And now, files include, in a standard format, encrypted signatures from the originator. The encrypted signature is very difficult to recreate: there is no easy way to start with a malicious file and sign it with a signature if you don’t have access to the original signing ‘certificate’.

Not all files are signed, but in modern systems drivers and browser plug-ins are certainly signed, it will be rejected if the signature isn’t valid.

So, all you Really need… is to know that the file existed… and to know that the NSA sometimes downsizes.
Anyone with a digital camera knows how easy it is to copy a file. Or two files… sender and receiver files.

Anyone who is unemployed can guess what that might be worth for sale… before it is copied & redistributed… world wide…

(cool plot point, huh?)

Typically a serious attack is sneakier than this. What you allude to is the basic form of a root-kit. Building a rootkit involves creating a suite of malware that includes subverting all the system monitoring software. So when you look at the CPU usage, files, or list active processes or network activity - it all looks perfectly fine. A lot of effort is expended in making a rootkit very hard to spot. To find one you may need to go very deep into the system to look for discrepancies. It is hard to mask unexpectedly high power draw. Where things often come unstuck is that a rootkit is a large and complex system, and very hard to make bug-free. So weird problems can also be a clue.

But finding the kit isn’t trivial. Mounting disk on a known clean system (or booting from CD or write locked USB drive) and looking around helps a lot. But finding the malware from within the running infected system can be daunting.

And you can eventually be facing systems that are compromised via infected devices. It is possible to infect a disk drive itself. The malware on the disk drive can recognise execution patterns to decide if the system is operating normally, and it should deliver its payload, or can guess it is being scanned, and act perfectly normally.

I’m a computer forensic examiner. When I have reason to believe a machine has been compromised, I usually remove the hard drive and make a forensically sound image of the drive. If I get to the machine while it’s running, I’ll take a memory dump before pulling the drive. Then I use a variety of tools and techniques to locate suspicious files or processes. If a machine has been infected with some kind of malware that’s relatively well known (say, it has a website and everything), then finding artifacts of it forensically is not that hard, typically. If the attacker put more effort into it, then it can be a lot harder to find. But unless the attacker is the NSA/FSB/Mossad, I’ll probably eventually find the malware. And even if they are NSA, etc., I still have a decent shot at finding it because a lot of their tools have a fairly large footprint.

Things like antivirus utilities have their use (and I use them as part of my forensic toolset), but if you’re worried about a clever, targeted attack, they’re not going to be very effective.

To the OP: hypothetically, if you have a friend who is hypothetically worried their machine is comprised, PM me and I’ll try to assist. I’m not able to do any actual examinations myself at present, but I can try to point you in the right direction.

Count Bulcher,

If I understand your question - the screen shot would be captured on the clip board. That change could be detected.


A Trojan. That’s the name of the likely culprit that is able to do that, sometimes piggybacks on another executable file or is programmed within. You could always use a program that searches for known ones (Hijack This) or you could test by checking your process management utility and/or router logs, try closing everything you can, or start in safe mode (windows) and see what is still requesting networking activity, then narrow it down. You will be able to find the culprit in most cases, unless its some worm or trojan programmed by the NSA specifically for you.

That would be a really crappy virus writer. Not saying that it can’t happen. But any reasonably sophisticated virus would not be detectable by anything but the latest AV software, if that.

You can use Van Eps phreaking to read screens without ever touching the computer.