
false negative for screenshot #981

Open
williballenthin opened this issue Jan 17, 2025 · 7 comments · May be fixed by #1007
Labels: false negative (rule expected to match but doesnt), good first issue (Good for newcomers), help wanted (Extra attention is needed)

Comments

@williballenthin (Collaborator)

nice example - false negative for the more specific branch GetDC/BitBlt/CreateCompatibleDC.

maybe we need to:

  • add DISPLAY* to CreateDC
  • add Gdip routines (GdipCreateBitmapFromScan0, GdipGetImageGraphicsContext, GdipGetDC)

Originally posted by @williballenthin in mandiant/capa#2532 (comment)
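As an added illustration of the two extensions proposed above (a CreateDC branch keyed on a DISPLAY argument, and a GDI+ branch built from the Gdip routines named in the comment), here is a hypothetical capa rule in the capa rule YAML format. It is not the rule shipped in capa-rules and not the draft from this thread; the rule name, author, example entry and the module prefixes on the API features are assumptions, and the rule would need a real sample reference in `examples` before capa's linter would accept it.

```yaml
rule:
  meta:
    # hypothetical draft written for this discussion, not the shipped rule
    name: capture screenshot via display DC or GDI+ (hypothetical draft)
    namespace: collection/screenshot
    authors:
      - placeholder@example.com   # assumed author
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Collection::Screen Capture [T1113]
    examples:
      # capa's linter wants a real sha256:offset here; placeholder only
      - PLACEHOLDER_SHA256:0x401000
  features:
    - or:
      # branch 1: classic GDI capture, generalised so the screen DC may come
      # either from GetDC or from CreateDC with a "DISPLAY" device name
      - and:
        - or:
          - api: user32.GetDC
          - and:
            - api: gdi32.CreateDC
            - string: /DISPLAY/i   # regex, so "DISPLAY" and "\\.\DISPLAY1" both match
        - api: gdi32.CreateCompatibleDC
        - api: gdi32.BitBlt
      # branch 2: GDI+ flat API; the bitmap's graphics context hands back an HDC
      # that then serves as the destination of the blit from the screen DC
      - and:
        - api: gdiplus.GdipCreateBitmapFromScan0
        - api: gdiplus.GdipGetImageGraphicsContext
        - api: gdiplus.GdipGetDC
        - api: gdi32.BitBlt
```

Both branches are `and` groups at function scope rather than a flat `or` of single APIs: any GUI program calls GetDC or CreateCompatibleDC on its own, so a rule keyed on one API would trade the false negative for false positives. The way to check a draft like this is the one suggested in the thread: run `show-features.py` on the sample to confirm the API and string features capa actually extracts (the exact module prefix and the string encoding of the DISPLAY argument are the two things most likely to differ), then run capa with verbose output and confirm the rule matches only on the capturing function.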

williballenthin added the labels "false negative", "good first issue" and "help wanted" on Jan 17, 2025
@akh7177 commented Feb 22, 2025

Hey @williballenthin ,
I'm Abhyuday Hegde, and I'd like to work on this issue to familiarize myself with the capa codebase as part of my GSoC 2025 journey. Could you please assign it to me?
I've gone through the capa rules and understand that the fix likely involves updating the API detection rules to recognize CreateDC("DISPLAY") and missing GDI+ routines. If you have any pointers on where to start, that would be really helpful.

Thanks!

@williballenthin (Collaborator, Author)

I'd recommend trying to reproduce the issue: running capa against the sample and confirming the rule does not match. Then you can use the show-features.py script to see the available features and figure out the changes needed to the existing rule.

thank you!

@akh7177 commented Feb 23, 2025

Update_1 :

Hello @williballenthin,

As per your instructions, I tried reproducing the issue. I ran capa against two executables—one using CreateDC and another using GDI+ routines for screenshot capture. In both cases, capa did not detect ATT&CK Technique T1113 (Screen Capture), confirming that the issue is valid and needs to be addressed.

[Image: CreateDC output]

[Image: GDI+ output]

Below are the executables I used along with their capa results. Let me know if you’d like me to take any additional steps.

Create DC
Executable file : https://drive.google.com/file/d/14uS-UHCJQFihQAuheQLswE2m2Mmlyv4H/view?usp=sharing
CAPA JSON Output file : ss_create_dc.json

GDI+
Executable file : https://drive.google.com/file/d/1_b4ETQUI97RUEpA98Q1yNzgy0FoZv9kg/view?usp=sharing
CAPA JSON Output file : ss_gdip.json

Thanks!

— Abhyuday

@akh7177 commented Feb 23, 2025

Update_2:

Hello @williballenthin,

I spent the Sunday exploring capa-rules and YAML. Based on my understanding, I implemented a few changes in the collection/screenshot/screenshot-capture.yml , adding new rules to address the issue mentioned above, along with a few other gaps in capa’s screenshot detection mechanism.

I've attached the draft_rule below.

Please let me know if you have any suggestions or improvements.

Thanks!

draft_rule : Google Drive Link

@akh7177 commented Feb 24, 2025

Update_3:

Hey @williballenthin ,

I’ve made the necessary changes for screenshot detection. The below version detects screenshot capture that uses GDI+ routines as well as CreateDC with other arguments along with DISPLAY. The test files include two executables that demonstrate the improved detection.

Here are my commits:

  1. capa-rules
  2. capa-testfiles

Could you review and let me know if everything looks good before I submit the PR?

@williballenthin (Collaborator, Author)

would you please open a PR so we can comment inline and discuss there?

@akh7177 commented Feb 24, 2025

Hello @williballenthin ,

I've opened the PR for the screenshot detection rule test files:

Let me know if any changes are needed!

Thanks!
