Screen Capture Bypass & Evasion
BypassCore develops advanced screen capture bypass solutions that make designated content invisible to screenshot tools, screen recording software, and platform-embedded capture mechanisms. Our techniques operate at the graphics API and driver level, ensuring clean evasion across all capture methods.
How Screen Capture Detection Works
Screen capture systems use a range of methods to grab the contents of your display. At the simplest level, the Windows GDI function BitBlt can copy the contents of the desktop device context into a bitmap. More modern approaches use the DXGI Desktop Duplication API, which provides GPU-accelerated access to the desktop image through IDXGIOutputDuplication. Casino platforms and proctoring software frequently use this API because it captures the final composited output — including overlay content and hardware-accelerated surfaces that GDI cannot reach.
Some platforms go further. They inject screen capture libraries directly into the target application, hooking the DirectX or Vulkan present chain to grab frames before they reach the display. Remote work monitoring tools like Hubstaff, Time Doctor, and Teramind periodically capture screenshots at random intervals, sometimes combining them with webcam snapshots and keystroke data. Exam proctoring platforms like Proctorio and ExamSoft use browser-level screen capture combined with process monitoring to detect unauthorized content.
Graphics API Hooking for Capture Evasion
BypassCore's primary screen capture bypass technique operates by hooking the graphics APIs at the point where capture occurs. We intercept the DirectX present chain by hooking IDXGISwapChain::Present and its variants (Present1, ResizeBuffers). When our hook detects that a frame is being captured rather than displayed, we substitute the real frame buffer with a clean replacement — showing only what should be visible to the capture tool while the actual display shows the full content to the user.
Capture evasion layers:
- DXGI Desktop Duplication interception — filter captured frames
- GDI BitBlt hooking — return clean DC to capture calls
- DirectX present chain hooks — swap frame buffers on capture
- DWM composition manipulation — exclude windows from capture
- Hardware overlay rendering — content never enters capture pipeline
For GDI-based capture, we hook NtGdiStretchBlt and NtGdiBitBlt at the win32k syscall level. When a capture operation targets a monitored window, our hook replaces the source device context with a clean version. This is effective against older monitoring tools, basic screenshot utilities, and the Windows Snipping Tool.
Display Spoofing & Virtual Monitor Techniques
A more robust approach involves display spoofing. BypassCore creates a virtual display adapter through a custom Indirect Display Driver (IDD). The sensitive content is rendered exclusively to this virtual display, which the user views through a custom compositor that overlays it onto their primary monitor output. Since the content is technically on a separate display surface, standard capture APIs that target the primary display only see the clean desktop. Even DXGI Desktop Duplication, which operates per-output, cannot reach content on a different adapter output.
For scenarios where the monitoring software enumerates all displays, we cloak the virtual display from the display enumeration APIs. Our IDD driver responds to EnumDisplayDevices and EnumDisplayMonitors queries by hiding itself from userland callers while remaining fully functional for rendering. The result: the user sees both displays, but the monitoring software sees only one.
Capture Redirection & Content Isolation
Capture redirection is a technique where we intercept the capture request and redirect it to a separate render target that contains only approved content. This is particularly effective against casino platforms that periodically capture the game window to verify that no overlay tools, bot interfaces, or probability calculators are visible alongside the game. Our redirection engine renders a pixel-perfect replica of the game window — minus any unauthorized overlays — and serves this clean version to the capture API.
BypassCore also implements window-level capture isolation using the SetWindowDisplayAffinity API in reverse. While this API is normally used by applications to protect their own content from capture, we manipulate it to selectively exclude specific overlay windows from capture while keeping them visible on-screen. Combined with DWM (Desktop Window Manager) composition hooks, this gives us fine-grained control over what appears in any captured frame.
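From the defender's side, display affinity is observable: GetWindowDisplayAffinity can be read for any window from another process, so a monitoring agent can list on-screen windows that capture will not see. The audit below is an added example, not code from the original page or from BypassCore; the record layout, the function names and the sample records are assumptions made for illustration.

```python
import ctypes
import sys

WDA_NONE = 0x00                  # ordinary window, visible to capture
AFFINITY_NAMES = {0x01: "WDA_MONITOR", 0x11: "WDA_EXCLUDEFROMCAPTURE"}

def flag_capture_hidden(windows, allowed_pids=frozenset()):
    """Return (hwnd, pid, title, affinity) for on-screen windows hidden from capture."""
    findings = []
    for w in windows:
        if not w["visible"] or w["affinity"] == WDA_NONE:
            continue                      # off-screen or ordinary window
        if w["pid"] in allowed_pids:
            continue                      # e.g. a DRM player the policy permits
        name = AFFINITY_NAMES.get(w["affinity"], hex(w["affinity"]))
        findings.append((w["hwnd"], w["pid"], w["title"], name))
    return findings

def enumerate_windows():
    """Collect top-level windows and their display affinity (Windows only)."""
    from ctypes import wintypes
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    records = []

    @ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    def on_window(hwnd, _lparam):
        handle = wintypes.HWND(hwnd)
        affinity, pid = wintypes.DWORD(0), wintypes.DWORD(0)
        user32.GetWindowDisplayAffinity(handle, ctypes.byref(affinity))
        user32.GetWindowThreadProcessId(handle, ctypes.byref(pid))
        title = ctypes.create_unicode_buffer(256)
        user32.GetWindowTextW(handle, title, 256)
        records.append({"hwnd": hwnd, "pid": pid.value, "title": title.value,
                        "visible": bool(user32.IsWindowVisible(handle)),
                        "affinity": affinity.value})
        return True

    user32.EnumWindows(on_window, 0)
    return records

# Constructed sample records, used when not running on Windows.
SAMPLE = [
    {"hwnd": 0x101, "pid": 4120, "title": "Game client", "visible": True, "affinity": 0x00},
    {"hwnd": 0x102, "pid": 7788, "title": "", "visible": True, "affinity": 0x11},
    {"hwnd": 0x103, "pid": 5150, "title": "Video player", "visible": True, "affinity": 0x01},
]
if __name__ == "__main__":
    source = enumerate_windows() if sys.platform == "win32" else SAMPLE
    print(flag_capture_hidden(source))
```

A visible, untitled window carrying WDA_EXCLUDEFROMCAPTURE next to a monitored application is worth correlating with the owning process before it is treated as benign.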
Application Domains
- Casino Platforms: Hide overlay tools, bot interfaces, and probability calculators from platform screen capture
- Exam Proctoring: Evade proctoring screenshot capture while maintaining access to reference materials
- Remote Monitoring: Bypass employee monitoring screenshots from Hubstaff, Teramind, and similar tools
Detection Resistance
BypassCore's screen capture bypass is designed to evade integrity checks that monitoring software uses to verify its own capture pipeline is intact. We handle checksum verification of hooked functions by maintaining clean copies of original code that are returned during integrity scans. Our hooks are placed using techniques that do not modify the original function bytes — instead using hardware breakpoints, vectored exception handlers, and import address table redirection that leave the original code sections unmodified and hash-verifiable.
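The hook placements named above leave code bytes intact, so an integrity check built only on hashing will pass; a monitoring agent also has to inspect its threads' debug registers and where its import table entries point. The audit below is an added example, not code from the original page or from BypassCore, and it runs on a constructed snapshot: the snapshot layout, function names and addresses are assumptions, with collection (for instance via GetThreadContext and a walk of the import directory) left to the agent.

```python
KINDS = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}


def armed_breakpoints(ctx):
    """Decode DR7; return (slot, address, kind) for every enabled DR0-DR3."""
    armed = []
    for i in range(4):
        if (ctx["dr7"] >> (2 * i)) & 0b11:            # Li or Gi enable bit
            rw = (ctx["dr7"] >> (16 + 4 * i)) & 0b11  # R/Wi condition bits
            armed.append((i, ctx[f"dr{i}"], KINDS[rw]))
    return armed


def owner_of(address, modules):
    """Name of the loaded image containing address, or None."""
    for name, base, size in modules:
        if base <= address < base + size:
            return name
    return None


def audit(threads, imports, modules, watched):
    """threads: tid -> debug registers; imports: (dll, func) -> IAT target;
    modules: (name, base, size); watched: func -> (start, end) of capture APIs."""
    findings = []
    for tid, ctx in sorted(threads.items()):
        for slot, addr, kind in armed_breakpoints(ctx):
            for func, (start, end) in watched.items():
                if start <= addr < end:
                    findings.append(("hw-breakpoint", tid, func, f"DR{slot} {kind}"))
    for (dll, func), target in sorted(imports.items()):
        # Forwarders and API sets mean a target may live in another DLL,
        # so only targets outside every loaded image are flagged.
        if owner_of(target, modules) is None:
            findings.append(("iat-redirect", dll, func, hex(target)))
    return findings


# Constructed snapshot (addresses are made up for the example).
MODULES = [("gdi32.dll", 0x7FF810000000, 0x30000), ("dxgi.dll", 0x7FF820000000, 0x100000)]
WATCHED = {"BitBlt": (0x7FF810001000, 0x7FF810001080)}
THREADS = {
    1204: {"dr0": 0x7FF810001000, "dr1": 0, "dr2": 0, "dr3": 0, "dr7": 0x1},
    1208: {"dr0": 0, "dr1": 0, "dr2": 0, "dr3": 0, "dr7": 0x0},
}
IMPORTS = {("gdi32.dll", "BitBlt"): 0x7FF810001000,
           ("gdi32.dll", "StretchBlt"): 0x000001A2B3C40000}

if __name__ == "__main__":
    print(audit(THREADS, IMPORTS, MODULES, WATCHED))
```

Vectored exception handlers are not covered by this check and need their own inspection.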
Need a Screen Capture Bypass?
Whether you need to bypass casino capture, proctoring tools, or employee monitoring — BypassCore builds undetectable solutions.