CaptureBypass — Screen Capture Bypass via Kernel GPU Framebuffer Access

A kernel-level screen capture tool that bypasses SetWindowDisplayAffinity protection by reading the GPU framebuffer directly from hardware. Unlike traditional approaches that hook or patch Windows APIs, this reads the raw pixel data that the GPU sends to the physical monitor — making it completely invisible to any software-based integrity check.

How It Works

Windows applications can call SetWindowDisplayAffinity(hwnd, WDA_EXCLUDEFROMCAPTURE) to prevent their window from being captured by screen capture APIs like BitBlt, PrintWindow, or DXGI Desktop Duplication. The protection works at the DWM compositor level — the window content is excluded from the composition buffer returned to capture APIs.

CaptureBypass takes a fundamentally different approach: instead of interacting with Windows capture APIs at all, it reads the display output directly from the GPU hardware.

The Technique

1. PCI Bus Scan — The kernel driver scans the PCI configuration space to locate the display GPU (class code 0x03). It reads BAR0 to find the GPU's MMIO (Memory-Mapped I/O) register base address.

2. GPU Register Read — On Intel GPUs (Gen9+ / Skylake and later), the driver reads the display plane configuration registers:

   • PLANE_CTL — pixel format, tiling mode, enable status
   • PLANE_SIZE — display resolution (width x height)
   • PLANE_STRIDE — bytes per scanline
   • PLANE_SURF — GGTT offset of the display surface

3. GGTT Translation — The PLANE_SURF register contains a GGTT (Global Graphics Translation Table) offset. The driver reads GGTT entries from MMIO space (at offset 0x800000) to translate each 4KB GPU virtual page to a physical memory address.

4. Physical Memory Copy — Each physical page of the framebuffer is mapped into kernel address space via MmMapIoSpace and copied to the user-mode output buffer.

5. De-tiling — Intel GPUs store the framebuffer in tiled formats (X-tile, Y-tile) for memory access efficiency. The usermode viewer de-swizzles the raw data back to linear BGRA pixel layout.

Why This Bypasses Protection

SetWindowDisplayAffinity only affects the software composition path in DWM. The physical display output — what the GPU actually sends to the monitor — always contains the full, unprotected window content. By reading the GPU's scanout surface directly, we bypass the protection entirely without modifying any Windows structures or hooking any APIs.

Key properties:

• PatchGuard safe — no kernel hooks, no patches, no detours
• Does not modify any Windows kernel or win32k structures
• Invisible to all known anti-capture integrity checks
• Works regardless of DWM compositor settings

Fallback: tagWND DKOM

For non-Intel GPUs, the driver includes a fallback approach that directly modifies the DisplayAffinity field in the kernel tagWND structure via DKOM (Direct Kernel Object Manipulation). This uses MDL remapping and physical memory mapping to write to the protected kernel structure. The tagWND offset is discovered dynamically by scanning the gSharedInfo handle table — no hardcoded offsets needed.

Screenshots

Full desktop capture

Video Demo

See the full demonstration video: screen-capture-bypass-demo.mp4

Building

Usermode Viewer (C# / .NET 8)

cd src/viewer
dotnet build -c Release

The output will be in src/viewer/bin/Release/net8.0-windows/.

Kernel Driver (C / WDK)

Requires Windows Driver Kit (WDK) and Visual Studio with the WDK extension.

1. Create a new KMDF driver project in Visual Studio
2. Replace the source with src/driver/AffinityBypass.c
3. Build for x64 Release

Or use the WDK command line:

msbuild AffinityBypass.vcxproj /p:Configuration=Release /p:Platform=x64

Usage

1. Load the driver (requires Administrator + test signing mode):

   bcdedit /set testsigning on    # Reboot required
   sc create AffinityBypass type=kernel binPath=C:\path\to\AffinityBypass.sys
   sc start AffinityBypass
   

2. Run the viewer:

   CaptureBypass.exe
   

3. Select a window from the dropdown (protected windows show [PROTECTED 0x...]) and click Start.

Requirements

• Windows 10 or Windows 11 (x64)
• Intel GPU (Gen9+ / Skylake or later) for GPU framebuffer capture
• Administrator privileges
• Test signing mode enabled (for unsigned driver loading)

Public Release Note

The kernel driver source in this repository is partially redacted. The struct definitions, IOCTL interface, PCI GPU detection, and driver entry/unload are included in full. The core GPU framebuffer capture implementation and tagWND DKOM patching logic have been removed from the public release.

The usermode viewer is provided in full — it handles driver communication, framebuffer de-tiling (X-tile and Y-tile), window region cropping, and live display.

Contact

• Email: contact@bypasscore.com
• Telegram: @bypasscore
• Web: bypasscore.com

Support

If you find this project useful, consider supporting development:

Network	Address
Polygon	0xd0f38b51496bee61ea5e9e56e2c414b607ab011a
Ethereum	0xd0f38b51496bee61ea5e9e56e2c414b607ab011a
BSC	0xd0f38b51496bee61ea5e9e56e2c414b607ab011a
Arbitrum	0xd0f38b51496bee61ea5e9e56e2c414b607ab011a
Optimism	0xd0f38b51496bee61ea5e9e56e2c414b607ab011a
Avalanche	0xd0f38b51496bee61ea5e9e56e2c414b607ab011a

License

MIT License - Copyright (c) 2025 BypassCore Labs