Usermode WDA_MONITOR/WDA_EXCLUDEFROMCAPTURE bypasser using undocumented Windows functions with C# bindings.
Starring:
- PEB walking
- Halo's Gate
- Custom PE sections
- Undocumented Windows functions
- Quick and dirty EDR/AV evasion (2/72 on VirusTotal)
- Direct syscalls
Getting Started
Install the package:
Usage (C#)
Take screenshots unmasking any hidden windows:
```csharp
using ThirdEye;

// The session is disposed automatically at the end of the enclosing scope.
using var session = new ThirdEyeSession();
session.CaptureToFile("screenshot.png");
```
Options are available:
```csharp
using var session = new ThirdEyeSession();

var options = new ThirdEyeOptions(
    format: ThirdeyeFormat.Jpeg,
    quality: 90,
    bypassProtection: true
);

session.CaptureToFile("screenshot.jpeg", options);
```
If needed, screenshots can be stored in memory:
```csharp
using var session = new ThirdEyeSession();

// Returns the encoded image bytes instead of writing a file.
byte[] bufferData = session.CaptureToBuffer();
```
Usage (C/C++)
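```cpp
#include "thirdeye_core.h"

int main() {
    ThirdeyeContext* ctx = nullptr;

    // Only capture and clean up if the context was created successfully.
    if (Thirdeye_CreateContext(&ctx) == THIRDEYE_OK) {
        // nullptr for the options argument, as in the original snippet.
        Thirdeye_CaptureToFile(ctx, L"screenshot.jpg", nullptr);
        Thirdeye_DestroyContext(ctx);
    }
    return 0;
}
```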