Detecting window hijacking via ETW and GDI table scanning.
winbo parses the dxgkrnl.sys ETW events to see which processes call Present on which window handles. The process id of the Present caller is compared to the process id of the window owner; if they do not match, a process is rendering into another process's window (hijacking it). If the two processes share a common parent process they are allowed, as legitimate applications can use a cluster of processes sharing one window.
The above check covers windows rendered with any of the major graphics APIs (DirectX, OpenGL, etc.). One other path remains: GDI. A process can also render by obtaining a handle to the window's DC and copying a draw buffer into it. To detect this, the shared GDI handle table is iterated to find DC handles. The owner of each DC handle is compared to the owner of the window the DC points to, and if they don't match, the window is being hijacked.