r2 - 12 Aug 2008 - 00:08:42 - MattJonkman
Ever have issues trying to get management to understand log files from your proxy server showing inappropriate user activity? As they say, a picture is worth 1000 words. If you decide to use this little proggie to monitor employee activity, make sure you are within your rights to do so. Also, it is not very stealthy: it just dumps the screenshots to a folder on the local drive or a network share. You need Admin rights to remotely install it, and you need to reboot the machine before it starts working (you can just use the shutdown command in XP). It does write to the Run key, so if you have some sort of AV protection preventing this you will need an alternate way to start it.

First, download and install the latest version of ActivePerl 5.8 (5.10 currently does not work).

http://www.activestate.com/store/activeperl/download/

Next we are going to install some deps that we need for taking the screenshots and for converting our Perl script to an exe, so that the target machine does not need to have Perl installed.

ppm install http://www.bribes.org/perl/ppm/PerlMagick.ppd

ppm install http://www.bribes.org/perl/ppm/Parse-Binary.ppd

ppm install http://www.bribes.org/perl/ppm/Win32-EXE.ppd

ppm install http://www.bribes.org/perl/ppm/Module-ScanDeps.ppd

ppm install http://theoryx5.uwinnipeg.ca/ppms/PAR-Dist.ppd

ppm install http://theoryx5.uwinnipeg.ca/ppms/PAR.ppd

ppm install http://theoryx5.uwinnipeg.ca/ppms/PAR-Packer.ppd

ppm install http://theoryx5.uwinnipeg.ca/ppms/Win32-Screenshot.ppd

ppm install Win32::TieRegistry

ppm install File-Copy-Recursive

Make the dir to hold the files that we will transfer to the target system.

mkdir c:\screenshots

Copy the ImageMagick DLLs into the c:\screenshots dir; for some reason pp doesn't package them.

copy C:\Perl\site\lib\auto\Image\Magick\*.dll c:\screenshots

Start the screenshot install build.

-t gives the script the target ip address

-w tells the screenshot proggie where to write the screenshots to. Make sure you properly escape anything that Perl needs escaped, so c:\downloads\ becomes c:\\downloads\\ and \\someserver\somehiddenshare$\ becomes \\\\someserver\\somehiddenshare\$\\

-i tells the program at what interval to take screen shots. It will not take a screen shot if nobody is logged in or the screen is locked.

-s tells the program what directory to copy over to the remote system. This needs to be the same dir that contains the ImageMagick DLLs. In the example below, wearewatching.exe also gets created in this dir.

-d tells the program what the dst directory should be on the remote machine. It doesn't have to be c:\windows\system32\ but it has to be somewhere in the PATH.

-e tells the program what executable name to give the application.

c:\perl\bin\perl f:\\screenshotinstaller3.pl -t 127.0.0.1 -w c:\\downloads\\ -i 60 -s c:\\screenshots\\ -d c:\\windows\\system32\\ -e wearewatching.exe

Once the program is built, it will copy the files over to the remote machine and remotely spawn the screenshot process for its first run. The first run will check for the registry key, add it if it is not there, and then exit. You will then have to manually reboot the remote machine.

shutdown -r -f -m \\127.0.0.1

In this example, once the user logs back in it will create a folder named for the date below c:\downloads, so something like MonAug112008. The program will create a new folder each day, and in each folder you will have a new image every 60 seconds while a user is logged in, with the name format Domain:username:date.png
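Because the program starts from the Run key, an administrator can confirm where it is (or is not) installed by auditing that key against a baseline. The following is an added example, not part of the original page or the script it describes; the registry hive, the value name "wearewatching", the sample `reg query` output and the approved baseline are all constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `reg query` output for a Run key (not from a real host).
# The hive and the value name "wearewatching" are assumptions; the page only
# says the program writes to "the Run key".
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    wearewatching    REG_SZ    c:\windows\system32\wearewatching.exe
"""

# Hypothetical baseline: full lower-cased paths approved for this build image.
# Full paths are used so a familiar file name in another directory still stands out.
APPROVED = {
    r"c:\program files\vmware\vmware tools\vmwaretray.exe",
    r"c:\windows\system32\ctfmon.exe",
}

# reg.exe prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
ENTRY = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")


def exe_path(data):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", data, re.I)
    return m.group(1) if m else data


def audit_run_key(text, approved=APPROVED):
    """Return (value name, path) for every Run entry that is not in the baseline."""
    findings = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # key header or blank line
        path = PureWindowsPath(exe_path(m.group("data")))
        if str(path).lower() not in approved:
            findings.append((m.group("name"), str(path)))
    return findings


if __name__ == "__main__":
    for name, path in audit_run_key(SAMPLE_REG_QUERY):
        print(f"unapproved Run entry: {name} -> {path}")
```
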

Hope somebody else finds it useful ;-).....

Thanks to Matt Jonkman at Emerging Threats for letting me host this file.

ScreenShotInstaller.zip b1830a24a9bf848bf3bbf6f37611b6d9

Topic attachments
Attachment: ScreenShotInstaller.zip; Size: 2.2 K; Date: 11 Aug 2008 - 23:23; Who: WilliamMetcalf