Hidden VNC
My own implementation of HVNC (also known as HiddenVNC / Hidden Desktop).
The client is written in C++ and uses OpenCV for JPEG encoding and image resizing, and WinSock for networking.
The server is written in C# without any third-party libraries.
About Functionality
We use a thread-safe queue with a mutex to synchronize threads.
To save traffic, we compare each new Mat with the previous one, using a threshold that can be changed in the settings.
In server settings, we can configure things such as image quality (resize), JPEG compression quality, input cooldown (for receiving commands, keyboard events and mouse clicks) and process cooldown (between sending frames).
Networking is quite simple here, as it is not the main focus of this PoC, but it still produces tolerable results.
HVNC, which stands for "Hidden Virtual Network Computing", is a technique that allows stealthy remote control with an experience similar to an old-fashioned remote desktop. The main difference is that everything happens on a virtual desktop that is invisible to the user. Creating a virtual desktop is an old feature that dates back to the days of Windows XP.
A classic VNC usually interacts with the remote client simply by emulating mouse clicks at specific coordinates. However, because the hidden desktop is not the active one while we are working with it, we cannot use the classic approach that VNCs use. That makes things a bit more complicated. Crafting a fully fledged PoC requires us to write our own window manager, enumerate the windows on our virtual desktop and manually paint each one onto a bitmap in Z order. For mouse emulation, we have to use functions such as SendMessage or PostMessage, manually compute relative coordinates and find the window that lies at the coordinates of the click.
CreateDesktop
- Creates a new virtual desktop with a custom name
SendMessage
- Sends a message to a specific window by its handle. Windows uses these messages for events and communication
SetThreadDesktop
- Lets us switch which virtual desktop the current thread interacts with
EnumWindows
- We need to keep track of windows and enumerate all the windows that belong to our virtual desktop
PrintWindow
- A function that is not commonly used today; it copies a window's visual content into a DC (works even when the window is not on the active desktop)
WindowFromPoint
- Quite useful function that helps us to find a window by desktop coordinates
PrintWindow requires us to specify a flag, which in our case can be PW_RENDERFULLCONTENT on Windows 8.1 and later. Not specifying this value results in old-looking window borders and also in less compatibility with some browsers that use hardware acceleration (at least from my testing).
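From the defender's side, a desktop made with CreateDesktop is a named object in the window station and can be listed with EnumDesktopsW. The following triage script is an added example, not part of this project's code; the function names and the list of built-in desktop names are assumptions of the example.

```python
import ctypes
import sys

# Assumption of this example: desktops Windows itself creates in the
# interactive window station. Sandboxes, browsers and some security products
# create their own desktops too, so pass those in through the allowlist.
BUILTIN_DESKTOPS = {"default", "winlogon", "disconnect"}


def unexpected_desktops(names, allowlist=()):
    """Return desktop names that are neither built in nor explicitly allowed."""
    known = BUILTIN_DESKTOPS | {n.lower() for n in allowlist}
    return sorted({n for n in names if n.lower() not in known})


def enum_desktops():
    """List desktop names in this process's window station (Windows only)."""
    from ctypes import wintypes
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    proc_t = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.LPWSTR, wintypes.LPARAM)
    user32.GetProcessWindowStation.restype = wintypes.HANDLE
    user32.EnumDesktopsW.argtypes = [wintypes.HANDLE, proc_t, wintypes.LPARAM]
    user32.EnumDesktopsW.restype = wintypes.BOOL
    found = []

    def on_desktop(name, _lparam):
        found.append(name)
        return True  # non-zero keeps the enumeration going

    callback = proc_t(on_desktop)  # keep a reference alive during the call
    if not user32.EnumDesktopsW(user32.GetProcessWindowStation(), callback, 0):
        raise ctypes.WinError(ctypes.get_last_error())
    return found


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("desktop enumeration needs Windows")
    for name in unexpected_desktops(enum_desktops()):
        print("unexpected desktop:", name)
```

Run it inside the interactive session being examined. EnumDesktopsW only returns desktops the calling process is allowed to enumerate, so an empty result is not proof that no extra desktop exists.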
Hidden VNC has already been observed in the wild plenty of times.
Publishing a PoC may be crucial in spreading more knowledge and awareness about the subject.
Also, given the capabilities of hidden VNC, it could indeed be leveraged by red teams for ethical testing.
As always, you take full responsibility for your own use of this code.
The code here is provided strictly for academic, research and ethical purposes.
I am publishing a release here, configured only for local connection and with a prompt on each start informing the user.
- https://icons8.com for used icons
- https://learn.microsoft.com/en-us/windows/win32/api/winuser - official documentation
Code licensed under the GNU General Public License v3: https://www.gnu.org/licenses/gpl-3.0.en.html
You are allowed to fork this repo; I will be happy for any new ideas.
If you are using this code somewhere, please make sure you comply with the license.