{
	"id": "6f6a5335-046f-47bb-b2a0-b1fce057d552",
	"created_at": "2026-04-06T01:30:49.157701Z",
	"updated_at": "2026-04-10T03:20:36.803316Z",
	"deleted_at": null,
	"sha1_hash": "ba4ea295bfc4f6daeb3d0ccbff6f2e06006aaa69",
	"title": "Hidden VNC for Beginners",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 228787,
	"plain_text": "Hidden VNC for Beginners\r\nBy Marcus Hutchins\r\nPublished: 2015-09-13 · Archived: 2026-04-06 00:19:50 UTC\r\nHidden VNC is a creative solution to a solution to a problem which stemmed from banking fraud. Years ago,\r\nwhen fraud was uncommon, most banks only had basic IP or Geo-location checks to flag or block accounts if\r\nsomeone logged in from another computer. To combat this, banking trojans would run a SOCKS proxy server on\r\nthe victim’s computer, allowing the fraudster to access the victim’s bank account with the same IP. As fraud became\r\nmore prominent, banks started coming up with proprietary fraud detection systems which fingerprint the user’s\r\nsystems using a variety of checks (Browser, OS/Plugin versions, locale, timezone, etc). The blackbox nature of\r\nthese systems would require a fraudster to pretty much replicate the victim’s system configuration in order to be\r\nsure the account wouldn’t get blocked, so a more convenient method of fraud had to be found; that method was, of\r\ncourse, VNC. Fraudsters could VNC into a victim’s computer and use it to log into their bank account, but\r\nobviously this wasn’t ideal. If the victim was using the computer, they’d see what the fraudster was doing, and if\r\nthey weren’t, the computer would probably be turned off. What was needed was some kind of VNC software that\r\nallowed fraudsters to access the system discreetly, at the same time as the victim was using it.\r\nHidden Desktop\r\nMalware can make use of some little-known Windows features such as CreateDesktop and\r\ncross-process window subclassing to implement an invisible environment for VNC to run. As most Linux users\r\nwill probably be familiar with, a lot of distros have the ability to run multiple simultaneous desktops with\r\nindependent taskbars. Windows has had this ability to create multiple desktops since 2000, but it’s not a well\r\nknown feature and there is no default application to make use of it. 
By calling CreateDesktop, software can create\r\na hidden desktop and execute applications in the desktop’s context. All applications running on the hidden desktop\r\nwill be invisible to the other desktops (i.e. the one the victim is using); they will not even show in the taskbar\r\noutside of the hidden desktop. Sounds simple enough, right?\r\nScreenshots\r\nMost VNC software works by taking periodic screenshots and sending them back to the client;\r\nhowever, Windows does not render any GUI elements to desktops which are not active (currently displayed on the\r\nmonitor). One can’t simply capture screenshots of the hidden desktop; instead the VNC server would have to\r\ncall EnumDesktopWindows to get a list of windows running on the hidden desktop, then call PrintWindow on\r\neach individual window, writing them to a bitmap in reverse Z-Order (starting with the bottom-most window and\r\nworking its way to the top-most). Essentially the server is just emulating the screenshot feature by rendering each\r\nindividual window to a bitmap in reverse of the order they appear on the screen.\r\nUnfortunately, some applications don’t properly handle WM_PRINT or WM_PRINTCLIENT messages (sent by\r\nPrintWindow), and as a result all or parts of the application will display as a white rectangle, as shown below.\r\nTo resolve this, the VNC server would need to implement the WM_PRINT and WM_PRINTCLIENT messages on\r\nbehalf of the application, making sure it paints all visible elements to the buffer. 
This can be done by either\r\ninjecting code into all processes and hooking various functions in user32.dll, or by using cross-process subclassing\r\nto give the VNC server the ability to process window messages destined for the target application from within the\r\nVNC process.\r\nUser Input\r\nWhen it comes to user input, the server has to emulate a virtual keyboard / mouse as input would be\r\nsent to the active desktop, not the hidden one. Normally when the mouse is moved or clicked the VNC client\r\nwould send the position along with a button click event to the VNC server, which would move the mouse to the\r\ngiven position and simulate a click, but because the real keyboard and mouse can’t be used, things are far more\r\ncomplicated. The VNC server would have to keep track of every window on the hidden desktop, its location, and\r\nits Z-Index; when a click event is sent, the server would need to find which window is at the cursor’s current\r\nposition by enumerating each window and checking its coordinates and visibility, then use PostMessage to send it\r\na click event. 
For keyboard input the same is true: the VNC server needs to keep track of which window is currently\r\nfocused and use PostMessage to direct the input towards it.\r\nConclusion\r\nHidden VNC is probably one of the most complicated malware features to code and essentially requires coders to\r\nimplement their own window manager, which is why there are very few unique implementations in the wild (most\r\nmalware uses a single implementation unimaginatively named HVNC).\r\nSadly, due to the fact it’s a very sought-after feature for banking trojans, I’m not going to post proof of concept\r\ncode; however, I’ve uploaded some example code to demonstrate creating and switching between multiple\r\ndesktops, you can find it here: https://github.com/MalwareTech/CreateDesktop/\r\nSource: https://www.malwaretech.com/2015/09/hidden-vnc-for-beginners.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.malwaretech.com/2015/09/hidden-vnc-for-beginners.html"
	],
	"report_names": [
		"hidden-vnc-for-beginners.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439049,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba4ea295bfc4f6daeb3d0ccbff6f2e06006aaa69.pdf",
		"text": "https://archive.orkl.eu/ba4ea295bfc4f6daeb3d0ccbff6f2e06006aaa69.txt",
		"img": "https://archive.orkl.eu/ba4ea295bfc4f6daeb3d0ccbff6f2e06006aaa69.jpg"
	}
}