Skip to content
Go to file

Latest commit

Have to change display to :1 instead of :0 due to Kali changes.

Git stats


Failed to load latest commit information.
Latest commit message
Commit time


Scans for accessibility tools backdoors via RDP

Twitter: @DennisMald

Twitter: @notmedic

Establishes a Remote Destop session (RDP) with the specified hosts and sends key presses to launch the accessibility tools within the Windows Login screen. will analyze the console and alert if a command prompt window opens up. Screenshots will be put into a folder ('./rdp-screenshots' by default) and screenshots with a cmd.exe window are put in a subfolder ('./rdp-screenshots/discovered' by default). accepts a single host or a list of hosts, delimited by line and works with multiple hosts in parallel. incorporates code from Zach Grace's sticky_keys_hunter

DEFCON24 Presentation Slides:

Video demo of stickyKeysSlayer can be found here:


  • imagemagick
  • xdotool
  • parallel
  • bc

All packages exist in the Kali repositories:

apt-get update

apt-get -y install imagemagick xdotool parallel bc


In some situations, running this tool within Docker may be advantageous. To do so, first build it:

docker build -t sticky-keys-slayer .

Then run the container, passing in necessary arguments to

docker run --rm -it --name sticky-keys-slayer --net=host sticky-keys-slayer -o /tmp/pics <target>

If you'd like to save the screenshots of vulnerable systems:

mkdir pics
docker run --rm -it --name sticky-keys-slayer --net=host -v `pwd`/pics:/tmp/foo/ sticky-keys-slayer -o /tmp/pics <target>

If you'd like to pass in a list of hosts to run and save the screenshots

mkdir pics
# put some hosts in hosts.txt
echo > hosts.txt
docker run --rm -it --name sticky-keys-slayer --net=host -v `pwd`/hosts.txt:/tmp/hosts.txt -v `pwd`/pics:/tmp/foo/ sticky-keys-slayer -o /tmp/pics /tmp/hosts.txt

To Do:

  • Detection of missed boxes (boxes to which we do not obtain a screenshot)
  • Handle scenario when more than one window is found to share the same title. Perhaps quit if wc -l > 1 for xdotool search.
  • Detect if black pixels are greater than 480,000. Means title bar went away. Possibly error out and move on
  • Fix bug when scanning hosts with a specified port. (Ex:
  • Fix whitespacing (Windows vs Linux)


Scans for accessibility tools backdoors via RDP




No releases published


No packages published


You can’t perform that action at this time.