Scans for accessibility tools backdoors via RDP
Switch branches/tags
Nothing to show
Clone or download
linuz Fix for Kali linux changes
Have to change display to :1 instead of :0 due to Kali changes.
Latest commit 0b431ac Mar 16, 2018


Scans for accessibility tools backdoors via RDP

Twitter: @DennisMald

Twitter: @notmedic

Establishes a Remote Destop session (RDP) with the specified hosts and sends key presses to launch the accessibility tools within the Windows Login screen. will analyze the console and alert if a command prompt window opens up. Screenshots will be put into a folder ('./rdp-screenshots' by default) and screenshots with a cmd.exe window are put in a subfolder ('./rdp-screenshots/discovered' by default). accepts a single host or a list of hosts, delimited by line and works with multiple hosts in parallel. incorporates code from Zach Grace's sticky_keys_hunter

DEFCON24 Presentation Slides:

Video demo of stickyKeysSlayer can be found here:


  • imagemagick
  • xdotool
  • parallel
  • bc

All packages exist in the Kali repositories:

apt-get update

apt-get -y install imagemagick xdotool parallel bc


In some situations, running this tool within Docker may be advantageous. To do so, first build it:

docker build -t sticky-keys-slayer .

Then run the container, passing in necessary arguments to

docker run --rm -it --name sticky-keys-slayer --net=host sticky-keys-slayer -o /tmp/pics <target>

If you'd like to save the screenshots of vulnerable systems:

mkdir pics
docker run --rm -it --name sticky-keys-slayer --net=host -v `pwd`/pics:/tmp/foo/ sticky-keys-slayer -o /tmp/pics <target>

If you'd like to pass in a list of hosts to run and save the screenshots

mkdir pics
# put some hosts in hosts.txt
echo > hosts.txt
docker run --rm -it --name sticky-keys-slayer --net=host -v `pwd`/hosts.txt:/tmp/hosts.txt -v `pwd`/pics:/tmp/foo/ sticky-keys-slayer -o /tmp/pics /tmp/hosts.txt

To Do:

  • Detection of missed boxes (boxes to which we do not obtain a screenshot)
  • Handle scenario when more than one window is found to share the same title. Perhaps quit if wc -l > 1 for xdotool search.
  • Detect if black pixels are greater than 480,000. Means title bar went away. Possibly error out and move on
  • Fix bug when scanning hosts with a specified port. (Ex:
  • Fix whitespacing (Windows vs Linux)