[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-1248":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":13,"stars7d":13,"stars30d":16,"stars90d":15,"forks30d":15,"starsTrendScore":16,"compositeScore":17,"rankGlobal":9,"rankLanguage":9,"license":9,"archived":18,"fork":18,"defaultBranch":19,"hasWiki":20,"hasPages":18,"topics":21,"createdAt":9,"pushedAt":9,"updatedAt":22,"readmeContent":23,"aiSummary":24,"trendingCount":15,"starSnapshotCount":15,"syncStatus":25,"lastSyncTime":26,"discoverSource":27},1248,"TailVNC","wh0amitz\u002FTailVNC","wh0amitz","Tailscale-based Windows VNC persistence tool with Session 0 isolation bypass, embedding a full WireGuard peer and RFB server into a single drop-in binary.",null,"Go",294,34,3,1,0,9,50.03,false,"master",true,[],"2026-06-12 04:00:08","# TailVNC\n\nA Windows remote desktop persistence tool built on top of Tailscale's WireGuard-encrypted mesh network. TailVNC embeds a fully self-contained VNC server and Tailscale node into a single binary, enabling secure remote desktop access over Tailscale\u002FHeadscale without exposing any ports to the public internet. Designed for both legitimate infrastructure administration and red team persistence operations.\n\nInspired by [SockTail](https:\u002F\u002Fgithub.com\u002FYeeb1\u002FSockTail).\n\n## Features\n\n- **Tailscale\u002FHeadscale Integration** - Leverages `tsnet` to embed a WireGuard peer directly into the binary; supports both official Tailscale coordination and self-hosted Headscale control planes\n- **Windows Session 0 Isolation Bypass** - When running as SYSTEM, automatically spawns an agent process in the active user session via `CreateProcessAsUser` and proxies VNC traffic through IPC, circumventing Vista+ session isolation\n- **Dynamic Desktop Tracking** - Follows the user across desktop transitions including the default desktop, Winlogon (login screen), UAC secure desktop, and lock screen via `OpenInputDesktop`\u002F`SetThreadDesktop`\n- **Ctrl+Alt+Del Injection** - Sends the Secure Attention Sequence from Session 0 via `sas.dll!SendSAS`\n- **Bidirectional Clipboard Sync** - Latin-1 clipboard synchronization between VNC client and target host\n- **Build-Time Configuration Embedding** - Auth key, VNC password, listen port, and control URL are injected at compile time via LDFLAGS; the resulting binary requires no configuration files at runtime\n- **Auth Key Obfuscation** - Tailscale auth key is XOR-obfuscated at build time to prevent plaintext credential exposure in the binary\n\n## Architecture\n\n```\n┌──────────────────────────────────────────────┐\n│          TailVNC Service (Session 0)         │\n│                                              │\n│  tsnet.Server ───► Tailscale\u002FHeadscale Net   │\n│       │                                      │\n│  VNC Listener :5900 (Tailscale interface)    │\n│       │                                      │\n│  ┌────▼───────────────────────────────────┐  │\n│  │ Session Manager                        │  │\n│  │  - Polls active console session (2s)   │  │\n│  │  - Spawns agent via CreateProcessAsUser│  │\n│  │  - Auto-restarts on session change     │  │\n│  │    or agent crash                      │  │\n│  └────┬───────────────────────────────────┘  │\n│       │ TCP Proxy (bidirectional)            │\n└───────┼──────────────────────────────────────┘\n        ▼\n┌────────────────────────────────────────┐\n│   VNC Agent (User Session, Desktop)    │\n│   127.0.0.1:15900                      │\n│   - GDI+ screen capture (~30fps)       │\n│   - SendInput keyboard\u002Fmouse injection │\n│   - Clipboard monitoring               │\n└────────────────────────────────────────┘\n```\n\n## Tech Stack\n\n| Component | Technology |\n|-----------|------------|\n| Language | Go 1.25+ |\n| Network Transport | [Tailscale tsnet](https:\u002F\u002Fpkg.go.dev\u002Ftailscale.com\u002Ftsnet) — embedded WireGuard peer |\n| VNC Protocol | RFB 3.008 (custom implementation, Raw encoding) |\n| Screen Capture | Windows GDI+ (`CreateDIBSection`, `BitBlt`) |\n| Input Injection | Windows `SendInput` API |\n| Session Management | `WTSQueryUserToken` + `CreateProcessAsUser` |\n| Desktop Switching | `OpenInputDesktop` + `SetThreadDesktop` |\n| SAS Injection | `sas.dll!SendSAS` |\n| Authentication | VNC DES challenge-response (per RFB spec) |\n| Key Obfuscation | XOR + hex encoding |\n| System Calls | `golang.org\u002Fx\u002Fsys` (Windows syscall wrappers) |\n| Binary Compression | UPX (optional) |\n| Build System | GNU Make + Go LDFLAGS injection |\n\n## Building\n\n### Prerequisites\n\n- **Go** >= 1.25.3\n- **GNU Make**\n- **UPX** (optional, for binary size reduction)\n- **Tailscale Auth Key** — generate from the Tailscale admin console; reusable + ephemeral keys are recommended for operational use\n\n### Build Parameters\n\n| Parameter | Required | Default | Description |\n|-----------|----------|---------|-------------|\n| `AUTH_KEY` | Yes | — | Tailscale auth key; automatically XOR-obfuscated and embedded at compile time |\n| `LISTEN_PORT` | No | `5900` | VNC listen port on the Tailscale interface |\n| `AUTH_PASS` | No | Empty (no auth) | VNC connection password (DES challenge-response) |\n| `CONTROL_URL` | No | Empty (official Tailscale) | Headscale control plane URL |\n| `CONFIG_DIR` | No | `C:\\Windows\\Temp\\.cache` | Persistent tsnet state directory (WireGuard keys, node identity) |\n\n### Compilation\n\n```bash\n# Minimal build — only auth key required\nmake build-vnc AUTH_KEY=tskey-auth-kBEXAMPLEKEY\n\n# Full build with all parameters\n# [CONTROL_URL] — optional, only required when using a self-hosted Headscale control plane\n# [CONFIG_DIR]  — optional, overrides the default tsnet state directory (C:\\Windows\\Temp\\.cache)\nmake build-vnc \\\n  AUTH_KEY=tskey-auth-kBEXAMPLEKEY \\\n  LISTEN_PORT=5900 \\\n  AUTH_PASS=VNCPassword \\\n  [CONTROL_URL=https:\u002F\u002Fheadscale.example.com] \\\n  [CONFIG_DIR='C:\\Windows\\Temp\\.cache']\n```\n\nBuild artifacts are written to `dist\u002F`:\n\n```\ndist\u002FTailVNC-windows-amd64.exe\n```\n\nThe build pipeline performs the following steps:\n\n1. Cleans previous build artifacts\n2. Downloads and tidies Go module dependencies\n3. Runs `obfuscator\u002F` to XOR-obfuscate the auth key\n4. Injects all configuration into the binary via LDFLAGS (`-X`)\n5. Strips the symbol table and DWARF debug info (`-s -w`)\n6. Compresses the binary with UPX (`--best --lzma`) if available\n\n### Additional Make Targets\n\n```bash\nmake clean    # Remove build artifacts\nmake deps     # Download and tidy Go modules\nmake help     # Print usage and parameter reference\n```\n\n## Usage\n\n**TailVNC must run with SYSTEM privileges.** When executing in Session 0 (as a Windows service or under SYSTEM context), the tool automatically detects the active console session, spawns an agent process within it for screen capture and input injection, and proxies all VNC traffic. If launched directly within an interactive user session, it operates in local mode without the agent proxy layer.\n\nUpon execution, the target host joins the configured Tailscale network as a new node. Connect using any standard VNC client:\n\n```\n\u003CTailscale IP>:5900\n```\n\n![image-20260412003923140](assets\u002Fimage-20260412003923140.png)\n\n![image-20260412004037568](assets\u002Fimage-20260412004037568.png)\n","TailVNC 是一个基于 Tailscale 的 Windows VNC 持久化工具，通过集成 WireGuard 加密的网格网络和 RFB 服务器到单个可执行文件中，实现了无需公开端口的安全远程桌面访问。其核心功能包括 Tailscale\u002FHeadscale 集成、Windows Session 0 隔离绕过、动态桌面跟踪、Ctrl+Alt+Del 注入以及双向剪贴板同步等。项目使用 Go 语言开发，并利用 Tailscale tsnet 库嵌入完整的 WireGuard 节点。TailVNC 适用于合法的基础架构管理和红队持久化操作场景，在确保安全性的前提下提供了便捷的远程控制解决方案。",2,"2026-06-11 02:42:34","CREATED_QUERY"]