<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Remote Clipboard Data In-Memory Attacks and Detection</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Khaled Fawzy Mohamed</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Nashwa AbdelBaki</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Ahmed Shosha</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Nile University</institution>
          ,
          <addr-line>Cairo</addr-line>
          ,
          <country country="EG">Egypt</country>
        </aff>
      </contrib-group>
      <abstract>
        <p>The exchange of data through the clipboard between different applications and computers is a fundamental capability provided by modern operating systems and remote access tools. However, it can be abused by cybercriminals and attackers to obtain or manipulate sensitive data such as passwords, secrets, and credential tokens. This paper explores the various types of attacks that can be executed on the clipboard, with particular emphasis on new attacks on shared clipboard data. The investigation entails an in-depth examination of the interplay between the system clipboard and remote computers, including those accessed through virtualization applications and Remote Desktop Protocol (RDP) sessions. The study also proposes a detection technique for identifying such attacks, which can be employed to distinguish normal clipboard-sharing actions from malicious clipboard data sniffing and manipulation. Our findings demonstrate that clipboard hijacking can be accomplished remotely without installing malware on the victim's device, which underscores the need for heightened awareness and security measures against attacks on shared clipboards. The attack was executed successfully on all tested versions of Windows (Windows 7, 10, and 11, in both x86 and x64 variants).</p>
      </abstract>
      <kwd-group>
        <kwd>attack</kwd>
        <kwd>clipboard</kwd>
        <kwd>data manipulation</kwd>
        <kwd>detection</kwd>
        <kwd>malware</kwd>
        <kwd>RDP</kwd>
        <kwd>remote access</kwd>
        <kwd>virtualization</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>Modern operating systems provide features to facilitate transferring data between applications, for example the system clipboard [1]. However, cybercriminals and threat actors continue to develop new techniques to perform malicious activities, and the clipboard has become a prime target for attacks. Malware can monitor and hijack the clipboard, allowing cybercriminals to steal sensitive data such as passwords and credit card numbers [<xref ref-type="bibr" rid="ref14">2</xref>]. Clipboard hijacking involves taking control of the victim’s clipboard and replacing or removing its contents [3]. This attack has been performed on various operating systems; Android applications in Google Play have been found to perform clipboard hijacking to steal seed phrases from the mobile device’s clipboard storage [4]. Cryptocurrency addresses have also been targeted by cybercriminals using clipboard hijacking, with 2.3 million addresses being monitored. All of these previous clipboard hijacking attacks required the installation of malware on the victim’s device in order to control and manipulate the system clipboard [<xref ref-type="bibr" rid="ref8">5</xref>, 3].</p>
      <p>The evolution of cybercriminals and threat actors has resulted in the emergence of new attacks, such as Remote Desktop Protocol (RDP) ransomware attacks. RDP is a popular protocol for remote administration and data transfer that connects remote computers and clients on both Windows and non-Windows machines, and clipboard data is one of the data types that can be transferred between RDP peers [6]. Virtualization applications like VMware share the clipboard using the same technique as RDP, which makes them vulnerable to the newly discovered attack technique. Remote access applications like TeamViewer also share clipboard data using the same method and are therefore susceptible to this type of attack. VirtualBox, however, shares clipboard data between guest and host operating systems differently.</p>
      <p>Clipboard monitoring is a commonly used technique for detecting RDP ransomware attacks [7]. It is therefore crucial to detect and prevent clipboard data manipulation attacks carried out remotely through RDP, virtualization applications, and other remote access applications that allow clipboard sharing. This research shows that clipboard hijacking can occur remotely without malware being installed on the victim’s device. The study focuses on the offensive use of this technique and found that the attack works on all major versions of the Windows operating system that were tested: any Windows host connecting to a malicious Windows server that runs the technique described here is susceptible to clipboard data manipulation. In addition, we developed a real-time detection technique that distinguishes normal clipboard-sharing operations from malicious clipboard data manipulation.</p>
    </sec>
    <sec id="sec-1-1">
      <title>2. Background</title>
      <p>The operating system exposes the clipboard to different applications [1, 8]. The system clipboard supports multiple data formats [9], such as files and text in both Unicode and ASCII form, and assigns a unique numeric format ID and textual name to each clipboard format so that the destination application can identify the data and extract it correctly, without first extracting and then parsing it [10]. Essential clipboard operations include placing data on the clipboard, enumerating the data formats currently available on the clipboard, and registering to receive notifications of clipboard updates [11]. In Microsoft Windows, two primary clipboard mechanisms exist: the standard Windows Clipboard API and Object Linking and Embedding (OLE) uniform data transfer (UDT) [11]. Although Microsoft recommends the OLE mechanism for certain use cases, the standard Windows Clipboard API is still supported and will continue to be maintained, according to Microsoft [12].</p>
      <p>To keep independent system clipboards synchronized, clipboard updates are monitored either by polling the clipboard contents at regular intervals or by registering for clipboard update notifications. Delayed rendering is a supporting technique that keeps independent system clipboards in sync at minimal cost: only the format ID of the copied data is placed on the clipboard, and the data itself is transferred on request, during the paste operation [13].</p>
      <p>This study focuses on the text clipboard data formats shown in Table 1.</p>
      <table-wrap id="tab-1">
        <label>Table 1</label>
        <caption><p>Text clipboard formats used in this study. The numeric identifiers in parentheses are the standard Windows values for these formats.</p></caption>
        <table>
          <thead><tr><th>Value</th><th>Description</th></tr></thead>
          <tbody>
            <tr><td>CF_TEXT (1)</td><td>Null-terminated text format.</td></tr>
            <tr><td>CF_OEMTEXT (7)</td><td>Null-terminated text format containing characters in the OEM character set.</td></tr>
            <tr><td>CF_UNICODETEXT (13)</td><td>Null-terminated Unicode text format.</td></tr>
            <tr><td>CF_PRIVATEFIRST to CF_PRIVATELAST (0x0200 to 0x02FF)</td><td>Private data formats, formats that are application specific.</td></tr>
          </tbody>
        </table>
      </table-wrap>
    </sec>
    <sec id="sec-2">
      <title>3. Clipboard Data Sharing Analysis</title>
      <p>The Remote Desktop Protocol (RDP) enables communication between the local and remote clipboards via the clipboard virtual channel extension. This extension supports delayed rendering of data, which allows efficient synchronization of the two clipboards [1]. The interaction between the local clipboard and applications during copy and paste operations in an RDP connection is illustrated in Figure 1.</p>
      <fig id="fig-1">
        <label>Figure 1</label>
        <caption><p>Copy and paste operations through the clipboard virtual channel. On the client, a local application exchanges data with the system clipboard managed by mstsc.exe, whose virtual channel endpoint talks over the clipboard virtual channel to the endpoint in rdpclip.exe on the server, which in turn serves the server’s system clipboard and its local applications.</p></caption>
      </fig>
      <p>During the copy operation, when a local application on the client system copies data to the system clipboard, the virtual channel endpoint on the server receives a notification and updates the server’s clipboard with the same formats. Once the update is successful, the server acknowledges it.</p>
      <p>During the paste operation, the virtual channel endpoint on the server can send a clipboard data lock request to the client machine to prevent any changes to the data on the client’s system clipboard until an unlock request is sent. The local application on the server requests data from its own clipboard, and the server’s clipboard requests the delay-rendered data from the virtual channel endpoint on the client. The virtual channel endpoint on the server sends a format data request for the requested data type, the endpoint on the client retrieves the data from the client’s system clipboard and returns it to the server endpoint in a format data response. The endpoint on the server updates the server’s clipboard with the received data, the local application on the server receives the data from the server’s clipboard, and finally the server endpoint sends an optional unlock clipboard data protocol data unit (PDU).</p>
      <p>Microsoft Terminal Services Client (mstsc.exe) is a Windows desktop application used by a client machine to create a remote desktop session on another machine [14]. On the RDP server, rdpclip.exe is responsible for all clipboard operations between the RDP server clipboard and the RDP service; it is a normal process that interacts with the RDP service via a dedicated virtual channel [6].</p>
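      <p>The copy-then-paste exchange just described, as an added example that is not part of the original paper: the two in-process endpoints below stand in for mstsc.exe and rdpclip.exe, the PDU names follow the walkthrough above, and the clipboard model, the payloads and the `peer` wiring are constructed for the example (nothing touches the real Win32 clipboard). It shows the property the attacks in Section 4 rely on: after a copy the server side holds only the format identifiers, and the bytes cross the channel only when something on the server asks for them.</p>

```python
"""Simulated RDP clipboard virtual channel exchange (MS-RDPECLIP) with delayed rendering.

Constructed example: two in-process endpoints stand in for mstsc.exe (client) and
rdpclip.exe (server); PDU names follow the copy/paste walkthrough in Section 3.
Nothing here touches the real Win32 clipboard.
"""
from dataclasses import dataclass, field

CF_TEXT, CF_UNICODETEXT = 1, 13      # standard clipboard format ids (Table 1)


@dataclass
class Clipboard:
    """One system clipboard: format id -> bytes, or None while the format is delay-rendered."""
    data: dict = field(default_factory=dict)
    render: object = None            # callback invoked when a delayed format is requested

    def set_formats(self, formats, render):
        # SetClipboardData(fmt, NULL) for every announced format: ids only, no payload.
        self.data = {fmt: None for fmt in formats}
        self.render = render

    def get_data(self, fmt):
        if self.data.get(fmt) is None and self.render is not None:
            self.data[fmt] = self.render(fmt)     # the WM_RENDERFORMAT moment
        return self.data.get(fmt)


class Endpoint:
    """One clipboard virtual channel endpoint; `peer` is the endpoint on the other side."""

    def __init__(self, name, clipboard, log):
        self.name, self.clipboard, self.log = name, clipboard, log
        self.peer, self.locked = None, False

    def send(self, pdu, **fields):
        self.log.append((self.name, pdu, dict(fields)))
        return self.peer.receive(pdu, fields)

    def receive(self, pdu, f):
        if pdu == "FormatList":                       # peer copied: mirror the format ids
            self.clipboard.set_formats(
                f["formats"], render=lambda fmt: self.send("FormatDataRequest", fmt=fmt))
            return self.send("FormatListResponse", ok=True)
        if pdu == "FormatListResponse":
            return f["ok"]
        if pdu == "FormatDataRequest":                # peer is pasting: render and return
            return self.send("FormatDataResponse", fmt=f["fmt"],
                             data=self.clipboard.get_data(f["fmt"]))
        if pdu == "FormatDataResponse":
            return f["data"]
        if pdu in ("LockClipData", "UnlockClipData"):
            self.locked = pdu == "LockClipData"
            return self.locked
        raise ValueError("unknown PDU " + pdu)


def local_copy(endpoint, payload_by_format):
    """A local application copies: its own clipboard gets the bytes, the peer only the format list."""
    endpoint.clipboard.data = dict(payload_by_format)
    endpoint.clipboard.render = None
    return endpoint.send("FormatList", formats=list(payload_by_format))


def remote_paste(endpoint, fmt):
    """An application on `endpoint` pastes: lock the peer's clipboard, pull the data, unlock."""
    endpoint.send("LockClipData", clip_data_id=1)
    data = endpoint.clipboard.get_data(fmt)      # triggers FormatDataRequest over the channel
    endpoint.send("UnlockClipData", clip_data_id=1)
    return data


def run_session():
    """Client copies a constructed secret, server pastes it; returns what crossed the channel when."""
    log = []
    client, server = Endpoint("mstsc", Clipboard(), log), Endpoint("rdpclip", Clipboard(), log)
    client.peer, server.peer = server, client
    local_copy(client, {CF_UNICODETEXT: "hunter2".encode("utf-16-le"), CF_TEXT: b"hunter2"})
    server_view_after_copy = dict(server.clipboard.data)
    pasted = remote_paste(server, CF_TEXT)
    return server_view_after_copy, pasted, [(who, pdu) for who, pdu, _ in log]


if __name__ == "__main__":
    print(run_session())
```

      <p>Running it prints the PDU order: FormatList and FormatListResponse at copy time, then LockClipData, FormatDataRequest, FormatDataResponse and UnlockClipData at paste time, with the server’s clipboard holding only the two format ids in between. Any code running inside the server-side endpoint process that requests a format, as rdpclip.exe does on behalf of every local reader, is therefore positioned to read or rewrite the victim’s data.</p>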
      <p>Remote access applications like TeamViewer, which give users the ability to remotely access and control a computer, also offer clipboard sharing. This feature allows seamless sharing of clipboard data between the connected systems, making it easy to transfer information between the remote and local computers. The process of sharing clipboard data via TeamViewer is similar to the one used in RDP connections: clipboard data is exchanged via a dedicated virtual channel.</p>
      <p>In virtualized environments such as VMware, two components facilitate the exchange of clipboard data: vmtoolsd.exe, which is responsible for interactions with the clipboard on the guest operating system, and vmware-vmx.exe, which is specific to the targeted virtual machine (VM) and resides on the host operating system. These components work together to coordinate the exchange of clipboard data between the guest and host operating systems. The process is illustrated in Figure 2.</p>
      <fig id="fig-2">
        <label>Figure 2</label>
        <caption><p>System clipboard interaction through virtualization: the system clipboard of the guest operating system is served by vmtoolsd.exe, that of the host operating system by vmware-vmx.exe (VMware Workstation), and clipboard sharing takes place between the two.</p></caption>
      </fig>
      <p>In virtualized environments, transmitting clipboard changes to the other connection peer works similarly to the RDP case. Changes to the clipboard are transmitted in real time, and clipboard data sharing is handled much as it is between rdpclip.exe and mstsc.exe in Windows RDP. However, changes made to the clipboard on either the guest or the host are not transmitted to the other side until the user moves control (keyboard and mouse focus) to that side and activates it.</p>
      <sec id="sec-2-1">
        <title>4. Clipboard Data Attacks</title>
        <sec id="sec-2-1-1">
          <title>4.1. Local Attacks</title>
          <p>Clipboard hijacking and data manipulation attacks are sophisticated techniques that require in-depth analysis of the related Windows Application Programming Interface (API) calls. To simulate clipboard data manipulator malware, a simple application can be created and run on a local Windows machine to analyze the interaction between the application and the system clipboard. The goal is to demonstrate how clipboard data can be manipulated using the standard Windows clipboard APIs: by running such malware on a victim’s machine, an attacker can use basic Windows API calls to manipulate the clipboard data.</p>
          <p>The process involves allocating memory to hold the manipulation string, calling OpenClipboard to open the clipboard for examination and prevent other applications from modifying its contents, and calling EmptyClipboard to clear the clipboard and free the handles to the data it holds. SetClipboardData is then used to place data on the clipboard in a specified clipboard format, in this case CF_TEXT, and finally CloseClipboard is called to close the clipboard. Previous malware samples have used similar techniques to access clipboard data.</p>
          <p>In their analysis, the researchers in [15] identified multiple techniques used by malware authors to access clipboard data, including registering the malware as a clipboard viewer or hooking the SetClipboardData and GetClipboardData functions to intercept and steal data from the clipboard. This can result in the theft of sensitive information such as login credentials, credit card numbers, or personally identifiable information (PII). To mitigate the risks associated with these attacks, appropriate security measures should be implemented, such as clipboard data encryption [15], monitoring of clipboard-related activity, and up-to-date antivirus software. By being vigilant and taking proactive steps to guard against these attacks, individuals and organizations can reduce the probability that their sensitive data is compromised.</p>
        </sec>
        <sec id="sec-2-1-2">
          <title>4.2. Remote Attacks</title>
          <p>In Section 3, we discussed how different applications interact with the system clipboard and the RDP clipboard virtual channel extension. By monitoring the Windows API calls of rdpclip.exe, we identified the sequence of API calls invoked during clipboard data exchange between RDP peers. The primary functionality of clipboard data sharing is achieved through a few essential API calls. AddClipboardFormatListener registers a given window handle in the system-maintained clipboard format listener list, which enables that window to receive a notification whenever the clipboard changes. Several functions exported by user32.dll, namely OpenClipboard, EmptyClipboard, and (multiple calls to) SetClipboardData, are responsible for opening the clipboard, emptying its contents, and setting data on the clipboard in different formats. Notably, the use of delayed rendering, whereby SetClipboardData is called with a NULL data handle, is what allows clipboard data to be manipulated: a given format is announced, but the actual rendering of the data is delayed until another application requests it.</p>
          <p>Based on our analysis, an attacker on a malicious remote machine, such as an RDP server, a malicious VM accessed through a VMware console, or a peer in a TeamViewer connection, can detect changes in clipboard data and manipulate or wipe the copied data, knowing the data type on the client machine. Once a connection is established with the malicious server or remote machine, the attacker can launch multiple attacks on the client machine, as described in the cases above. To avoid detection during memory forensics of the victim machine, the attacker can hook the SetClipboardData function instead of registering the malware as a clipboard viewer, as described in [16]. Extracting clipboard data from memory depends on traversing the window station object, which has multiple attributes, including spwndClipViewer, which indicates whether a clipboard viewer is registered. Hooking SetClipboardData is therefore a stealthier approach than registering the malware as a clipboard viewer.</p>
        </sec>
      </sec>
      <sec id="sec-3-1">
        <title>5. ATTACK IMPLEMENTATIONS</title>
        <p>Windows clipboard hijacking, data manipulation, and sniffing attacks can be performed using the following approaches.</p>
        <sec id="sec-3-1-1">
          <title>5.1. Host-based clipboard hijacking via malicious software</title>
          <p>This attack involves the installation of malware on the victim’s computer by the attacker. The malware monitors copy operations and compares the clipboard data with predefined signatures for replacement; when it identifies a match, it replaces the identified data. To perform clipboard hijacking and data manipulation locally, the attacker must get malicious software onto the victim’s machine, which may require other tactics, such as social engineering, to deliver the malware [3].</p>
          <p>Adding new patterns for manipulating targeted data may require an interactive connection with the attacker, which increases the chance of detection and can be considered a limitation of this attack.</p>
        </sec>
        <sec id="sec-3-1-2">
          <title>5.2. Remote clipboard hijacking via malicious RDP server</title>
          <p>Once the victim connects to the malicious Windows RDP server, the victim’s clipboard is shared with the malicious server, which allows the attacker to monitor and manipulate any copy operation performed on the victim’s machine. To carry out this attack, the attacker injects a malicious Dynamic Link Library (DLL) into the rdpclip.exe process running on the RDP server. This DLL hooks the SetClipboardData API function, which enables the attacker to manipulate the clipboard data in real time. Because the clipboard is shared in both directions, the data that rdpclip.exe subsequently places on the server clipboard is announced back to the client as a new format list, which is why the data the victim pastes locally is the attacker’s.</p>
          <p>DLL injection is a technique that injects code into a target application’s memory space through a DLL, which allows further interaction with the application’s functions and memory [16]. Function hooking, on the other hand, modifies an application’s behavior by forcing it to use a different function than the one it was intended to use [<xref ref-type="bibr" rid="ref30">17</xref>]. It is worth noting that all attacks and detection techniques proposed in this study perform DLL injection in user space.</p>
          <p>To execute the attack, the attacker sets up a malicious Windows RDP server that intercepts any data copied on the victim’s machine while it is connected to the server. Function hooking is then used to manipulate the copied data on the clipboard, and the modified data is presented to the victim when they paste it. However, this attack performs remote clipboard data manipulation blindly, which can result in every piece of shared clipboard data being replaced with a fixed value or deleted altogether, leading to a denial of service for copy-and-paste operations on the victim’s machine. The attack flow chart is illustrated in Figure 3.</p>
          <sec id="sec-3-1-2-1">
            <title>5.2.1. Attack walkthrough</title>
            <p>The primary goal of this attack demonstration is to show the impact of modifying clipboard data during a remote desktop session. To achieve this, the attack employs DLL injection, which is not confined to RDP sessions but also extends to other remote access applications such as TeamViewer and the VMware console.</p>
            <p>The initial step is the injection of a malicious DLL into the intended process. Depending on the application in question, the target process differs: for a Windows RDP connection the target process is rdpclip.exe, for TeamViewer it is teamviewer.exe, and for VMware it is vmtoolsd.exe, which provides all virtual machine guest tools. The process injection can occur either before or after the connection is established, and various techniques can be used for DLL injection. For this purpose a simple program was developed, although multiple methods can be employed, including Microsoft Detours [18].</p>
            <fig id="fig-3">
              <label>Figure 3</label>
              <caption><p>Attack flow chart for blind remote clipboard hijacking. After process injection with the malicious DLL, Windows API calls are intercepted. If SetClipboardData is intercepted with a clipboard format in [1, 7, 13] and a NULL handle, delayed rendering has been detected and the attack flag is set to 1 (otherwise it is 0). If SetClipboardData is then intercepted with clipboard format 49171 and a non-NULL handle, memory is allocated for the manipulating data and a handle to it obtained, the clipboard data is erased, and it is overwritten with the manipulating data.</p></caption>
            </fig>
            <p>After the DLL has been injected into the targeted process, calls to SetClipboardData are intercepted. When a copy operation is performed, the hooked SetClipboardData is entered and one of two conditions is met: the clipboard format arrives with a NULL handle (delayed rendering), or the clipboard format arrives with a handle to the OLE Private Data (immediate rendering). In the latter case, a memory area is reserved for the manipulation string, the clipboard data is erased by calling EmptyClipboard, and SetClipboardData is called with CF_TEXT as the clipboard format and a handle to the reserved memory holding the manipulation string. Finally, the original call is completed through the saved pointer to the real, unhooked function, which executes successfully.</p>
            <p>While the above process manipulates the clipboard data successfully, it does not differentiate between copying text and copying a file. Consequently, when a file is copied, the clipboard data is manipulated as well, and the data held on the clipboard becomes the manipulation text. To address this, a flag that tracks both the delayed rendering and the data-setting cases is required.</p>
            <p>As a proof of concept, this attack remotely replaces any text copied on the victim’s machine with pre-hardcoded text. It can, however, be modified to target a specific pattern of copied text, such as a cryptocurrency wallet ID, by retrieving the original copied text, comparing it with the targeted pattern, and performing the manipulation only if there is a match.</p>
          </sec>
        </sec>
        <sec id="sec-3-1-3">
          <title>5.3. Remote Clipboard Data Targeted Manipulation</title>
          <p>The objective of this attack is to manipulate specific shared clipboard data patterns during a remote desktop session, for example replacing a website URL with a phishing site or replacing a cryptocurrency wallet ID with the attacker’s ID. While similar to the previous attack, this one uses a different technique: instead of acting inside the SetClipboardData hook, it detects a specific sequence of Windows clipboard API calls. To achieve this, all the involved API calls are hooked, and a counter is incremented each time a targeted API call is detected in the correct order (see Algorithm 1). The counter is reset to zero once the last API call in the targeted sequence is detected.</p>
          <p>Algorithm 1: Targeted API Sequence Detection</p>
          <p>The targeted sequence consists of OpenClipboard, EmptyClipboard, SetClipboardData, and CloseClipboard. OpenClipboard is called to lock other applications out of modifying the clipboard contents, followed by EmptyClipboard to erase the clipboard contents, and then SetClipboardData to set the actual data on the clipboard after the delayed rendering discussed earlier. CloseClipboard is called to commit the clipboard changes and release the lock created by OpenClipboard. Finally, GetClipboardOwner is called; it returns a handle to the window that currently owns the clipboard.</p>
          <p>Remote clipboard data manipulation is performed once this sequence of API calls has been detected, inside the hook of GetClipboardOwner. The clipboard data is retrieved using OpenClipboard followed by GetClipboardData with CF_TEXT as the argument, which returns the clipboard data in text format. The targeted data pattern is compared with the retrieved data and, if there is a match, EmptyClipboard is called to erase the clipboard data, followed by SetClipboardData to set the malicious content. CloseClipboard is then called to release the lock after the manipulation has been performed, as shown in Algorithm 2.</p>
          <preformat>Algorithm 2: Remote Clipboard Data Manipulation
Function HookedGetClipboardOwner():
    if counter == 5 then
        RealOpenClipboard(NULL);
        dataHandle ← RealGetClipboardData(CF_TEXT);
        data ← GlobalLock(dataHandle);
        match ← PatternMatch(data);
        if match ≠ NULL then
            RealEmptyClipboard();
            hMem ← GlobalAlloc(GMEM_MOVEABLE, Length(manipulationText) + 1);
            Copy(GlobalLock(hMem), manipulationText); GlobalUnlock(hMem);
            RealSetClipboardData(CF_TEXT, hMem);
        RealCloseClipboard();
        counter = 0;
    return RealGetClipboardOwner();</preformat>
          <p>The identifiers that did not survive in the printed listing (the lock, pattern-match, and allocation calls) are reconstructed from the description above; every call in the listing goes to the real, unhooked function.</p>
          <p>To prevent recursion between the hooks that detect the targeted API calls and the attack code itself, the real function pointers are called instead of the hooked ones, as in the previous attack.</p>
        </sec>
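        <p>The sequence-counted hook of Algorithms 1 and 2, as an added simulation that is not the paper’s code: `RealClipboard` stands in for the server clipboard and the unhooked user32 entry points, `InjectedHooks` is the logic the injected DLL places in front of them, and the copy sequence, the wallet-address pattern and the attacker address are constructed for the example. The hooking mechanism itself (Detours or similar) is out of scope; the point is what the hook bodies do, and why they must call the real pointers.</p>

```python
"""Targeted remote clipboard manipulation as a sequence-triggered hook (Algorithms 1 and 2).

Constructed simulation: RealClipboard stands in for the server clipboard and the unhooked
Win32 entry points; InjectedHooks is the logic the injected DLL would place in front of
them. Installing the hooks (Detours, IAT patching) is out of scope here.
"""
import re

CF_TEXT = 1


class RealClipboard:
    """Unhooked function pointers over a dict-backed clipboard (format id -> handle/bytes)."""

    def __init__(self):
        self.formats = {}

    def OpenClipboard(self, hwnd=None):
        return True

    def EmptyClipboard(self):
        self.formats.clear()
        return True

    def SetClipboardData(self, fmt, handle):
        self.formats[fmt] = handle          # handle is None for delayed rendering
        return handle

    def GetClipboardData(self, fmt):
        return self.formats.get(fmt)

    def CloseClipboard(self):
        return True

    def GetClipboardOwner(self):
        return 0x10042                       # constructed HWND


def read_text(clip):
    data = clip.GetClipboardData(CF_TEXT)
    return data.split(b"\0", 1)[0].decode("latin-1") if data else ""


# The copy sequence rdpclip.exe issues: delayed-rendering set, then the rendered data.
EXPECTED = ("OpenClipboard", "EmptyClipboard", "SetClipboardData",
            "SetClipboardData", "CloseClipboard")


class InjectedHooks:
    """Counts the targeted sequence (Algorithm 1) and rewrites matching text when
    GetClipboardOwner is reached with the counter at 5 (Algorithm 2)."""

    def __init__(self, real, pattern, replacement):
        self.real, self.pattern, self.replacement = real, re.compile(pattern), replacement
        self.counter, self.manipulations = 0, 0

    def _advance(self, name):
        if self.counter != len(EXPECTED) and name == EXPECTED[self.counter]:
            self.counter += 1                # next call in the targeted order
        else:
            self.counter = 1 if name == EXPECTED[0] else 0   # out of order: restart

    # Hooked entry points always call the *real* pointers, never the hooked ones.
    def OpenClipboard(self, hwnd=None):
        self._advance("OpenClipboard")
        return self.real.OpenClipboard(hwnd)

    def EmptyClipboard(self):
        self._advance("EmptyClipboard")
        return self.real.EmptyClipboard()

    def SetClipboardData(self, fmt, handle):
        self._advance("SetClipboardData")
        return self.real.SetClipboardData(fmt, handle)

    def GetClipboardData(self, fmt):
        self._advance("GetClipboardData")
        return self.real.GetClipboardData(fmt)

    def CloseClipboard(self):
        self._advance("CloseClipboard")
        return self.real.CloseClipboard()

    def GetClipboardOwner(self):
        if self.counter == len(EXPECTED):
            self.real.OpenClipboard(None)
            text = read_text(self.real)
            if self.pattern.search(text):
                self.real.EmptyClipboard()
                rewritten = self.pattern.sub(self.replacement, text)
                self.real.SetClipboardData(CF_TEXT, rewritten.encode("latin-1") + b"\0")
                self.manipulations += 1
            self.real.CloseClipboard()
            self.counter = 0
        return self.real.GetClipboardOwner()


def rdpclip_copy(api, text):
    """What the server-side endpoint does when the peer announces new clipboard text."""
    api.OpenClipboard(None)
    api.EmptyClipboard()
    api.SetClipboardData(CF_TEXT, None)                             # delayed rendering
    api.SetClipboardData(CF_TEXT, text.encode("latin-1") + b"\0")   # rendered data
    api.CloseClipboard()
    api.GetClipboardOwner()


def local_read(api):
    """A server-side application pasting: a different sequence, must not trigger."""
    api.OpenClipboard(None)
    api.GetClipboardData(CF_TEXT)
    api.CloseClipboard()
    api.GetClipboardOwner()


# Constructed toy pattern: a bech32-looking Bitcoin address, swapped for an attacker-chosen one.
WALLET_RE = r"\bbc1[a-z0-9]{25,}\b"
ATTACKER_WALLET = "bc1qattackerattackerattackerattacker"


def demo():
    real = RealClipboard()
    api = InjectedHooks(real, WALLET_RE, ATTACKER_WALLET)
    rdpclip_copy(api, "pay bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq now")
    hijacked = read_text(real)
    rdpclip_copy(api, "meeting at 10")
    untouched = read_text(real)
    local_read(api)
    return hijacked, untouched, api.manipulations, api.counter


if __name__ == "__main__":
    print(demo())
```

        <p>The first copy matches the pattern and leaves the attacker’s address on the server clipboard, the second carries ordinary text and is left alone, and the local read sequence never reaches a counter of 5. If the hook bodies called the hooked functions instead of the real ones, the manipulation path would re-enter the counter logic and recurse, which is the recursion the text warns about.</p>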
        <p>We have applied this attack successfully to Microsoft RDP, to remote access applications such as TeamViewer, to virtualization software such as VMware, and to other applications that share the clipboard with the same technique as Microsoft RDP.</p>
        <sec id="sec-3-1-4">
          <title>5.4. Remote Clipboard Data Sniffing</title>
          <p>In this variation of the attack, the malware is designed to intercept and log all text copied on the victim’s machine through a remote connection, such as RDP or any other vulnerable application that enables clipboard sharing. Like the previous attack, this one targets a specific sequence of clipboard-related Windows API calls; however, once the targeted sequence is detected, the data is simply copied and logged on the malicious remote server rather than manipulated. The targeted API calls start with OpenClipboard, followed by EmptyClipboard, SetClipboardData twice (once for delayed rendering and once for the actual data), CloseClipboard to release the clipboard lock, and finally GetClipboardOwner. Logging the captured shared clipboard data is performed by calling the traditional sequence of OpenClipboard, GetClipboardData to retrieve the victim’s shared clipboard data, and CloseClipboard to release the clipboard lock, as shown in Algorithm 3.</p>
          <p>Algorithm 3: Remote Clipboard Data Sniffing</p>
          <p>This attack affects victim machines running any version of Microsoft Windows, as long as they have an active connection with the malicious server through RDP, a remote access application like TeamViewer, a virtual machine hosted by VMware and accessed through the VMware console, or any other application that shares clipboard data using the same technique as RDP.</p>
        </sec>
      </sec>
      <sec id="sec-3-2">
        <title>6. ATTACK DETECTION</title>
        <p>Distinguishing between benign and malicious clipboard operations in remote connections is a critical task for system security. It requires identifying the specific sequence of Windows clipboard API calls that occurs when text is copied on a remote Windows server accessed through RDP, a VMware console, or a remote access application like TeamViewer.</p>
        <p>To detect sniffing, the first step is to identify the format of the clipboard data, which the attacker obtains with GetClipboardFormatNameW, followed by detecting OpenClipboard. The next step is to monitor GetClipboardData and finally CloseClipboard, which marks the end of the attacker’s access to the clipboard data. Detecting sniffing over TeamViewer requires detecting the previous sequence followed by another OpenClipboard, GetClipboardData, and CloseClipboard. For blind remote clipboard data manipulation, the required sequence of API calls is shown in Figure 4.</p>
        <fig id="fig-4">
          <label>Figure 4</label>
          <caption><p>Sequence of API calls for detecting blind remote clipboard data manipulation: OpenClipboard, GetClipboardFormatName, and EmptyClipboard each raise the score (1 to 3), and SetClipboardData(49171, Obj) completes the sequence.</p></caption>
        </fig>
        <p>To detect targeted manipulation of remote clipboard data via RDP, a longer sequence of Windows API calls has to be monitored. The process involves retrieving the format name of the clipboard data, followed by retrieving the clipboard data to compare it with the targeted data patterns. The clipboard is then closed and two formats, CanIncludeInClipboardHistory and CanUploadToCloudClipboard, are registered [<xref ref-type="bibr" rid="ref18">19</xref>]. After the clipboard is reopened and emptied, the clipboard data is set twice and the clipboard is closed again. Finally, the same open-and-close sequence is repeated to flush the clipboard data and set the manipulated data. Attackers use this sequence of functions to manipulate the clipboard data, so detecting these functions in sequence is essential for preventing data hijacking and manipulation.</p>
        <p>A flagging mechanism can be employed to detect the sequence of Windows API calls for remote clipboard data sniffing or targeted manipulation. The mechanism sets and increments a flag each time a targeted API is detected in the correct order. Once the last targeted API call is detected and the flag threshold is reached, an alert is raised to notify the user or the system administrator. To minimize false positives, the time factor, i.e., the time difference between the first and last detected API calls in the targeted sequence, should also be measured.</p>
        <p>Integrating the timing factor with the other detection mechanisms differentiates normal remote clipboard data copying from targeted attacks. The study presents the time needed to detect the targeted sequence of API calls for each attack, which serves as a reference for devising effective detection and prevention strategies. Relying solely on the proposed targeted sequences of API calls to detect remote clipboard data sniffing or manipulation may lead to false positives, since a legitimate application can issue the same calls; the time factor helps differentiate between the two scenarios. Table 2 provides the measured time required for each attack to be performed.</p>
        <p>In the case of an attack initiated from a virtual machine accessed via the VMware console, the timing factor may not be effective in detecting remote clipboard data sniffing or targeted manipulation. This is because the exchange of clipboard data in this scenario depends on the user switching between the host and guest operating systems, so the time taken to observe the targeted sequence of API calls does not indicate whether an attack is in progress.</p>
      </sec>
    </sec>
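    <p>The flag-and-timing detector of Section 6, as an added example that is not the paper’s tool: the trace lines imitate an API-monitor export of rdpclip.exe in a constructed `ms Api(args)` form, the three signatures are the sequences described in that section and in Figure 4 (the RegisterClipboardFormat steps are assumed to be how the two formats are registered), and the 50 ms alert window is an assumed value, not a figure from the paper’s Table 2. Running it over a benign copy, a sniffing trace, a targeted-manipulation trace, and the same rewrite delayed by three seconds shows the timing check suppressing the slow case.</p>

```python
"""Sequence-plus-timing detection of remote clipboard sniffing and manipulation (Section 6).

Constructed example. Trace lines imitate an API-monitor export of rdpclip.exe in the
form "ms Api(args)"; the 50 ms alert window is an assumed value, not the paper's Table 2
figure. Feed it real hook or ETW output by adapting parse_line.
"""
import re

LINE_RE = re.compile(r"^(\d+)\s+([A-Za-z]+)\(([^)]*)\)$")


def parse_line(line):
    """'6 GetClipboardFormatNameW(49171)' -> (6, 'GetClipboardFormatName', ['49171'])"""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    api = m.group(2)
    if api[-1] in "AW":                                   # fold ANSI/Unicode variants
        api = api[:-1]
    args = [a.strip() for a in m.group(3).split(",") if a.strip()]
    return int(m.group(1)), api, args


# A step is (api, required first argument or None); orders follow Section 6 and Figure 4.
HISTORY, CLOUD = "CanIncludeInClipboardHistory", "CanUploadToCloudClipboard"
SIGNATURES = {
    "sniffing": [("GetClipboardFormatName", None), ("OpenClipboard", None),
                 ("GetClipboardData", None), ("CloseClipboard", None)],
    "blind manipulation": [("OpenClipboard", None), ("GetClipboardFormatName", None),
                           ("EmptyClipboard", None), ("SetClipboardData", "49171")],
    "targeted manipulation": [("GetClipboardFormatName", None), ("OpenClipboard", None),
                              ("GetClipboardData", None), ("CloseClipboard", None),
                              ("RegisterClipboardFormat", HISTORY),
                              ("RegisterClipboardFormat", CLOUD),
                              ("OpenClipboard", None), ("EmptyClipboard", None),
                              ("SetClipboardData", None), ("SetClipboardData", None),
                              ("CloseClipboard", None), ("OpenClipboard", None),
                              ("EmptyClipboard", None), ("SetClipboardData", None),
                              ("CloseClipboard", None)],
}


class SequenceDetector:
    """Flag counter: advance on the next expected call, restart on a call that breaks the
    order, and alert only if the last step lands inside the time window."""

    def __init__(self, name, steps, window_ms):
        self.name, self.steps, self.window_ms = name, steps, window_ms
        self.flag, self.first_ms = 0, None

    def feed(self, ms, api, args):
        want_api, want_arg = self.steps[self.flag]
        if api == want_api and (want_arg is None or (args and args[0] == want_arg)):
            if self.flag == 0:
                self.first_ms = ms
            self.flag += 1
            if self.flag != len(self.steps):
                return None
            elapsed, self.flag = ms - self.first_ms, 0
            return None if elapsed > self.window_ms else (self.name, elapsed)
        if self.flag:                                     # out of order: restart here
            self.flag = 0
            return self.feed(ms, api, args)
        return None


def scan(lines, window_ms=50):
    """Run every signature over a trace; returns [(signature, elapsed_ms), ...] in trace order."""
    detectors = [SequenceDetector(n, s, window_ms) for n, s in SIGNATURES.items()]
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        for d in detectors:
            hit = d.feed(*parsed)
            if hit is not None:
                alerts.append(hit)
    return alerts


def stamp(start_ms, calls):
    return ["%d %s" % (start_ms + i, c) for i, c in enumerate(calls)]


# Constructed traces: COPY is what rdpclip.exe does when the peer announces a format list;
# READ and REWRITE are the attacker's calls, which follow within milliseconds.
COPY = ["0 OpenClipboard(0x0)", "1 EmptyClipboard()", "2 SetClipboardData(13, NULL)",
        "3 SetClipboardData(49171, 0x1a0)", "4 CloseClipboard()", "5 GetClipboardOwner()"]
READ = ["GetClipboardFormatNameW(49171)", "OpenClipboard(0x0)",
        "GetClipboardData(1)", "CloseClipboard()"]
REWRITE = ["RegisterClipboardFormatW(%s)" % HISTORY, "RegisterClipboardFormatW(%s)" % CLOUD,
           "OpenClipboard(0x0)", "EmptyClipboard()", "SetClipboardData(13, NULL)",
           "SetClipboardData(49171, 0x1a0)", "CloseClipboard()", "OpenClipboard(0x0)",
           "EmptyClipboard()", "SetClipboardData(1, 0x2c0)", "CloseClipboard()"]

BENIGN_TRACE = COPY + stamp(4000, ["OpenClipboard(0x2b0)", "GetClipboardData(13)", "CloseClipboard()"])
SNIFF_TRACE = COPY + stamp(6, READ)
TARGETED_TRACE = COPY + stamp(6, READ + REWRITE)
SLOW_TRACE = COPY + stamp(6, READ) + stamp(3000, REWRITE)   # same calls, seconds apart


if __name__ == "__main__":
    for name in ("BENIGN_TRACE", "SNIFF_TRACE", "TARGETED_TRACE", "SLOW_TRACE"):
        print(name, scan(globals()[name]))
```

    <p>The benign trace raises nothing, the sniffing trace raises one alert, and the targeted trace raises two, because the sniffing signature is a prefix of the targeted one; in the slow trace the full targeted sequence is seen but its elapsed time exceeds the window, so only the sniffing alert remains. The window is the tunable that the paper’s Table 2 measurements are meant to inform, and, as the section notes, it does not help for the VMware-console case, where the gap is set by the user switching focus.</p>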
    <sec id="sec-4">
      <title>7. RESULTS EVALUATION</title>
      <p>This section presents the results of the clipboard data
attacks proposed in this study and evaluates the
effectiveness of the suggested detection techniques. Such an
evaluation is needed to assess the security of computer
systems against these attacks and to devise more robust
protections. All test cases assume that the malicious server
runs Microsoft Windows, since the Remote Desktop Protocol is
a Microsoft protocol. The clients ran Windows 7, Windows 10,
and Windows 11, in both x86 and x64 versions. The results
provide insight into the weaknesses of sharing clipboard data
and into how well the proposed detection techniques detect
and prevent the resulting threats, and thereby guide the
development of more effective security measures.</p>
      <sec>
        <title>7.1. Attack Results</title>
        <p>This section reports the results of the remote clipboard
data attacks in the test case scenarios listed in Table 3. The
experiments were carried out on Windows 7, Windows 10, and
Windows 11, in both x86 and x64 versions. These findings
suggest that any remote access application that shares
clipboard data using the discussed technique would be
susceptible to the proposed attacks.</p>
        <p>All test cases in Table 3 resulted in successful attacks.
When a victim connects to a malicious server that hosts the
malicious DLL for the proposed blind manipulation attack, the
victim's clipboard data is compromised: the copied data is
either modified or wiped for as long as the victim's
connection to the malicious server is active.</p>
        <p>In the remote clipboard data sniffing attack, the victim's
copied data is logged on the remote server immediately after a
copy operation is performed on the victim's machine. Lastly,
the attack that manipulates specific shared clipboard data
monitored all copied data shared from the victim's machine and
performed the manipulation only when a match occurred, without
affecting any other copied data. These findings illustrate the
weaknesses of sharing clipboard data and emphasize the
importance of robust security measures to prevent such
attacks.</p>
      </sec>
      <sec>
        <title>7.2. Detection Results</title>
        <p>This section presents the results of evaluating the
proposed detection techniques against the clipboard data
attacks. The evaluation used the same test cases: a malicious
server running Microsoft Windows, since the Remote Desktop
Protocol is a Microsoft protocol, and clients running
Windows 7, Windows 10, and Windows 11 in both x86 and x64
versions.</p>
        <p>The presented detection method detected all the cases
listed in Table 3, except the case in which the victim
accessed a virtual machine armed with the attacking tool
through the VMware console. This is a limitation of the
proposed detection technique, as the timing factor is not
effective in that scenario.</p>
      </sec>
    </sec>
    <sec>
      <title>8. FUTURE WORK</title>
      <p>One promising avenue for future research is clipboard
attacks that target copied files. Such attacks could insert
malicious code into an executable file that a user copies,
which could subsequently be executed on the victim's device.
The techniques outlined in this paper could be adapted to this
type of attack by detecting the copying of executable files
and inserting the malicious code into the targeted file.
Further exploration of this area could clarify the dangers
posed by these attacks and help develop stronger defenses.</p>
    </sec>
    <sec>
      <title>9. CONCLUSION</title>
      <p>This paper examines the security risks of clipboard data
sharing across environments: clipboard sharing on local
machines, in Remote Desktop Protocol (RDP) sessions, and in
virtualized environments. It identifies remote clipboard data
manipulation as a significant security threat and explains the
different types of attacks that can occur on shared clipboard
data, with a focus on remote clipboard data manipulation and
sniffing.</p>
      <p>The efficacy of the proposed detection and prevention
techniques is evaluated through experiments that demonstrate
the need for vigilance against clipboard data attacks. This
research contributes to the understanding of clipboard data
security and emphasizes the need for further research and
development of more robust security measures to protect
against such attacks.</p>
    </sec>
  </body>
</article>