A lightweight Windows tray application that monitors your clipboard for suspicious content, prompts you to Discard or Keep it, and writes a full audit trail to a log file. Suited to security-conscious environments where paste-based attacks (e.g. the stealthy PowerShell one-liners used in ClickFix) are a concern.
- **Pattern-based detection**
  Load user-defined regular expressions from `patterns.txt` and scan every Unicode text snippet for indicators of malicious payloads (e.g. `powershell.exe -NoP -NonI -W Hidden -Exec Bypass …`).
- **Seamless UI integration**
  - Uses native TaskDialog prompts for “Discard?” vs “Paste now…” workflows.
  - Keyboard (`WH_KEYBOARD_LL`) and mouse (`WH_MOUSE_LL`) hooks ensure only one authorized paste proceeds, and block any other input during the decision.
- **Atomic, thread-safe logging**
  - Captures `Time`, `User`, `Host`, `SourceApp`, `DestApp`, `Content` snippet and `Action` (“Keep”/“Discard”).
- **Single-instance guard & robust error handling**
  Prevents multiple instances via a named mutex and surfaces initialization failures with a MessageBox.
If you'd like to support this project, feel free to donate:
👉 Buy Me a Coffee
Feel free to open issues or pull requests; we're open to suggestions and improvements.
- **Initialization**
  - Load regex patterns from `patterns.txt` (skip comments / blanks).
  - Create a hidden message-only window to receive `WM_CLIPBOARDUPDATE`.
  - Cache current user and host names for later logging.
- **Clipboard update handler**

```cpp
void ClipboardWatcher::OnClipboardUpdate() {
    if (!OpenClipboard(_hWnd)) return;
    bool suspicious = false;  // set by the scan steps below
    // 1) Grab CF_UNICODETEXT and scan with std::regex_search().
    // 2) (optional) Scan file drops or image data …
    CloseClipboard();
    if (!suspicious) return;
    // Install hooks → show TaskDialog → log user choice.
}
```
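The pattern loading and scanning steps described above, as an added example in portable C++ (not the project's own code): it parses `patterns.txt` content the way the initialization step describes (skipping comments and blanks) and runs `std::regex_search` over a clipboard snippet. The sample rules and the `LoadPatterns`, `FirstMatch`, `SamplePatterns` and `ScanWithSample` names are constructed for this illustration.

```cpp
#include <regex>
#include <sstream>
#include <string>
#include <vector>

// One compiled rule plus its source line, kept so a hit can be logged verbatim.
struct Pattern { std::string source; std::regex re; };

// Parse patterns.txt content: one regex per line; blank lines and lines whose first
// non-blank character is '#' are skipped. A trailing '\r' from Windows line endings
// is stripped so it cannot silently become part of the pattern.
std::vector<Pattern> LoadPatterns(std::istream& in) {
    std::vector<Pattern> out;
    std::string line;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        size_t first = line.find_first_not_of(" \t");
        if (first == std::string::npos || line[first] == '#') continue;
        try {
            out.push_back({line, std::regex(line, std::regex::icase)});
        } catch (const std::regex_error&) {
            // A malformed line must not abort startup; skip it and keep the rest.
        }
    }
    return out;
}

// Return the source of the first rule that fires on the snippet, or "" if clean.
std::string FirstMatch(const std::vector<Pattern>& patterns, const std::string& text) {
    for (const auto& p : patterns)
        if (std::regex_search(text, p.re)) return p.source;
    return "";
}

// Constructed stand-in for patterns.txt (an assumption, not the project's shipped rules).
const char* const kSamplePatterns =
    "# ClickFix-style PowerShell launcher switches\r\n"
    "powershell(\\.exe)?\\s+.*-(NoP|NoProfile)\\b\r\n"
    "\r\n"
    "-(W|WindowStyle)\\s+Hidden\\b\r\n"
    "-(Exec|ExecutionPolicy)\\s+Bypass\\b\r\n";

std::vector<Pattern> SamplePatterns() {
    std::istringstream in(kSamplePatterns);
    return LoadPatterns(in);
}

// Scan one clipboard snippet against the sample rules; "" means no rule fired.
std::string ScanWithSample(const std::string& clipboardText) {
    return FirstMatch(SamplePatterns(), clipboardText);
}
```

In the real handler the clipboard text would come from `CF_UNICODETEXT` and the rule source would go into the `Content`/`Action` log line.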
- **Decision workflow**

| Action | Behaviour |
|---|---|
| Discard | Clears the clipboard, shows a red “Content discarded” toast, and logs `Action: Discard`. |
| Keep | Prompts “Paste now (Ctrl+V / Shift+Ins / right-click)”, allows one paste, and logs `Action: Keep`. |
Screenshots (images not reproduced here): Security-Message prompt, Discarded, Kept, Detailed audit trail.
- Clone the repository:

```sh
git clone https://github.com/your-org/xtended-runtime-detection.git
cd xtended-runtime-detection
```

- Build requirements: Visual Studio 2019+ with C++17; link against `user32`, `comctl32`, `psapi`, `Shlwapi`.
- Configure patterns: edit `patterns.txt`, one regex per line (`#` for comments).
- Run the tray app: double-click `xTended Runtime Detection.exe` → tray icon appears. Right-click the icon for Open Logs / Exit.
- Enable `CF_HDROP` & `CF_DIB` scanning (file drops, steganography).
- Combine patterns into a single mega-regex for higher throughput.
- Cross-platform support (macOS/Linux clipboard APIs).