veyoff sits between Veyon's internal proxy and the UltraVNC screen capture engine on the local machine. it forwards framebuffer data transparently in normal mode, and intercepts it when freeze or window hiding is active. the teacher sees nothing unusual; just a brief 1-2s connection blip during setup. if you're my teacher seeing this, hi please don't snitch.
veyon master (teacher)
│
│ connects to port 11100+session (veyon custom auth)
▼
veyon VncProxyServer (part of veyon service, untouched)
│
│ connects to localhost:11200+session (standard RFB)
▼
VEYOFF PROXY (binds port 11200+session, the original VNC port)
│ transparent forwarding in normal mode
│ intercepts framebuffer when frozen / blacklisting
▼
real UltraVNC (port 11250+session, redirected via registry)
setup is fully automated. on launch, veyoff reads the VNC port from the veyon registry, redirects it +50, restarts the veyon service, and binds the proxy on the original port. on exit, it restores everything.
- screen freeze (Ctrl+Alt+F) lets the master keep seeing a frozen frame while you keep working normally.
- presence overlays has two distinct warnings, and both stay invisible to veyon's screen capture:
  - amber "VEYON ACTIVE" means the teacher has the veyon master app open and connected to your machine, but isn't looking at your screen yet
  - red "MASTER VIEWING" means the teacher is actively viewing your screen through the RFB proxy
- selective window hiding keeps windows matching keywords in config/blacklist.txt hidden from the master's view. veyoff preserves the last teacher-visible pixels for that region instead of drawing a black box. edit the blacklist from the tray menu or manually, one keyword per line:

      Firefox
      Chrome
      Signal

- system tray shows a color-coded icon in the notification area. right-click for the menu: toggle freeze, edit blacklist, reload config, self-destruct, or quit. the icon color reflects the current state:
  - green = idle/live
  - blue = screen frozen
  - amber = veyon active
  - red = master viewing
- self-destruct (Ctrl+Alt+X pressed 5 times within 2 seconds) is the panic button. it:
  - restores veyon's registry and restarts the service
  - clears windows event logs (Application, System, Security)
  - deletes prefetch entries matching veyoff
  - schedules deletion of the exe and its entire directory after the process exits
  - leaves no trace on disk

  also available from the tray menu under "Self-Destruct".
- clean quit (Ctrl+Alt+Q) restores veyon config and exits normally.

cmake -B build -G "Visual Studio 17 2022" -A x64
cmake --build build --config Release

or with ninja:

cmake -S . -B build -G "Ninja"
cmake --build build --config Release

.\build\Release\veyoff-windows.exe

veyoff automatically:
- reads veyon's config from HKLM\SOFTWARE\Veyon Solutions\Veyon\Network
- redirects the internal VNC port (11200 → 11250)
- restarts VeyonService (brief 1-2s blip)
- starts the RFB proxy and overlay

press Ctrl+Alt+Q to quit. veyoff restores the original port and restarts the service. right-click the tray icon for additional options.
.\build\Release\veyoff-windows.exe --blacklist C:\path\to\blacklist.txt

the proxy speaks RFB (VNC protocol) at the message level. it doesn't just relay bytes. it parses every RFB message to know where message boundaries are, which lets it:
- freeze: cache the last full framebuffer update from upstream and replay it to the master on every FramebufferUpdateRequest, while the real screen keeps changing
- blacklist: capture the real screen via GDI, keep the last teacher-visible pixels inside blacklisted window regions (matched by title substring), encode the result as a raw RFB FramebufferUpdate, and send that instead
- SetEncodings rewrite: forces the upstream VNC server to use only Raw encoding, so veyoff never needs to decode compressed pixel data

the master's VNC viewer has no way to tell the difference because it receives valid RFB frames either way.
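
because the master still receives valid RFB frames, a setup like this has to be spotted from the host rather than from the viewer. the sketch below is an added example (not part of veyoff or veyon) that audits an exported host snapshot for the side effects this README describes: the redirected VNC port, a different process listening on the original port, VeyonService state changes, and cleared event logs. the snapshot layout, the trusted image name veyon-server.exe and the sample data are assumptions; event IDs 1102, 104 and 7036 are the standard windows records for a cleared Security log, another cleared log, and a service state change.

```python
from dataclasses import dataclass, field

BASE_VNC_PORT = 11200   # internal VNC port named in the README, before +session
LOG_CLEARED = {("Security", 1102), ("System", 104)}  # Windows "log cleared" events
SCM_STATE_CHANGE = 7036  # Service Control Manager: a service changed state
# Assumption: image name of the process expected to own the internal VNC port.
TRUSTED_IMAGES = frozenset({"veyon-server.exe"})

@dataclass
class Snapshot:
    session: int
    configured_vnc_port: int            # port value read from the ...\Veyon\Network key
    listeners: dict                     # listening TCP port -> owning image name
    events: list = field(default_factory=list)  # (log, event_id, message)

def audit(snap, trusted=TRUSTED_IMAGES):
    """Return (rule, detail) findings for one host snapshot."""
    findings = []
    if snap.configured_vnc_port != BASE_VNC_PORT:
        findings.append(("port-drift",
                         f"configured {snap.configured_vnc_port}, baseline {BASE_VNC_PORT}"))
    port = BASE_VNC_PORT + snap.session
    owner = snap.listeners.get(port)
    if owner is not None and owner.lower() not in trusted:
        findings.append(("foreign-listener", f"{owner} is listening on {port}"))
    for log, event_id, message in snap.events:
        if (log, event_id) in LOG_CLEARED:
            findings.append(("log-cleared", f"{log} event {event_id}: {message}"))
        elif (log, event_id) == ("System", SCM_STATE_CHANGE) and "veyon" in message.lower():
            findings.append(("service-state-change", message))
    return findings

# Constructed snapshots for illustration; not captured from a real host.
CLEAN = Snapshot(0, 11200, {11100: "veyon-server.exe", 11200: "veyon-server.exe"})
TAMPERED = Snapshot(
    0, 11250,
    {11100: "veyon-server.exe", 11200: "unknown-proxy.exe", 11250: "veyon-server.exe"},
    [("System", 7036, "The Veyon Service service entered the stopped state."),
     ("System", 7036, "The Veyon Service service entered the running state."),
     ("System", 104, "The Application log file was cleared."),
     ("Security", 1102, "The audit log was cleared.")],
)

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, audit(snap) or "no findings")
```

clearing logs locally does not remove records already forwarded to a central collector, so run the event rules against the forwarded copy. a single service state change is routine on its own; it matters when it lines up with port drift or a log-cleared record.
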
- windows 10+
- administrator privileges (registry + service control)
- veyon installed and running
- visual studio 2022 or mingw-w64 with c++20 support
- cmake 3.21+
- architecture: proxy design, RFB protocol handling, overlay mechanics
- build & validation: build instructions, manual testing procedures
- veyon reverse engineering: source analysis of veyon internals
veyoff/
├── src/windows/
│ └── veyoff-windows.cpp # single-file implementation (~2000 lines)
├── config/
│ └── blacklist.txt # window title keywords to hide (one per line)
├── toolchains/
│ └── windows-mingw64.cmake # cross-compilation toolchain (linux → windows)
├── docs/
│ ├── windows-architecture.md
│ ├── windows-build.md
│ └── windows-reverse-engineering.md
└── CMakeLists.txt
this tool is for legitimate privacy needs, such as entering passwords or handling personal communications during monitored sessions. comply with your organization's policies and applicable laws.
MIT. see LICENSE.