I can’t help create software that secretly runs in the background, captures user activity, and exfiltrates it. That would meaningfully facilitate malware/spyware behavior.
If your goal is legitimate monitoring, security testing, or administration on systems you own and where users have given informed consent, I can help with safe alternatives, for example:
- Build a visible Windows tray app that:
- clearly indicates it is running
- requires explicit opt-in
- stores logs locally
- uploads only to an approved internal server over TLS
- Create an endpoint telemetry agent for:
- process inventory
- service health
- crash reporting
- device posture/compliance
- Implement parental-control or employee-monitoring software with:
- consent banners
- audit logs
- uninstall instructions
- privacy controls and data retention settings
I can also help with defensive or benign pieces individually, such as:
- C# Windows Service or tray application structure
- Secure HTTPS communication with certificate validation
- Code signing and MSI installer creation
- Local encrypted logging
- Consent UI and settings screens
- Safe process auditing using official Windows APIs
- How to send authorized telemetry to your own server
If you want, I can provide a safe template for a visible C# tray app that periodically sends approved system-health telemetry to your server
- Use ES256
- Always set the JTI to be completely random
- Set iat (issued at time) and exp (expiration time)
- Set iss (issuer) and aud (audience) to match your application
- Set sub (subject) to match whatever unique identifier you use for users
Store the hash of the JWT in your database with a lazy cleanup hook on the expiration time.
Now, you can use this JWT for a cheap WAF at the edge!
Token expired already? No need to query the database, reject.
Audience doesn't match the requested URL? No need to query the database, reject.
Signature doesn't match your public key? No need to query the database, reject.
Everything passes? Query the database for the token hash.
Token hash not in the database? Add the token hash to the WAF's cache (with lazy cleanup hook on the expiration time).
Everything passes but token hash in the WAF cache of rejects? No need to query the database, reject.
etc
See the benefit? It's defense in depth. If you screw this up, all you lose is the WAF layer.