Hack-cessibility: When DLL Hijacks Meet Windows Helpers
ID: 9ce407ce-5dda-5219-b023-1b4fce1984bd
STIX ID: report--9ce407ce-5dda-5219-b023-1b4fce1984bd
Feed Name: TrustedSec blog
This research demonstrates how Windows Narrator loads a TTS DLL (`msttsloc_onecoreenus.dll`) and how an attacker with local administrator privileges can plant a malicious DLL to achieve code execution. The author shows techniques to suspend Narrator's main thread to avoid audible detection, establish persistence by setting the `configuration` value under `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility` (or `HKLM` for SYSTEM persistence), create custom Accessibility Tools that run arbitrary binaries, and trigger execution remotely via RDP (by changing RDP-related registry settings and using Ctrl+Win+Enter). The techniques were tested on Windows 10 and 11.
