The bit players simply map Active Accessibility / whatever MS calls it now (Windows Automation Framework?).

The more serious players shadow Windows events.

The real stuff does process injection and directly shadow copies / modifies in-memory data structures.