It is necessary to look at the source code of clients and servers, and use a sniffer for research, otherwise there will be no real understanding, theory without practice is only suitable for term paper, etc., and will not give you skills in work.
Using the OS API, for example on Windows, there are WinAPI functions mouse_event and keybd_event.
The protocols implemented in these programs are implemented on top of the TCP protocol, that is, Berkeley sockets API is used to transfer images from the monitor and other data, this API is included in the Windows API and in other POSIX-compliant operating systems, such as Linux and OS X.
And each A "packet" contains: an Ethernet header, an IPv4 header, a TCP header, and finally data from a specific application protocol such as SSH.
Roughly speaking, a protocol is a data format that is contained in a certain conditional "package" - a fragment of a data stream transmitted over a network. A "packet" is somewhat like a file, it is also a "piece" of an abstract set of bytes (whether in a cable or on a disk), and just like files, a "package" usually has a format, that's the protocol.
It is in programs such as remote desktops that the TCP protocol is used "fully" or close to the "ideal", that is, maximum stability is provided, up to detecting and processing network cable breaks or equivalent problems with the Wi-Fi network.

Thanks for the answer. Using these mouse_event and keybd_event functions, is it possible to block actions (clicks, keystrokes) of an attacker for example? After all, he will come from a different ip, but the id of the manipulator is different than that of a real user.