Cyber security

Spyndicapped : The Power Of UI Automation For Surveillance

Dive into the cutting-edge world of digital surveillance with “Spyndicapped,” a robust tool leveraging Microsoft’s UI Automation to monitor and gather data stealthily.

Developed by the CICADA8 Research Team, this tool unveils a new frontier in cybersecurity by allowing detailed access to user activities and system operations.

Discover its unique capabilities and how it transforms spying on user interfaces into an art form.

PS A:\ssd\gitrepo\Spyndicapped_dev\x64\Debug> .\Spyndicapped.exe -h

              ._
                |
                |
                |L___,
              .' '.  T
             :  *  :_|
              '._.'   L

[Spyndicapped]
CICADA8 Research Team
Christmas present from MzHmO

There are different work modes:
[FIND mode]
        Displays the windows available for spying with --window or --pid
        [EXAMPLES]
         Spyndicapped.exe find
[SPY mode]
        Window(s) spying mode
         --window <name> <- grabs information from that window
         --pid <pid> <- grabs information from that process (GUI Required)
         --logfile <filename> <- store all events into the log file
         --ignore-handlers <- I have created handlers for various apps, but u can use the generic HandleOther() with this flag
         --timeout <sec> <- interval to process events (default 1 sec)
         --no-uia-events <- disables MyAutomationEventHandler
         --no-property-events <- disables MyPropertyChangedEventHandler
        [EXAMPLES]
         Spyndicapped.exe spy
         Spyndicapped.exe spy --window "Program Manager"
         Spyndicapped.exe spy --pid 123
[Other]
         --debug <- displays more information

TL;DR

# Spy the whole system (high load may be!)
  .\Spyndicapped spy

# And log everything into the file
  .\Spyndicapped spy --logfile 1.txt

# Find target and spy by the pid
  .\Spyndicapped find
  .\Spyndicapped spy --pid <pid from find command>

How It Works

So, there is a Windows User Automation framework that allows you to work with any Windows graphical elements.

I just studied it over the New Year holidays and made a small POC 😛 It just so happens that in parallel I became an expert in Windows programming for handicapped people.

Why didn’t anyone tell me about this when I first started learning pentest?

In fact, I have two handlers:

  • MyAutomationEventHandler — UIA basic event processing (Ex: opened a new window);
  • MyPropertyChangedEventHandler — property changed event handling (Ex: inserted a value).

They handle all the GUI changes we are interested in: data input, text copying, data modification.

Among other things, I’ve added handlers under different processes and even domains in the browser so you can get more familiar with the framework! See the examples below for more details.

Also, I added an example of using patterns (one of the UIA components) on the example of KeePass looting.

With this project you will be able to learn Windows UIA! I use almost all concepts: event handling, pattern calling, tree traversal, item lookup.

For more information click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

How to Install Docker on Ubuntu (Step-by-Step Guide)

Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…

4 hours ago

Uninstall Docker on Ubuntu

Docker is one of the most widely used containerization platforms. But there may come a…

4 hours ago

Admin Panel Dorks : A Complete List of Google Dorks

Introduction Google Dorking is a technique where advanced search operators are used to uncover information…

1 day ago

Log Analysis Fundamentals

Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…

2 days ago

Networking Devices 101: Understanding Routers, Switches, Hubs, and More

What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…

3 days ago

Sock Puppets in OSINT: How to Build and Use Research Accounts

Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…

3 days ago