Spyndicapped : The Power Of UI Automation For Surveillance

Dive into the cutting-edge world of digital surveillance with “Spyndicapped,” a robust tool leveraging Microsoft’s UI Automation to monitor and gather data stealthily.

Developed by the CICADA8 Research Team, this tool unveils a new frontier in cybersecurity by allowing detailed access to user activities and system operations.

Discover its unique capabilities and how it transforms spying on user interfaces into an art form.

PS A:\ssd\gitrepo\Spyndicapped_dev\x64\Debug> .\Spyndicapped.exe -h

              ._
                |
                |
                |L___,
              .' '.  T
             :  *  :_|
              '._.'   L

[Spyndicapped]
CICADA8 Research Team
Christmas present from MzHmO

There are different work modes:
[FIND mode]
        Displays the windows available for spying with --window or --pid
        [EXAMPLES]
         Spyndicapped.exe find
[SPY mode]
        Window(s) spying mode
         --window <name> <- grabs information from that window
         --pid <pid> <- grabs information from that process (GUI Required)
         --logfile <filename> <- store all events into the log file
         --ignore-handlers <- I have created handlers for various apps, but u can use the generic HandleOther() with this flag
         --timeout <sec> <- interval to process events (default 1 sec)
         --no-uia-events <- disables MyAutomationEventHandler
         --no-property-events <- disables MyPropertyChangedEventHandler
        [EXAMPLES]
         Spyndicapped.exe spy
         Spyndicapped.exe spy --window "Program Manager"
         Spyndicapped.exe spy --pid 123
[Other]
         --debug <- displays more information

TL;DR

# Spy the whole system (high load may be!)
  .\Spyndicapped spy

# And log everything into the file
  .\Spyndicapped spy --logfile 1.txt

# Find target and spy by the pid
  .\Spyndicapped find
  .\Spyndicapped spy --pid <pid from find command>

How It Works

So, there is a Windows User Automation framework that allows you to work with any Windows graphical elements.

I just studied it over the New Year holidays and made a small POC 😛 It just so happens that in parallel I became an expert in Windows programming for handicapped people.

Why didn’t anyone tell me about this when I first started learning pentest?

In fact, I have two handlers:

MyAutomationEventHandler — UIA basic event processing (Ex: opened a new window);
MyPropertyChangedEventHandler — property changed event handling (Ex: inserted a value).

They handle all the GUI changes we are interested in: data input, text copying, data modification.

Among other things, I’ve added handlers under different processes and even domains in the browser so you can get more familiar with the framework! See the examples below for more details.

Also, I added an example of using patterns (one of the UIA components) on the example of KeePass looting.

With this project you will be able to learn Windows UIA! I use almost all concepts: event handling, pattern calling, tree traversal, item lookup.

For more information click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.