Spyndicapped: COM ViewLogger — new malware keylogging technique
Spyndicapped
Spy on your users with Microsoft UIA!
MS UIA (Microsoft User Interface Automation) is a special framework designed to automate the use of the Windows GUI. With its help you can read any text values on the screen, open menus, and close windows.
In general, you can do everything a user does in front of a monitor, just as if a hacker were sitting at a desktop.
The framework was originally designed for handicapped people, hence the name of the tool — Spyndicapped.
MSAA (Microsoft Active Accessibility) was heavily used in Windows prior to MS UIA, but it has been completely replaced by MS UIA. I should note that MS UIA is supported by almost all modern systems, starting with Windows XP, so I don’t see any point in diving into MSAA.
You can read more about the MSAA and UIA comparison here.
How it works
So, there is a Windows User Automation framework that allows you to work with any Windows graphical elements. I just studied it over the New Year holidays and made a small POC 😛 It just so happens that in parallel I became an expert in Windows programming for handicapped people. Why didn’t anyone tell me about this when I first started learning pentesting?
In fact, I have two handlers:
MyAutomationEventHandler — UIA basic event processing (Ex: opened a new window);
MyPropertyChangedEventHandler — property changed event handling (Ex: inserted a value).
They handle all the GUI changes we are interested in: data input, text copying, data modification. Among other things, I’ve added handlers for different processes and even for specific domains in the browser so you can get more familiar with the framework! See the examples below for more details. I also added an example of using patterns (one of the UIA components), demonstrated on KeePass looting.
With this project you will be able to learn Windows UIA! I use almost all concepts: event handling, pattern calling, tree traversal, item lookup.
You can find out more details in this article on Medium.