Releases: ogmini/Notepad-State-Library
Release v1.0.2
Releasing .NET 8.0-dependent and standalone versions of Windows Notepad Parser. The standalone versions do not need the .NET 8.0 runtime installed on the system to run, but the executables are larger.
The Minimal version of Windows Notepad Parser does not have the code or option to generate GIF files of the changes.
Changes:
- Continued cleanup of the CSV output
  - Reorder columns
  - Remove unnecessary columns
Feel free to reach out with any suggestions, bugs, or comments by opening an Issue or messaging me on LinkedIn.
GaslitPad - v1.0.0
First release of the Proof of Concept Malware for Windows Notepad.
https://ogmini.github.io/2025/01/03/POC-Malware-Part-1.html
https://ogmini.github.io/2025/01/31/POC-Malware-Part-2.html
https://ogmini.github.io/2025/02/01/POC-Malware-Part-3.html
Requirements
.NET 8.0 Runtime - https://dotnet.microsoft.com/en-us/download/dotnet/8.0/runtime?cid=getdotnetcore&os=windows&arch=x64
Options
These can be set by editing the "GastlitPad.dll.config" file. The default settings will perform an Active Attack on a file called "wp-config.php" after 10 seconds of idle time.
- attackVersion - 0 is Active Attack / 1 is Sleep Attack
- attackFileName - Filename to attack
- attackRegex - regex for text to replace
- attackReplace - text to replace regex match
- idleWaitTime - idle wait time in seconds for Active Attack
- pollingInterval - polling time in milliseconds to check
Attack Demonstrations
An example "wp-config.php" file has been included in the zip file to demonstrate the attack in action.
Active Attack
Make sure the options are set for the Active Attack. Run GaslitPad however you see fit. Open "wp-config.php" in Windows Notepad and make a change to the file. Do not save the file or close Windows Notepad. Wait for the required idleWaitTime without taking any action, and you should see Windows Notepad blink and the text change to 'compromised'.
Sleep Attack
Make sure the options are set for the Sleep Attack. Open "wp-config.php" in Windows Notepad and make a change to the file. Do not save the file; instead, just close Windows Notepad. Wait a second or two and the Tab State will be changed. You can reopen Windows Notepad and see that the text has been changed to 'compromised'.
Fix - WindowState
Changes:
- Executable has been reduced to a single file
- No reliance on .NET Core being installed
- Flag for generating GIF has been added
- The CSV for the WindowState was missing the GUID Chunks section. These are now stored as a comma-separated string.
For more details, consult the README.
Initial Release
Initial release version of Windows Notepad Parser.
Executable to quickly extract and collect information related to Windows Notepad. Collected information is saved as CSV files for easy analysis using tools such as Timeline Explorer. Also generates GIF files for any recovered Unsaved Buffer Chunks.
For more details, consult the README.