dissect.target.plugins.apps.editor.windowsnotepad
Module Contents
Classes
- WindowsNotepadTab: Windows notepad tab content parser
- WindowsNotepadPlugin: Windows notepad tab content plugin.
Attributes
- dissect.target.plugins.apps.editor.windowsnotepad.windowstab_def = Multiline-String
  """
  struct file_header {
      char        magic[2];                          // NP
      uleb128     updateNumber;                      // increases on every settings update when fileType=9,
                                                     // doesn't seem to change on fileType 0 or 1
      uleb128     fileType;                          // 0 if unsaved, 1 if saved, 9 if contains settings?
  }

  struct tab_header_saved {
      uleb128     filePathLength;
      wchar       filePath[filePathLength];
      uleb128     fileSize;                          // likely similar to fixedSizeBlockLength
      uleb128     encoding;
      uleb128     carriageReturnType;
      uleb128     timestamp;                         // Windows Filetime format (not unix timestamp)
      char        sha256[32];
      char        unk0;
      char        unk1;
      uleb128     fixedSizeBlockLength;
      uleb128     fixedSizeBlockLengthDuplicate;
      uint8       wordWrap;                          // 1 if wordwrap enabled, 0 if disabled
      uint8       rightToLeft;
      uint8       showUnicode;
      uint8       optionsVersion;
  };

  struct tab_header_unsaved {
      char        unk0;
      uleb128     fixedSizeBlockLength;              // will always be 00 when unsaved because size is not yet known
      uleb128     fixedSizeBlockLengthDuplicate;     // will always be 00 when unsaved because size is not yet known
      uint8       wordWrap;                          // 1 if wordwrap enabled, 0 if disabled
      uint8       rightToLeft;
      uint8       showUnicode;
      uint8       optionsVersion;
  };

  struct tab_header_crc32_stub {
      char        unk1;
      char        unk2;
      char        crc32[4];
  };

  struct fixed_size_data_block {
      uleb128     nAdded;
      wchar       data[nAdded];
      uint8       hasRemainingVariableDataBlocks;    // indicates whether after this single-data block more data will follow
      char        crc32[4];
  };

  struct variable_size_data_block {
      uleb128     offset;
      uleb128     nDeleted;
      uleb128     nAdded;
      wchar       data[nAdded];
      char        crc32[4];
  };

  struct options_v1 {
      uleb128     unk;
  };

  struct options_v2 {
      uleb128     unk1;                              // likely autocorrect or spellcheck
      uleb128     unk2;                              // likely autocorrect or spellcheck
  };
  """
- dissect.target.plugins.apps.editor.windowsnotepad.GENERIC_TAB_CONTENTS_RECORD_FIELDS = [('string', 'content'), ('path', 'path'), ('string', 'deleted_content')]
- dissect.target.plugins.apps.editor.windowsnotepad.WindowsNotepadUnsavedTabRecord
- dissect.target.plugins.apps.editor.windowsnotepad.WindowsNotepadSavedTabRecord
- dissect.target.plugins.apps.editor.windowsnotepad.c_windowstab
- class dissect.target.plugins.apps.editor.windowsnotepad.WindowsNotepadTab(file: dissect.target.helpers.fsutil.TargetPath)
  Windows notepad tab content parser
  - file
  - is_saved = None
  - content = None
  - deleted_content = None
  - __repr__() → str
- class dissect.target.plugins.apps.editor.windowsnotepad.WindowsNotepadPlugin(target: dissect.target.target.Target)
  Bases: dissect.target.plugins.apps.editor.editor.EditorPlugin
  Windows notepad tab content plugin.
  - __namespace__ = 'windowsnotepad'
    Defines the plugin namespace.
  - GLOB = 'AppData/Local/Packages/Microsoft.WindowsNotepad_*/LocalState/TabState/*.bin'
  - users_tabs: set[dissect.target.helpers.fsutil.TargetPath, dissect.target.helpers.record.UnixUserRecord | dissect.target.helpers.record.WindowsUserRecord]
  - check_compatible() → None
    Perform a compatibility check with the target.
    This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.
    - Raises:
      UnsupportedPluginError – If the plugin could not be loaded.
  - history() → Iterator[WindowsNotepadSavedTabRecord | WindowsNotepadUnsavedTabRecord]
    Return contents from Windows 11 Notepad tabs - and its deleted content if available.
    Windows Notepad application for Windows 11 is now able to restore both saved and unsaved tabs when you re-open the application.
    - Resources:
    Yields WindowsNotepadSavedTabRecord or WindowsNotepadUnsavedTabRecord records:
      ts (datetime): The modification time of the tab.
      content (string): The content of the tab.
      path (path): The path to the tab file.
      deleted_content (string): The deleted content of the tab, if available.
      digest (digest): A digest of the tab content.
      saved_path (path): The path where the tab was saved.
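The following stand-alone sketch is an added example, not dissect's own code: it decodes `uleb128` values, reads `file_header`, and replays `variable_size_data_block` records from `windowstab_def` to show how a `deleted_content` value can be recovered from edit records. It assumes `wchar` is a 2-byte UTF-16LE unit, that records follow each other until the end of the stream, and that each record means "remove `nDeleted` characters at `offset`, then insert `data`"; the function names and sample bytes are constructed for illustration and the `crc32` field is read but not verified.

```python
import io

def read_uleb128(fh):
    """Decode one unsigned LEB128 integer: 7 data bits per byte, low group first."""
    result = shift = 0
    while True:
        raw = fh.read(1)
        if not raw:
            raise EOFError("truncated uleb128")
        result |= (raw[0] & 0x7F) << shift
        if not raw[0] & 0x80:  # high bit clear marks the last byte
            return result
        shift += 7

def parse_file_header(fh):
    """Read file_header: magic 'NP', uleb128 updateNumber, uleb128 fileType."""
    if fh.read(2) != b"NP":
        raise ValueError("bad magic, not a TabState file")
    return {"updateNumber": read_uleb128(fh), "fileType": read_uleb128(fh)}

def replay_variable_blocks(fh, text=""):
    """Apply variable_size_data_block records until EOF; return (content, deleted)."""
    deleted = []
    while fh.read(1):
        fh.seek(-1, io.SEEK_CUR)
        offset, n_deleted, n_added = (read_uleb128(fh) for _ in range(3))
        raw = fh.read(n_added * 2)  # assumption: wchar is a 2-byte UTF-16LE unit (BMP only)
        if len(raw) != n_added * 2 or len(fh.read(4)) != 4:  # data, then crc32 (not verified)
            raise EOFError("truncated data block")
        if offset + n_deleted > len(text):
            raise ValueError("edit lies outside the current buffer")
        deleted.append(text[offset:offset + n_deleted])
        text = text[:offset] + raw.decode("utf-16-le") + text[offset + n_deleted:]
    return text, "".join(deleted)

# Constructed sample bytes (not taken from a real TabState file).
SAMPLE_HEADER = b"NP\xac\x02\x00"  # updateNumber=300 (two-byte uleb128), fileType=0
CRC = b"\x00" * 4                  # placeholder crc32 field
SAMPLE_EDITS = (
    b"\x00\x00\x06" + "secret".encode("utf-16-le") + CRC  # type "secret" at offset 0
    + b"\x00\x06\x00" + CRC                               # delete those 6 characters
    + b"\x00\x00\x02" + "ok".encode("utf-16-le") + CRC    # type "ok"
)

if __name__ == "__main__":
    print(parse_file_header(io.BytesIO(SAMPLE_HEADER)))
    print(replay_variable_blocks(io.BytesIO(SAMPLE_EDITS)))
```

On real evidence, use the plugin's `history()` output; this sketch covers only the two structures named above and does not handle the tab headers, options blocks or the fixed-size data block.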