A buffer reader for notepad TabState buffers.
Warning
This project is in early development. Things may change. Sorry for any inconvenience.
Lmao
It works for the most part, now. Check below. There is still data that doesn't get parsed, and I probably have a few definitions
incorrect, but for now it does work for most files. Still need to figure out the multi-buffer stuff.
The tab buffers are located in %localappdata%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState
.
Thank you to @nas_bench and @_JohnHammond for cluing me into this location. nas bench tweet.
Read one of the files and pass it in to TabStateReader::new()
as a slice. Call the get_refs()
method to get references
to parts of the buffer.
There are some print lines for things I am not sure about, so if you see this print some extra lines in your console, please let me know, so I can check out what is wrong.
The TabStateReader
type is there for the future. This type will handle other stuff, later, probably. Right now it just
checks that you aren't passing in an empty buffer. I will probably change it to also check the magic bytes.
fn get_tab_state_refs<'a>(buffer: &'a [u8]) -> std::io::Result<TabStateRefs<'a>> {
let np = TabStateReader::new(buffer)?;
np.get_refs()
}
fn main() {
let file = std::fs::read_dir(r"P:/ath/to/notepad/tabstate/buffer.bin").unwrap();
let refs = get_tab_state_refs(&file[..]).expect("Could not read TabState buffer.");
println!("{:?}", refs.get_path().unwrap_or_default());
println!("{:?}", refs.get_buffer());
}
Open a github issue, or message me on discord. Name on Discord is Nordgaren
. GitHub issues is easier. If I don't get to
you on Discord you can @ me in any shared server we have. I am in John Hammonds Discord. You can also try e-mailing me at
[email protected]
The functions are heavily documented. I just kinda put my thoughts on why I did things the way I did, and what I have seen in samples, thus far. The samples are being generated by opening new tabs with existing files and inspecting the new files notepad makes. I have generated some unsaved tab buffers, and started the process of supporting them.
Also shout out to John Hammond who told me the unsaved buffers are different when notepad closes! Huzzah! WTH?!
@nas_bench - or this tweet nas bench tweet
@_JohnHammond - Showed me the above tweet and asked me to look into this format, and I
have enjoyed every minute of it!
vswarte - For misc reasons including figuring out my varint issue.
notarib-catcher - Started the issue that helped organize the rest of the collaborators
and shared their insights at the start of this, which helped greatly.
JustArion - Identified the FileTime and sha256 hash bytes! Never would have though they would
store FileTime as a varint, but.... Microsoft..
ogmini - For passing on info from their research on this format, that they are documenting
here.
joost-j - Thank you for starting the python dissect PR which lead to a lot of good discussion
and discovery!
daddycocoaman - Thank you for your efforts, and showing me the options structure and
what each one means!
Figure out any inkling of how the unsaved buffers work before notepad has closed, so I can figure out how to read them.