Having fun while learning about and pivoting into the world of DFIR.
by ogmini
Driving, especially on long road trips, is when I do some of my best thinking. The 6 hour trip home gave me a lot of time to think about that Windows Notepad. My mind wandered and contemplated about a few topics:
At first, it confused me that the Markdown Tabs do not use the unsaved buffer chunks. It would be difficult to properly support Markdown as the unsaved buffer chunks would not be able to place the Markdown tags in a clean fashion. What is fun, we see the return of the Content bytes for the unsaved Tabs which disappeared in 11.2408.12.0. Granted, this is just for the Markdown Tabs.
Early on, there had been discussion if this byte was a version or count. I personally settled on count as it made the mose sense for ease of reading the correct number of later bytes for options. We are now up to 3 along with 3 more options. I still have not figured out what the previous 2 options are but it appears the last option is related to Markdown. It will be 1 for unformatted and 2 for Markdown formatted. I’m trending to calling this option “Tab Format” just in case they introduce more formats in the future.
I’m going to pat myself on the back for this one. There should be no codes changes required to the binary templates or libary to support this change. I have not tested; but I wrote everything to handle a dynamic number of Options based on the Options Count.
Now that I’m back home I can put some actual work and testing into this new feature for Windows Notepad. Expect more posts in the future with heavy testing and validation.
tags: #research #windows-notepad