
Notepad++ Plugins Plug and Payload #1919

Open

carlospolop wants to merge 1 commit into master from update_Notepad___Plugins__Plug_and_Payload_20260219_184934

Conversation

@carlospolop (Collaborator)

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://trustedsec.com/blog/notepad-plugins-plug-and-payload
  • Blog Title: Notepad++ Plugins: Plug and Payload
  • Suggested Section: Windows Hardening -> Windows Local Privilege Escalation / Persistence (new page): "Notepad++ Plugin (DLL) Autoload for Execution & Persistence" or alternatively "Generic Hacking / Persistence -> Application plugin/DLL autoload persistence"

🎯 Content Summary

This post explains (1) how Notepad++’s plugin architecture works at a low level (plugins are Windows DLLs autoloaded from disk), and (2) how red teams can operationalize that design for reliable code execution inside the Notepad++ process by building plugins—first a minimal educational example, then a weaponized reflective DLL loader plugin. It also frames the technique in the context of the Notepad++ updater infrastructure breach that could have enabled delivery of backdoored updates, resulting...

🔧 Technical Details

Notepad++ plugin autoload as an execution/persistence primitive: Because Notepad++ loads every plugin DLL found under its plugins subfolders during startup, an attacker who can write a DLL into a user-writable Notepad++ installation (portable build or copied install in a writable directory) can achieve automatic code execution inside notepad++.exe on launch/restart. Execution can occur from DllMain on load and/or from Notepad++-recognized exported callbacks called during initialization (e.g., setInfo(), getName(), getFuncsArray()), and ongoing user-driven execution can be triggered via event handlers like beNotified() or message handling via messageProc().

In-process reflective DLL loading via a plugin: Implement a Notepad++ plugin that accepts a DLL source (local file path or URL), reflectively maps the DLL into the current process memory, and then calls an exported functio...

🤖 Agent Actions

Summary:

  • Added a dedicated page detailing Notepad++ plugin autoload abuse for execution/persistence, including plugin export requirements, minimal malicious skeleton, and reflective loader usage plus detection/hardening notes.
  • Linked the new Notepad++ plugin persistence page from the Windows Local Privilege Escalation README.

Files Modified/Added:

  • src/windows-hardening/windows-local-privilege-escalation/notepad-plus-plus-plugin-autoload-persistence.md
  • src/windows-hardening/windows-local-privilege-escalation/README.md

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
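The "Technical Details" comment above lists the exports Notepad++ calls during plugin initialisation. The following skeleton is an added example written for this review, not code from the TrustedSec post or from the HackTricks page the PR adds. It shows each execution point in one compilable unit: DllMain on load, the lifecycle exports called at startup (isUnicode, setInfo, getName, getFuncsArray), a one-shot "payload" fired from beNotified on NPPN_READY, and a menu command for user-driven execution. Assumptions: the struct and constant definitions mirror Notepad++'s PluginInterface.h and Scintilla's notification header (reproduced from memory; check them against the headers of the version you target); run_payload and the DemoPlugin/Run names are hypothetical placeholders; the non-Windows type shims exist only so the logic compiles and can be unit-tested on any host.

```c
/*
 * Minimal Unicode Notepad++ plugin skeleton in C (added example, not the
 * original post's code). Build on Windows as plugins\DemoPlugin\DemoPlugin.dll:
 * folder name and DLL base name must match or Notepad++ will not load it.
 * Assumption: the ABI definitions below match PluginInterface.h / Scintilla.h
 * of the targeted Notepad++ version; a real build should include those headers
 * instead of redeclaring the types.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <wchar.h>

#ifdef _WIN32
#include <windows.h>
#define PLUGIN_EXPORT __declspec(dllexport)
#else
/* Shims so the plugin logic compiles and can be tested off-Windows. */
typedef void *HWND;
typedef unsigned int UINT;
typedef uintptr_t WPARAM;
typedef intptr_t LPARAM;
typedef intptr_t LRESULT;
typedef int BOOL;
#define TRUE 1
#define PLUGIN_EXPORT
#endif

/* --- Notepad++ plugin ABI (subset, mirrored from PluginInterface.h) --- */
#define NPPN_FIRST 1000
#define NPPN_READY (NPPN_FIRST + 1)  /* sent once the UI is fully initialised */
#define NB_CHAR 64

typedef struct { HWND _nppHandle; HWND _scintillaMainHandle; HWND _scintillaSecondHandle; } NppData;
typedef void (*PFUNCPLUGINCMD)(void);
typedef struct { bool _isCtrl, _isAlt, _isShift; unsigned char _key; } ShortcutKey;
typedef struct {
    wchar_t _itemName[NB_CHAR];
    PFUNCPLUGINCMD _pFunc;
    int _cmdID;
    bool _init2Check;
    ShortcutKey *_pShKey;
} FuncItem;
/* Scintilla's SCNotification begins with this header; only .code is used here. */
typedef struct { void *hwndFrom; uintptr_t idFrom; unsigned int code; } Sci_NotifyHeader;
typedef struct { Sci_NotifyHeader nmhdr; } SCNotification;

/* --- plugin state --- */
static NppData g_npp;            /* window handles handed over by setInfo */
static FuncItem g_funcs[1];      /* one menu entry under Plugins -> DemoPlugin */
static int g_payload_runs = 0;   /* counted so the behaviour can be asserted */

/* Hypothetical stand-in for operator code (the post invokes its reflective
 * loader at this point). Here it only records that it ran. */
static void run_payload(void) { g_payload_runs++; }

int payload_runs(void) { return g_payload_runs; }

/* Menu callback: user-driven execution path (Plugins -> DemoPlugin -> Run). */
static void menu_run(void) { run_payload(); }

#ifdef _WIN32
/* Earliest execution point: runs inside notepad++.exe as soon as the DLL is mapped. */
BOOL APIENTRY DllMain(HINSTANCE h, DWORD reason, LPVOID reserved) {
    (void)h; (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) { /* only loader-lock-safe work here */ }
    return TRUE;
}
#endif

/* Queried first; Notepad++ rejects ANSI plugins, so always TRUE. */
PLUGIN_EXPORT BOOL isUnicode(void) { return TRUE; }

/* Called on load with the Notepad++ and Scintilla window handles. */
PLUGIN_EXPORT void setInfo(NppData data) { g_npp = data; }

/* Name shown under the Plugins menu. */
PLUGIN_EXPORT const wchar_t *getName(void) { return L"DemoPlugin"; }

/* Menu entries; Notepad++ calls this once during initialisation. */
PLUGIN_EXPORT FuncItem *getFuncsArray(int *nb) {
    wcsncpy(g_funcs[0]._itemName, L"Run", NB_CHAR - 1);
    g_funcs[0]._pFunc = menu_run;
    g_funcs[0]._cmdID = 0;          /* assigned by Notepad++ after registration */
    g_funcs[0]._init2Check = false;
    g_funcs[0]._pShKey = NULL;
    *nb = 1;
    return g_funcs;
}

/* Event sink: auto-execute exactly once when Notepad++ reports it is ready. */
PLUGIN_EXPORT void beNotified(SCNotification *note) {
    static bool fired = false;
    if (note->nmhdr.code == NPPN_READY && !fired) {
        fired = true;
        run_payload();
    }
}

/* Window-message hook; returning TRUE lets Notepad++ continue normally. */
PLUGIN_EXPORT LRESULT messageProc(UINT msg, WPARAM w, LPARAM l) {
    (void)msg; (void)w; (void)l;
    return TRUE;
}
```

At startup Notepad++ walks every subfolder of its plugins directory, loads the matching DLL (DllMain runs here), then calls isUnicode, setInfo, getName and getFuncsArray, and finally posts NPPN_READY through beNotified; the skeleton executes its placeholder once on that notification and again whenever the user picks the menu item. For defenders the same sequence is the detection surface: an image-load event (for example Sysmon Event ID 7) for notepad++.exe loading a DLL from a plugins subfolder outside the protected install path, or an unsigned DLL there, is the signal to hunt for.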

@carlospolop (Collaborator, Author)

🔗 Additional Context

Original Blog Post: https://trustedsec.com/blog/notepad-plugins-plug-and-payload

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Windows Local Privilege Escalation / Persistence (new page): "Notepad++ Plugin (DLL) Autoload for Execution & Persistence" or alternatively "Generic Hacking / Persistence -> Application plugin/DLL autoload persistence"".

Repository Maintenance:

  • MD Files Formatting: 949 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
