note-bof is a collection of Beacon Object Files (BOFs) for extracting unsaved text content from Notepad and Visual Studio Code (including VSCodium). It is designed for use in red team operations and post-exploitation scenarios where recovering sensitive, unsaved user data can provide operational value.
Modern text editors often persist unsaved data in recovery locations. These BOFs enumerate and parse those locations to extract and display plaintext content from:
-
Notepad (.bin recovery files)
%LocalAppData%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState\ -
VSCode / VSCodium (backup folders)
%AppData%\Code\Backups\
%AppData%\VSCodium\Backups\
- Enumerates unsaved recovery files for Notepad and VSCode
- Extracts and prints full unsaved content to Beacon output
- Supports both x86 and x64 payload architectures
makeBOF object files will be placed in the dist/ directory.
In Cobalt Strike:
- Open the Script Manager
- Load
note-bof.cna
To dump Notepad recovery data:
notepad_dump
To dump VSCode or VSCodium backup content:
vscode_dump
Extracted data will be printed directly to the Beacon console.
Licensed under the GNU General Public License v3.0
Author: sarange