Patch SciLexer.dll #3002

Closed
gavin20 opened this Issue Mar 7, 2017 · 5 comments


gavin20 commented Mar 7, 2017

Reference: https://wikileaks.org/ciav7p1/cms/page_26968090.html

Notepad++ DLL Hijack
The following DLL hijack works for both the portable and non-portable variants of Notepad++.

Notepad++ loads Scintilla, a "code editing component" (and separate project), from a DLL adjacent to its EXE called "SciLexer.dll". This DLL exports only one function named "Scintilla_DirectFunction" at ordinal #1.

The DLL does a lot of "set up" in ProcessAttach, so it is important to load the true DLL as soon as the hijack is loaded.

The exported function has the following prototype definition, according to the open source for Notepad++ online:

```cpp
sptr_t __stdcall Scintilla_DirectFunction(ScintillaWin * sci, UINT iMessage, uptr_t wParam, sptr_t lParam)
```

For the life of me, I couldn't get this function to be called – I even installed additional plugins that were supposed to interact with Scintilla directly. Considering we have the prototype, this shouldn't be that big of a deal, but it's worth noting.

Languages Available:

| Languages | %PAL:LanguageCustom% Replacement |
|---|---|
| Arabic | arabic |
| Bengali | bengali |
| Chinese (Simplified) | chinese |
| Chinese (Traditional) | chineseSimplified |
| Dutch | dutch |
| English | english |
| French | french |
| Farsi | farsi |
| German | german |
| Hindi | hindi |
| Italian | italian |
| Japanese | japanese |
| Korean | korean |
| Portuguese | prtuguese |
| Portuguese (Brazilian) | brazilian_portugese |
| Russian | russian |
| Spanish | spanish |
| Turkish | turkish |
| Urdu | urdu |
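As an added defender-side check, not code from this thread or from the Notepad++ project, the following PowerShell inspects the adjacent SciLexer.dll the post describes: whether it carries a valid Authenticode signature from the same publisher as notepad++.exe, whether ordinary users can write to the directory that makes the adjacent-DLL swap possible, and its SHA256 for comparison against a known-good release. The install path in `$NppDir` is an assumption; pass the real directory for a portable copy.

```powershell
# Added example (not from the issue thread or Notepad++). Checks the SciLexer.dll
# that Notepad++ loads from its own directory for signs of replacement.
# $NppDir is an assumed install location; override it for portable installs.
param([string]$NppDir = "$env:ProgramFiles\Notepad++")

$exe = Join-Path $NppDir 'notepad++.exe'
$dll = Join-Path $NppDir 'SciLexer.dll'
foreach ($f in @($exe, $dll)) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Not found: $f" }
}

$findings = New-Object System.Collections.Generic.List[string]

# 1. Signature check: an unsigned, or differently signed, SciLexer.dll sitting
#    next to a signed EXE is a strong indicator that the DLL was swapped.
$exeSig = Get-AuthenticodeSignature -FilePath $exe
$dllSig = Get-AuthenticodeSignature -FilePath $dll
if ($dllSig.Status -ne 'Valid') {
    $findings.Add("SciLexer.dll signature status is '$($dllSig.Status)'")
} elseif ($exeSig.Status -eq 'Valid' -and
          $exeSig.SignerCertificate.Thumbprint -ne $dllSig.SignerCertificate.Thumbprint) {
    $findings.Add("SciLexer.dll signed by '$($dllSig.SignerCertificate.Subject)', " +
                  "notepad++.exe signed by '$($exeSig.SignerCertificate.Subject)'")
}

# 2. Directory ACL check (heuristic): any Write bit granted to broad groups means
#    a non-admin process could drop or overwrite a DLL beside the EXE.
$acl = Get-Acl -LiteralPath $NppDir
$broadIds = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and
        $broadIds -contains $ace.IdentityReference.Value -and
        ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)) {
        $findings.Add("$($ace.IdentityReference.Value) can write to $NppDir")
    }
}

# 3. Record the hash so it can be compared with the hash of a known-good release.
$hash = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
Write-Output "SciLexer.dll SHA256: $hash"

if ($findings.Count -eq 0) { Write-Output 'No findings.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

If notepad++.exe itself is unsigned, as with older releases, the signer comparison is skipped and only the hash comparison against the distribution's published value is conclusive.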

dail8859 (Contributor) commented Mar 7, 2017

Can you provide more info other than copy/pasting the text, because it really doesn't describe a problem.

teepean commented Mar 7, 2017

This is from the Wikileaks CIA leak.

https://wikileaks.org/ciav7p1/cms/page_26968090.html

mchubby commented Mar 7, 2017

Verbatim from https://groups.google.com/forum/#!original/scintilla-interest/ibNlrTJEj7s/zMClRx_tXw0J

References: <9171D137-C360-4F00-956F-E15BD2352535@googlemail.com>
Date: Thu, 26 Jan 2012 11:25:01 +1100
Message-ID: <CAMLCkUcyh5aTKxUahFuP_fsO51zNR-Z=7OxJ=xM0Lkdw32KmTA@mail.gmail.com>
Subject: Re: [scintilla] Scintilla_DirectFunction
From: Neil Hodgson <nyama...@gmail.com>
To: scintilla-interest@googlegroups.com
Content-Type: text/plain; charset=UTF-8

Mike Lischke:
> can you give a short example how this exported function is to be used? It
> uses ScintillaWin as first parameter which is not exported.

   I didn't want or implement this feature. It is undocumented and you
should not use it unless you can not write something in any other way.

   Neil

Edit: sounds fishy, but taken out of context, sorry. Seems like this symbol should not be defined in static builds of the dll.

dail8859 (Contributor) commented Mar 7, 2017

@mchubby Thanks for that, it does make a bit more sense. This would still be best addressed by the Scintilla developers. However, I don't know why this is "unique" to Scintilla; you can say that any DLL that exports functions is vulnerable to hijacking.

Edit: well I guess technically it doesn't even have to export anything.

donho (Owner) commented Mar 8, 2017

Fixed in b869163

@donho donho closed this Mar 8, 2017

@PawelTroka PawelTroka referenced this issue in jacobslusser/ScintillaNET Apr 28, 2017:

Open: CIA hacking SciLexer.dll #330
