1

For a silly little project I wanted to do, I wanted to make it so that I could open new notes (Microsoft Sticky Notes) from an external script - preferably python. Although I'm not good at reverse engineering I thought that it shouldn't be too hard because I thought it was a standalone exe. It was only until I couldn't launch the exe on it's own that I realised it's a UWP app which means I couldn't do my go-to debugging it in IDA.

(Just to mention now, I noticed that sticky notes always has two processes running - ApplicationFrameHost which I assume is the main sticky notes window and another process which I assume is the actual open sticky notes. All the methods I've tried, I've tried on both processes to be certain.)

I started by opening sticky notes in IDA and trying to use the debugger, but as mentioned, that didn't get me too far so I opened it up in Binary Ninja instead, just to explore a bit. I didn't know what to look for, so I didn't find much. However, BN did show a lot of strings except apparently they aren't used anywhere in the program. Things like:

BCreateStickyNoteViaJumplistAction - "Jumplist" is also in the name of the plus icon used as the button - C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.8.8.0_x64__8wekyb3d8bbwe\Assets\JumpListNewNote.png`
CreateNewNote .... WithNewStickyNote
TryGet_ViewState_IsSticky

and lots of what looks like C# code. But as I mentioned, BN showed no references to these (and other) strings and as I'll mention later, the strings in x64dbg all seemed "encoded" so I never found a use for these anyway.

Next I think I tried out WinDBG (preview). I tried first by just attaching it to the running sticky notes process (and then launching the app using the launch app package) but I wasn't able to do anything with that. It just told me the DLL's that were being loaded, including the ones missing which means I couldn't launch the exe directly, like:

C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.28604.0_x64__8wekyb3d8bbwe\mrt100_app.dll
C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.29512.0_x64__8wekyb3d8bbwe\SharedLibrary.dll

Maybe it's possible to somehow point the exe to these DLL so I could launch it via IDA but I think it's a stretch.

I did a few other small things here and there like ollydbg and PE Disassembler viewer but they are not of significance.

The thing I have been trying the most is x64dbg. On my own, I didn't really get anything done; I didn't find anything related to buttons or their handler's. So I tried googling to see if someone else had tried reverse engineering a UWP and came across this. I gave the second answer a go, since it was quicker to do at the time. However, when you click to open a new note, no new DLL's will be loaded so I couldn't use that. I tried also breaking when a new thread is created which did cause it to stop execution when I created a new note but I don't think each new note is its own thread, I think that was just some other internal Windows thing.

The reason I didn't try the first answer is that they hook into CreateFileW from KernelBase.dll to "redirect" the resources accessed, since it loads a new DLL when Restart now is pressed, but again, in my situation, nothing new is loaded when a new note is created. I did also try EventHook and just using GetProcessById to get the sticky notes process but that doesn't really expose much.

I feel like I have what I need to do this, I just don't quite know how. If anyone could point me in the right direction I'd really appreciate it.

MarianD
  • 1,130
  • 1
  • 6
  • 23
DreamingInsanity
  • 13
  • 2

1 Answers1

1

I am not sure what you are asking (never used sticky notes and don't have it installed )
but if you want to run sticky notes from command line you can do something like this

the command below will run calculator instead of the wildcard calc use stick

C:\>powershell -c "(get-startapps -name *calc*).Appid
Microsoft.WindowsCalculator_8wekyb3d8bbwe!App

C:>start shell:appsfolder\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App

you can obviously use this with python withsomething like

C:\>python -c "import os;os.system(\"start explorer shell:appsfolder\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\")"

if you need to start a new note from a script checkout

:\>pip show uiautomation
Name: uiautomation
Version: 2.0.11
Summary: Python UIAutomation for Windows
Home-page: https://github.com/yinkaisheng/Python-UIAutomation-for-Windows
Author: yinkaisheng
Author-email: [email protected]
License: Apache 2.0
Location: c:\python39\lib\site-packages
Requires: comtypes
Required-by:

with this it is a single liner the Name ="New Note" is taken from your comments be aware the uwp app needs to be in foreground for this to work tooltip remark

:\>python -c "import uiautomation as auto;auto.ButtonControl(Seachdepth=1,Name =\"New note\").Click()"

a gif

enter image description here

blabb
  • 16,376
  • 1
  • 15
  • 30
  • My bad, I should have been more clear. When you open sticky notes, there's a button in the top left with the tooltip "New note" when you click that button, it opens a new sticky note. My goal is to to be able to be able to find the code that handles that button click, but call it from a different script, simulating someone clicking on that button. – DreamingInsanity Apr 22 '21 at 15:26
  • you cannot send keystrokes to a uwpapp look for uiautomation the sdk tool inspect.exe has an action menu it has a DoDefaultAction() or Invoke() action clicking that will normally result in actions like hitting enter on the focussed ui element – blabb Apr 22 '21 at 21:48
  • That's actually really helpful, thank you! It might now be possible to do what I want to do. – DreamingInsanity Apr 23 '21 at 15:37
  • I edited the answer to point to a possible readymade solution take a look – blabb Apr 23 '21 at 20:46
  • Looks perfect for what I need, thanks! – DreamingInsanity Apr 24 '21 at 08:49