Sublime Intervention


I don’t know about the rest of you, but I’m a big fan of Sublime Text 3. Fellow users will know that every now and then when you launch Sublime Text you will probably see a popup that looks like this.


For whatever reason, I finally felt like taking a look to see how this process actually works!

Teardown Time

First thing noticed during the update process is a UAC prompt. If you click on more details you should see something similar to below.


We can actually learn a lot of the update proccess just from this UAC screen. It looks like the last argument is the path to the downloaded update package. We can see it looks like it fetches and stores the standard Sublime Text install package at C:\Users\$USER\AppData\Local\Sublime Text 3\Update


From that same UAC prompt we can infer that the destion of the install program will be C:\Program Files\Sublime Text 3, which is the default install location of Sublime Text 3. So it looks like this Sublime Text Update Installer.exe is responsible for copying the contents of the newly downloaded package and moving them into the users install location. The next question is can we put any files we want in this Update folder ahead of time and let Sublime move the file for us when the user clicks update. I tried a couple of methods and ran into a big issue.

Sublime will redownload the folder every time you initiate an update (your file will get removed!)

The workaround for this is when preloading the file is to set the Read-Only file attribute. That way Sublime won’t be able to modify the file. By marking this file as Read-Only when Sublime goes to clear the Update folder for the download the update package it won’t be able to. This leaves our file in the Update folder along with all the files that are meant to be there.

Prepped file
Test 1

Sublime installed our file!
Test 2

Putting it all together

So now we are able to get a file to be copied into the the Sublime installation folder. But how can we take this further? What if we were able to overwrite a file that Sublime is looking for and make it load ours instead. Time to load up ProcessMonitor and see what files Sublime is looking for on boot.


Bingo! Looks like Sublime is looking for a dwrite.dll file. Lucky for us we have the ability to place a file in the Sublime directory. So we will just create a small dwrite.dll with some stub code to launch a popup. We don’t know exactly which function is called, so we will just place it in a couple of spots for now (you can totally figure this out so you don’t have to guess). The right way to do this is to determine exactly which exported functions are called by the sublime.exe binary. For this iteration, the payload was just placed in some of the exported symbols as a PoC. In realistic scenarios, you should know exactly which function you want to modify and when it is called. For now we just put our malicious DLL with the scatter payload in the Update folder and click install. This technique is nicely documented by our friends at MITRE,

Making it read only Bad Step 1

After clicking install Bad Step 2

Success! Demo

Sublime will automatically restart Sublime after an update, so our payload executes immediately. It will also execute on any Sublime launch, it doesn’t just work because it is the first launch after an update.

What’s Left?

  • There’s actually more that goes into the update process (making folder, subprocesses, runas, etc..) and another binary named update_installer.exe that Sublime uses, but I just wanted to focus the DLL aspect in this post.

Thanks - for the inspiration on looking into my text editor