2016年8月21日星期日

Who is "gigiduru"?

Last week during a research on Office, I happened to notice a weird string in the Outlook binary (Outlook.exe). Let's quickly go to the related code.

.text:00C88067                 lea     eax, [ebp-16Ch]
.text:00C8806D                 push    eax             ; lpBuffer
.text:00C8806E                 push    esi             ; nBufferLength
.text:00C8806F                 call    ds:GetTempPathA
.text:00C88075                 test    eax, eax
.text:00C88077                 jnz     short loc_C88087
.text:00C88079                 lea     eax, [ebp-16Ch]
.text:00C8807F                 push    eax             ; lpBuffer
.text:00C88080                 push    esi             ; nBufferLength
.text:00C88081                 call    ds:GetCurrentDirectoryA
.text:00C88087
.text:00C88087 loc_C88087:                             ; CODE XREF: sub_C87EA5+1D2 j
.text:00C88087                 push    esi
.text:00C88088                 mov     esi, MSO_4606
.text:00C8808E                 lea     eax, [ebp-16Ch]
.text:00C88094                 push    eax
.text:00C88095                 push    offset aGigiduru ; "gigiduru"
.text:00C8809A                 call    esi ; MSO_4606
.text:00C8809C                 push    104h
.text:00C880A1                 lea     eax, [ebp-16Ch]
.text:00C880A7                 push    eax
.text:00C880A8                 lea     eax, [ebp-26Ch]
.text:00C880AE                 push    eax
.text:00C880AF                 call    esi ; MSO_4606
.text:00C880B1                 push    1
.text:00C880B3                 xor     eax, eax
.text:00C880B5                 push    eax
.text:00C880B6                 push    100h
.text:00C880BB                 push    1
.text:00C880BD                 push    eax
.text:00C880BE                 push    eax
.text:00C880BF                 push    80000000h
.text:00C880C4                 lea     eax, [ebp-16Ch]
.text:00C880CA                 push    eax
.text:00C880CB                 call    MSO_1655
.text:00C880D1                 mov     esi, eax
.text:00C880D3                 cmp     esi, 0FFFFFFFFh
.text:00C880D6                 jz      short loc_C88105
.text:00C880D8                 push    edi             ; lpResult
.text:00C880D9                 push    offset byte_63810C ; lpDirectory
.text:00C880DE                 lea     eax, [ebp-16Ch]
.text:00C880E4                 push    eax             ; lpFile
.text:00C880E5                 call    FindExecutableA
.text:00C880EB                 cmp     byte ptr [edi], 0
.text:00C880EE                 push    esi             ; hObject
.text:00C880EF                 setnz   bl
.text:00C880F2                 call    ds:CloseHandle
.text:00C880F8                 lea     eax, [ebp-16Ch]
.text:00C880FE                 push    eax             ; lpFileName
.text:00C880FF                 call    ds:DeleteFileA

Saw that line highlighted? After some debugging, it apperars to me that Outlook does a "test" to look for the appropriate icon to show to the user when the user opens an email which contains attachment(s). Based on my understanding, it does the following:
  1. Create a zero-byte file named "gigiduru.<extname>" into the user's temp folder, so the full path of the temp file looks like "C:\Users\user1\AppData\Local\Temp\gigiduru.pdf".
  2. Call API "FindExecutable()" on that temp file (as it's first param) to retrieve the associated executable on that specific file type.
  3. Delete the temp file.
  4. Find the appropriate icon in the found executable for showing to the user (on Outlook).
But, why "gigiduru" is chosen? Couldn't Microsoft just use a random string as what they usually do? Well, as a non-native English speaker I'm not actually sure what it means for "gigiduru", but a quick Google search shows maybe it's a nickname for a Microsoft Office developer?:-)

Another bit is that I was only able to reach the related code on Office 2013, I didn't trigger it on Office 2010 nor Office 2016 during a quick test, while (if you search in the process memory) you will find the "gigiduru" string on all the versions. So if you'd like to go a digging, you probably want to use Outlook 2013.

Thanks,
Haifei

没有评论:

发表评论