Last week during research on Office, I happened to notice a weird string in the Outlook binary (Outlook.exe). Let's quickly go to the related code.
.text:00C88067 lea eax, [ebp-16Ch]
.text:00C8806D push eax ; lpBuffer
.text:00C8806E push esi ; nBufferLength
.text:00C8806F call ds:GetTempPathA
.text:00C88075 test eax, eax
.text:00C88077 jnz short loc_C88087
.text:00C88079 lea eax, [ebp-16Ch]
.text:00C8807F push eax ; lpBuffer
.text:00C88080 push esi ; nBufferLength
.text:00C88081 call ds:GetCurrentDirectoryA
.text:00C88087
.text:00C88087 loc_C88087: ; CODE XREF: sub_C87EA5+1D2 j
.text:00C88087 push esi
.text:00C88088 mov esi, MSO_4606
.text:00C8808E lea eax, [ebp-16Ch]
.text:00C88094 push eax
.text:00C88095 push offset aGigiduru ; "gigiduru"
.text:00C8809A call esi ; MSO_4606
.text:00C8809C push 104h
.text:00C880A1 lea eax, [ebp-16Ch]
.text:00C880A7 push eax
.text:00C880A8 lea eax, [ebp-26Ch]
.text:00C880AE push eax
.text:00C880AF call esi ; MSO_4606
.text:00C880B1 push 1
.text:00C880B3 xor eax, eax
.text:00C880B5 push eax
.text:00C880B6 push 100h
.text:00C880BB push 1
.text:00C880BD push eax
.text:00C880BE push eax
.text:00C880BF push 80000000h
.text:00C880C4 lea eax, [ebp-16Ch]
.text:00C880CA push eax
.text:00C880CB call MSO_1655
.text:00C880D1 mov esi, eax
.text:00C880D3 cmp esi, 0FFFFFFFFh
.text:00C880D6 jz short loc_C88105
.text:00C880D8 push edi ; lpResult
.text:00C880D9 push offset byte_63810C ; lpDirectory
.text:00C880DE lea eax, [ebp-16Ch]
.text:00C880E4 push eax ; lpFile
.text:00C880E5 call FindExecutableA
.text:00C880EB cmp byte ptr [edi], 0
.text:00C880EE push esi ; hObject
.text:00C880EF setnz bl
.text:00C880F2 call ds:CloseHandle
.text:00C880F8 lea eax, [ebp-16Ch]
.text:00C880FE push eax ; lpFileName
.text:00C880FF call ds:DeleteFileA
Saw that line highlighted? After some debugging, it appears to me that Outlook does a "test" to look for the appropriate icon to show to the user when the user opens an email which contains attachment(s). Based on my understanding, it does the following:
- Create a zero-byte file named "gigiduru.<extname>" in the user's temp folder, so the full path of the temp file looks like "C:\Users\user1\AppData\Local\Temp\gigiduru.pdf".
- Call the API "FindExecutable()" on that temp file (as its first parameter) to retrieve the associated executable for that specific file type.
- Delete the temp file.
- Find the appropriate icon in the found executable for showing to the user (in Outlook).
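As an added example (not code from this post, and not Outlook's or Microsoft's own code), here is a Python replay of the four steps above. The Win32 lookup goes through shell32!FindExecutableA via ctypes; the injectable `lookup` parameter, the path sanitisation in `probe_name`, and the `leftover_probes` check are my own assumptions added so the flow can be exercised and audited off Windows.

```python
import ctypes
import os
import tempfile

PROBE_STEM = "gigiduru"   # marker file name observed in Outlook.exe
MAX_PATH = 260            # the 104h buffer length pushed before MSO_4606


def probe_name(attachment_name):
    """Build the probe file name, e.g. 'report.pdf' -> 'gigiduru.pdf'.
    Assumption (not stated in the post): only the last extension is kept and
    any directory components in the attachment name are discarded first, so a
    name such as '..\\x.exe' cannot steer the probe outside the temp folder."""
    base = os.path.basename(attachment_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1]          # '' when there is no extension
    return PROBE_STEM + ext


def find_executable_win32(path):
    """Real lookup through shell32!FindExecutableA (Windows only).
    FindExecutable reports SE_ERR_FNF for a missing file, which is why the
    zero-byte probe has to exist on disk before the call."""
    buf = ctypes.create_string_buffer(MAX_PATH)
    rc = ctypes.windll.shell32.FindExecutableA(path.encode("mbcs"), None, buf)
    return buf.value.decode("mbcs") if rc > 32 else ""   # <= 32 means error


def probe_association(attachment_name, temp_dir=None, lookup=find_executable_win32):
    """Replay the four steps: create the zero-byte probe, ask for its handler,
    delete the probe, report whether a handler was found (Outlook's setnz bl).
    `lookup` is injectable so the flow can be exercised off Windows."""
    if temp_dir is None:
        temp_dir = tempfile.gettempdir()     # GetTempPathA fallback omitted
    path = os.path.join(temp_dir, probe_name(attachment_name))
    with open(path, "wb"):                    # step 1: zero-byte file
        pass
    try:
        handler = lookup(path)                # step 2: FindExecutable
    finally:
        os.remove(path)                       # step 3: delete, even on error
    return handler != "", handler, path       # step 4 (icon) is up to the UI


def leftover_probes(temp_dir=None):
    """Defender check: list probe files the sequence failed to clean up."""
    if temp_dir is None:
        temp_dir = tempfile.gettempdir()
    return sorted(n for n in os.listdir(temp_dir) if n.startswith(PROBE_STEM))
```

On a Windows box `probe_association("report.pdf")` runs the real FindExecutableA against your own file associations; `leftover_probes()` is a quick way to see whether any gigiduru.* files survived in %TEMP%.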
Another bit is that I was only able to reach the related code on Office 2013; I didn't trigger it on Office 2010 or Office 2016 during a quick test, while (if you search in the process memory) you will find the "gigiduru" string on all the versions. So if you'd like to go digging, you probably want to use Outlook 2013.
Thanks,
Haifei