Last week, during some research on Office, I happened to notice a weird string in the Outlook binary (Outlook.exe). Let's go straight to the related code.
.text:00C88067 lea eax, [ebp-16Ch]
.text:00C8806D push eax ; lpBuffer
.text:00C8806E push esi ; nBufferLength
.text:00C8806F call ds:GetTempPathA
.text:00C88075 test eax, eax
.text:00C88077 jnz short loc_C88087
.text:00C88079 lea eax, [ebp-16Ch]
.text:00C8807F push eax ; lpBuffer
.text:00C88080 push esi ; nBufferLength
.text:00C88081 call ds:GetCurrentDirectoryA
.text:00C88087
.text:00C88087 loc_C88087: ; CODE XREF: sub_C87EA5+1D2 j
.text:00C88087 push esi
.text:00C88088 mov esi, MSO_4606
.text:00C8808E lea eax, [ebp-16Ch]
.text:00C88094 push eax
.text:00C88095 push offset aGigiduru ; "gigiduru"
.text:00C8809A call esi ; MSO_4606
.text:00C8809C push 104h
.text:00C880A1 lea eax, [ebp-16Ch]
.text:00C880A7 push eax
.text:00C880A8 lea eax, [ebp-26Ch]
.text:00C880AE push eax
.text:00C880AF call esi ; MSO_4606
.text:00C880B1 push 1
.text:00C880B3 xor eax, eax
.text:00C880B5 push eax
.text:00C880B6 push 100h
.text:00C880BB push 1
.text:00C880BD push eax
.text:00C880BE push eax
.text:00C880BF push 80000000h
.text:00C880C4 lea eax, [ebp-16Ch]
.text:00C880CA push eax
.text:00C880CB call MSO_1655
.text:00C880D1 mov esi, eax
.text:00C880D3 cmp esi, 0FFFFFFFFh
.text:00C880D6 jz short loc_C88105
.text:00C880D8 push edi ; lpResult
.text:00C880D9 push offset byte_63810C ; lpDirectory
.text:00C880DE lea eax, [ebp-16Ch]
.text:00C880E4 push eax ; lpFile
.text:00C880E5 call FindExecutableA
.text:00C880EB cmp byte ptr [edi], 0
.text:00C880EE push esi ; hObject
.text:00C880EF setnz bl
.text:00C880F2 call ds:CloseHandle
.text:00C880F8 lea eax, [ebp-16Ch]
.text:00C880FE push eax ; lpFileName
.text:00C880FF call ds:DeleteFileA
Saw that highlighted line? After some debugging, it appears to me that Outlook does a "test" to look for the appropriate icon to show to the user when the user opens an email that contains attachment(s). Based on my understanding, it does the following:
- Create a zero-byte file named "gigiduru.<extname>" in the user's temp folder, so the full path of the temp file looks like "C:\Users\user1\AppData\Local\Temp\gigiduru.pdf".
- Call the API "FindExecutable()" on that temp file (as its first parameter) to retrieve the executable associated with that specific file type.
- Delete the temp file.
- Find the appropriate icon in the found executable to show to the user (in Outlook).
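If you want to confirm this sequence on a live system, the easiest way is to run Process Monitor against Outlook while opening a message with attachments and then look for file events on gigiduru.* in %TEMP%. The script below is an added example written for this post (it is not code from the post or from Office); it reads a Procmon CSV export, groups every event on a gigiduru probe path by extension, and reports whether each probe file was created and later deleted, so a leftover probe file in Temp stands out. It assumes the standard Procmon CSV column layout ("Time of Day","Process Name","PID","Operation","Path","Result","Detail") and that Procmon shows the DeleteFile() call as a SetDispositionInformation* operation with "Delete: True" in the Detail column; the embedded sample lines are constructed, not captured.

```python
import csv
import io
import re

# Constructed sample in the column layout of a Process Monitor CSV export (assumption:
# header "Time of Day","Process Name","PID","Operation","Path","Result","Detail").
# The .pdf probe follows the create -> FindExecutable -> delete sequence described above;
# the .docx probe was created but never deleted, so it would still sit in %TEMP%.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000","OUTLOOK.EXE","4120","CreateFile","C:\Users\user1\AppData\Local\Temp\gigiduru.pdf","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:01:02.1000500","OUTLOOK.EXE","4120","CloseFile","C:\Users\user1\AppData\Local\Temp\gigiduru.pdf","SUCCESS",""
"10:01:02.1001000","OUTLOOK.EXE","4120","RegQueryValue","HKCR\.pdf\(Default)","SUCCESS","Type: REG_SZ, Length: 36, Data: AcroExch.Document"
"10:01:02.1002000","OUTLOOK.EXE","4120","SetDispositionInformationFile","C:\Users\user1\AppData\Local\Temp\gigiduru.pdf","SUCCESS","Delete: True"
"10:01:05.2000000","OUTLOOK.EXE","4120","CreateFile","C:\Users\user1\AppData\Local\Temp\gigiduru.docx","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:01:05.2000500","OUTLOOK.EXE","4120","CloseFile","C:\Users\user1\AppData\Local\Temp\gigiduru.docx","SUCCESS",""
"10:01:09.0000000","notepad.exe","7788","CreateFile","C:\Users\user1\Documents\notes.txt","SUCCESS","Desired Access: Generic Read"
'''

# Matches "...\gigiduru.<ext>" (or "/" separated) and captures the extension; case-insensitive
# because NTFS paths are, and Procmon prints whatever case the caller used.
PROBE_RE = re.compile(r"[\\/]gigiduru(\.[^\\/]+)$", re.IGNORECASE)


def parse_events(csv_text):
    """Parse a Procmon CSV export into a list of dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def probe_extension(path):
    """Return the lower-cased extension of a gigiduru probe path (e.g. '.pdf'), or None."""
    m = PROBE_RE.search(path)
    return m.group(1).lower() if m else None


def find_probes(events):
    """Group file events on gigiduru.* paths by extension and record the lifecycle of each probe file."""
    probes = {}
    for ev in events:
        ext = probe_extension(ev.get("Path", ""))
        if ext is None:
            continue  # not a probe file; ignore registry and unrelated file events
        rec = probes.setdefault(ext, {
            "process": ev["Process Name"],
            "pid": ev["PID"],
            "first_seen": ev["Time of Day"],
            "created": False,
            "deleted": False,
        })
        op = ev["Operation"]
        if op == "CreateFile" and ev["Result"] == "SUCCESS":
            rec["created"] = True
        # DeleteFile() surfaces in Procmon as SetDispositionInformationFile / ...Ex with "Delete: True"
        elif op.startswith("SetDispositionInformation") and "Delete: True" in ev.get("Detail", ""):
            rec["deleted"] = True
    return probes


def leftover_probes(probes):
    """Extensions whose probe file was created but never deleted (still on disk in %TEMP%)."""
    return sorted(ext for ext, rec in probes.items() if rec["created"] and not rec["deleted"])


if __name__ == "__main__":
    probes = find_probes(parse_events(SAMPLE_CSV))
    for ext, rec in sorted(probes.items()):
        state = "created and deleted" if rec["deleted"] else "created, NOT deleted"
        print(f"{rec['process']} (pid {rec['pid']}) probed {ext} at {rec['first_seen']}: {state}")
    print("leftover probe files:", leftover_probes(probes))
```

To use it on a real capture, filter Procmon to the Outlook process, save the trace as CSV, and pass the file's contents to `parse_events`. The extension list tells you exactly which attachment types triggered the probe, and `leftover_probes` is a quick check for the case where Outlook died between CreateFile and DeleteFile.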
Another bit is that I was only able to reach the related code on Office 2013; I didn't trigger it on Office 2010 or Office 2016 during a quick test, while (if you search the process memory) you will find the "gigiduru" string in all versions. So if you'd like to go digging, you probably want to use Outlook 2013.
Thanks,
Haifei