1 little secret of mapi32.dll

The mapi32.dll is a stub DLL that acts as a proxy for MAPI API calls. Pretty much all of its exported functions start by calling a GetProxyDllEx routine that tries very hard to find a target email client library that will deliver the requested functionality offered by the standardized MAPI interface.

The GetProxyDllEx routine is pretty complicated as it attempts to handle many cases – many of which cater for the various architectural choices Microsoft has made around MAPI over the last 3 decades. Okay, I lied, it’s actually more boring than complicated, and since I am always trigger-happy when it comes to quick wins, I will just describe one below.

As a side note, from a forensic perspective, the following registry entry may be of interest:

HKLM\SOFTWARE\Clients\Mail\AlwaysUseLegacyMapiRegistration

It determines how the MAPI provider DLL is being searched for. If it doesn’t exist, or the value is not 1, the search will focus primarily on the modern RoGetActivationFactory function; otherwise, it will search the MAPI providers the old-fashioned way (via Registry enumeration of HKLM\Software\Clients\Mail key).

Anyway, back to the quick win…

If we put the file mapisvc.inf in a PATH location and attempt to load any MAPI API via rundll32.exe, e.g.:

rundll32 mapi32.dll, LaunchWizard

the mapi32.dll will try to load:

C:\Windows\System32\mapi32x.dll

This DLL may or may not be present on the OS, depending on the OS version. So it’s a bit of a Schrödinger phantom DLL. If you are lucky, and it doesn’t exist, it can be used to host a payload…

Note: the mapi32x.dll file name is hard-coded and used in situations where a better MAPI DLL cannot be found. In many cases there may be email clients present on the system that configure email client registry entries that take precedence over mapi32x.dll, so YMMV and you simply need to test it for your specific scenario. Remember it’s a quick win, and these are usually low quality 🙂
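As an added check (not part of the original post): a PowerShell audit that reports the state of the mapi32x.dll fallback path and the AlwaysUseLegacyMapiRegistration value described above, so a defender can baseline a host and verify any file that later shows up on that path. The function name and output fields are my own; everything else is the stock cmdlets.

```powershell
# Added audit script (not from the original post): report whether the hard-coded
# mapi32x.dll fallback exists, whether it is validly signed, and how MAPI providers
# are being looked up on this host.
$dll      = Join-Path $env:SystemRoot 'System32\mapi32x.dll'
$regKey   = 'HKLM:\SOFTWARE\Clients\Mail'
$regValue = 'AlwaysUseLegacyMapiRegistration'

function Get-MapiFallbackState {
    $result = [ordered]@{
        DllPath      = $dll
        DllPresent   = Test-Path -LiteralPath $dll
        DllSignature = $null
        DllSigner    = $null
        DllSha256    = $null
        LegacyLookup = $null   # $null = value absent (modern RoGetActivationFactory path)
    }
    if ($result.DllPresent) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $result.DllSignature = $sig.Status.ToString()
        $result.DllSigner    = $sig.SignerCertificate.Subject
        $result.DllSha256    = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
    }
    $item = Get-ItemProperty -Path $regKey -Name $regValue -ErrorAction SilentlyContinue
    if ($null -ne $item) { $result.LegacyLookup = $item.$regValue }
    [pscustomobject]$result
}

$state = Get-MapiFallbackState
$state | Format-List

# Triage hints for the defender reading the output.
if (-not $state.DllPresent) {
    Write-Host 'mapi32x.dll is absent: baseline this and watch System32 for its creation (Sysmon Event ID 11) and for any image load of that name (Sysmon Event ID 7).'
}
elseif ($state.DllSignature -ne 'Valid' -or $state.DllSigner -notmatch 'Microsoft') {
    Write-Warning 'mapi32x.dll is present but not validly signed by Microsoft; investigate its origin.'
}
if ($state.LegacyLookup -eq 1) {
    Write-Host 'Legacy MAPI registration is enforced: providers are enumerated from HKLM\Software\Clients\Mail, so review the subkeys there too.'
}
```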

1 or more little secrets of disksnapshot.exe

This native tool is not very well known, but it may be useful in some cases.

The tool seems to parse volumes directly, bypassing the usual Windows file APIs — hence it kinda works like a dir command, but parses the $MFT of volumes directly (but still via API).

The program accepts a number of command line arguments:

DiskSnapshot.exe [options]
        -c write detail data to console
        -i write detail data to console (same as -c)
        -s (deprecated) summary data to console
        -u process large volumes (no limit)
        -j [config] specifies an alternate config file
        -v [volume][path] specifies volume(+path) to process, e.g. "d:" or "d:\foo"
        -d [input-file] print encoded versions of the strings in the input file, for decoding purposes
        -e prints out escalation keywords
        -k calculate checksums for files, used to investigate duplicated on-disk content (c arg required).
        -o [output-file] write detail data to a file

It turns out that the ‘checksum’ is actually a SHA256 hash, so running:

disksnapshot -c -k -v c:\test

will list all the files in the c:\test directory, and will calculate the SHA256 of each file.

The other curious command line argument is -e. Running:

disksnapshot -e > escalation_keywords.txt

gives us this list of keywords (on Windows 11 25H2). It turns out that this list is based on the content of the c:\WINDOWS\system32\DiskSnapshot.conf file.

There is an undocumented command line argument -z that kinda tries to collect telemetry, but it doesn’t really work. If the call to the function TelIsTelemetryTypeAllowed(2) returns 1, it just exits with the message:

Telemetry run: telemetry is disabled, exiting

Otherwise, it checks if the OS is a retail version (guessing from the name of the function called here), and if it is, it ‘rolls a die’ and, unless the roll succeeds, prints the message below:

    curtime = _time64(0);
    _o_srand(curtime);               // seed the CRT PRNG with the current time
    rand = ::rand();
    if ( rand != 7 * (rand / 7) )    // i.e. rand % 7 != 0: roughly 6 out of 7 runs bail out here
    {
      v4 = o___acrt_iob_func_0(2u);  // stderr
      fwprintf(v4, L"Telemetry run: failed the dice roll, exiting\n");
      return 0;
    }

There is a command line argument -j that we can use to change the default config file from c:\WINDOWS\system32\DiskSnapshot.conf to our own, but I am not sure how to use it. The disksnapshot -j c:\test\test.conf -e command prints out the content of the custom config, but when I tried to apply it to the volume, it somehow didn’t work. I guess I just don’t fully understand the logic behind this tool.