PDA

View Full Version : Investigating Outlook's Single-Instance Restriction (PART 2)


REBlog
October 19th, 2007, 20:27
Please see PART 1 ("http://www.woodmann.com/forum/showthread.php?t=10610").

While the return value of FindWindowA ("http://msdn2.microsoft.com/en-us/library/ms633499.aspx") is used to determine whether or not Outlook terminates its process, there's another issues when it comes to using a separate profile.

Outlook calls MAPILogonEx ("http://msdn2.microsoft.com/en-us/library/ms529409.aspx") without the MAPI_NEW_SESSION bit set. This causes Outlook to try to use an existing MAPI session if it can find one. Because of this, Outlook doesn't present the user with the option to choose a different profile in the second instance of Outlook; it will instead just use the profile that the first instance is using. (Why I didn't hit this issue in PART 1 is not clear.)

As such, to fully overcome Outlook's single-instance limitation, it is necessary to spoof the return value of the FindWindowA call in PART 1 and to set the MAPI_NEW_SESSION bit in the flFlags argument passed to MAPILogonEx.


http://malwareanalysis.com/CommunityServer/blogs/geffner/archive/2007/08/31/359.aspx