Thursday, July 21, 2005

MAPI Spy

That small utility i've written while developing own store provider. That is utility is written to investigate Outlook behaviour with MAPI subsystem. It does not have some GUI interface so far but we have what we have. I think some useful log files can do some good :) It's not so stable as I want but it is usable. I noticed that it is rather stable if you run investigated process under VC6 debugger. How to use

  1. Copy content of archive to c:\hook
  2. Copy hookstub.dll to %SYSTEM32% directory or to any directory in %PATH%.
  3. Edit HookTool.ini [Scope] Hook= sets processes names (without .exe extension) to be hooked [MAPI] Functions= determines functions of MAPI subsystem to be hooked. There is some set of functions already but commented out. Each function has it's description in it's own section
  4. Run HookSrv.exe.
  5. Start investigated process.
  6. Look C:\ for log files.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

IMPORTANT

To use this tool under VS.NET Debugger you need to set variable

in HookTool.ini

[Trace]

;...

CreateRemoteThread = No

;...

Without this setting started process will hang

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

There is the possibility to spy MAPI providers without hooktool engine. See the following how to spy without hooktool. Sample uses Exchange provider to demonstrate how to do that. Copy mapispy32.dll and hooktool.ini to the C:\Program Files\Common Files\System\Mapi\1033\. It is for Outlook XP english default installation. Other versions of Outlook can use slightly differ path. Modify mapisvc.ini in this directory: change section [EMS_MDB_private] like this [EMS_MDB_private] 3dfd001e=EMSMDB32.DLL ;PR_PROVIDER_DLL_NAME=EMSMDB.DLL PR_PROVIDER_DLL_NAME=MAPISpy.DLL PR_SERVICE_INSTALL_ID={6485D26A-C2AC-11D1-AD3E-10A0C911C9C0}

PR_RESOURCE_TYPE=MAPI_STORE_PROVIDER PR_RESOURCE_FLAGS=STATUS_PRIMARY_IDENTITYSTATUS_DEFAULT_STORESTATUS_PRIMARY_STORE 66090003=0C000000 660A0003=01000000 34140102=5494A1C0297F101BA58708002B2A2517 PR_DISPLAY_NAME=Private Folders PR_PROVIDER_DISPLAY=Microsoft Exchange Message Store To make it work you need to create new profile because this information is populated while adding provider to the profile. Previously created profiles won't be hooked. After that you can revert changes and you will have only hooked profile. :) That way you can spy only providers and not only Outlook working with these providers. But client spying is impossible. Any way that should do the trick for you.

Download Last Updated 08.08.2008

Posted by at 8 comments:
Subscribe to: Posts (Atom)