The readme.txt file presented at the end of the previous section provides the step-by-step procedure to manually insert a Lotus Notes client extension. Under normal circumstances, however, this process will be automated.
To automate the installation process, the installer must first find the Lotus Notes installation directory. We have been using the default, C:\Program Files\Lotus\Notes, but Lotus Notes does not have to be installed into this default location. Fortunately, the Lotus Notes installation creates a registry entry that points to the installation directory. This registry entry is HKEY_LOCAL_MACHINE\SOFTWARE\Lotus\Notes\Path.
Use this registry value to find the notes.ini file, which requires LotusExtension.dll to be added to its EXTMGR_ADDINS entry.
Unfortunately, this is not the only mechanism for specifying the notes.ini file. Lotus Notes can also be launched with a passed parameter specifying the location of the notes.ini file. If the operator uses a shortcut that specifies an alternate notes.ini file location, the installation technique described above will not work.
If, however, you are filtering e-mail in conjunction with a rootkit, then it is possible to hook the ZwFileOpen function and check for a file named notes.ini. If detected, the hook can fool Lotus Notes into using a specially crafted notes.ini file. The actual procedure would require the hook to create a temporary version of the file, modify the temporary version to include the required EXTMGR_ADDINS section, and then close the original notes.ini file and pass the handle of the temporary file to the calling application.
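Because the installation comes down to an EXTMGR_ADDINS entry in notes.ini, that entry is also what an administrator can audit. The following is an added example, not code from the original text: it lists the add-ins named in a notes.ini file and reports any that are not on an approved list. The allowlist, the sample file contents and the name approved_ext.dll are constructed for illustration, and the code assumes the entry is a comma-separated list with a case-insensitive key.

```python
# Added example: audit a notes.ini file for Extension Manager add-ins.
# ALLOWED_ADDINS and SAMPLE_INI are constructed for illustration only.

ALLOWED_ADDINS = {"approved_ext.dll"}  # hypothetical site allowlist

SAMPLE_INI = """\
[Notes]
KitType=1
Directory=C:\\Program Files\\Lotus\\Notes\\Data
EXTMGR_ADDINS=approved_ext.dll, LotusExtension.dll
"""


def extmgr_addins(ini_text):
    """Return every add-in named in EXTMGR_ADDINS lines (empty list if none)."""
    addins = []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue  # section headers, blank lines, anything without a value
        key, _, value = line.partition("=")
        # Assumption: the key is matched case-insensitively.
        if key.strip().upper() == "EXTMGR_ADDINS":
            addins.extend(v.strip() for v in value.split(",") if v.strip())
    return addins


def unexpected_addins(ini_text, allowed=ALLOWED_ADDINS):
    """Return add-ins not on the allowlist.

    The whole entry is compared, so an entry that carries a directory path
    is reported unless that exact string has been approved.
    """
    allowed_lc = {a.lower() for a in allowed}
    return [a for a in extmgr_addins(ini_text) if a.lower() not in allowed_lc]


if __name__ == "__main__":
    for name in unexpected_addins(SAMPLE_INI):
        print("unexpected EXTMGR_ADDINS entry:", name)
```

A check of the file on disk does not cover the hooked case described above, where Lotus Notes is handed a temporary copy instead of the original notes.ini.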