dissect.target.plugins.apps.productivity.msoffice¶
Module Contents¶
Classes¶
Parser to extact information out ClickOnce deployment manifest files. |
|
Values that specify the run time behavior of the VSTO add-in. |
|
Microsoft Office productivity suite plugin. |
Attributes¶
- dissect.target.plugins.apps.productivity.msoffice.OfficeStartupItem¶
- dissect.target.plugins.apps.productivity.msoffice.OfficeWebAddinRecord¶
- dissect.target.plugins.apps.productivity.msoffice.OfficeNativeAddinRecord¶
- class dissect.target.plugins.apps.productivity.msoffice.ClickOnceDeploymentManifestParser(root_manifest_path: pathlib.Path, target: dissect.target.target.Target, user_sid: str)¶
Parser to extact information out ClickOnce deployment manifest files.
Currently only extracts codebase information. Also handles nested manifests. Can be extended to a .NET assembly parser in the future.
- XML_NAMESPACE¶
- root_manifest_path¶
- find_codebases(manifest_path: str) set[pathlib.Path]¶
Dig for executables given a manifest
- class dissect.target.plugins.apps.productivity.msoffice.LoadBehavior¶
Bases:
enum.EnumValues that specify the run time behavior of the VSTO add-in.
- Manual = 1¶
- Autostart = 2¶
- OnDemand = 3¶
- FistTime = 4¶
- class dissect.target.plugins.apps.productivity.msoffice.NativePluginStatus¶
Bases:
NamedTuple- loaded: bool¶
- load_behavior: LoadBehavior¶
- class dissect.target.plugins.apps.productivity.msoffice.MSOffice(target: dissect.target.target.Target)¶
Bases:
dissect.target.plugin.PluginMicrosoft Office productivity suite plugin.
- __namespace__ = 'msoffice'¶
Defines the plugin namespace.
- HIVES = ['HKLM', 'HKCU']¶
- OFFICE_KEY = 'Software\\Microsoft\\Office'¶
- OFFICE_COMPONENTS = ['Access', 'Excel', 'Outlook', 'PowerPoint', 'Word', 'OneNote']¶
- ADD_IN_KEY = 'Addins'¶
- OFFICE_DEFAULT_USER_STARTUP = ['%APPDATA%/Microsoft/Templates', '%APPDATA%/Microsoft/Word/Startup',...¶
- OFFICE_DEFAULT_ROOT = 'C:/Program Files/Microsoft Office/root/Office16/'¶
- OFFICE_STARTUP_OPTIONS = [('Software\\Microsoft\\Office\\16.0\\Word\\Options', 'STARTUP-PATH'),...¶
- CLASSES_ROOTS = ['HKCR', 'HKLM\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Classes',...¶
- check_compatible() None¶
Perform a compatibility check with the target.
This function should return
Noneif the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise anUnsupportedPluginError.- Raises:
UnsupportedPluginError – If the plugin could not be loaded.
- web() Iterator[OfficeWebAddinRecord]¶
Returns all available Web add-ins cached in the WEF (Web Extension Framework) folder.
Office Web Add-ins are web-based applications that extend the functionality of Office applications like Word, Excel, and Outlook. These add-ins can interact with the content in Office documents and provide additional features and capabilities. The WEF folder contains cached data and manifests for Office Web Add-ins. The manifest includes information about the add-ins, such as their source locations, display names, and other metadata.
References
Yields a
OfficeWebAddinRecordwith fields:manifest (path): The full path to the manifest in the WEF folder. modification_time (datetime): The modification time of the manifest. name (string): The display name of the add-in. version (string): The version of the add-in. provider_name (string): The provider name of the add-in. source_locations (string[]): URLs referencing the web assets of the add-in (such as javascript and html files).
- native() Iterator[OfficeNativeAddinRecord]¶
Returns all native (COM / VSTO) add-ins by parsing the registry and manifest files.
COM (Component Object Model) is a binary-interface standard developed by Microsoft that enables software components to communicate with each other. COM plugins for Microsoft Office applications, such as Word, Excel, and Outlook, are typically used to extend the functionality of these programs by integrating custom features. COM plugins interact directly with Office applications through COM interfaces, offering a low-level approach to automation.
VSTO is a set of tools provided by Microsoft to create Office add-ins using the .NET Framework. VSTO plugins are more modern than COM plugins and leverage managed code. They are typically developed in C# or VB.NET using Visual Studio.
Both COM and VSTO add-ins are registered in the Windows registry, where they are associated with specific Office applications and configured to load automatically or on demand.
References
https://learn.microsoft.com/en-us/office/dev/add-ins/overview/office-add-ins
https://learn.microsoft.com/en-us/visualstudio/vsto/registry-entries-for-vsto-add-ins
Yields a
OfficeNativeAddinRecordwith fields:manifest (path): The full path to the manifest of a VSTO plugin. ``None`` for COM plugins. modification_time (datetime): The modification time of the registry key of the plugin. name (string): The name of the add-in. type (string): The type of the add-in, either "com" or "vsto". codebases (path[]): The full paths to the executables associated with the add-in. loaded (boolean): Whether the add-in is currently loaded. load_behavior (string): The load behavior of the add-in, e.g., "Autostart", "Manual", "OnDemand", "FirstTime".
- startup() Iterable[OfficeStartupItem]¶
Returns all startup items found in Microsoft Office startup folders.
Office startup folders are specific directories where Microsoft Office looks add-ins, macros, templates, or custom scripts. These are used to automatically load when the corresponding Office application starts up. These folders allow users and administrators to automate launching add-ins, executing scripts, or applying custom settings.
References
Yields a
OfficeStartupItemwith fields:path (path): The full path to the startup item. creation_time (datetime): The creation time of the startup item. modification_time (datetime): The modification time of the startup item.