msoffice.native

$ target-query <path/to/target> -f msoffice.native

Details

Module	dissect.target.plugins.apps.productivity.msoffice.MSOffice
Output	records

Module documentation

Microsoft Office productivity suite plugin.

Function documentation

Returns all native (COM / VSTO) add-ins by parsing the registry and manifest files.

COM (Component Object Model) is a binary-interface standard developed by Microsoft that enables software components to communicate with each other. COM plugins for Microsoft Office applications, such as Word, Excel, and Outlook, are typically used to extend the functionality of these programs by integrating custom features. COM plugins interact directly with Office applications through COM interfaces, offering a low-level approach to automation.

VSTO is a set of tools provided by Microsoft to create Office add-ins using the .NET Framework. VSTO plugins are more modern than COM plugins and leverage managed code. They are typically developed in C# or VB.NET using Visual Studio.

Both COM and VSTO add-ins are registered in the Windows registry, where they are associated with specific Office applications and configured to load automatically or on demand.

References:

• https://learn.microsoft.com/en-us/office/dev/add-ins/overview/office-add-ins

• https://learn.microsoft.com/en-us/visualstudio/vsto/registry-entries-for-vsto-add-ins

Yields a OfficeNativeAddinRecord with fields:

manifest (path): The full path to the manifest of a VSTO plugin. ``None`` for COM plugins.
modification_time (datetime): The modification time of the registry key of the plugin.
name (string): The name of the add-in.
type (string): The type of the add-in, either "com" or "vsto".
codebases (path[]): The full paths to the executables associated with the add-in.
loaded (boolean): Whether the add-in is currently loaded.
load_behavior (string): The load behavior of the add-in, e.g., "Autostart", "Manual", "OnDemand", "FirstTime".