Microsoft Office add-in detection

[twiggler]

Detects:

• Persistence through startup folders (templates, executables)
• COM addins
• VSTO addins by parsing ClickOnce Deployment manifests
• Web addins by inspecting WEF cache and parsing manifests

Limitations:

• Office for Mac is not supported
• Supports Microsoft Office 2016 and later
• Manifests which are wof compressed are unreadable

Bonus:

• Fix issue in resolver where user environment was not taken into account when expanding paths
• Fix issue where partial path resolution resolved to directories.
• Added convenience functions for querying registry

[codecov]

Codecov Report

Attention: Patch coverage is 89.51965% with 24 lines in your changes missing coverage. Please review.

Project coverage is 77.85%. Comparing base (6770095) to head (97a57f4).
Report is 8 commits behind head on main.

Files with missing lines	Patch %	Lines
...ssect/target/plugins/apps/productivity/msoffice.py	87.36%	24 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #966      +/-   ##
==========================================
+ Coverage   77.72%   77.85%   +0.13%     
==========================================
  Files         326      328       +2     
  Lines       28571    28863     +292     
==========================================
+ Hits        22206    22472     +266     
- Misses       6365     6391      +26     

Flag	Coverage Δ
unittests	77.85% <89.51%> (+0.13%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[Schamper]

Can you roll this into the value method so it's more in line with standard library Python code?

[Schamper]

Same here.

[Schamper]

Same with this one.

[twiggler]

To Miauwkeru: For our usecases, your implementation won in the end.

[Horofic]

Suggested change

	def keys(self, keys: Union[str, list[str]]) -> Iterator[RegistryKey]:
	def keys(self, keys: str | list[str]) -> Iterator[RegistryKey]:

[Horofic]

bump

[Horofic]

Suggested change

	def values(self, keys: Union[str, list[str]], value: str) -> Iterator[RegistryValue]:
	def values(self, keys: str | list[str], value: str) -> Iterator[RegistryValue]:

[Horofic]

bump

[Horofic]

Suggested change

	Yields a OfficeNativeAddinRecord with fields:
	Yields a ``OfficeNativeAddinRecord`` with fields:

[Horofic]

bump

[twiggler]

I think this one was already processed?

[Schamper]

Wouldn't we still want the actual hive to be linked?

[Schamper]

Maybe update these return types while we're at it?

[twiggler]

I love types, so happy to do it.

But is there light at the end of the tunnel?

Unfortunately, a lot of the type annotations are incorrect. As I am used to inferring the behavior of a function by its type signature, this has put me on the wrong foot on multiple occasions. The type annotations are incorrect because the code is not type checked, either in CI or locally. I think one of the problems with enforcing type checking is that core dependencies such as flow record and cstruct use dynamic typing.
I believe @Miauwkeru mentioned a solution for somehow adding type information to cstruct. Or we could use code generation at "compile-time" instead of during run-time.

Happy to help out with this (also in my own time). However, I also think a principled decision needs to be made to stop relying on techniques which use dynamic types.

[Schamper]

The .pyi generation for cstruct was indeed my idea, of which Miauwkeru made a POC. Happy to hear other suggestions of yours.

However, 95% of code in dissect.target does not interact with flow.record or dissect.cstruct, and we still want accurate type information there. I agree that it's best if we can check that in CI or locally. So I think the best way forward for the time being is to figure out if there's some way to do that and ignore all flow.record and dissect.cstruct types while we work separately on a solution for those dynamic types.

[twiggler]

(I take it the return type can be covariant?)

[Schamper]

Maybe update these return types while we're at it?

[Horofic]

Suggested change

	elif not isinstance(value, list):
	if not isinstance(value, list):

[Horofic]

Any reason this is not snake cased?

Suggested change

	nativePluginStatus = self._parse_plugin_status(addin)
	yield OfficeNativeAddinRecord(
	name=addin.value("FriendlyName", None).value,
	modification_time=addin.timestamp,
	loaded=nativePluginStatus.loaded if nativePluginStatus else None,
	load_behavior=nativePluginStatus.load_behavior.name if nativePluginStatus else None,
	type=addin_type,
	manifest=windows_path(manifest_path_str) if manifest_path_str else None,
	codebases=executables,
	)
	native_plugin_status = self._parse_plugin_status(addin)
	yield OfficeNativeAddinRecord(
	name=addin.value("FriendlyName", None).value,
	modification_time=addin.timestamp,
	loaded=native_plugin_status.loaded if nativePluginStatus else None,
	load_behavior=native_plugin_status.load_behavior.name if native_plugin_status else None,
	type=addin_type,
	manifest=windows_path(manifest_path_str) if manifest_path_str else None,
	codebases=executables,
	)