From 715b4e1b4c4cd3d15e35b0c1c837c56208a6df02 Mon Sep 17 00:00:00 2001
From: decalage2
Date: Wed, 4 Jan 2023 23:21:46 +0100
Subject: [PATCH] clsid: added MSI CLSIDs
---
 oletools/common/clsid.py | 8 ++++++--
 setup.py | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/oletools/common/clsid.py b/oletools/common/clsid.py
index 439c0d6..252e971 100644
--- a/oletools/common/clsid.py
+++ b/oletools/common/clsid.py
@@ -12,7 +12,7 @@ http://www.decalage.info/python/oletools
 #=== LICENSE ==================================================================
-# oletools are copyright (c) 2018-2021 Philippe Lagadec (http://www.decalage.info)
+# oletools are copyright (c) 2018-2023 Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -43,7 +43,7 @@ http://www.decalage.info/python/oletools
 # 2018-04-18 PL: - added known-bad CLSIDs from Cuckoo sandbox (issue #290)
 # 2018-05-08 PL: - added more CLSIDs (issues #299, #304), merged and sorted
-__version__ = '0.60.1.dev1'
+__version__ = '0.60.2.dev2'
 # REFERENCES:
@@ -93,6 +93,10 @@ KNOWN_CLSIDS = {
 '0003000D-0000-0000-C000-000000000046': 'OLE Package Object (may contain and run any file)',
 '0003000E-0000-0000-C000-000000000046': 'OLE Package Object (may contain and run any file)',
 '0004A6B0-0000-0000-C000-000000000046': 'Microsoft Equation 2.0 (Known Related to CVE-2017-11882 or CVE-2018-0802)', # TODO: to be confirmed
+ # Referenced in https://devblogs.microsoft.com/setup/identifying-windows-installer-file-types/ :
+ '000C1082-0000-0000-C000-000000000046': 'MSI Transform (mst)',
+ '000C1084-0000-0000-C000-000000000046': 'MSI Installer Package (msi)',
+ '000C1086-0000-0000-C000-000000000046': 'MSI Patch Package (psp)',
 '048EB43E-2059-422F-95E0-557DA96038AF': 'Microsoft Powerpoint.Slide.12',
 '05741520-C4EB-440A-AC3F-9643BBC9F847': 'otkloadr.WRLoader (can be used to bypass ASLR after triggering an exploit)',
 '06290BD2-48AA-11D2-8432-006008C3FBFC': 'Factory bindable using IPersistMoniker (scripletfile)',
diff --git a/setup.py b/setup.py
index c74371f..9b0af6d 100644
--- a/setup.py
+++ b/setup.py
@@ -55,7 +55,7 @@ import os, fnmatch
 #--- METADATA -----------------------------------------------------------------
 name = "oletools"
-version = '0.60.2dev1'
+version = '0.60.2dev2'
 desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc = open('oletools/README.rst').read()
 author = "Philippe Lagadec"
--
libgit2 0.21.4
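Review bot: The new entry `'000C1086-0000-0000-C000-000000000046': 'MSI Patch Package (psp)'` labels the patch package with the extension "psp", but Windows Installer patch packages use the .msp extension (the neighbouring new entries correctly use mst and msi); change the value to `'MSI Patch Package (msp)'`. These description strings appear to be what the tools surface to an analyst when a CLSID matches, so a wrong extension in the label will mislead triage of an embedded installer object. The surrounding entries carry a short risk hint in the description (e.g. "may contain and run any file"), and since an embedded MSI package is itself an installer it may be worth adding a similar hint to these three for consistency. The enclosing KNOWN_CLSIDS dict starts and ends outside the hunk.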