Windows Shortcut file (LNK) parser

Project description

LnkParse3

LnkParse3 is a minimalistic Python package for forensic analysis of binary files with the LNK extension, also known as Microsoft Shell Link or Windows shortcut files. It aims to extract as much data as possible and to process even malformed files. It cannot create or modify files.

Features

  • easy to use
  • CLI tool & package
  • JSON output

Background

This is a fork of lnkfile.

Improvements:

  • much more extracted data
  • many bug fixes
  • made to not fail on malformed files

NOTE: The master branch history was rewritten and has different commit metadata than the upstream master.

Installation

pip install LnkParse3

Usage

LnkParse3 can be used as a package or as a command-line tool. The tool accepts several arguments, including switches that set the output format to JSON or to a more human-readable form. For all parameters, see the program description below.

usage: lnkparse [-h] [-t] [-j] [-c CP] [-a] FILE

Windows Shortcut file (LNK) parser

positional arguments:
  FILE                  absolute or relative path to the file

optional arguments:
  -h, --help            show this help message and exit
  -t, --target          print target only
  -j, --json            print output in JSON
  -c CP, --codepage CP  set codepage of ASCII strings
  -a, --all             print all extracted data (i.e. offsets and sizes)

CLI tool

$ lnkparse tests/samples/microsoft_example
Windows Shortcut Information:
   Guid: 00021401-0000-0000-C000-000000000046
   Link flags: HasTargetIDList | HasLinkInfo | HasRelativePath | HasWorkingDir | IsUnicode | EnableTargetMetadata - (524443)
   File flags: FILE_ATTRIBUTE_ARCHIVE - (32)
   Creation time: 2008-09-12 20:27:17.101000+00:00
   Accessed time: 2008-09-12 20:27:17.101000+00:00
   Modified time: 2008-09-12 20:27:17.101000+00:00
   File size: 0
   Icon index: 0
   Windowstyle: SW_SHOWNORMAL
   Hotkey: UNSET - UNSET {0x0000}

   ...more data...

   EXTRA:
      DISTRIBUTED LINK TRACKER BLOCK:
         Size: 96
         Length: 88
         Version: 0
         Machine identifier: chris-xps
         Droid volume identifier: 94C77840-FA47-46C7-B356-5C2DC6B6D115
         Droid file identifier: 7BCD46EC-7F22-11DD-9499-00137216874A
         Birth droid volume identifier: 94C77840-FA47-46C7-B356-5C2DC6B6D115
         Birth droid file identifier: 7BCD46EC-7F22-11DD-9499-00137216874A
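
The first fields of this output (Guid, Link flags, File flags, the three timestamps) come from the fixed 76-byte ShellLinkHeader. As an added example (not LnkParse3's own code), the following standard-library decoder reads that header from a constructed byte string built from the values printed above, and returns warnings instead of raising on truncated or out-of-range input. All function and constant names are illustrative.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
HEADER = struct.Struct("<I16sII3QIiIH10x")  # 76-byte ShellLinkHeader layout
# LinkFlags names from bit 0 upward (MS-SHLLINK), bit 0 spelled as in the CLI output.
LINK_FLAGS = """HasTargetIDList HasLinkInfo HasName HasRelativePath HasWorkingDir
HasArguments HasIconLocation IsUnicode ForceNoLinkInfo HasExpString
RunInSeparateProcess Unused1 HasDarwinID RunAsUser HasExpIcon NoPidlAlias Unused2
RunWithShimLayer ForceNoLinkTrack EnableTargetMetadata""".split()


def to_ticks(dt):
    """datetime -> FILETIME (100 ns ticks since 1601-01-01 UTC), integer math only."""
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10


def from_ticks(ticks):
    """FILETIME -> datetime; None for unset or out-of-range (malformed) values."""
    try:
        return EPOCH + timedelta(microseconds=ticks // 10) if ticks else None
    except OverflowError:
        return None


def parse_header(data):
    """Decode a ShellLinkHeader; collect warnings instead of raising on bad input."""
    if len(data) < HEADER.size:
        return {"error": f"truncated header: {len(data)} of {HEADER.size} bytes"}
    size, clsid, flags, attrs, ct, at, mt, fsize, icon, show, hotkey = HEADER.unpack_from(data)
    guid = uuid.UUID(bytes_le=clsid)  # CLSID is stored in little-endian GUID form
    warnings = [] if size == HEADER.size else [f"unexpected header size {size}"]
    if guid != LNK_CLSID:
        warnings.append(f"unexpected CLSID {guid}")
    return {
        "guid": str(guid).upper(),
        "link_flags": [n for i, n in enumerate(LINK_FLAGS) if flags >> i & 1],
        "file_flags": attrs, "file_size": fsize, "icon_index": icon,
        "creation_time": from_ticks(ct), "accessed_time": from_ticks(at),
        "modified_time": from_ticks(mt), "show_command": show, "hotkey": hotkey,
        "warnings": warnings,
    }


# Constructed sample: field values copied from the CLI output shown above.
T = to_ticks(datetime(2008, 9, 12, 20, 27, 17, 101000, tzinfo=timezone.utc))
SAMPLE = HEADER.pack(76, LNK_CLSID.bytes_le, 524443, 32, T, T, T, 0, 0, 1, 0)
```

Calling `parse_header(SAMPLE)` reproduces the flag names and timestamps listed above; a wrong CLSID or header size shows up in `warnings`, which is a quick triage signal that a file is not a well-formed shortcut.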

Python package

>>> import LnkParse3
>>> with open('tests/samples/microsoft_example', 'rb') as indata:
...     lnk = LnkParse3.lnk_file(indata)
...     lnk.print_json()
...
{
    "data": {
        "relative_path": ".\\a.txt",
        "working_directory": "C:\\test"
    },
    "extra": {
        "DISTRIBUTED_LINK_TRACKER_BLOCK": {
            "birth_droid_file_identifier": "7BCD46EC-7F22-11DD-9499-00137216874A",
            "birth_droid_volume_identifier": "94C77840-FA47-46C7-B356-5C2DC6B6D115",
            "droid_file_identifier": "7BCD46EC-7F22-11DD-9499-00137216874A",
            "droid_volume_identifier": "94C77840-FA47-46C7-B356-5C2DC6B6D115",
            "length": 88,
            "machine_identifier": "chris-xps",
            "size": 96,
            "version": 0
        }
    },
    ...more data...
}

Extracted data

The list below shows the structures in the LNK format and the current status of their implementation. For more information about each structure, see the Microsoft LNK documentation and the Shell item format specification.

  • ShellLinkHeader [lnk_header.py]
  • LinkTargetIDList [lnk_targets.py]
    • RootFolder [root_folder.py] (incomplete)
    • CommonPlacesFolder [common_places_folder.py]
    • CompressedFolder [compressed_folder.py]
    • ControlPanel [control_panel.py]
    • Internet [internet.py]
    • MyComputer [my_computer.py]
    • NetworkLocation [network_location.py]
    • Printers [printers.py]
    • ShellFSFolder [shell_fs_folder.py] (incomplete)
    • UsersFilesFolder [users_files_folder.py]
  • LinkInfo [lnk_info.py]
    • Local [local.py]
    • Network [network.py]
  • StringData [string_data.py]
  • ExtraData [extra_data.py]
    • ConsoleDataBlock [console.py]
    • ConsoleFEDataBlock [code_page.py]
    • DarwinDataBlock [darwin.py]
    • EnvironmentVariableDataBlock [environment.py]
    • IconEnvironmentDataBlock [icon.py]
    • KnownFolderDataBlock [known_folder.py]
    • PropertyStoreDataBlock [metadata.py] (incomplete)
    • ShimDataBlock [shim_layer.py]
    • SpecialFolderDataBlock [special_folder.py]
    • TrackerDataBlock [distributed_tracker.py]
    • VistaAndAboveIDListDataBlock [shell_item.py]
    • Unknown (undefined) block [unknown.py]
    • TerminalBlock [terminal.py]

Contributing

Any contribution is welcome. There are still several uncovered parts of the LNK structure. Just fork the project and open a new PR.

Tests

To run tests without installing any dependencies, just run:

python -m unittest discover tests

If you want to use pytest, install it via pip and run:

pytest tests

Also, to see code coverage in HTML output, run:

pytest --cov=LnkParse3 tests --cov-fail-under=80 --cov-report=html --no-cov-on-fail

Code

Make sure to run the black auto-formatter before opening a PR. It will keep the code in good shape.

Also, please try to write meaningful commit messages and make atomic commits.

Authors and acknowledgment

Many thanks to the project's founder @silascutler as well as to @ernix for such a good job refactoring and improving the code.

Related projects

Here is a list of other available LNK parsers:

  • pylnk3 - console application and package in Python 3
  • lnk-parse - console application in Perl
  • pylnker - console application and package in Python 2, based on lnk-parse
  • liblnk - robust C library with Python 2/3 bindings

License

Distributed under the MIT License. See LICENSE for more information.

Contact

matusjas.work@gmail.com

Source - https://github.com/Matmaus/LnkParse3

Download files

Source Distribution

lnkparse3-1.5.0.tar.gz (32.3 kB)

Uploaded Source

Built Distribution

LnkParse3-1.5.0-py3-none-any.whl (48.3 kB)

Uploaded Python 3

File details

Details for the file lnkparse3-1.5.0.tar.gz.

File metadata

  • Download URL: lnkparse3-1.5.0.tar.gz
  • Upload date:
  • Size: 32.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.0 CPython/3.9.19

File hashes

Hashes for lnkparse3-1.5.0.tar.gz
Algorithm Hash digest
SHA256 3ecbd8f4107be07b8e8d7b770daa53271abf66222ee892618d30f86952e1121a
MD5 abe81c21e7c38d46a1df0dba43b555eb
BLAKE2b-256 c0baaf1728a6eff1cf5dfbaa2ef43dd1319c622d1054d512e27eee1090ab6423

File details

Details for the file LnkParse3-1.5.0-py3-none-any.whl.

File metadata

  • Download URL: LnkParse3-1.5.0-py3-none-any.whl
  • Upload date:
  • Size: 48.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.0 CPython/3.9.19

File hashes

Hashes for LnkParse3-1.5.0-py3-none-any.whl
Algorithm Hash digest
SHA256 56b549389254f4d25375621249aa3a8c31f1dabf375e88bf7dc8c73a0f4f8f1e
MD5 dc8f5487008977013b9afe1e26a9f9b3
BLAKE2b-256 a2a22a9c346991fd7102e9fcbd94e732e36e0895bcaa18509fe87847b7f63b8f
