Windows Shortcut file (LNK) parser
Project description
LnkParse3
Windows Shortcut file (LNK) parser
LnkParse3 is a minimalistic python package for forensics of a binary file with LNK extension aka Microsoft Shell Link aka Windows shortcut. It is aimed to dig up as much data as possible and to process even malformed files. It is not able to create or modify files.
Features
- easy to use
- CLI tool & package
- JSON output
Background
This is a fork of lnkfile available here.
Improvements:
- much more extracted data
- many bug fixes
- made to not fail on malformed files
NOTE: master branch history was rewritten and has different commits metadata than the upstream master.
Installation
pip install LnkParse3
Usage
Can be used as a package or as a command line tool. It accepts several arguments, including setting the output format to JSON or a more human-readable form. For all parameters, see the program description below.
usage: lnkparse [-h] [-t] [-j] [-c CP] [-a] FILE
Windows Shortcut file (LNK) parser
positional arguments:
FILE absolute or relative path to the file
optional arguments:
-h, --help show this help message and exit
-t, --target print target only
-j, --json print output in JSON
-c CP, --codepage CP set codepage of ASCII strings
-a, --all print all extracted data (i.e. offsets and sizes)
CLI tool
$ lnkparse tests/samples/microsoft_example
Windows Shortcut Information:
Link CLSID: 00021401-0000-0000-C000-000000000046
Link Flags: HasTargetIDList | HasLinkInfo | HasRelativePath | HasWorkingDir | IsUnicode | E
nableTargetMetadata - (524443)
File Flags: FILE_ATTRIBUTE_ARCHIVE - (32)
Creation Timestamp: 2008-09-12 20:27:17.101000+00:00
Modified Timestamp: 2008-09-12 20:27:17.101000+00:00
Accessed Timestamp: 2008-09-12 20:27:17.101000+00:00
Icon Index: 0
Window Style: SW_SHOWNORMAL
HotKey: UNSET - UNSET {0x0000}
...more data...
EXTRA BLOCKS:
DISTRIBUTED_LINK_TRACKER_BLOCK
Length: 88
Version: 0
Machine identifier: chris-xps
Droid volume identifier: 94C77840-FA47-46C7-B356-5C2DC6B6D115
Droid file identifier: 7BCD46EC-7F22-11DD-9499-00137216874A
Birth droid volume identifier: 94C77840-FA47-46C7-B356-5C2DC6B6D115
Birth droid file identifier: 7BCD46EC-7F22-11DD-9499-00137216874A
Python package
>>> import LnkParse3
>>> with open('tests/samples/microsoft_example', 'rb') as indata:
>>> lnk = LnkParse3.lnk_file(indata)
>>> lnk.print_json()
{
"data": {
"relative_path": ".\\a.txt",
"working_directory": "C:\\test"
},
"extra": {
"DISTRIBUTED_LINK_TRACKER_BLOCK": {
"birth_droid_file_identifier": "7BCD46EC-7F22-11DD-9499-00137216874A",
"birth_droid_volume_identifier": "94C77840-FA47-46C7-B356-5C2DC6B6D115",
"droid_file_identifier": "7BCD46EC-7F22-11DD-9499-00137216874A",
"droid_volume_identifier": "94C77840-FA47-46C7-B356-5C2DC6B6D115",
"length": 88,
"machine_identifier": "chris-xps",
"size": 96,
"version": 0
}
},
...more data...
}
Extracted data
List of data in LNK structure and their current status of implementation. For more information about each data, see Microsoft LNK documentation and Shell item format specification.
- ShellLinkHeader [
lnk_header.py] - LinkTargetIDList [
lnk_targets.py]- RootFolder [
root_folder.py] (incomplete) - CommonPlacesFolder [
common_places_folder.py] - CompressedFolder [
compressed_folder.py] - ControlPanel [
control_panel.py] - Internet [
internet.py] - MyComputer [
my_computer.py] - NetworkLocation [
network_location.py] - Printers [
printers.py] - ShellFSFolder [
shell_fs_folder.py] (incomplete) - UsersFilesFolder [
users_files_folder.py]
- RootFolder [
- LinkInfo [
lnk_info.py]- Local [
local.py] - Network [
network.py]
- Local [
- StringData [
string_data.py] - ExtraData [
extra_data.py]- ConsoleDataBlock [
console.py] - ConsoleFEDataBlock [
code_page.py] - DarwinDataBlock [
darwin.py] - EnvironmentVariableDataBlock [
environment.py] - IconEnvironmentDataBlock [
icon.py] - KnownFolderDataBlock [
known_folder.py] - PropertyStoreDataBlock [
metadata.py] (incomplete) - ShimDataBlock [
shim_layer.py] - SpecialFolderDataBlock [
special_folder.py] - TrackerDataBlock [
distributed_tracker.py] - VistaAndAboveIDListDataBlock [
shell_item.py]
- ConsoleDataBlock [
Contributing
Any contribution is welcome. There are still several uncovered parts of LNK Structure. Just fork the project and open a new PR.
Tests
To run tests without installing any dependencies, just run:
python -m unittest discover tests
If you want to use pytest, install it via pip and run:
pytest tests
Also, to see code coverage in HTML output, run:
pytest --cov=LnkParse3 tests --cov-fail-under=80 --cov-report=html --no-cov-on-fail
Code
Make sure to run black auto-formatter before opening a PR. It will keep the code in good shape.
Also, it would be nice to try to make meaningful commit messages and atomic commits.
Authors and acknowledgment
Many thanks to the project's founder @silascutler as well as to @ernix for such a good job refactoring and improving the code.
Related projects
Here is a list of other available LNK parsers:
- pylnk3 - console application and package in Python 3
- lnk-parse - console application in Perl
- pylnker - console application and package in Python 2, based on lnk-parse
- liblnk - robust C library with Python 2/3 bindings
License
Distributed under the MIT License. See LICENSE for more information.
Contact
Source - https://github.com/Matmaus/LnkParse3
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for LnkParse3-1.4.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | b3fce4bd444479cebe803881cd79bc1ae84365690401d2b6cffa8b592a258268 |
|
| MD5 | 2c59abcc30a3a0b65122268d32999d60 |
|
| BLAKE2b-256 | 6b75505187d71b5eaf0b7adfa50aa44f22a451cf829b8a5dbbd166f57ae651f6 |
