Windows Shortcut file (LNK) parser
LnkParse3 is a minimalistic python package for forensics of a binary file with LNK extension aka Microsoft Shell Link aka Windows shortcut. It is aimed to dig up as much data as possible and to process even malformed files. It is not able to create or modify files.
- easy to use
- CLI tool & package
- JSON output
This is a fork of lnkfile
available here.
Improvements:
- much more extracted data
- many bug fixes
- made to not fail on malformed files
NOTE: master
branch history was rewritten and has different commits metadata than the upstream master
.
pip install LnkParse3
Can be used as a package or as a command line tool. It accepts several arguments, including setting the output format to JSON or a more human-readable form. For all parameters, see the program description below.
sage: lnkparse [-h] [-t] [-d DUMP] [-j] [-c CP] [-a] FILE
Windows Shortcut file (LNK) parser
positional arguments:
FILE absolute or relative path to the file
optional arguments:
-h, --help show this help message and exit
-t, --target print shortcut target only
-d DUMP, --dump DUMP dump additional data to a file
-j, --json print output in JSON
-c CP, --codepage CP set codepage of ASCII strings
-a, --all print all extracted data (i.e. offsets and sizes)
$ lnkparse tests/microsoft_example
Windows Shortcut Information:
Link CLSID: 00021401-0000-0000-C000-000000000046
Link Flags: HasTargetIDList | HasLinkInfo | HasRelativePath | HasWorkingDir | IsUnicode | E
nableTargetMetadata - (524443)
File Flags: FILE_ATTRIBUTE_ARCHIVE - (32)
Creation Timestamp: 2008-09-12 20:27:17.101000+00:00
Modified Timestamp: 2008-09-12 20:27:17.101000+00:00
Accessed Timestamp: 2008-09-12 20:27:17.101000+00:00
Icon Index: 0
Window Style: SW_SHOWNORMAL
HotKey: UNSET - UNSET {0x0000}
...more data...
EXTRA BLOCKS:
DISTRIBUTED_LINK_TRACKER_BLOCK
Length: 88
Version: 0
Machine identifier: chris-xps
Droid volume identifier: 94C77840-FA47-46C7-B356-5C2DC6B6D115
Droid file identifier: 7BCD46EC-7F22-11DD-9499-00137216874A
Birth droid volume identifier: 94C77840-FA47-46C7-B356-5C2DC6B6D115
Birth droid file identifier: 7BCD46EC-7F22-11DD-9499-00137216874A
>>> import LnkParse3
>>> with open('tests/samples/microsoft_example', 'rb') as indata:
>>> lnk = LnkParse3.lnk_file(indata)
>>> lnk.print_json()
{
"data": {
"relative_path": ".\\a.txt",
"working_directory": "C:\\test"
},
"extra": {
"DISTRIBUTED_LINK_TRACKER_BLOCK": {
"birth_droid_file_identifier": "7BCD46EC-7F22-11DD-9499-00137216874A",
"birth_droid_volume_identifier": "94C77840-FA47-46C7-B356-5C2DC6B6D115",
"droid_file_identifier": "7BCD46EC-7F22-11DD-9499-00137216874A",
"droid_volume_identifier": "94C77840-FA47-46C7-B356-5C2DC6B6D115",
"length": 88,
"machine_identifier": "chris-xps",
"size": 96,
"version": 0
}
},
...more data...
}
List of data in LNK structure and their current status of implementation. For more information about each data, see Microsoft LNK documentation and Shell item format specification.
- ShellLinkHeader [
lnk_header.py
] - LinkTargetIDList [
lnk_targets.py
]- RootFolder [
root_folder.py
] (incomplete) - CommonPlacesFolder [
common_places_folder.py
] - CompressedFolder [
compressed_folder.py
] - ControlPanel [
control_panel.py
] - Internet [
internet.py
] - MyComputer [
my_computer.py
] - NetworkLocation [
network_location.py
] - Printers [
printers.py
] - ShellFSFolder [
shell_fs_folder.py
] (incomplete) - UsersFilesFolder [
users_files_folder.py
]
- RootFolder [
- LinkInfo [
lnk_info.py
]- Local [
local.py
] - Network [
network.py
]
- Local [
- StringData [
string_data.py
] - ExtraData [
extra_data.py
]- ConsoleDataBlock [
console.py
] - ConsoleFEDataBlock [
code_page.py
] - DarwinDataBlock [
darwin.py
] - EnvironmentVariableDataBlock [
environment.py
] - IconEnvironmentDataBlock [
icon.py
] - KnownFolderDataBlock [
known_folder.py
] - PropertyStoreDataBlock [
shell_item.py
] - ShimDataBlock [
shim_layer.py
] - SpecialFolderDataBlock [
special_folder.py
] - TrackerDataBlock [
distributed_tracker.py
] - MetadataPropertiesBlock [
metadata.py
]
- ConsoleDataBlock [
Any contribution is welcome. There are still several uncovered parts of LNK Structure. Just fork the project and open a new PR.
To run tests without installing any dependencies, just run:
python -m unittest discover tests
If you want to use pytest
, install it via pip
and run:
pytest tests
Also, to see code coverage in HTML output, run:
pytest --cov=LnkParse3 tests --cov-fail-under=85 --cov-report=html --no-cov-on-fail
Make sure to run black
auto-formatter before opening a PR. It will keep the code in good shape.
Also, it would be nice to try to make meaningful commit messages and atomic commits.
Many thanks to the project's founder @silascutler as well as to @ernix for such a good job refactoring and improving the code.
Here is a list of other available LNK parsers:
- pylnk3 - console application and package in Python 3
- lnk-parse - console application in Perl
- pylnker - console application and package in Python 2, based on lnk-parse
- liblnk - robust C library with Python 2/3 bindings
Distributed under the MIT License. See LICENSE for more information.
Source - https://github.com/Matmaus/LnkParse3