silascutler/LnkParse silascutler/LnkParse

  • Stars
    star
    131
  • Rank 275,867 (Top 6 %)
  • Language
    Python
  • Created over 6 years ago
  • Updated about 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
silascutler/LnkParse
github

silascutler

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Windows Shortcut file (LNK) parser

LnkParse

Windows Shortcut file (LNK) parser

https://msdn.microsoft.com/en-us/library/dd871305.aspx

Install: pip install lnkfile

Example:

$ python lnk_parser.py 70f26580777a87804dd7419c5121f40e 
Windows Shortcut Information:
	Link Flags: HasLinkInfo | IsUnicode | HasTargetIDList | DisableKnownFolderTracking | HasRelativePath - (2097291)
	File Flags: FILE_ATTRIBUTE_ARCHIVE | FILE_ATTRIBUTE_NOT_CONTENT_INDEXED - (8224)

	Creation Timestamp: 2011-09-26 22:23:23
	Modified Timestamp: 2011-09-26 22:23:23
	Accessed Timestamp: 2011-09-26 22:23:23

	File Size: 1555369 (r: 505)
	Icon Index: 0 
	Window Style: SW_NORMAL 
	HotKey: UNSET -  {0x0000} 

	relativePath: ..\..\..\..\..\Downloads\RDP.zip

	EXTRA BLOCKS:
		METADATA_PRPERTIES_BLOCK
		DISTRIBUTED_LINK_TRACKER_BLOCK
			[droid_volume_identifier] 54f13791b375c04eba3e01036f721401
			[birth_droid_volume_identifier] 54f13791b375c04eba3e01036f721401
			[machine_identifier] aris-pc
			[droid_file_identifier] ac9f69364458e8119b2682a5f086db87
			[version] 0
			[birth_droid_file_identifier] ac9f69364458e8119b2682a5f086db87
			[size] 88

and

>>> import lnkfile
>>> indata = open('tests/microsoft_example.lnk', 'rb')
>>> x = lnkfile.lnk_file(indata)
>>> x.print_lnk_file()
Windows Shortcut Information:
	Link Flags: HasLinkInfo | EnableTargetMetadata | HasWorkingDir | IsUnicode | HasTargetIDList | HasRelativePath - (524443)
	File Flags: FILE_ATTRIBUTE_ARCHIVE - (32)

	Creation Timestamp: 2010-10-08 17:14:43
	Modified Timestamp: 2010-10-08 17:14:43
	Accessed Timestamp: 2010-10-08 17:14:43

	File Size: 0 (r: 459)
	Icon Index: 0 
	Window Style: SW_NORMAL 
	HotKey: UNSET -  {0x0000} 

	relativePath: .\a.txt
	workingDirectory: C:\test

	EXTRA BLOCKS:
		DISTRIBUTED_LINK_TRACKER_BLOCK
			[droid_volume_identifier] 4078c79447fac746b3565c2dc6b6d115
			[birth_droid_volume_identifier] 4078c79447fac746b3565c2dc6b6d115
			[machine_identifier] chris-xps
			[droid_file_identifier] ec46cd7b227fdd11949900137216874a
			[version] 0
			[birth_droid_file_identifier] ec46cd7b227fdd11949900137216874a
			[size] 88

>>> x.print_json()
{"header": {"windowstyle": "SW_NORMAL", "rfile_size": "00000000", "linkFlags": 524443, "creation_time": 128657248371010000, "header_size": 76, "rhotkey": 0, "icon_index": 0, "fileFlags": 32, "modified_time": 128657248371010000, "file_size": 0, "hotkey": "UNSET -  {0x0000}", "accessed_time": 128657248371010000, "guid": "0114020000000000c000000000000046", "reserved1": 0, "reserved0": 0, "reserved2": 0}, "data": {"relativePath": ".\\a.txt", "workingDirectory": "C:\\test"}, "extra": {"DISTRIBUTED_LINK_TRACKER_BLOCK": {"droid_volume_identifier": "4078c79447fac746b3565c2dc6b6d115", "birth_droid_volume_identifier": "4078c79447fac746b3565c2dc6b6d115", "machine_identifier": "chris-xps", "droid_file_identifier": "ec46cd7b227fdd11949900137216874a", "version": 0, "birth_droid_file_identifier": "ec46cd7b227fdd11949900137216874a", "size": 88}}}

More Repositories

1

MalPipe

Malware/IOC ingestion and processing engine
Python
102
star
2

awesome-docker-malware-analysis

Repository of tools and resources for analyzing Docker containers
Python
53
star
3

VirusTotalTools

Misc Tools for Virus Total Interaction
Python
35
star
4

IDA_AutoAnalysis

IDA Pro plugin that rename functions on load, based on functionality
Python
19
star
5

Proximity

Sinkhole Operational Framework for Automation and Reporting
Perl
14
star
6

IntelDB

Minimal Indicator Storage System
Python
11
star
7

MiscMalware

Misc malware stuff
Python
10
star
8

PyMSRz

Python module for interacting with Bluetooth MSR card reader/writers
Python
10
star
9

dns-monitor

DNSMonitor is a set of scripts to monitor malware and botnet domains for IP address changes by monitoring TTL values.
9
star
10

PastebinScraper

My personal Pastebin Scraper since 2010
Perl
7
star
11

Masochistic-Linux

A fork of Suicide Linux
Python
7
star
12

CookieMonsterVirus

Humble Shout out to the movie Hackers. For use in CCDC events.
C#
5
star
13

HiveMindDB

Tool to databasing IP addresses and Domains as well as storing notes about the domains.
Perl
4
star
14

ConferenceTalks

Collection of slides from my conference talks
3
star
15

Doom95Aimbot

Source code from https://0x00sec.org/t/doom95-making-an-aimbot/19862 && https://rstforums.com/forum/profile/3859-nytro/content/page/9/?type=forums_topic_post
C++
3
star
16

HamRadioLogbook

A web based logbook for ham radio operators based on Python & Flask
JavaScript
3
star
17

stalkerware-urls

3
star
18

dockerhoneypot-logs

Collection of Docker honeypot logs from 2021 - 2024
Python
3
star
19

pinfo

Simple CLI tool for showing Windows PE Info
Python
2
star
20

SecurityLexicon

Microsoft Office Dictionary of Security Teams
2
star
21

Rosetta

A Chrome Extension that automatically resolves names of various threat groups
Python
2
star
22

RapidSig

Yara + Drinking == Magic
Shell
2
star
23

BTCVendingMachine

1
star
24

ElectricSheepRedux

Continuation of the epic ElectricSheep project
1
star