lnkparse3's People

Contributors

d3vil0p3r, ddash-ct, ernix, man-k28, matmaus, silascutler

lnkparse3's Issues

support decoding of Darwin blocks

Some MSI-generated shortcuts are shown in the explorer properties window with the location greyed out.

Example: example.zip

[image]

Apparently, those are called "Advertised shortcuts" and the actual link location has to do with the field DarwinDataUnicode in the DARWIN block. This has the format GUID(product code), string(component id), GUID(feature name), where the GUIDs are Base85 encoded.

I would like to request, if possible, automatic decoding of this.

More info:
http://www.laurierhodes.info/?q=node/34
http://metadataconsulting.blogspot.com/2019/12/CSharp-Convert-a-GUID-to-a-Darwin-Descriptor-and-back.html
https://web.archive.org/web/20080323160816/http://support.microsoft.com/kb/243630
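As an added example (not LnkParse3's code, and not taken from the references above), here is a decoder for the two Base85 GUIDs inside a Darwin descriptor. The alphabet and the encoding rule (the 16-byte GUID in its little-endian memory layout, read as four 32-bit words, each written as five symbols with the least significant symbol first) are my assumptions, taken from how the MSI runtime encodes its compressed GUIDs; the split into product code, identifier string, separator and component code is also an assumption, so check the field names against the references in the post before relying on them. The input is a constructed descriptor string; pulling DarwinDataUnicode out of LnkParse3's output is left to the caller.

```python
import struct
import uuid

# MSI base85 alphabet for Darwin descriptors (85 symbols). Assumption: taken
# from the compressed-GUID encoding used by the MSI runtime.
DARWIN_BASE85 = (
    "!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "[]^_`abcdefghijklmnopqrstuvwxyz{}~"
)
assert len(DARWIN_BASE85) == 85
_DECODE = {c: i for i, c in enumerate(DARWIN_BASE85)}


def decode_base85_guid(text: str) -> uuid.UUID:
    """Decode 20 Darwin base85 symbols into a GUID.

    The 16-byte GUID is treated as four little-endian DWORDs; each DWORD is
    written as five symbols, least significant symbol first.
    """
    if len(text) != 20:
        raise ValueError(f"expected 20 symbols, got {len(text)}")
    dwords = []
    for group in range(4):
        value = 0
        for i, ch in enumerate(text[group * 5:group * 5 + 5]):
            if ch not in _DECODE:
                raise ValueError(f"symbol {ch!r} is not in the Darwin base85 alphabet")
            value += _DECODE[ch] * (85 ** i)
        if value > 0xFFFFFFFF:          # 85**5 exceeds 2**32, so garbage can overflow
            raise ValueError("five-symbol group does not fit in 32 bits")
        dwords.append(value)
    return uuid.UUID(bytes_le=struct.pack("<4I", *dwords))


def encode_base85_guid(guid) -> str:
    """Inverse of decode_base85_guid (accepts a UUID or its text form)."""
    if not isinstance(guid, uuid.UUID):
        guid = uuid.UUID(guid)
    out = []
    for value in struct.unpack("<4I", guid.bytes_le):
        for _ in range(5):
            out.append(DARWIN_BASE85[value % 85])
            value //= 85
    return "".join(out)


def _braced(guid: uuid.UUID) -> str:
    """Render in the uppercase, braced form used in MSI registry data."""
    return "{" + str(guid).upper() + "}"


def decode_darwin_descriptor(descriptor: str) -> dict:
    """Split a Darwin descriptor and decode its GUIDs.

    Assumed layout: 20 base85 symbols (product code), an identifier string,
    a '>' or '<' separator, then 20 base85 symbols (component code).
    """
    descriptor = descriptor.rstrip("\x00")
    if len(descriptor) < 41:
        raise ValueError("descriptor too short for two encoded GUIDs and a separator")
    middle = descriptor[20:-20]
    separator = middle[-1] if middle and middle[-1] in "<>" else ""
    return {
        "product_code": _braced(decode_base85_guid(descriptor[:20])),
        "identifier": middle[:-1] if separator else middle,
        "separator": separator,
        "component_code": _braced(decode_base85_guid(descriptor[-20:])),
    }


def roundtrip_ok(guid_text: str) -> bool:
    """Self-check: encoding then decoding must give the original GUID back."""
    return decode_base85_guid(encode_base85_guid(guid_text)) == uuid.UUID(guid_text)


if __name__ == "__main__":
    # Constructed descriptor: a made-up product code, a feature name, and a zero component code.
    sample = encode_base85_guid("12345678-1234-5678-9abc-def012345678") + "MainFeature>" + "!" * 20
    print(decode_darwin_descriptor(sample))
```

A group whose decoded value exceeds 32 bits, or a symbol outside the alphabet, is the usual sign that the string is not a Darwin descriptor at all (or that the block was truncated), which is why the decoder rejects it instead of silently wrapping.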

Extraction of SID

LNK files can store the SID of the creating user account in the file. It seems that this may not currently be extracted. Is it possible to add support for extracting this artifact?

Sample LNK files:

  • 02eccb041972825d51b71e88450b094cf692b9f5f46f5101ab3f2210e2e1fe71
  • 20ad6fa72982a6ba0f9499361b2aa3a3f5cca73fd397c2969d08a4c5f2866814
  • 24ee20d7f254e1e327ecd755848b8b72cd5e6273cf434c3a520f780d5a098ac9
  • 2cea2a1f53dac3f4fff156eacc2ecc8e98b1a64f0f5b5ee1c42c69d9a226c55c
  • 32febef64410a6fcff07a6f95f51c25506c291ef13bdaa0937e2b9ce08d2d406
  • 59d74f7e172a2ee14e5e43b9704ac95428b28741f1dbadbf5c9279dd37a11f86
  • 61669c7e59036ae95a2886cf5a42a89633ff8c53cf75e7cb89e0be9f6d4030f4
  • 65c40ca3e96786d292bb9c60f2e0b31641a23c129f2af0bbf5622d33186be6e3
  • 70b6961af57bce72b89103197c8897a4ae3ce5fdb835ccd050f24acbac52900d
  • 843ab931b2bf9ac5cbe5b08189349b440ee586de655130567ab95ae9c86aa2ab
  • b0d7118d75c0f2a99fa5b319148b89148800e5db06ee403d6a31c451a8a54f2b
  • d627688bb5c853df92555cc3c595cc210d83809f3357e0cbccb478c778712967

Invalid dostime warnings

Getting a lot of:

C:\Users\Asus-PC\AppData\Local\Programs\Python\Python37\lib\site-packages\LnkParse3\decorators.py:187: UserWarning: Invalid dostime: e1 50 ab 8b
  warnings.warn(msg)

63 warnings for 166 links.

Is it by design, and am I supposed to use this?

import warnings
with warnings.catch_warnings():
    warnings.simplefilter("ignore")
    # parse the LNK files here; the dostime warnings are suppressed inside this block
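The warning means the four bytes did not decode as a FAT (DOS) date/time, and the usual reason is that one of the packed fields is out of range. As an added example, not LnkParse3's code, here is a decoder that unpacks the two 16-bit words, range-checks every field, and tries both word orders, since which word comes first depends on the structure the bytes were read from (I make no claim about which order LnkParse3 uses). Run on the bytes quoted in the post, the date-word-first reading yields a valid 2020-07-01 17:29:22, while the other reading fails on a month value of 13; an all-zero timestamp, common in shell items, is also reported as invalid rather than as 1980-00-00.

```python
import struct
from datetime import datetime
from typing import Optional, Tuple


def decode_fat_date(word: int) -> Optional[Tuple[int, int, int]]:
    """FAT date word: bits 15-9 = years since 1980, bits 8-5 = month, bits 4-0 = day."""
    year = 1980 + (word >> 9)
    month = (word >> 5) & 0x0F
    day = word & 0x1F
    if not (1 <= month <= 12 and 1 <= day <= 31):
        return None
    return year, month, day


def decode_fat_time(word: int) -> Optional[Tuple[int, int, int]]:
    """FAT time word: bits 15-11 = hour, bits 10-5 = minute, bits 4-0 = seconds / 2."""
    hour = word >> 11
    minute = (word >> 5) & 0x3F
    second = (word & 0x1F) * 2
    if hour > 23 or minute > 59 or second > 59:
        return None
    return hour, minute, second


def decode_dostime(raw: bytes, date_first: bool = True) -> Optional[datetime]:
    """Decode 4 bytes as a FAT date/time pair; None if any field is out of range."""
    if len(raw) != 4:
        raise ValueError("a FAT date/time is exactly 4 bytes")
    w0, w1 = struct.unpack("<HH", raw)          # two little-endian 16-bit words
    date_word, time_word = (w0, w1) if date_first else (w1, w0)
    date, time = decode_fat_date(date_word), decode_fat_time(time_word)
    if date is None or time is None:
        return None
    try:
        return datetime(*date, *time)
    except ValueError:                           # e.g. 31 February: fields in range, date impossible
        return None


def explain_dostime(hex_bytes: str) -> dict:
    """Decode the bytes from an 'Invalid dostime: e1 50 ab 8b' warning under both word orders."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    return {
        "date_then_time": decode_dostime(raw, date_first=True),
        "time_then_date": decode_dostime(raw, date_first=False),
    }


if __name__ == "__main__":
    # The bytes quoted in the warning above.
    print(explain_dostime("e1 50 ab 8b"))
```

When triaging a batch of shortcuts, feeding the bytes from each warning through explain_dostime tells you whether the field is genuinely unset or corrupt (both readings invalid) or merely packed in the other word order, which is the distinction that decides whether the timestamp can still be used as evidence.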

Extraction of data following the Extra Data/Terminal Block

Hi, I was looking at some new problems that I have with parsing Lnk files, and realized that I should have tried to get one of those branches merged before. I came across Lnk files that are tacking additional data at the very end of the file, after the Terminal Block. I created my own fork of LnkParse3 and had my way of handling it, and I saw that user wmetcalf also did. We took slightly different approaches, and I was wondering if you had a preference. I would be happy to clean my repository, or make a totally new branch to be able to open a proper pull request if you are interested. For reference, this is an example of a malicious file that would benefit from being able to get the content at the end of the normal structure. Just making sure again, please be aware that this file is malicious. :) https://bazaar.abuse.ch/sample/082d5935271abf58419fb5e9de83996bd2f840152de595afa7d08e4b98b1d203

If you are looking at the git diff from my repository, you will see that I also added handling for UnknownExtra. I see that you since added handling and a warning in extra_factory.py, but I think it would be useful to be able to access that data. For reference, this LNK file has a zip file in such undefined Extra data.

Thank you for your time and the awesome library!
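The bytes the post is after live past the TerminalBlock, which LnkParse3 (and the MS-SHLLINK layout) treats as the end of the file. As an added example, not the project's code and not either of the forks mentioned above, here is a minimal walker that skips the header, the optional LinkTargetIDList, LinkInfo and StringData, then iterates the ExtraData blocks by their BlockSize until it hits a BlockSize below 4, returning every block (including ones with signatures it does not recognise, so a zip in an undefined block is still reachable) together with whatever follows the terminator. The sample .lnk is constructed in the block itself; the KnownFolderDataBlock signature 0xA000000B and size 0x1C are from the MS-SHLLINK specification, and the trailing payload is a made-up byte string.

```python
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its little-endian byte layout
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
IS_UNICODE = 0x80
# HasName, HasRelativePath, HasWorkingDir, HasArguments, HasIconLocation (in StringData order)
STRING_DATA_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)


def _u16(data: bytes, pos: int) -> int:
    if pos + 2 > len(data):
        raise ValueError(f"truncated at offset {pos}")
    return struct.unpack_from("<H", data, pos)[0]


def _u32(data: bytes, pos: int) -> int:
    if pos + 4 > len(data):
        raise ValueError(f"truncated at offset {pos}")
    return struct.unpack_from("<I", data, pos)[0]


def walk_extra_data(data: bytes) -> dict:
    """Return the ExtraData blocks, the TerminalBlock offset, and any bytes after it."""
    if len(data) < LNK_HEADER_SIZE or _u32(data, 0) != LNK_HEADER_SIZE:
        raise ValueError("not a shell link file: bad HeaderSize")
    flags = _u32(data, 0x14)                      # LinkFlags follow HeaderSize + LinkCLSID
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + _u16(data, pos)                # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += _u32(data, pos)                    # LinkInfoSize covers the whole structure
    width = 2 if flags & IS_UNICODE else 1
    for flag in STRING_DATA_FLAGS:
        if flags & flag:
            pos += 2 + _u16(data, pos) * width    # CountCharacters + characters, no terminator
    blocks = []
    terminal_at = None
    while pos + 4 <= len(data):
        size = _u32(data, pos)
        if size < 4:                              # TerminalBlock: any BlockSize below 4
            terminal_at = pos
            pos += 4
            break
        if pos + size > len(data):                # declared size overruns the file: keep, stop
            blocks.append({"signature": None, "size": size, "data": data[pos:]})
            pos = len(data)
            break
        signature = _u32(data, pos + 4) if size >= 8 else None
        blocks.append({"signature": signature, "size": size, "data": data[pos + 8:pos + size]})
        pos += size
    trailing = data[pos:] if terminal_at is not None else b""
    return {"extra_blocks": blocks, "terminal_at": terminal_at, "trailing": trailing}


def build_sample_lnk(flags: int, body: bytes, extra: bytes, trailing: bytes) -> bytes:
    """Constructed minimal .lnk: header, optional body, ExtraData, TerminalBlock, trailing bytes."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + body + extra + b"\x00\x00\x00\x00" + trailing


def sample() -> dict:
    """Walk a constructed shortcut that carries a payload after its TerminalBlock."""
    name = "constructed".encode("utf-16-le")
    body = struct.pack("<H", len(name) // 2) + name                 # NAME_STRING, unicode
    known_folder = struct.pack("<II", 0x1C, 0xA000000B) + b"\x00" * 16 + struct.pack("<I", 0)
    payload = b"PK\x03\x04" + b"constructed-bytes-after-terminal-block"   # made-up trailing data
    return walk_extra_data(build_sample_lnk(0x04 | IS_UNICODE, body, known_folder, payload))


if __name__ == "__main__":
    result = sample()
    print(hex(result["terminal_at"]), [hex(b["signature"]) for b in result["extra_blocks"]])
    print(result["trailing"][:16])
```

For triage, a non-empty "trailing" value is the signal worth alerting on: a well-formed shortcut ends at its TerminalBlock, so anything after it was appended deliberately, and the first bytes of it (here a zip local-file header) usually say what it is.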
