lnk-core — a reader for Windows Shell Link (.lnk) files.
Parses the [MS-SHLLINK] Shell Link (.LNK) Binary File Format into a typed
ShellLink: the ShellLinkHeader (flags, attributes, the three target
FILETIMEs, file size, icon index, show command, hotkey), the optional
LinkInfo (the VolumeID drive type / volume serial number / label and
the local base path, plus a CommonNetworkRelativeLink for network targets),
the StringData block, and the ExtraData TrackerDataBlock (the origin
machine NetBIOS name and the distributed-link-tracking droid GUIDs).
The input is attacker-controllable evidence: parsing is bounds-checked, never
panics, and never trusts a length field. No unsafe. Malformed headers yield
None rather than a partial/garbage value. The format constants live in
forensicnomicon::shlink (knowledge-only); the parsing algorithm lives
here.
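The bounds-checking discipline described above, as an added example that is not lnk-core's own code: it validates the 76-byte ShellLinkHeader and then steps over the LinkTargetIDList without trusting IDListSize. The names `Header`, `take`, `parse_header` and `constructed_sample` are hypothetical; the field offsets follow [MS-SHLLINK] §2.1 and §2.2.

```rust
// Added illustration, not lnk-core's source; every name here is hypothetical.
const HEADER_SIZE: usize = 0x4C; // [MS-SHLLINK] §2.1 HeaderSize
const LINK_CLSID: [u8; 16] = [ // 00021401-0000-0000-C000-000000000046 as stored
    0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
];
const HAS_LINK_TARGET_ID_LIST: u32 = 0x1; // LinkFlags bit A
#[derive(Debug, PartialEq)]
pub struct Header { pub link_flags: u32, pub write_time: u64 }

/// Copy N bytes at `off`, or None if the buffer is too short.
fn take<const N: usize>(b: &[u8], off: usize) -> Option<[u8; N]> {
    let mut out = [0u8; N];
    out.copy_from_slice(b.get(off..off.checked_add(N)?)?);
    Some(out)
}

/// Returns the header plus the raw IDList bytes (empty when the flag is clear).
pub fn parse_header(data: &[u8]) -> Option<(Header, &[u8])> {
    let hdr = data.get(..HEADER_SIZE)?; // fewer than 76 bytes: reject
    if u32::from_le_bytes(take::<4>(hdr, 0)?) as usize != HEADER_SIZE || hdr[4..20] != LINK_CLSID[..] {
        return None; // wrong HeaderSize or LinkCLSID: not a shell link
    }
    let header = Header {
        link_flags: u32::from_le_bytes(take::<4>(hdr, 20)?),
        write_time: u64::from_le_bytes(take::<8>(hdr, 44)?), // FILETIME ticks
    };
    if header.link_flags & HAS_LINK_TARGET_ID_LIST == 0 {
        return Some((header, &data[..0])); // no LinkTargetIDList present
    }
    // IDListSize comes from the file; validate it against the real buffer.
    let size = u16::from_le_bytes(take::<2>(data, HEADER_SIZE)?) as usize;
    Some((header, data.get(HEADER_SIZE + 2..HEADER_SIZE + 2 + size)?))
}

/// Constructed sample: valid header, flag A set, IDListSize = `claimed`, 2 bytes present.
pub fn constructed_sample(claimed: u16) -> Vec<u8> {
    let mut v = vec![0u8; HEADER_SIZE];
    v[..4].copy_from_slice(&(HEADER_SIZE as u32).to_le_bytes());
    v[4..20].copy_from_slice(&LINK_CLSID);
    v[20..24].copy_from_slice(&HAS_LINK_TARGET_ID_LIST.to_le_bytes());
    v.extend_from_slice(&claimed.to_le_bytes());
    v.extend_from_slice(&[0, 0]); // TerminalID only
    v
}
fn main() {
    println!("{:?}", parse_header(&constructed_sample(2))); // honest length
    println!("{:?}", parse_header(&constructed_sample(0xFFFF))); // lying length
}
```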
§Authoritative source
[MS-SHLLINK] — Shell Link (.LNK) Binary File Format:
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/16cb4ca1-9339-4d0c-a68d-bf1d6cc0f943
Modules§
- drive_type: DriveType values ([MS-SHLLINK] §2.3.1 / Win32 GetDriveType).
Structs§
- CommonNetworkRelativeLink: The CommonNetworkRelativeLink ([MS-SHLLINK] §2.3.2).
- DroidGuids: A Droid volume/object GUID pair, rendered in the canonical 8-4-4-4-12 form.
- LinkInfo: The LinkInfo block ([MS-SHLLINK] §2.3).
- LinkTargetIdList: The raw LinkTargetIDList ([MS-SHLLINK] §2.2) — PIDL bytes kept verbatim.
- ShellLink: A fully parsed Windows Shell Link.
- ShellLinkHeader: The ShellLinkHeader ([MS-SHLLINK] §2.1).
- StringData: The decoded StringData block ([MS-SHLLINK] §2.4).
- TrackerDataBlock: The TrackerDataBlock ([MS-SHLLINK] §2.5.10) — origin machine + droid GUIDs.
- VolumeId: The VolumeID ([MS-SHLLINK] §2.3.1).
Functions§
- parse_shell_link: Parse a Shell Link from its bytes.