lnk-core — a reader for Windows Shell Link (.lnk) files.
Parses the [MS-SHLLINK] Shell Link (.LNK) Binary File Format into a typed
ShellLink: the ShellLinkHeader (flags, attributes, the three target
FILETIMEs, file size, icon index, show command, hotkey), the optional
LinkInfo (the VolumeID drive type / volume serial number / label and
the local base path, plus a CommonNetworkRelativeLink for network targets),
the StringData block, and the ExtraData TrackerDataBlock (the origin
machine NetBIOS name and the distributed-link-tracking droid GUIDs).
The input is attacker-controllable evidence: parsing is bounds-checked, never
panics, and never trusts a length field. No unsafe. Malformed headers yield
None rather than a partial/garbage value. The format constants live in
forensicnomicon::shlink (knowledge-only); the parsing algorithm lives
here.
§Authoritative source
[MS-SHLLINK] — Shell Link (.LNK) Binary File Format:
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/16cb4ca1-9339-4d0c-a68d-bf1d6cc0f943
Modules§
- drive_type - DriveType values ([MS-SHLLINK] §2.3.1 / Win32 GetDriveType).
Structs§
- CommonNetworkRelativeLink - The CommonNetworkRelativeLink ([MS-SHLLINK] §2.3.2).
- DestListEntry - A DestList stream entry — the per-target MRU metadata that accompanies an embedded shell link in an automatic-destinations Jump List.
- DroidGuids - A Droid volume/object GUID pair, rendered in the canonical 8-4-4-4-12 form.
- JumpList - A parsed Jump List.
- JumpListEntry - One Jump List entry: an embedded shell link plus, for automatic destinations, its DestList MRU metadata.
- LinkInfo - The LinkInfo block ([MS-SHLLINK] §2.3).
- LinkTargetIdList - The LinkTargetIDList ([MS-SHLLINK] §2.2) — the target's shell-namespace path as an ITEMIDLIST (PIDL). The raw blob is kept verbatim and also decoded into typed shell items + a reconstructed path via the shellitem primitive.
- ShellLink - A fully parsed Windows Shell Link.
- ShellLinkHeader - The ShellLinkHeader ([MS-SHLLINK] §2.1).
- StringData - The decoded StringData block ([MS-SHLLINK] §2.4).
- TrackerDataBlock - The TrackerDataBlock ([MS-SHLLINK] §2.5.10) — origin machine + droid GUIDs.
- VolumeId - The VolumeID ([MS-SHLLINK] §2.3.1).
Enums§
- JumpListKind - Which Jump List family a JumpList was parsed from.
Functions§
- parse_automatic_destinations - Parse a *.automaticDestinations-ms Jump List from its bytes.
- parse_custom_destinations - Parse a *.customDestinations-ms Jump List from its bytes.
- parse_shell_link - Parse a Shell Link from its bytes.