
Fix LNK Parsing Error in Specific Cases in string_data.py #39


Merged
merged 1 commit into from
Apr 18, 2025

Conversation

Oskar65536
Contributor

Hi,
I came across several LNK files that are not parsed correctly by your library, as well as by many other parsers. The issue lies in the StringData class.

The class assumes that the 2 bytes (str_length) preceding each string accurately reflect the number of characters. However, it turns out that str_length can contain large values (e.g., 0xFFFF), while Windows internally enforces a 260-character limit (520 bytes in Unicode) on certain strings within the LNK format.

This behavior applies to the strings name, relative_path, and working_dir, which correspond to the flags HasName, HasRelativePath, and HasWorkingDir.

I've attached files that demonstrate the issue (you can check all of them by right-clicking):

  • original.lnk – a regular file without any parsing problems

  • name_long_ok.lnk – same file, but with a name string exactly 260 characters long. Note that Windows treats the last character as null, even if it's a valid letter (as in this file).

  • name_broken.lnk – here the name string is 261 characters long and breaks the following relative_path string

  • relative_path_long_ok.lnk – similar case for relative_path

  • relative_path_long_broken.lnk – 261 bytes in relative_path corrupt the next string workdir

  • workdir_long_ok.lnk and workdir_long_broken.lnk – similar issue, the arguments string gets corrupted

The arguments string, associated with the HasArguments flag, does not appear to have this 260-character limitation (which makes sense).

Files are here: test.zip
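As an added example (not the PR's patch and not LnkParse3's string_data.py), here is a Python parser for the StringData section that can either read each CountCharacters field literally, as the description says most parsers do, or emulate the 260-character behaviour described above. The LinkFlags bit values and the field order are taken from MS-SHLLINK; the exact Windows semantics assumed for a count of 260 or more (consume 260 characters from the stream, keep 259, continue from there) is fitted to the test files described and is an assumption, the ANSI code page is an assumption, and the sample strings are constructed here rather than taken from the attached files.

```python
import struct

# LinkFlags bits and the on-disk order of StringData fields come from
# MS-SHLLINK (sections 2.1.1 and 2.4), not from the PR text above.
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# (field, LinkFlags bit, subject to the 260-character cap reported in the PR).
# The PR says nothing about icon_location, so it is treated as uncapped here.
STRING_FIELDS = (
    ("name", HAS_NAME, True),
    ("relative_path", HAS_RELATIVE_PATH, True),
    ("working_dir", HAS_WORKING_DIR, True),
    ("arguments", HAS_ARGUMENTS, False),
    ("icon_location", HAS_ICON_LOCATION, False),
)

MAX_CHARS = 260  # MAX_PATH; per the PR, Windows treats the 260th character as NUL


def parse_string_data(data, offset, link_flags, emulate_windows=True, ansi_codepage="cp1252"):
    """Parse StringData beginning at `offset`; return (fields, next_offset).

    emulate_windows=False trusts CountCharacters literally (what the PR fixes).
    emulate_windows=True models the PR's observations as an assumption: a
    capped field consumes at most MAX_CHARS characters and keeps MAX_CHARS - 1,
    so the next field starts right after those MAX_CHARS characters, which is
    why a 261-character name corrupts relative_path.  The ANSI code page is an
    assumption; MS-SHLLINK only says "system default code page".
    """
    is_unicode = bool(link_flags & IS_UNICODE)
    char_size = 2 if is_unicode else 1
    encoding = "utf-16-le" if is_unicode else ansi_codepage
    fields = {}
    for field, bit, capped in STRING_FIELDS:
        if not link_flags & bit:
            continue
        if offset + 2 > len(data):
            raise ValueError(f"truncated CountCharacters for {field}")
        (count,) = struct.unpack_from("<H", data, offset)
        offset += 2
        consumed = kept = count
        if emulate_windows and capped and count >= MAX_CHARS:
            consumed, kept = MAX_CHARS, MAX_CHARS - 1
        end = offset + consumed * char_size
        if end > len(data):
            raise ValueError(f"truncated {field}: CountCharacters={count}")
        fields[field] = data[offset:offset + kept * char_size].decode(encoding)
        offset = end
    return fields, offset


def oversized_fields(data, offset, link_flags):
    """Triage helper: (field, CountCharacters) for each capped field whose count
    exceeds MAX_CHARS, i.e. the case that desynchronises count-trusting parsers."""
    char_size = 2 if link_flags & IS_UNICODE else 1
    found = []
    for field, bit, capped in STRING_FIELDS:
        if not link_flags & bit:
            continue
        if offset + 2 > len(data):
            break  # stream ends early; nothing left to inspect
        (count,) = struct.unpack_from("<H", data, offset)
        if capped and count > MAX_CHARS:
            found.append((field, count))
        offset += 2 + count * char_size  # follow the literal count to the next field
    return found


def build_string_data(values, is_unicode=True):
    """Serialise field -> str into StringData bytes with CountCharacters = len(value).
    Only used here to construct samples; it is not a general LNK writer."""
    link_flags = IS_UNICODE if is_unicode else 0
    out = bytearray()
    for field, bit, _capped in STRING_FIELDS:
        if field in values:
            link_flags |= bit
            out += struct.pack("<H", len(values[field]))
            out += values[field].encode("utf-16-le" if is_unicode else "cp1252")
    return link_flags, bytes(out)


def demo():
    """Rebuild the name_long_ok (260) and name_broken (261) cases from the PR as
    constructed samples and parse each both literally and Windows-style."""
    base = {  # constructed values, not taken from any real shortcut
        "relative_path": "..\\..\\Windows\\System32\\calc.exe",
        "working_dir": "C:\\Windows\\System32",
        "arguments": "-ExecutionPolicy Bypass -File payload.ps1",
    }
    results = {}
    for label, name_len in (("name_long_ok", 260), ("name_broken", 261)):
        flags, blob = build_string_data({"name": "A" * name_len, **base})
        naive, _ = parse_string_data(blob, 0, flags, emulate_windows=False)
        try:
            windows, _ = parse_string_data(blob, 0, flags, emulate_windows=True)
            error = None
        except ValueError as exc:  # the misread count runs past the data
            windows, error = None, str(exc)
        results[label] = {"naive": naive, "windows": windows, "error": error,
                          "oversized": oversized_fields(blob, 0, flags)}
    return results
```

In the 260-character case both readings stay aligned and only differ in whether the 260th character survives; in the 261-character case the literal reading returns a clean relative_path while the Windows-style reading takes the 261st character's bytes as the next CountCharacters and then runs off the end of the data. For triage, `oversized_fields` is the cheap check: a capped field whose count exceeds 260 means the shortcut will render differently in Explorer than in a parser that trusts the count, which is worth flagging on its own.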

@Matmaus
Owner

Matmaus commented Apr 16, 2025

Hi, sorry for my late response. Thank you for the PR and rich description including examples 👍 .
I viewed those files on Windows as you proposed and saw that some of them were broken. However, I did not find any other evidence that these four fields should have such a length restriction. It is possible that the restriction only applies to the Windows dialog. I would like to investigate more and ideally find a real-world example. Maybe you have some real-world example as well, from VT for example? Or maybe a link to documentation where the limit is mentioned.

@Oskar65536
Contributor Author

Of course, here's an LNK file used by the APT group XDSpy in a recent campaign:

@Matmaus
Owner

Matmaus commented Apr 18, 2025

Well, I see now, thanks.

@Matmaus Matmaus merged commit 992d064 into Matmaus:master Apr 18, 2025
5 checks passed