Matmaus / LnkParse3

Windows Shortcut file (LNK) parser
MIT License

Extraction of SID #23

Closed dspruell-i01 closed 9 months ago

dspruell-i01 commented 9 months ago

LNK files can store the SID of the creating user account in the file. It seems that this may not currently be extracted. Is it possible to add support for extracting this artifact?

Sample LNK files:

Matmaus commented 9 months ago

I think the support was added recently, but it is only in master branch yet. I can make a new release this weekend.

Below is SID parsed from 02eccb041972825d51b71e88450b094cf692b9f5f46f5101ab3f2210e2e1fe71. Can you please verify it?

S-1-5-21-1499925678-132529631-3571256938-1001

SID was taken from METADATA_PROPERTIES_BLOCK:

        "METADATA_PROPERTIES_BLOCK": {
            "format_id": "46588AE2-4CBC-4338-BBFC-139326986DCE",
            "serialized_property_values": [
                {
                    "id": 4,
                    "value": "S-1-5-21-1499925678-132529631-3571256938-1001",
                    "value_size": 109
                }
            ],
            "size": 149,
            "storage_size": 137,
            "version": "0x53505331"
        },
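
The block above can be reproduced byte for byte. The following is an added example, not LnkParse3's own code: it serializes a PropertyStoreDataBlock (layout per MS-SHLLINK 2.5.7 and MS-PROPSTORE) holding only the SID string under the property set 46588AE2-4CBC-4338-BBFC-139326986DCE, property id 4, as shown in the pasted JSON, then parses it back with bounds checks and pulls the SID out as a forensic artifact. The function names and the "storages" list in the returned dict are my own choices (LnkParse3 flattens the single-storage case into one object); the sizes 109, 137 and 149 fall out of the format itself.

```python
"""Added example (not LnkParse3's own code): build and parse an LNK
PropertyStoreDataBlock carrying the creating user's SID, so the value_size /
storage_size / size figures in the pasted JSON can be reproduced byte for byte.
Layout follows MS-SHLLINK 2.5.7 and MS-PROPSTORE; the returned dict mirrors
the JSON loosely (one entry per storage rather than a flattened block)."""
import struct
import uuid

PROPERTY_STORE_SIGNATURE = 0xA0000009   # extra data block signature
STORAGE_VERSION = 0x53505331            # "1SPS"
USER_SID_FORMAT_ID = "46588AE2-4CBC-4338-BBFC-139326986DCE"  # from the issue
PID_USER_SID = 4                        # property id carrying the SID string
VT_LPWSTR = 0x1F                        # null-terminated UTF-16LE string


def build_sid_property_block(sid):
    """Constructed input: serialize a property store holding only the SID."""
    wide = sid.encode("utf-16-le") + b"\x00\x00"
    typed = struct.pack("<HHI", VT_LPWSTR, 0, len(wide) // 2) + wide
    # value_size(4) + id(4) + reserved(1) + typed value
    value = struct.pack("<IIB", 9 + len(typed), PID_USER_SID, 0) + typed
    body = (struct.pack("<I", STORAGE_VERSION)
            + uuid.UUID(USER_SID_FORMAT_ID).bytes_le
            + value
            + struct.pack("<I", 0))            # end of property values
    storage = struct.pack("<I", 4 + len(body)) + body
    store = storage + struct.pack("<I", 0)     # end of storages
    return struct.pack("<II", 8 + len(store), PROPERTY_STORE_SIGNATURE) + store


def parse_property_store_block(data):
    """Parse one PropertyStoreDataBlock; every length is bounds-checked."""
    if len(data) < 8:
        raise ValueError("block too short")
    size, signature = struct.unpack_from("<II", data, 0)
    if signature != PROPERTY_STORE_SIGNATURE or size != len(data):
        raise ValueError("not a complete PropertyStoreDataBlock")
    storages, off = [], 8
    while off + 4 <= size:
        storage_size = struct.unpack_from("<I", data, off)[0]
        if storage_size == 0:
            break
        end = off + storage_size
        if storage_size < 24 or end > size:
            raise ValueError("storage overruns block")
        version = struct.unpack_from("<I", data, off + 4)[0]
        format_id = str(uuid.UUID(bytes_le=data[off + 8:off + 24])).upper()
        values, p = [], off + 24
        while p + 4 <= end:
            value_size = struct.unpack_from("<I", data, p)[0]
            if value_size == 0:
                break
            if value_size < 13 or p + value_size > end:
                raise ValueError("property value overruns storage")
            pid = struct.unpack_from("<I", data, p + 4)[0]
            vtype = struct.unpack_from("<H", data, p + 9)[0]
            value = None                      # other types left undecoded
            if vtype == VT_LPWSTR and value_size >= 17:
                nchars = struct.unpack_from("<I", data, p + 13)[0]
                raw = data[p + 17:min(p + 17 + nchars * 2, p + value_size)]
                value = raw.decode("utf-16-le", "replace").rstrip("\x00")
            values.append({"id": pid, "value": value, "value_size": value_size})
            p += value_size
        storages.append({"format_id": format_id,
                         "serialized_property_values": values,
                         "storage_size": storage_size,
                         "version": "0x%08X" % version})
        off = end
    return {"size": size, "storages": storages}


def extract_user_sid(parsed):
    """Return the creating user's SID string, or None if the block lacks it."""
    for storage in parsed["storages"]:
        if storage["format_id"] != USER_SID_FORMAT_ID:
            continue
        for prop in storage["serialized_property_values"]:
            if prop["id"] == PID_USER_SID and isinstance(prop["value"], str):
                return prop["value"]
    return None


if __name__ == "__main__":
    block = build_sid_property_block("S-1-5-21-1499925678-132529631-3571256938-1001")
    parsed = parse_property_store_block(block)
    first = parsed["storages"][0]
    print(parsed["size"], first["storage_size"],
          first["serialized_property_values"][0]["value_size"])
    print(extract_user_sid(parsed))
```

The 45-character SID becomes 92 bytes of UTF-16LE with its terminator; adding the 8-byte typed-value header and the 9-byte value header gives value_size 109, the 24-byte storage header plus the 4-byte terminator gives storage_size 137, and the 8-byte block header plus the 4-byte end-of-storages marker gives size 149, exactly the figures in the pasted JSON. Note that this SID is metadata written by the shell on the machine where the shortcut was created; a sample's SID therefore describes the author's environment, not the system the file was later found on.
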
dspruell-i01 commented 9 months ago

> I think the support was added recently, but it is only in master branch yet. I can make a new release this weekend.
>
> Below is SID parsed from 02eccb041972825d51b71e88450b094cf692b9f5f46f5101ab3f2210e2e1fe71. Can you please verify it?
>
> S-1-5-21-1499925678-132529631-3571256938-1001

Affirmative, that's what I expected to see for that sample. Nice!

Matmaus commented 9 months ago

A new version v1.3.2 with support to extract (not only) SID has been released.