Closed camptatopenmars closed 1 year ago
Seems there is another lnk module awaiting review from a while back https://github.com/VirusTotal/yara/pull/1732... that I'm just now noticing, of course. Anyway, yara needs a lnk module.
Nice one @camptatopenmars! Completely agree that YARA would benefit from a module to parse LNK files. Let me know if you have any feedback on the PR I've put together. I've also done a rough conversion of the docs for the module so far on my blog, where I'm currently writing some posts about the LNK module: https://bitsofbinary.github.io/yara/2023/01/05/lnk_module_documentation.html
Lnk files are astonishingly complicated things and are nearly an executable type on their own. I've started creating a 'lnk' yara module for parsing these files. I have a series of TODO items in the prologue to lnk.c, but you can at least work out the general target of a lnk file with it as it stands. I'm submitting a PR for review before doing more work on this.
I've modified the vs2017 project files to build (this is all desperately out of date... but figured it would be best to add vs2022 in an entirely different PR), but have entirely avoided the autoconfig stuff because... I've no idea what I'm doing there. I have compiled this on Ubuntu using a makefile I use to build a private fork of libyara.
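To make concrete what "working out the general target of a lnk file" involves, here is an added, self-contained C example (written for this page, not code from the YARA project or from either PR) that walks the MS-SHLLINK layout: the fixed ShellLinkHeader, the optional LinkTargetIDList, the optional LinkInfo block with its LocalBasePath, and the StringData fields (relative path, working directory, command-line arguments) that say what a shortcut actually launches. ExtraData is not parsed. The sample bytes are constructed in memory by `lnk_build_sample` rather than read from a real file; the names `lnk_parse`, `lnk_target` and `lnk_build_sample` are this example's own.

```c
/* Minimal Shell Link (.lnk) parser, added here to show the layout a YARA lnk
 * module has to walk: fixed ShellLinkHeader, optional LinkTargetIDList,
 * optional LinkInfo (carrying the local base path), then the StringData
 * fields that say what is launched. ExtraData is skipped. Layout per
 * MS-SHLLINK; this is not code from the YARA project or the PR. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HDR = 0x4C, F_IDLIST = 1, F_LINKINFO = 2, F_NAME = 4, F_RELPATH = 8,
       F_WORKDIR = 0x10, F_ARGS = 0x20, F_ICON = 0x40, F_UNICODE = 0x80, LI_LOCAL = 1 };
static const uint8_t LNK_CLSID[16] = {0x01,0x14,0x02,0,0,0,0,0,0xC0,0,0,0,0,0,0,0x46};

struct lnk_target {
    uint32_t flags;
    char local_path[256], relative_path[256], working_dir[256], arguments[256];
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* StringData field: CountCharacters (u16) then chars, no terminator. UTF-16LE is
 * narrowed to its low byte. Returns bytes consumed, 0 if it overruns the buffer. */
static size_t read_string(const uint8_t *p, size_t avail, int unicode, char *out, size_t outsz) {
    if (avail < 2) return 0;
    size_t n = rd16(p), bytes = unicode ? n * 2 : n, i;
    if (avail - 2 < bytes) return 0;
    for (i = 0; i < n && i + 1 < outsz; i++)
        out[i] = (char)(unicode ? p[2 + 2 * i] : p[2 + i]);
    out[i] = '\0';
    return 2 + bytes;
}

/* Returns 0 on success, a negative code on malformed or truncated input. */
int lnk_parse(const uint8_t *buf, size_t len, struct lnk_target *t) {
    memset(t, 0, sizeof *t);
    if (len < HDR || rd32(buf) != HDR) return -1;
    if (memcmp(buf + 4, LNK_CLSID, 16) != 0) return -2;
    t->flags = rd32(buf + 20);
    size_t off = HDR;
    if (t->flags & F_IDLIST) {                     /* IDListSize excludes itself */
        if (len - off < 2) return -3;
        off += 2 + rd16(buf + off);
        if (off > len) return -3;
    }
    if (t->flags & F_LINKINFO) {
        if (len - off < 0x1C) return -4;
        uint32_t li_size = rd32(buf + off), li_flags = rd32(buf + off + 8), lbp = rd32(buf + off + 16);
        if (li_size < 0x1C || li_size > len - off) return -4;
        if ((li_flags & LI_LOCAL) && lbp < li_size) {
            const char *s = (const char *)buf + off + lbp;  /* NUL-terminated, must end inside LinkInfo */
            if (memchr(s, 0, li_size - lbp) == NULL) return -4;
            snprintf(t->local_path, sizeof t->local_path, "%s", s);
        }
        off += li_size;
    }
    int uni = (t->flags & F_UNICODE) != 0;
    char skip[256];                                /* NAME_STRING and ICON_LOCATION are parsed, not kept */
    struct { uint32_t flag; char *dst; } fields[] = {{F_NAME, skip}, {F_RELPATH, t->relative_path},
        {F_WORKDIR, t->working_dir}, {F_ARGS, t->arguments}, {F_ICON, skip}};
    for (size_t i = 0; i < 5; i++) {
        if (!(t->flags & fields[i].flag)) continue;
        size_t used = read_string(buf + off, len - off, uni, fields[i].dst, 256);
        if (used == 0) return -5;
        off += used;
    }
    return 0;
}

static uint8_t *w32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
    return p + 4;
}
static uint8_t *wstr(uint8_t *p, const char *s) {  /* ANSI StringData field */
    size_t n = strlen(s);
    p[0] = (uint8_t)n; p[1] = (uint8_t)(n >> 8);
    memcpy(p + 2, s, n);
    return p + 2 + n;
}

/* Constructed sample, not a file captured from disk: a shortcut that runs
 * cmd.exe with arguments, the shape many malicious LNKs take. Returns length. */
size_t lnk_build_sample(uint8_t *out) {
    static const char path[] = "C:\\Windows\\System32\\cmd.exe";   /* 28 bytes with NUL */
    memset(out, 0, HDR);
    w32(out, HDR);
    memcpy(out + 4, LNK_CLSID, 16);
    w32(out + 20, F_LINKINFO | F_RELPATH | F_WORKDIR | F_ARGS);
    w32(out + 60, 1);                                          /* ShowCommand = SW_SHOWNORMAL */
    uint8_t *p = out + HDR;                                    /* LinkInfo: 0x1C header + 0x11 VolumeID + path + "" */
    p = w32(p, (uint32_t)(0x1C + 0x11 + sizeof path + 1));    /* LinkInfoSize */
    p = w32(p, 0x1C); p = w32(p, LI_LOCAL); p = w32(p, 0x1C); /* header size, flags, VolumeIDOffset */
    p = w32(p, 0x1C + 0x11); p = w32(p, 0);                   /* LocalBasePathOffset, no network link */
    p = w32(p, (uint32_t)(0x1C + 0x11 + sizeof path));        /* CommonPathSuffixOffset */
    p = w32(p, 0x11); p = w32(p, 3); p = w32(p, 0x1234ABCD); p = w32(p, 0x10); *p++ = 0; /* VolumeID */
    memcpy(p, path, sizeof path); p += sizeof path; *p++ = 0; /* LocalBasePath, empty CommonPathSuffix */
    p = wstr(p, ".\\cmd.exe"); p = wstr(p, "C:\\Windows\\System32"); p = wstr(p, "/c whoami");
    return (size_t)(p - out);
}
```

Every variable-length structure is bounds-checked against the remaining buffer before it is read, and a LocalBasePath that is not NUL-terminated inside its LinkInfo block is rejected; a module exposed to attacker-supplied files through a YARA scan has to be at least this defensive. Feeding `lnk_build_sample` into `lnk_parse` yields `local_path` `C:\Windows\System32\cmd.exe` and `arguments` `/c whoami`, which is the "general target" a rule would match on.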