Open masbicudo opened 1 year ago
joachimmetz
commented
1 year ago @masbicudo there is a lot of variation in shell items, let me check my samples. If you have more context which version of Windows in which context you saw the extension block that would be useful
masbicudo
commented
1 year ago @joachimmetz Yeah, actually it is a sample in the docs itself... the example in the docs contradicts the table describing the fields. The table with description says the Size value should be 74, but in the example that follows, the value is 70.
joachimmetz
commented
1 year ago If I recall correctly (and agree that this could be more explicit in the documentation), the "example" (I assume you mean "Shell item from Windows 7 BagMRU (Search Home)") here is a note about an observed shell item that is different.
masbicudo
commented
1 year ago Oh, I see. I'm asking this because I am building an implementation of the LNK specification in .Net. So I think that I will have to handle different sizes of this extension block, and probably a lot of the other things too will have this behavior so I'll have to relax the size constraint.
Thank you very much @joachimmetz
p.s. Some questions:
joachimmetz
commented
1 year ago FYI shell items are a big unknown, they keep changing and the internals are not widely understood. So tread with caution, be very defensive in your implementation on how you parse them. I would recommend to be overly strict instead of relaxed. Maybe interesting for context: https://osdfir.blogspot.com/2020/09/testing-digital-forensic-data.html
May I contribute in this repository with my findings? How can I contribute?
You can always share your findings, ideally as test data that can be reproduced. Also see some experimental code to generate them https://github.com/dfirlabs/wsi-specimens (definitely not comprehensive). Or send a PR, my time is limited so I might not respond quickly.
Do you have a dataset of shell links so that I can create tests for the library I am implementing?
I have data sets that I unfortunately cannot share, but look at the wsi-specimens, helping improve that will help you build reproducible test data.
May I link references to your repository with attribution? Is there a preferred attribution format?
yes that is fine, reference the project, that is the most inclusive for other people that contributed over the years.
joachimmetz
commented
1 year ago Looks like https://github.com/dfirlabs/wsi-specimens is still empty, early experiments are here https://github.com/libyal/assorted/blob/main/src/winshellfolder.c
It is said in the docs that this extension block has 74 bytes, but in the example shown it consists of 70 bytes. There is one Unknown field more than in the example:
Field 1: Size = [46 00] = 70 (table says this should be 74) Field 2: Version = [01 00] = 1 (ok) Field 3: Signature = [17 00 ef be] = 0xbeef0017 (ok) Field 4: Unknown (zero) = [00 00 00 00] (ok) Field 5: Unknown = [01 00 00 00] (ok) Field 6: Unknown = [02 00 00 80] (ok) Field 7: Unknown = [01 00 00 00] (ok) Field 8: Unknown = [01 00 00 00] (ok) Field 9: Unknown = [02 00 00 00] (ok) Field 10: Unknwon = [00 00 00 00 00 00 00 00] (ok) Field 11: Unknown = [02 00 00 00] (ok) Field 12: Unknown = [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00] (ok) Field 13: First extension block version offset = [14 00] = 20 (ok)