LNK: Various findings #43

Open
ldy985 opened this issue Oct 30, 2018 · 1 comment

ldy985 commented Oct 30, 2018

I have found a few LNK files with unknown shellbags and a few that crash. These LNKs come from random places on the internet, so they might be corrupt, etc. 0x64 doesn't seem to be documented anywhere, but maybe you have ideas about what it might contain :)

Crashes the parser:
Axure RP 8.lnk
Google Chrome.lnk
IBM Security AppScan Standard.lnk
OpenIV.lnk
WinISO.lnk

Unknown shellbag 0x64:
BRITANIA*.lnk
CADENCE*.lnk

various.zip


AndrewRathbun commented Oct 21, 2024

LECmd version 1.5.0.0

Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/LECmd

Command line: -d M:\Downloads\various --csv M:\Downloads\various

Looking for lnk files in M:\Downloads\various

Found 13 files

Processing M:\Downloads\various\Axure RP 8.lnk

Error opening M:\Downloads\various\Axure RP 8.lnk. Message: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.
System.ArgumentException: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.
   at System.Buffer.BlockCopy(Array src, Int32 srcOffset, Array dst, Int32 dstOffset, Int32 count)
   at Lnk.LnkFile..ctor(Byte[] rawBytes, String sourceFile, Int32 codepage)
   at Lnk.Lnk.LoadFile(String lnkFile, Int32 codepage)
   at LECmd.Program.ProcessFile(String lnkFile, Boolean quiet, Boolean removableOnly, String datetimeFormat, Boolean nid, Boolean neb, Int32 codepage)

Processing M:\Downloads\various\BRITANIA066701057.lnk

Error opening M:\Downloads\various\BRITANIA066701057.lnk. Message: Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.
System.Exception: Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.
   at Lnk.LnkFile..ctor(Byte[] rawBytes, String sourceFile, Int32 codepage)
   at Lnk.Lnk.LoadFile(String lnkFile, Int32 codepage)
   at LECmd.Program.ProcessFile(String lnkFile, Boolean quiet, Boolean removableOnly, String datetimeFormat, Boolean nid, Boolean neb, Int32 codepage)

Processing M:\Downloads\various\BRITANIA066701070.lnk

Error opening M:\Downloads\various\BRITANIA066701070.lnk. Message: Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.
System.Exception: Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.
   at Lnk.LnkFile..ctor(Byte[] rawBytes, String sourceFile, Int32 codepage)
   at Lnk.Lnk.LoadFile(String lnkFile, Int32 codepage)
   at LECmd.Program.ProcessFile(String lnkFile, Boolean quiet, Boolean removableOnly, String datetimeFormat, Boolean nid, Boolean neb, Int32 codepage)

Processing M:\Downloads\various\BRITANIA066702070.lnk

Error opening M:\Downloads\various\BRITANIA066702070.lnk. Message: Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.
System.Exception: Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.
   at Lnk.LnkFile..ctor(Byte[] rawBytes, String sourceFile, Int32 codepage)
   at Lnk.Lnk.LoadFile(String lnkFile, Int32 codepage)
   at LECmd.Program.ProcessFile(String lnkFile, Boolean quiet, Boolean removableOnly, String datetimeFormat, Boolean nid, Boolean neb, Int32 codepage)

Processing M:\Downloads\various\BRITANIA066702074.lnk

Error opening M:\Downloads\various\BRITANIA066702074.lnk. Message: Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.
System.Exception: Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.
   at Lnk.LnkFile..ctor(Byte[] rawBytes, String sourceFile, Int32 codepage)
   at Lnk.Lnk.LoadFile(String lnkFile, Int32 codepage)
   at LECmd.Program.ProcessFile(String lnkFile, Boolean quiet, Boolean removableOnly, String datetimeFormat, Boolean nid, Boolean neb, Int32 codepage)

Processing M:\Downloads\various\CADENCECAF142-110V.lnk

Error opening M:\Downloads\various\CADENCECAF142-110V.lnk. Message: Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.
System.Exception: Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.
   at Lnk.LnkFile..ctor(Byte[] rawBytes, String sourceFile, Int32 codepage)
   at Lnk.Lnk.LoadFile(String lnkFile, Int32 codepage)
   at LECmd.Program.ProcessFile(String lnkFile, Boolean quiet, Boolean removableOnly, String datetimeFormat, Boolean nid, Boolean neb, Int32 codepage)

Processing M:\Downloads\various\CADENCEMPR511-220V.lnk

Error opening M:\Downloads\various\CADENCEMPR511-220V.lnk. Message: Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.
System.Exception: Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.
   at Lnk.LnkFile..ctor(Byte[] rawBytes, String sourceFile, Int32 codepage)
   at Lnk.Lnk.LoadFile(String lnkFile, Int32 codepage)
   at LECmd.Program.ProcessFile(String lnkFile, Boolean quiet, Boolean removableOnly, String datetimeFormat, Boolean nid, Boolean neb, Int32 codepage)

Processing M:\Downloads\various\CADENCESAN250-110V.lnk

Error opening M:\Downloads\various\CADENCESAN250-110V.lnk. Message: Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.
System.Exception: Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.
   at Lnk.LnkFile..ctor(Byte[] rawBytes, String sourceFile, Int32 codepage)
   at Lnk.Lnk.LoadFile(String lnkFile, Int32 codepage)
   at LECmd.Program.ProcessFile(String lnkFile, Boolean quiet, Boolean removableOnly, String datetimeFormat, Boolean nid, Boolean neb, Int32 codepage)

Processing M:\Downloads\various\CADENCEVAP902-110V.lnk

Error opening M:\Downloads\various\CADENCEVAP902-110V.lnk. Message: Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.
System.Exception: Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.
   at Lnk.LnkFile..ctor(Byte[] rawBytes, String sourceFile, Int32 codepage)
   at Lnk.Lnk.LoadFile(String lnkFile, Int32 codepage)
   at LECmd.Program.ProcessFile(String lnkFile, Boolean quiet, Boolean removableOnly, String datetimeFormat, Boolean nid, Boolean neb, Int32 codepage)

Processing M:\Downloads\various\Google Chrome.lnk

Error opening M:\Downloads\various\Google Chrome.lnk. Message: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.
System.ArgumentException: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.
   at System.Buffer.BlockCopy(Array src, Int32 srcOffset, Array dst, Int32 dstOffset, Int32 count)
   at Lnk.LnkFile..ctor(Byte[] rawBytes, String sourceFile, Int32 codepage)
   at Lnk.Lnk.LoadFile(String lnkFile, Int32 codepage)
   at LECmd.Program.ProcessFile(String lnkFile, Boolean quiet, Boolean removableOnly, String datetimeFormat, Boolean nid, Boolean neb, Int32 codepage)

Processing M:\Downloads\various\IBM Security AppScan Standard.lnk

Error opening M:\Downloads\various\IBM Security AppScan Standard.lnk. Message: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.
System.ArgumentException: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.
   at System.Buffer.BlockCopy(Array src, Int32 srcOffset, Array dst, Int32 dstOffset, Int32 count)
   at Lnk.LnkFile..ctor(Byte[] rawBytes, String sourceFile, Int32 codepage)
   at Lnk.Lnk.LoadFile(String lnkFile, Int32 codepage)
   at LECmd.Program.ProcessFile(String lnkFile, Boolean quiet, Boolean removableOnly, String datetimeFormat, Boolean nid, Boolean neb, Int32 codepage)

Processing M:\Downloads\various\OpenIV.lnk

Error opening M:\Downloads\various\OpenIV.lnk. Message: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.
System.ArgumentException: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.
   at System.Buffer.BlockCopy(Array src, Int32 srcOffset, Array dst, Int32 dstOffset, Int32 count)
   at Lnk.LnkFile..ctor(Byte[] rawBytes, String sourceFile, Int32 codepage)
   at Lnk.Lnk.LoadFile(String lnkFile, Int32 codepage)
   at LECmd.Program.ProcessFile(String lnkFile, Boolean quiet, Boolean removableOnly, String datetimeFormat, Boolean nid, Boolean neb, Int32 codepage)

Processing M:\Downloads\various\WinISO.lnk

Error opening M:\Downloads\various\WinISO.lnk. Message: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.
System.ArgumentException: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.
   at System.Buffer.BlockCopy(Array src, Int32 srcOffset, Array dst, Int32 dstOffset, Int32 count)
   at Lnk.LnkFile..ctor(Byte[] rawBytes, String sourceFile, Int32 codepage)
   at Lnk.Lnk.LoadFile(String lnkFile, Int32 codepage)
   at LECmd.Program.ProcessFile(String lnkFile, Boolean quiet, Boolean removableOnly, String datetimeFormat, Boolean nid, Boolean neb, Int32 codepage)

Processed 0 out of 13 files in 0.3156 seconds

Failed files
  M:\Downloads\various\Axure RP 8.lnk ==> (Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.)
  M:\Downloads\various\BRITANIA066701057.lnk ==> (Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.)
  M:\Downloads\various\BRITANIA066701070.lnk ==> (Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.)
  M:\Downloads\various\BRITANIA066702070.lnk ==> (Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.)
  M:\Downloads\various\BRITANIA066702074.lnk ==> (Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.)
  M:\Downloads\various\CADENCECAF142-110V.lnk ==> (Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.)
  M:\Downloads\various\CADENCEMPR511-220V.lnk ==> (Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.)
  M:\Downloads\various\CADENCESAN250-110V.lnk ==> (Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.)
  M:\Downloads\various\CADENCEVAP902-110V.lnk ==> (Unknown shell item ID: 0x64. Please send to [email protected] so support can be added.)
  M:\Downloads\various\Google Chrome.lnk ==> (Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.)
  M:\Downloads\various\IBM Security AppScan Standard.lnk ==> (Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.)
  M:\Downloads\various\OpenIV.lnk ==> (Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.)
  M:\Downloads\various\WinISO.lnk ==> (Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.)

https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SHLLINK/%5bMS-SHLLINK%5d.pdf shows this as potentially where the error is hitting?

image
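For triaging files like the ones in this thread, a bounds-checked walk of the LinkTargetIDList reports size fields that point past the buffer and lists each item's type byte instead of throwing. This is an added example, not LECmd's code and not a statement of where LECmd fails; the header and IDList layout follow MS-SHLLINK, while reading the first data byte of each ItemID as its type is an assumption taken from community shell-item documentation (MS-SHLLINK treats that data as opaque), and the sample bytes are constructed.

```python
import struct

HEADER_SIZE = 0x4C             # ShellLinkHeader is always 76 bytes (MS-SHLLINK)
HAS_LINK_TARGET_IDLIST = 0x01  # LinkFlags bit 0

def walk_idlist(raw):
    """Return (items, problems); each item is (offset, size, type_byte)."""
    items, problems = [], []
    if len(raw) < HEADER_SIZE or struct.unpack_from("<I", raw, 0)[0] != HEADER_SIZE:
        return items, ["bad or truncated ShellLinkHeader"]
    flags = struct.unpack_from("<I", raw, 0x14)[0]
    if not flags & HAS_LINK_TARGET_IDLIST:
        return items, problems
    if len(raw) < HEADER_SIZE + 2:
        return items, ["file ends before IDListSize"]
    idlist_size = struct.unpack_from("<H", raw, HEADER_SIZE)[0]
    pos = HEADER_SIZE + 2
    end = pos + idlist_size
    if end > len(raw):
        problems.append(f"IDListSize {idlist_size} runs past end of file")
        end = len(raw)         # keep walking what is actually present
    while pos + 2 <= end:
        size = struct.unpack_from("<H", raw, pos)[0]
        if size == 0:          # TerminalID closes the list
            return items, problems
        # ItemIDSize counts its own two bytes; below 3 there is no type byte
        if size < 3 or pos + size > end:
            problems.append(f"ItemID at {pos:#x}: size {size} out of bounds")
            return items, problems
        items.append((pos, size, raw[pos + 2]))  # assumed type-byte position
        pos += size
    problems.append("IDList has no TerminalID")
    return items, problems

def make_item(type_byte, payload):
    """Build one ItemID for the constructed sample below."""
    return struct.pack("<H", 3 + len(payload)) + bytes([type_byte]) + payload

# Constructed sample (not one of the files attached to the issue):
# a zeroed header with only HasLinkTargetIDList set, then items 0x1F and 0x64.
HEADER = struct.pack("<I16sI", HEADER_SIZE, b"\0" * 16,
                     HAS_LINK_TARGET_IDLIST).ljust(HEADER_SIZE, b"\0")
IDLIST = make_item(0x1F, b"\0" * 17) + make_item(0x64, b"\0" * 5) + b"\0\0"
SAMPLE = HEADER + struct.pack("<H", len(IDLIST)) + IDLIST

if __name__ == "__main__":
    for name, data in (("intact", SAMPLE), ("truncated", SAMPLE[:-6])):
        items, problems = walk_idlist(data)
        print(name, [hex(t) for _, _, t in items], problems)
```
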
