lnk plugin issue

[naderhabbbab]

Dear Team,

im getting the following issue when execute target-query test.tar -f lnk
it extract 28 from 441 lnk the i get the following error

2022-12-23T14:25:22.066848Z [error ] Unicode link_info_header encountered. Size bigger than 0x00000024. Size encountered:36 [dissect.shellitem.lnk.lnk]
Traceback (most recent call last):
File "/usr/local/bin/target-query", line 8, in
sys.exit(main())
File "/usr/local/lib/python3.10/dist-packages/dissect/target/tools/query.py", line 234, in main
for record_entries in entry:
File "/usr/local/lib/python3.10/dist-packages/dissect/target/plugins/os/windows/lnk.py", line 78, in lnk
lnk_file = Lnk(entry)
File "/usr/local/lib/python3.10/dist-packages/dissect/shellitem/lnk/lnk.py", line 381, in init
self.linkinfo = LnkInfo(self.fh)
File "/usr/local/lib/python3.10/dist-packages/dissect/shellitem/lnk/lnk.py", line 202, in init
raise NotImplementedError("Unicode link_info_header parsing not yet implemented")
NotImplementedError: Unicode link_info_header parsing not yet implemented

[Horofic]

Hey @naderhabbbab Thank you for using Dissect! It looks like you encountered an edge-case we were not able to implement yet.

If possible, would you be willing to share the 'lnk' in question file with us? This way we can implement this edge-case more effectively.

If not, would you be able to provide more information about this specific lnk file? Like, on which version of Windows was this encountered, name of the lnk file, path to the lnk file.

[naderhabbbab]

dear team,
after upgrade to the new dissect.target and run it over the link i get the following error

OS system : Windows Server 2012 R2 Standard (NT 6.3) 9600

Traceback (most recent call last):
File "/usr/local/bin/target-query", line 8, in
sys.exit(main())
File "/usr/local/lib/python3.10/dist-packages/dissect/target/tools/query.py", line 234, in main
for record_entries in entry:
File "/usr/local/lib/python3.10/dist-packages/dissect/target/plugins/os/windows/lnk.py", line 105, in lnk
lnk_file.linkinfo.common_path_suffix.decode(codepage) if lnk_file.flag("has_link_info") else None
File "/usr/lib/python3.10/encodings/cp1252.py", line 15, in decode
return codecs.charmap_decode(input,errors,decoding_table)
UnicodeDecodeError: 'charmap' codec can't decode byte 0x90 in position 0: character maps to

previous error was on OS windows Windows 8.1 Pro (NT 6.3) 9600

2023-01-12T19:29:57.203367Z [error ] Unicode link_info_header encountered. Size bigger than 0x00000024. Size encountered:36 [dissect.shellitem.lnk.lnk]
Traceback (most recent call last):
File "/usr/local/bin/target-query", line 8, in
sys.exit(main())
File "/usr/local/lib/python3.10/dist-packages/dissect/target/tools/query.py", line 234, in main
for record_entries in entry:
File "/usr/local/lib/python3.10/dist-packages/dissect/target/plugins/os/windows/lnk.py", line 78, in lnk
lnk_file = Lnk(entry)
File "/usr/local/lib/python3.10/dist-packages/dissect/shellitem/lnk/lnk.py", line 381, in init
self.linkinfo = LnkInfo(self.fh)
File "/usr/local/lib/python3.10/dist-packages/dissect/shellitem/lnk/lnk.py", line 202, in init
raise NotImplementedError("Unicode link_info_header parsing not yet implemented")
NotImplementedError: Unicode link_info_header parsing not yet implemented

[Horofic]

Hey @naderhabbbab thank you for reporting a new issue and OS information. I will talk about the second error first. Is it possible for you to provide us information about the LNK file that I mentioned above? To reiterate, this was name of the LNK file, path to the LNK file, and possibly the LNK file itself.

Then about the first error. Is this a fresh install of Windows Server 2012 R2 Standard (NT 6.3) 9600 machine? Either way, I will start looking into the first error!

[naderhabbbab]

Hi @Horofic
for the first machine i will give a sample of .lnk file that corrupted during the execution of the command as well i have attach a copy of output of the other files that i have facing same issue the lnk extention changed from .lnk to .zip for uploading
42.zip
sue
20230116142339_LECmd_Output.csv

the other issur regarding the server i will try to test on which file it fail and try to report it as the server is not fresh installation

[Horofic]

Hey @naderhabbbab thank you for providing the LNK file! I will start looking into the UnicodeDecodeError issue.

[Horofic]

Seems like the UnicodeDecodeError issue is resolved in the PR mentioned above! The NotImplementedError you mentioned still has to be resolved. Keeping this issue opened until then.

[naderhabbbab]

Hi , Thank you if you refer to the CSV file provided it was using different tool to extract the output as I can’t provided if the provided link it not produce I will try to find other link as I will double check with the current dev release

On Thu, 19 Jan 2023 at 18:19 Stefan de Reuver ***@***.***> wrote: Seems like the UnicodeDecodeError issue is resolved in the PR mentioned above! The NotImplementedError you mentioned still has to be resolved. Keeping this issue opened until then. — Reply to this email directly, view it on GitHub <#15>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAJ5ANZX3DVJHCID2XKMLIDWTFLONANCNFSM6AAAAAATHZG7Q4> . You are receiving this because you were mentioned.Message ID: ***@***.***>

-- Mobile

[Horofic]

@naderhabbbab Are you still able to provide the other link file you mentioned?

[Horofic]

Moved this issue to dissect.shellitem. @naderhabbbab Do you perhaps have any updates on the link file?

[Horofic]

Will be closing this issue for now. The way the Unicode link_info_header error is handled has been changed. This way the plugin still runs, logs the encountered header, and tries to parse the rest of the lnk file.

@naderhabbbab if you encounter new issues or find a lnk file which produced this error, feel free to open a new issue!