Add to collection(s) Add to saved
  1. Social Science
  2. Political Science
  3. Media

9.1.Link_Files

advertisement 
Link Files
.lnk
Jesse Hager
“The Windows Shortcut File Format”
http://code.google.com/p/8bits/downloads/detail?name=The_Windo
ws_Shortcut_File_Format.pdf&can=2&q=
Shortcut Files
•
•
•
•
•
File extension .lnk
Created whenever an off board file is opened
Contain MAC times (UTC)
Path name
Volume type and S/N
Link File Creation
• Activation of a file from Windows Explorer
• When a file is opened from some applications
• Particularly Microsoft Office files
Clear “Recent Items” WinXP
• Properties of the Start Menu
• Select “Clear List”
.lnk Files
• They appear as “My Recent Documents”
• Form the basis of Jump Lists
• Win XP
• C:\Documents and Settings\User Name\Recent
• Vista & Win7
• \Users\user name\AppData\Roaming\Microsoft\Windows\Recent
• \Users\user name\AppData\Roaming\Microsoft\Office\Recent
• \Users\user name\Links\
Clear “Recent Items” Win 7
To clear “Recent Item List”
Right click on Recent
Items and select clear
Registry Data Shows Settings
WinXP
Start_ShowRecentDocs=0 Do not list Recent Documents
Start_ShowRecentDocs=2 List Recent Documents
Registry Data Shows Settings
Win7
Start_ShowRecentDocs=0 & Start_Tracks=0 Do not list Recent Documents
Start_ShowRecentDocs=2 & Start_Tracks=0 List Recent Documents
Basic File Structure
• File header
• Shell item ID list
Item 1
Item 2
etc.
• File location info
local path
Network path
•
•
•
•
•
•
Description string
Relative path string
Working directory string
Command line string
Icon filename string
Extra stuff
.lnk Header Structure
Offset
Size
Type
Description
0
4 bytes
1 dword
Magic Number 0x0000004C = ‘L’
4
16 bytes
byte
GUID for shortcut files
0x14
4 bytes
1 dword
Flags
0x18
4 bytes
1 dword
File Attributes
0x1C
8 bytes
1 qword
Create time
0x24
8 bytes
1 qword
Last write time
0x2C
8 bytes
1 qword
Last access time
0x34
4 bytes
1 dword
File length
0x38
4 bytes
1 dword
Icon number
0x3C
4 bytes
1 dword
Show Window value
0x40
4 bytes
1 dword
Associated Hot Key
0x44
8 bytes
2 dword
Unknown, always zero
The Flags
Bit
Meaning when 1
Meaning when 0
0
Shell item id list is present
Shell item id list is absent
1
Points to a file or directory
Points to something else
2
Has a descriptive string
No descriptive string
3
Has a relative path
No relative path
4
Has a working directory
No working directory
5
Has command line arguments
No command line arguments
6
Has a custom icon
Has default icon
Shell Item ID List
• Present only if bit 0 is set in flags
• How to get from the desktop to the contents
of the link file
File Location Info
Offset
Size
Contents
0x0
4 bytes
Total length of this structure
0x4
“
Point to the first offset after this structure. 0x1C
0x8
“
Flags
0xC
“
Offset of local volume info
0x10
“
Offset of base pathname on local system
0x14
“
Offset of network volume info
0x18
“
Offset of remaining pathname
lslnk.exe
.lnk File’s
Properties
Cierra’s pics 2.nws.lnk
Magic Number
File Length
0x43A00 =
276992
Lslnk.exe for Win7
Win7 LNK file Properties
More Information in Win7
Related documents
Chapter No. 08
Chapter No. 08
- Communispond
- Communispond
257_101_ch12
257_101_ch12
Development Environment C Toolchain
Development Environment C Toolchain
Database Storage Requirements
Database Storage Requirements
Instructor Notes on Window Analysis - Mabbott
Instructor Notes on Window Analysis - Mabbott
Fragmentation and IP Forwarding
Fragmentation and IP Forwarding
File Analysis Chapter 5 – Harlan Carvey
File Analysis Chapter 5 – Harlan Carvey
Pictures
Pictures
shift-based pattern matching for compressed traffic
shift-based pattern matching for compressed traffic
PPT - Bro
PPT - Bro
Notes
Notes
Download
advertisement