A fast, cross-platform LNK parser written in Rust that lets you query the parsed records with JMESPath queries. Output is JSONL.
RusyLnk 0.1.0
Matthew Seyer <https://github.com/forensicmatt/RustyLnk>
LNK Parser written in Rust.
USAGE:
    RustyLnk.exe [FLAGS] [OPTIONS]

FLAGS:
    -b, --bool_expr    JMES Query as bool only. (Prints whole record if true.)
    -h, --help         Prints help information
    -V, --version      Prints version information

OPTIONS:
    -q, --query <QUERY>    JMES Query
    -s, --source <PATH>    The LNK file or folder with LNK files to parse.

Example Output
{
  "header": {
    "header_size": 76,
    "guid": "00021401-0000-0000-C000-000000000046",
    "data_flags": "HAS_TARGET_ID_LIST | HAS_LINK_INFO | HAS_RELATIVE_PATH | HAS_WORKING_DIR | IS_UNICODE",
    "file_flags": "FILE_ATTRIBUTE_ARCHIVE",
    "created": "2012-03-08 22:11:26.372",
    "accessed": "2012-03-16 20:03:34.936",
    "modified": "2012-03-08 22:11:26.841",
    "file_size": 68346,
    "icon_offset": 0,
    "window_flag": 1,
    "hot_key": 0
  },
  "target_list": {
    "list_size": 310,
    "shell_items": [{
        "data": {
          "class_type": "0x1F",
          "unknown": 72,
          "content": "BA8F0D4525ADD01198A80800361B1103"
        }
      },
      {
        "data": {
          "class_type": "0x31",
          "unknown": 0,
          "content": {
            "sub_flags": "DIRECTORY",
            "file_size": 0,
            "last_modification": "2012-03-12 21:2
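
The `header` object in the example output corresponds to the fixed 76-byte ShellLinkHeader at the start of every LNK file. The following added example (not RustyLnk's own code) decodes that header with the standard library only, using the field offsets from Microsoft's MS-SHLLINK specification; the struct and function names and the sample bytes are constructed for illustration.

```rust
// Added example, not RustyLnk's code: parse the fixed 76-byte ShellLinkHeader
// using the MS-SHLLINK layout. Struct and function names are illustrative.
use std::convert::TryInto;

#[derive(Debug)]
pub struct LnkHeader {
    pub data_flags: u32,   // LinkFlags bitmask
    pub file_flags: u32,   // FileAttributes bitmask
    pub created_unix: i64, // seconds since 1970-01-01 UTC
    pub file_size: u32,
}
// CLSID 00021401-0000-0000-C000-000000000046 as stored on disk (mixed-endian GUID).
const LNK_CLSID: [u8; 16] = [0x01, 0x14, 0x02, 0, 0, 0, 0, 0, 0xC0, 0, 0, 0, 0, 0, 0, 0x46];

fn u32_at(b: &[u8], off: usize) -> u32 {
    u32::from_le_bytes(b[off..off + 4].try_into().unwrap())
}
// FILETIME counts 100 ns ticks since 1601-01-01 UTC.
pub fn filetime_to_unix(ft: u64) -> i64 {
    (ft / 10_000_000) as i64 - 11_644_473_600
}

pub fn parse_header(b: &[u8]) -> Result<LnkHeader, &'static str> {
    // Reject short or mislabeled input before reading any field.
    if b.len() < 76 { return Err("truncated header"); }
    if u32_at(b, 0) != 76 { return Err("bad header_size"); }
    if &b[4..20] != &LNK_CLSID[..] { return Err("bad link CLSID"); }
    Ok(LnkHeader {
        data_flags: u32_at(b, 20),
        file_flags: u32_at(b, 24),
        created_unix: filetime_to_unix(u64::from_le_bytes(b[28..36].try_into().unwrap())),
        file_size: u32_at(b, 52),
    })
}
// Constructed sample header carrying values from the example output above.
pub fn sample_header() -> Vec<u8> {
    let mut h = vec![0u8; 76];
    h[0..4].copy_from_slice(&76u32.to_le_bytes());
    h[4..20].copy_from_slice(&LNK_CLSID);
    h[20..24].copy_from_slice(&0x9Bu32.to_le_bytes()); // the five data_flags shown
    h[24..28].copy_from_slice(&0x20u32.to_le_bytes()); // FILE_ATTRIBUTE_ARCHIVE
    // 2012-03-08 22:11:26.372 as FILETIME, assuming the timestamp is UTC
    h[28..36].copy_from_slice(&129_757_182_863_720_000u64.to_le_bytes());
    h[52..56].copy_from_slice(&68346u32.to_le_bytes());
    h
}

fn main() {
    println!("{:?}", parse_header(&sample_header()));
}
```

Checking the header size and CLSID before reading any field keeps the parser from treating arbitrary or truncated files as shortcuts.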