![create lnk file create lnk file](https://www.trustwave.com/images/slblog-03-02-2018-10-57-10/spiderlabs/a0a971a3-6971-40a0-9541-d1730b20b541.png)
This was improved by "encrypting" each byte of the EXE file data using XOR, and "decrypting" it using Powershell. The EXE file is clearly visible when opening the LNK file in a hex-editor. This was fixed by setting the shortcut description (using the HasName flag) to "Type: Text Document\nSize: 5.23 KB\nDate modified: 11:23".Ħ.
![create lnk file create lnk file](https://www.uperesia.com/img/articles/shortcut/booby_trapped_shortcut_artifacts.png)
Hovering over the LNK file displays the location as "cmd". This was fixed by setting the icon location (using the HasIconLocation flag) to "%windir%\system32\notepad.exe".ĥ. The LNK file has an executable file icon. This overflows the text field in the "Properties" dialog and only displays spaces.Ĥ. This was fixed by prefixing the target field with 512 space characters. The Powershell command is visible when viewing the "Properties" of the LNK file. This was fixed by storing the length of the original LNK file (not including the appended EXE data) in the Powershell command.ģ. Finding the offset of the EXE data within the LNK. This was fixed by storing the total size of the LNK file inside the Powershell command, and checking all *.LNK files in the current directory to find one with a matching file-size.Ģ. We could hard-code the file-name, but this is not a reliable fix. When executing the Powershell commands to extract the EXE from the LNK, we don't know the file-name of the LNK file that has been executed. Some issues were encountered with this method:ġ. I have developed a program which creates a LNK from a target EXE file. The LNK file executes some Powershell commands to read the contents of the EXE from the end of the LNK, copies it to a file in the %TEMP% folder, and executes it. This was achieved by creating a LNK file with the EXE file appended to the end. I set myself the challenge to create a LNK file with an EXE file embedded inside, without the need for external downloads. These link files generally execute a script (Powershell, VBScript, etc) which downloads an external payload.
![create lnk file create lnk file](https://thinkdfir.files.wordpress.com/2022/02/image.png)
I have seen various malicious LNK files in the wild.