wariv/DarkLnk

Overview

The purpose of DarkLnk is to abuse the .lnk (Shell Link) format to achieve two goals:

  1. Allow the attacker to emulate any file extension: docx, mov, pdf, mp3, etc.
  2. Retain the .lnk functionality to call PowerShell

 

The general idea is that a malicious DarkLnk .lnk file is delivered to a target, and the file icon, properties, and context all appear to be a valid .lnk to the chosen file type. However, the .lnk still points to PowerShell and executes PowerShell commands.

The Good

  • The icon reflects the extension chosen by the attacker.
  • Hovering over the .lnk also reflects the extension chosen by the attacker.
  • The .lnk properties mostly show the file type properties chosen by the attacker.
  • To an average or even above-average user this appears to be a valid .lnk shortcut.

The Bad

  • The attacker's PowerShell payload is still stored in plain text inside the file.
  • The PowerShell arguments are visible in Properties -> Target.
  • After the .lnk is run, Windows link healing (the shell re-resolves the target and saves the updated link) will "fix" the link, and it will then appear as a normal PowerShell .lnk file.

The Future

  • Add more attacker flexibility (Completed)
  • Add more obfuscation capabilities (Completed)
  • Find out why only PowerShell works and not other binaries like cmd.exe
  • Add additional obfuscation techniques.

 

Change Log

  • v1.0
  • v1.1
    • Fixed an issue where the drive serial field prevented the LNK from executing on computers other than the one on which it was created.
    • Fixed an issue with the relative path fields which would sometimes prevent the .lnk from working in certain directories.

 

Usage

 

Example Workflow

With this tool we can generate a .lnk file that runs PowerShell (pretty standard). However, we can also make the .lnk present itself as a different file type, e.g. pdf, xls, etc. The .lnk maintains this illusion when the user hovers over it, and it persists until the user actually executes the .lnk, at which point Windows repairs the .lnk file data.

Step 1: Create the .lnk file

 

Observations

  • The target of the .lnk appears as whichever file type we chose.

 

  • The arguments for our PowerShell payload are still visible, though.

 

Step 2: Execute the .lnk file

 

Observations

  • The PowerShell executed and we can see that it created a test directory.
  • Windows link healing repaired the .lnk, and it now resembles a PowerShell .lnk.

 

Lnk Format

The Lnk file format is like the wild west. Certain sections may be omitted, and the order of some lists doesn't matter. It's a wild ride if you ever want to try RE'ing the file format. For this implementation we've elected to only use the basic sections:

  • Header (ShellLinkHeader in MS-SHLLNK terms)
  • ShellLinkItemIdList (LinkTargetIDList)
  • ShellLinkInfo (LinkInfo)

A decent amount of the data has been stripped out and replaced with null bytes. Almost everything in these links that is not 0x00 is required for the link to work. Many of these void areas can be modified with the tool's obfuscation techniques.
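To make the layout concrete, here is a small Python builder and parser for the three sections above plus StringData, which is where the Target arguments live. This is an added example written for this page, not DarkLnk's own code: the target path, arguments, icon path, drive serial and the script-host list are constructed sample values, and the ID list carries only the "My Computer" root item rather than a chain Explorer could resolve. The parser illustrates the point made under The Bad: whatever icon the link advertises, the LocalBasePath and Arguments fields are plain text, and that is what a triage check should key on.

```python
"""Added example: minimal MS-SHLLNK builder/parser (not DarkLnk's own code)."""
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
MY_COMPUTER = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d").bytes_le
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]       # StringData order per spec
HEADER_FMT = "<I16sIIQQQIiIHHII"                    # 76-byte ShellLinkHeader
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}         # assumed watch list


def build_lnk(local_path, arguments, icon_location, drive_serial=0):
    """Build a .lnk whose LinkInfo names local_path but whose IconLocation
    points elsewhere. Only a root ItemID is written (hypothetical, not a
    resolvable chain); all paths are constructed sample values."""
    flags = HAS_IDLIST | HAS_LINKINFO | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # times/size zeroed
    root_item = b"\x1f\x50" + MY_COMPUTER              # "My Computer" ItemID
    idlist = struct.pack("<H", len(root_item) + 2) + root_item + b"\x00\x00"
    idlist = struct.pack("<H", len(idlist)) + idlist   # IDListSize prefix
    # LinkInfo = 0x1C header + VolumeID + LocalBasePath + empty CommonPathSuffix
    volume_id = struct.pack("<IIII", 0x11, 3, drive_serial, 0x10) + b"\x00"
    base = local_path.encode("ascii") + b"\x00"
    lbp_off = 0x1C + len(volume_id)
    link_info = struct.pack("<7I", lbp_off + len(base) + 1, 0x1C, 0x01, 0x1C,
                            lbp_off, 0, lbp_off + len(base))
    link_info += volume_id + base + b"\x00"
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (arguments, icon_location))
    return header + idlist + link_info + strings


def _cstr(buf, off):
    return buf[off:buf.index(b"\x00", off)].decode("ascii", "replace")


def parse_lnk(data):
    """Walk the sections in file order and return what a triager cares about."""
    hdr = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr[0] != 0x4C or hdr[1] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    flags = hdr[2]
    info = {"flags": flags, "item_ids": [], "local_base_path": None,
            "drive_serial": None}
    pos = 0x4C
    if flags & HAS_IDLIST:
        (size,) = struct.unpack_from("<H", data, pos)
        p, end = pos + 2, pos + 2 + size
        while p < end:
            (item_size,) = struct.unpack_from("<H", data, p)
            if item_size == 0:                         # TerminalID
                break
            info["item_ids"].append(data[p + 2:p + item_size])
            p += item_size
        pos = end
    if flags & HAS_LINKINFO:
        li_size, _, li_flags, vol_off, lbp_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x01:                            # VolumeIDAndLocalBasePath
            info["drive_serial"] = struct.unpack_from("<I", data, pos + vol_off + 8)[0]
            info["local_base_path"] = _cstr(data, pos + lbp_off)
        pos += li_size
    for bit, name in STRING_FIELDS:
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return info


def is_suspicious(info):
    """True when the resolved target is a script host that carries arguments,
    regardless of the icon: these are the plain-text fields DarkLnk cannot hide."""
    target = (info.get("local_base_path") or "").rsplit("\\", 1)[-1].lower()
    return target in SCRIPT_HOSTS and bool(info.get("arguments"))


if __name__ == "__main__":
    lnk = build_lnk(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    '-w hidden -c "mkdir $env:TEMP\\test"',
                    r"C:\Program Files\Adobe\Acrobat\Acrobat.exe", 0x1234ABCD)
    parsed = parse_lnk(lnk)
    print(parsed["local_base_path"], "|", parsed["arguments"],
          "| suspicious:", is_suspicious(parsed))
```

The parser reads only the fields it needs and skips the rest by the sizes the format itself records (IDListSize, LinkInfoSize, CountCharacters), which is why it tolerates the zeroed-out regions the README describes. The drive serial it surfaces is the VolumeID field the v1.1 change log refers to.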

About

Build sneaky & malicious LNK files.