我们最近感染了thumbs.db2病毒,该病毒在我们的网络驱动器上为所有Word和Excel文档创建了快捷方式,并隐藏了真实文件。我已经编写了代码来遍历所有文件夹、找到这些快捷方式并将其删除,但我还需要取消隐藏被隐藏的文件,这一点我一直没能实现。
我的代码在下面,写得很快所以请善待:)
/// <summary>
/// Lazily walks the directory tree under <paramref name="root"/> and yields the path of
/// every file whose name matches <paramref name="searchPattern"/>.
/// </summary>
/// <param name="root">Folder where the walk starts.</param>
/// <param name="searchPattern">Pattern handed to Directory.GetFiles, for example "*.lnk".</param>
/// <returns>Matching file paths; folders come off a stack, so the order is not sorted.</returns>
/// <remarks>
/// Every exception raised while listing a folder is swallowed and that folder simply
/// contributes nothing. A scan can therefore be incomplete without any indication, which
/// matters when the result is used to decide that a share is clean.
/// </remarks>
public static IEnumerable<string> GetFiles(string root, string searchPattern)
{
    Stack<string> toVisit = new Stack<string>();
    toVisit.Push(root);

    while (toVisit.Count > 0)
    {
        string current = toVisit.Pop();

        // The listing is materialised first because C# does not allow "yield return"
        // inside a try block that has a catch clause.
        string[] matches = null;
        try
        {
            matches = Directory.GetFiles(current, searchPattern);
        }
        catch
        {
            // Best effort: a folder that cannot be listed is skipped.
        }

        if (matches != null)
        {
            for (int i = 0; i < matches.Length; i++)
            {
                yield return matches[i];
            }
        }

        try
        {
            string[] children = Directory.GetDirectories(current);
            for (int i = 0; i < children.Length; i++)
            {
                toVisit.Push(children[i]);
            }
        }
        catch
        {
            // Best effort: subfolders of an unreadable folder are not visited.
        }
    }
}
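/// <summary>
/// Inventories every .lnk file under S:\ and flags the ones that match the thumbs.db2
/// pattern (arguments contain "thumbs.db2 start", target contains "cmd.exe").
/// </summary>
/// <remarks>
/// One LinkFileLocation row is stored per shortcut (file owner and creation time for all of
/// them, shortcut details only for matches) and the matching paths are written to
/// c:\test.txt. Nothing is deleted or unhidden here.
/// </remarks>
static void Main()
{
    System.Text.StringBuilder report = new System.Text.StringBuilder();
    string startFolder = @"S:\";

    // The listing is discarded; the call only makes the run stop early when the
    // start folder cannot be listed at all.
    new System.IO.DirectoryInfo(startFolder).GetDirectories("*.*");

    // GetFiles skips folders it cannot read, so the inventory can be incomplete.
    IEnumerable<String> fileList = GetFiles(startFolder, "*.lnk");
    int infectedCount = 0;
    DtataDataContext D = new DtataDataContext();

    // One shell object is enough for the whole scan.
    WshShell shell = new WshShell();

    foreach (string fi in fileList)
    {
        LinkFileLocation L = new LinkFileLocation();
        WshShortcut shortcut = (WshShortcut)shell.CreateShortcut(fi);
        FileInfo F = new FileInfo(fi);

        // The owner of the .lnk is stored with each row. Reading the ACL can fail on
        // files this account may not inspect, so the lookup is guarded as a whole and
        // one protected file no longer stops the scan.
        try
        {
            var sid = F.GetAccessControl().GetOwner(typeof(SecurityIdentifier));
            Console.WriteLine(sid); // SID
            var ntAccount = sid.Translate(typeof(NTAccount));
            Console.WriteLine(ntAccount); // DOMAIN\username
            L.UserCreated = ntAccount.Value;
        }
        catch (Exception)
        {
            L.UserCreated = "Not Known";
        }

        L.CreationTime = F.CreationTime;

        // Windows paths and command lines are not case sensitive, so the indicator
        // strings are compared without regard to case.
        bool infected =
            shortcut.Arguments.IndexOf("thumbs.db2 start", StringComparison.OrdinalIgnoreCase) >= 0 &&
            shortcut.TargetPath.IndexOf("cmd.exe", StringComparison.OrdinalIgnoreCase) >= 0;

        if (infected)
        {
            L.Arguments = shortcut.Arguments;
            L.Description = shortcut.Description;
            L.FullName = shortcut.FullName;
            L.HotKey = shortcut.Hotkey;
            L.IconLocation = shortcut.IconLocation;
            Console.Write("Infected Shortcut --" + infectedCount.ToString() + "-- :-" + shortcut.FullName.ToString() + Environment.NewLine);
            report.Append("Infected Shortcut :-" + shortcut.FullName.ToString() + Environment.NewLine);
            infectedCount++;
        }

        D.LinkFileLocations.InsertOnSubmit(L);
        D.SubmitChanges();
    }

    // "using" closes the report file even when a write fails.
    using (System.IO.StreamWriter file = new System.IO.StreamWriter("c:\\test.txt"))
    {
        file.WriteLine(report.ToString());
    }

    Console.WriteLine("Press any key to exit");
    Console.ReadKey();
}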
如何在C#中取消隐藏文件?任何帮助都将不胜感激。
最基本的问候 属
答案 0 :(得分:2)
正如您在MSDN中看到的,从文件中删除隐藏属性很容易:
// Clears only the Hidden bit; every other attribute of the file stays as it was.
// 'fi' is the path of the file to unhide. GetAttributes and SetAttributes throw when
// the file is missing or access is denied, so callers scanning a whole tree should
// handle that per file.
// NOTE(review): in a file that also imports IWshRuntimeLibrary the bare name File is
// likely ambiguous; the full program further down the page writes System.IO.File.
FileAttributes attributes = File.GetAttributes(fi);
bool isHidden = (attributes & FileAttributes.Hidden) != 0;
if (isHidden)
{
    File.SetAttributes(fi, attributes & ~FileAttributes.Hidden);
}
但是,如果您无权访问或存在任何其他问题,请在您的问题中解释。
答案 1 :(得分:1)
一个问题:
rem Deletes the double-extension shortcuts in the current folder and, with /S, in every subfolder.
rem The match is on the file name only; the shortcut's target and arguments are not inspected.
del /S *.xls.lnk
del /S *.doc.lnk
does the trick too. Also
rem Clears the Hidden attribute on matching files in the current folder and, with /S, in every subfolder.
rem NOTE(review): attrib leaves a file unchanged when it also carries the System attribute; -S must then
rem be given together with -H. The page does not say whether this malware sets System - confirm on a sample file.
attrib -H /S *.doc
attrib -H /S *.xls
此恶意软件还会修改现有快捷方式,以包含对thumbs.db2的调用。此方法还需要从备份中恢复以前存在的.LNK文件!
或者(正如我计划的那样),采用上面的代码,并增加对先前已存在的LNK文件的检查——依据创建日期/时间,和/或同一目录中是否缺少与该LNK名称匹配的隐藏文件。
此外,对于遇到此问题、仍在等待杀毒软件厂商给出解决办法的人:用一个虚拟文件替换thumbs.db2并锁定其NTFS权限,似乎可以阻止恶意软件执行,而且不会像有人提到的那样使恶意软件改用其他文件名。
答案 2 :(得分:1)
' NOTE: FileAttributes.Normal replaces the file's whole attribute set, so ReadOnly, System
' and Archive are cleared together with Hidden.
System.IO.File.SetAttributes(<Filename>, IO.FileAttributes.Normal)
应该这样做,我想
答案 3 :(得分:0)
对于有同样问题的人来说,这是我们用来删除链接并取消隐藏文件的代码
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using IWshRuntimeLibrary;
using System.IO;
using System.Security.Principal;
namespace HiddenFilesHow
{
using Microsoft.Win32.SafeHandles;
class FindFileByExtension
{
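/// <summary>
/// Lazily walks the directory tree under <paramref name="root"/> and yields the full path
/// of every file whose name matches <paramref name="searchPattern"/>.
/// </summary>
/// <param name="root">Folder where the walk starts.</param>
/// <param name="searchPattern">Pattern handed to Directory.GetFiles, for example "*.lnk".</param>
/// <returns>Matching file paths; folders come off a stack, so the order is not sorted.</returns>
/// <remarks>
/// The walk is best effort: a folder that cannot be listed is skipped. Each skipped folder
/// is reported on the error stream, so the operator can tell that the scan did not cover
/// the whole tree and that shortcuts may remain there.
/// </remarks>
public static IEnumerable<string> GetFiles(string root, string searchPattern)
{
    Stack<string> pending = new Stack<string>();
    pending.Push(root);

    while (pending.Count != 0)
    {
        string path = pending.Pop();

        // The listing is materialised first because C# does not allow "yield return"
        // inside a try block that has a catch clause.
        string[] files = null;
        try
        {
            files = Directory.GetFiles(path, searchPattern);
        }
        catch (Exception ex)
        {
            Console.Error.WriteLine("Skipped files in {0}: {1}", path, ex.Message);
        }

        if (files != null)
        {
            foreach (string file in files)
            {
                yield return file;
            }
        }

        try
        {
            foreach (string subdir in Directory.GetDirectories(path))
            {
                pending.Push(subdir);
            }
        }
        catch (Exception ex)
        {
            Console.Error.WriteLine("Skipped subfolders of {0}: {1}", path, ex.Message);
        }
    }
}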
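/// <summary>
/// Asks for a folder, scans it recursively for .lnk files and, for every shortcut that
/// matches the thumbs.db2 pattern (arguments contain "thumbs.db2 start", target contains
/// "cmd.exe"), unhides the file the shortcut stands in for and then deletes the shortcut.
/// </summary>
/// <remarks>
/// A matching shortcut is deleted only when a hidden file with the same name minus ".lnk"
/// sits next to it. Matching shortcuts without such a file are listed and left in place:
/// they may be shortcuts that existed before and were modified, and those have to be
/// restored from backup. All matching shortcuts are written to c:\test.txt.
/// </remarks>
static void Main()
{
    try
    {
        System.Text.StringBuilder report = new System.Text.StringBuilder();
        Console.WriteLine("Please enter folder location:- ");
        string startFolder = Console.ReadLine();
        Console.WriteLine("Begining Scan ");

        // The listing is discarded; the call only makes the run stop early when the
        // folder that was typed in cannot be listed.
        new System.IO.DirectoryInfo(startFolder).GetDirectories("*.*");

        // One shell object is enough for the whole scan.
        WshShell shell = new WshShell();
        int infectedCount = 0;
        int cleanedCount = 0;

        foreach (string fi in GetFiles(startFolder, "*.lnk"))
        {
            // A single unreadable shortcut must not abort the cleanup of the rest.
            WshShortcut shortcut;
            try
            {
                shortcut = (WshShortcut)shell.CreateShortcut(fi);
            }
            catch (Exception ex)
            {
                Console.WriteLine("Could not read shortcut {0}: {1}", fi, ex.Message);
                continue;
            }

            // The owner is printed for information only; a failed ACL read is ignored.
            try
            {
                var sid = new FileInfo(fi).GetAccessControl().GetOwner(typeof(SecurityIdentifier));
                Console.WriteLine(sid.Translate(typeof(NTAccount))); // DOMAIN\username
            }
            catch (Exception)
            {
            }

            // Windows paths and command lines are not case sensitive, so the indicator
            // strings are compared without regard to case.
            bool infected =
                shortcut.Arguments.IndexOf("thumbs.db2 start", StringComparison.OrdinalIgnoreCase) >= 0 &&
                shortcut.TargetPath.IndexOf("cmd.exe", StringComparison.OrdinalIgnoreCase) >= 0;
            if (!infected)
            {
                continue;
            }

            infectedCount++;
            report.Append("Infected Shortcut :-" + shortcut.FullName.ToString() + Environment.NewLine);

            if (!fi.EndsWith(".lnk", StringComparison.OrdinalIgnoreCase))
            {
                Console.WriteLine("The {0} file not deleted --------.", fi);
                continue;
            }

            // Strip only the trailing extension. Replace(".lnk", "") would also rewrite a
            // ".lnk" that appears in a folder name and would miss an upper-case ".LNK".
            string original = fi.Substring(0, fi.Length - ".lnk".Length);

            try
            {
                if (!System.IO.File.Exists(original))
                {
                    Console.WriteLine("The {0} file not deleted --------.", fi);
                    report.Append("Left in place (no file beside it) :-" + fi + Environment.NewLine);
                    continue;
                }

                FileAttributes attributes = System.IO.File.GetAttributes(original);
                if ((attributes & FileAttributes.Hidden) != FileAttributes.Hidden)
                {
                    Console.WriteLine("The {0} file not deleted --------.", fi);
                    report.Append("Left in place (file beside it is not hidden) :-" + fi + Environment.NewLine);
                    continue;
                }

                // Unhide first and delete second, so a failure never leaves the user
                // with neither a visible document nor a shortcut pointing at it.
                System.IO.File.SetAttributes(original, RemoveAttribute(attributes, FileAttributes.Hidden));
                Console.WriteLine("The {0} file is no longer hidden.", original);
                System.IO.File.Delete(fi);
                Console.WriteLine("The {0} file is no longer exists.", fi);
                cleanedCount++;
            }
            catch (Exception ex)
            {
                // Reported instead of swallowed: this shortcut is still on disk.
                Console.WriteLine("Could not clean up {0}: {1}", fi, ex.Message);
                report.Append("Left in place (error) :-" + fi + Environment.NewLine);
            }
        }

        Console.WriteLine("Infected shortcuts found: {0}, removed: {1}", infectedCount, cleanedCount);

        // "using" closes the report file even when a write fails.
        using (System.IO.StreamWriter file = new System.IO.StreamWriter("c:\\test.txt"))
        {
            file.WriteLine(report.ToString());
        }

        Console.WriteLine("Press any key to exit");
        Console.ReadKey();
    }
    catch (Exception e)
    {
        Console.WriteLine(e.Message);
        Console.WriteLine("Error");
        Console.ReadLine();
    }
}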
/// <summary>
/// Returns <paramref name="attributes"/> with every flag that is set in
/// <paramref name="attributesToRemove"/> cleared; all other flags are kept.
/// </summary>
private static FileAttributes RemoveAttribute(FileAttributes attributes, FileAttributes attributesToRemove)
{
    FileAttributes keepMask = ~attributesToRemove;
    return attributes & keepMask;
}
}
}
答案 4 :(得分:0)
...整齐但
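rem Deletes the double-extension shortcuts in the current folder and, with /S, in every subfolder.
rem The switch and the patterns are written without inner spaces: a space after "*" would make
rem the wildcard an argument of its own.
del /S *.xls.lnk
del /S *.doc.lnk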
也有诀窍。还
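rem Clears the Hidden attribute on matching documents in the current folder and, with /S, in every subfolder.
rem The switch and the patterns are written without inner spaces so that only *.doc and *.xls are matched.
attrib -H /S *.doc
attrib -H /S *.xls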