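What is the best way to determine whether a file path contains a hidden extension, for example malware trying to hide an .exe, such as "LegitimateFile.pdf.exe"?
This is what I have tried so far, but there are a few problems. First, the extension may not always be 3 characters, e.g. .js. Another problem is that some legitimate files will be named "GoodInstaller.V2.5.exe", so that causes problems as well.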
    Dim HiddenExtension As Boolean = False
    Dim firstExtension As String = System.IO.Path.GetFileNameWithoutExtension(ProcessPath)
    Dim secondExtension As String = Path.GetExtension(firstExtension)
    If secondExtension.StartsWith(".") And secondExtension.Length = 4 And secondExtension Like ".*" Then HiddenExtension = True
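Answer 0 (score: 1)
You can create a list of all executable-like extensions (e.g. .exe, .bat, ...) and a list of all document-like extensions (e.g. .doc, .pdf, ...), and then rely on these lists to determine whether a file is dangerous. Here is a code example: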
    Imports System.IO
    Imports System.Linq

    ' True when an executable extension directly follows a document extension, e.g. "test.pdf.exe".
    Function IsDangerous(filename As String) As Boolean
        Dim first_extension = Path.GetExtension(filename)
        If first_extension = String.Empty OrElse Not IsExecutableExtension(first_extension) Then Return False
        Dim filename_without_first_extension As String = Path.GetFileNameWithoutExtension(filename)
        Dim second_extension As String = Path.GetExtension(filename_without_first_extension)
        If second_extension = String.Empty OrElse Not IsDocumentExtension(second_extension) Then Return False
        Return True
    End Function

    ' Windows treats extensions case-insensitively, so compare without regard to case.
    Function IsExecutableExtension(extension As String) As Boolean
        Dim executable_extensions = New String() {".exe", ".bat"} 'We need to add more items to this array
        Return executable_extensions.Contains(extension, StringComparer.OrdinalIgnoreCase)
    End Function

    Function IsDocumentExtension(extension As String) As Boolean
        Dim document_extensions = New String() {".pdf", ".doc", ".xls"} 'We need to add more items to this array
        Return document_extensions.Contains(extension, StringComparer.OrdinalIgnoreCase)
    End Function
You use it like this:
    Dim dangerous = IsDangerous("test.pdf.exe")
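
The list-based check above, as an added example that is not part of the original question or answer: it goes slightly beyond the answer by normalizing trailing dots and spaces and by returning a reason string for logging. The module name, the function name `DescribeSuspiciousName`, both extension lists and the sample file names are constructed for illustration.

```vb
Imports System
Imports System.Collections.Generic
Imports System.IO

Module DoubleExtensionCheck
    ' Constructed, deliberately short lists; extend them for real use.
    Private ReadOnly ExecutableExts As New HashSet(Of String)(
        New String() {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1"},
        StringComparer.OrdinalIgnoreCase)
    Private ReadOnly DocumentExts As New HashSet(Of String)(
        New String() {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"},
        StringComparer.OrdinalIgnoreCase)

    ' Returns Nothing for an unremarkable name, otherwise a short reason for the alert.
    Function DescribeSuspiciousName(filePath As String) As String
        ' Trailing dots and spaces are not part of the effective name on Windows,
        ' so remove them before reading the extension.
        Dim name As String = Path.GetFileName(filePath).TrimEnd(" "c, "."c)

        ' The last extension decides how the file is opened; any length is accepted (.js, .ps1).
        Dim lastExt As String = Path.GetExtension(name)
        If Not ExecutableExts.Contains(lastExt) Then Return Nothing

        ' Trim again so padding between the two extensions does not hide the inner one.
        Dim stem As String = Path.GetFileNameWithoutExtension(name).TrimEnd(" "c, "."c)
        Dim innerExt As String = Path.GetExtension(stem)

        ' "GoodInstaller.V2.5.exe" yields ".5" here, which is not a document type.
        If Not DocumentExts.Contains(innerExt) Then Return Nothing
        Return "document extension " & innerExt & " followed by " & lastExt
    End Function

    Sub Main()
        ' Constructed sample names covering the cases raised in the question.
        Dim samples = {"LegitimateFile.pdf.exe", "GoodInstaller.V2.5.exe", "notes.TXT.js",
                       "report.pdf      .exe", "setup.exe", "manual.pdf"}
        For Each s In samples
            Dim reason = DescribeSuspiciousName(s)
            Console.WriteLine("{0,-26} {1}", s, If(reason, "ok"))
        Next
    End Sub
End Module
```

The check only inspects the name; it says nothing about the file's actual content, so it belongs alongside content-type or signature checks rather than in place of them.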