在文件路徑中查找隱藏的擴展

Question

確定文件路徑是否包含隱藏擴展名的最佳方式是什麼？例如，當惡意軟件試圖隱藏.exe如「LegitimateFile.pdf.exe」時。

這是我到目前爲止嘗試過的，但有幾個問題。首先，擴展名不一定總是3個字符，例如.js。另一個問題是某些合法文件將被命名爲「GoodInstaller.V2.5.exe」，因此也會產生問題。

Dim HiddenExtension As Boolean = False 
Dim firstExtension As String = System.IO.Path.GetFileNameWithoutExtension(ProcessPath) 
Dim secondExtension As String = Path.GetExtension(firstExtension) 
If secondExtension.StartsWith(".") And secondExtension.Length = 4 And secondExtension Like ".*" Then HiddenExtension = True 

Answer 1

您可以創建的所有可執行般的擴展名的列表（如.EXE，.BAT，..）和所有喜歡文檔擴展名的列表（例如.DOC，.PDF，...）然後您可以依靠這些列表來確定文件是否危險。下面是一個代碼示例：

Function IsDangerous(filename As String) As Boolean 

    Dim first_extension = Path.GetExtension(filename) 

    If first_extension = String.Empty Or Not IsExecutableExtension(first_extension) Then Return False 

    Dim filename_without_first_extension As String = Path.GetFileNameWithoutExtension(filename) 

    Dim second_extension As String = Path.GetExtension(filename_without_first_extension) 

    If second_extension = String.Empty Or Not IsDocumentExtension(second_extension) Then Return False 

    Return True 

End Function 

Function IsExecutableExtension(extension As String) As Boolean 
    Dim executable_extensions = New String() {".exe", ".bat"} 'We need to add more items to this array 
    Return executable_extensions.Contains(extension) 
End Function 

Function IsDocumentExtension(extension As String) As Boolean 
    Dim document_extensions = New String() {".pdf", ".doc", ".xls"} 'We need to add more items to this array 
    Return document_extensions.Contains(extension) 
End Function 

並且你使用這樣的：

Dim dangerous = IsDangerous("test.pdf.exe")