在文件路径中查找隐藏的扩展

Question

确定文件路径是否包含隐藏扩展名的最佳方式是什么？例如，当恶意软件试图隐藏.exe如“LegitimateFile.pdf.exe”时。

这是我到目前为止尝试过的，但有几个问题。首先，扩展名不一定总是3个字符，例如.js。另一个问题是某些合法文件将被命名为“GoodInstaller.V2.5.exe”，因此也会产生问题。

Dim HiddenExtension As Boolean = False 
Dim firstExtension As String = System.IO.Path.GetFileNameWithoutExtension(ProcessPath) 
Dim secondExtension As String = Path.GetExtension(firstExtension) 
If secondExtension.StartsWith(".") And secondExtension.Length = 4 And secondExtension Like ".*" Then HiddenExtension = True 

Answer 1

您可以创建的所有可执行般的扩展名的列表（如.EXE，.BAT，..）和所有喜欢文档扩展名的列表（例如.DOC，.PDF，...）然后您可以依靠这些列表来确定文件是否危险。下面是一个代码示例：

Function IsDangerous(filename As String) As Boolean 

    Dim first_extension = Path.GetExtension(filename) 

    If first_extension = String.Empty Or Not IsExecutableExtension(first_extension) Then Return False 

    Dim filename_without_first_extension As String = Path.GetFileNameWithoutExtension(filename) 

    Dim second_extension As String = Path.GetExtension(filename_without_first_extension) 

    If second_extension = String.Empty Or Not IsDocumentExtension(second_extension) Then Return False 

    Return True 

End Function 

Function IsExecutableExtension(extension As String) As Boolean 
    Dim executable_extensions = New String() {".exe", ".bat"} 'We need to add more items to this array 
    Return executable_extensions.Contains(extension) 
End Function 

Function IsDocumentExtension(extension As String) As Boolean 
    Dim document_extensions = New String() {".pdf", ".doc", ".xls"} 'We need to add more items to this array 
    Return document_extensions.Contains(extension) 
End Function 

并且你使用这样的：

Dim dangerous = IsDangerous("test.pdf.exe")