
我们最近感染了 thumbs.db2 病毒,该病毒为我们网络驱动器上所有 Word 和 Excel 文档创建了快捷方式,并隐藏了真实文件。我已经能够编写代码遍历所有文件夹、找到并删除这些快捷方式,但还需要取消隐藏那些被隐藏的文件,这一点我一直没能实现。主题:用 C# 删除快捷方式并取消隐藏文件。

我的代码如下,写的很快,所以请善待:)

/// <summary>
    /// Lazily walks the directory tree under <paramref name="root"/> and yields the full path of
    /// every file whose name matches <paramref name="searchPattern"/>.
    /// </summary>
    /// <remarks>
    /// Folders that cannot be listed (for example because access is denied) are skipped without
    /// any message, so an empty or short result does not prove that the whole tree was inspected.
    /// </remarks>
    /// <param name="root">Folder at which the walk starts.</param>
    /// <param name="searchPattern">Wildcard passed to Directory.GetFiles, e.g. "*.lnk".</param>
    /// <returns>Matching file paths, produced one folder at a time.</returns>
    public static IEnumerable<string> GetFiles(string root, string searchPattern)
    {
        // Explicit work list instead of recursion, so deep trees cannot exhaust the call stack.
        Stack<string> worklist = new Stack<string>();
        worklist.Push(root);

        while (worklist.Count > 0)
        {
            string current = worklist.Pop();

            // A yield cannot sit inside a try block that has a catch clause, so the listing
            // is fetched first and handed out afterwards.
            string[] matches = null;
            try
            {
                matches = Directory.GetFiles(current, searchPattern);
            }
            catch
            {
                // Unreadable folder: no files are reported for it.
            }

            if (matches != null)
            {
                for (int i = 0; i < matches.Length; i++)
                {
                    yield return matches[i];
                }
            }

            try
            {
                string[] children = Directory.GetDirectories(current);
                for (int i = 0; i < children.Length; i++)
                {
                    worklist.Push(children[i]);
                }
            }
            catch
            {
                // Sub-folders of an unreadable folder are not visited.
            }
        }
    }
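    /// <summary>
    /// Scan-only pass over <c>S:\</c>: records every <c>.lnk</c> file in the database together with
    /// its owner and creation time, and lists the shortcuts that launch <c>thumbs.db2</c> through
    /// <c>cmd.exe</c> in <c>c:\test.txt</c>. Nothing on the share is modified or deleted.
    /// </summary>
    static void Main()
    {
        // StringBuilder keeps the report linear in size; repeated string += copies the whole
        // report for every infected shortcut.
        System.Text.StringBuilder lines = new System.Text.StringBuilder();
        string startFolder = @"S:\";

        // Throws straight away if the start folder is missing or unreadable; the listing itself
        // is not used.
        System.IO.DirectoryInfo dir = new System.IO.DirectoryInfo(startFolder);
        dir.GetDirectories("*.*");

        // Enumerated lazily. GetFiles skips folders it cannot read without reporting them, so
        // the scan covers only what this account is allowed to list.
        IEnumerable<String> fileList = GetFiles(startFolder, "*.lnk");

        int I = 0;
        DtataDataContext D = new DtataDataContext();

        // One shell object can open every shortcut; there is no need to create one per file.
        WshShell shell = new WshShell();

        foreach (string fi in fileList)
        {
            LinkFileLocation L = new LinkFileLocation();
            WshShortcut shortcut = (WshShortcut)shell.CreateShortcut(fi);
            FileInfo F = new FileInfo(fi);

            // Owner and creation time are the only trace of which account wrote the shortcut and
            // when. A failure to read the ACL must not abort the scan, so the whole lookup sits
            // inside the try block.
            try
            {
                var sid = F.GetAccessControl().GetOwner(typeof(SecurityIdentifier));
                Console.WriteLine(sid); // SID
                var ntAccount = sid.Translate(typeof(NTAccount));
                Console.WriteLine(ntAccount); // DOMAIN\username
                L.UserCreated = ntAccount.Value.ToString();
            }
            catch
            {
                L.UserCreated = "Not Known";
            }

            L.CreationTime = F.CreationTime;

            // Windows file names and command lines are case-insensitive, so the markers are
            // compared without regard to case. The payload name is hard-coded: a variant that
            // starts a differently named file will not match this check.
            bool infected =
                shortcut.Arguments.IndexOf("thumbs.db2 start", StringComparison.OrdinalIgnoreCase) >= 0 &&
                shortcut.TargetPath.IndexOf("cmd.exe", StringComparison.OrdinalIgnoreCase) >= 0;

            if (infected)
            {
                L.Arguments = shortcut.Arguments;
                L.Description = shortcut.Description;
                L.FullName = shortcut.FullName;
                L.HotKey = shortcut.Hotkey;
                L.IconLocation = shortcut.IconLocation;
                Console.Write("Infected Shortcut --" + I.ToString() + "-- :-" + shortcut.FullName.ToString() + Environment.NewLine);
                lines.Append("Infected Shortcut :-" + shortcut.FullName.ToString() + Environment.NewLine);
                I++;
            }

            // Every shortcut gets a row, infected or not; only infected ones carry the
            // shortcut details.
            D.LinkFileLocations.InsertOnSubmit(L);
            D.SubmitChanges();
        }

        // The using block closes the report file even if the write fails.
        using (System.IO.StreamWriter file = new System.IO.StreamWriter("c:\\test.txt"))
        {
            file.WriteLine(lines.ToString());
        }

        Console.WriteLine("Press any key to exit");
        Console.ReadKey();
    }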

如何在 C# 中取消隐藏文件?

任何帮助都将不胜感激。

最亲切的问候 SP


“这是我一直无法实现。” - 究竟是什么问题? – 2012-08-16 08:31:22


那么你真正的问题是什么?如何[取消隐藏文件](http://msdn.microsoft.com/en-us/library/system.io.file.setattributes.aspx)? – Gene 2012-08-16 08:32:11


对不起,我正在寻找在c#中取消隐藏文件。 – Steven 2012-08-16 08:49:42

回答

2

正如你在 MSDN 上可以看到的,从文件中移除隐藏属性很容易:

// Clear only the Hidden bit; every other attribute of the file is written back unchanged.
FileAttributes current = File.GetAttributes(fi);
bool isHidden = (current & FileAttributes.Hidden) != 0;
if (isHidden)
{
    File.SetAttributes(fi, current & ~FileAttributes.Hidden);
}

但是,如果你没有权限这样做,或者遇到其他问题,请在你的问题中说明。


我们有一个病毒创建了28,000个快捷方式并隐藏了真实文件。这是我以后,不知道为什么我无法找到这个..谢谢 – Steven 2012-08-16 09:11:06

0

对于任何遇到同样问题的人,这是我们用来删除共享上的快捷方式并取消隐藏文件的代码:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using IWshRuntimeLibrary;
using System.IO;
using System.Security.Principal;

namespace HiddenFilesHow
{
    using Microsoft.Win32.SafeHandles;

    class FindFileByExtension
    {

// Yields the full path of every file under the given root folder (sub-folders included)
    // whose name matches searchPattern. Results are produced folder by folder as the walk
    // proceeds and are not sorted.
    // Folders that cannot be listed are skipped without any message, so the result covers only
    // what the current account is allowed to read.
    public static IEnumerable<string> GetFiles(string root, string searchPattern)
    {
        // Iterative walk with an explicit stack of folders still to visit.
        Stack<string> todo = new Stack<string>();
        todo.Push(root);

        while (todo.Count > 0)
        {
            string folder = todo.Pop();

            // Fetch the listing before yielding: a yield is not allowed inside a try block
            // that has a catch clause.
            string[] hits = null;
            try
            {
                hits = Directory.GetFiles(folder, searchPattern);
            }
            catch
            {
                // Listing failed; this folder contributes no files.
            }

            if (hits != null)
            {
                foreach (string hit in hits)
                {
                    yield return hit;
                }
            }

            try
            {
                string[] subFolders = Directory.GetDirectories(folder);
                foreach (string subFolder in subFolders)
                {
                    todo.Push(subFolder);
                }
            }
            catch
            {
                // Sub-folders could not be listed; nothing below this folder is visited.
            }
        }
    }
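    /// <summary>
    /// Interactive clean-up: asks for a start folder, finds every <c>.lnk</c> file below it, and for
    /// each shortcut that launches <c>thumbs.db2</c> through <c>cmd.exe</c> unhides the file of the
    /// same name without the <c>.lnk</c> suffix and then deletes the shortcut. The infected
    /// shortcuts are listed in <c>c:\test.txt</c>.
    /// </summary>
    /// <remarks>
    /// A shortcut is deleted only after the matching file was found hidden and its Hidden
    /// attribute was cleared. Shortcuts with no such file are left in place, so shortcuts that
    /// existed before the infection and were only altered are not removed by this pass.
    /// </remarks>
    static void Main()
    {
        try
        {
            // StringBuilder keeps the report linear in size; repeated string += copies the
            // whole report for every infected shortcut.
            System.Text.StringBuilder lines = new System.Text.StringBuilder();
            Console.WriteLine("Please enter folder location:- ");
            string startFolder = Console.ReadLine();
            Console.WriteLine("Begining Scan ");

            // Throws into the outer catch if the start folder is missing or unreadable; the
            // listing itself is not used.
            System.IO.DirectoryInfo dir = new System.IO.DirectoryInfo(startFolder);
            dir.GetDirectories("*.*");

            // Enumerated lazily. GetFiles skips folders it cannot read without reporting them.
            IEnumerable<String> fileList = GetFiles(startFolder, "*.lnk");

            int I = 0;

            // One shell object can open every shortcut; there is no need to create one per file.
            WshShell shell = new WshShell();

            foreach (string fi in fileList)
            {
                // One unreadable or malformed shortcut must not stop the clean-up of the rest,
                // so each file is handled in its own try block and failures are reported.
                try
                {
                    WshShortcut shortcut = (WshShortcut)shell.CreateShortcut(fi);

                    // The owner is printed for information only. It is not written to the
                    // report file, so capture the console output if the owner matters later.
                    try
                    {
                        FileInfo F = new FileInfo(fi);
                        var sid = F.GetAccessControl().GetOwner(typeof(SecurityIdentifier));
                        var ntAccount = sid.Translate(typeof(NTAccount));
                        Console.WriteLine(ntAccount); // DOMAIN\username
                    }
                    catch
                    {
                        // Owner could not be read or resolved; the shortcut is still checked.
                    }

                    // Windows file names and command lines are case-insensitive, so the markers
                    // are compared without regard to case. The payload name is hard-coded: a
                    // variant that starts a differently named file will not match this check.
                    bool infected =
                        shortcut.Arguments.IndexOf("thumbs.db2 start", StringComparison.OrdinalIgnoreCase) >= 0 &&
                        shortcut.TargetPath.IndexOf("cmd.exe", StringComparison.OrdinalIgnoreCase) >= 0;
                    if (!infected)
                    {
                        continue;
                    }

                    lines.Append("Infected Shortcut :-" + shortcut.FullName.ToString() + Environment.NewLine);
                    I++;

                    // Strip only the trailing ".lnk". Replace(".lnk", "") would also rewrite a
                    // ".lnk" that appears in a folder name or in the middle of the file name.
                    if (!fi.EndsWith(".lnk", StringComparison.OrdinalIgnoreCase))
                    {
                        Console.WriteLine("The {0} file not deleted --------.", fi);
                        continue;
                    }
                    string target = fi.Substring(0, fi.Length - ".lnk".Length);

                    // No file or folder of that name: leave the shortcut alone and say so,
                    // instead of letting GetAttributes throw.
                    if (!System.IO.File.Exists(target) && !System.IO.Directory.Exists(target))
                    {
                        Console.WriteLine("Nothing found at {0}; shortcut {1} left in place.", target, fi);
                        continue;
                    }

                    FileAttributes attributes = System.IO.File.GetAttributes(target);
                    if ((attributes & FileAttributes.Hidden) == FileAttributes.Hidden)
                    {
                        // Show the file first; the shortcut is removed only if that succeeded.
                        attributes = RemoveAttribute(attributes, FileAttributes.Hidden);
                        System.IO.File.SetAttributes(target, attributes);
                        Console.WriteLine("The {0} file is no longer hidden.", target);
                        System.IO.File.Delete(fi);
                        Console.WriteLine("The {0} file is no longer exists.", fi);
                    }
                }
                catch (Exception ex)
                {
                    // Report the failure so that a file which was not repaired is visible.
                    Console.WriteLine("Could not process {0}: {1}", fi, ex.Message);
                }
            }

            // The using block closes the report file even if the write fails.
            using (System.IO.StreamWriter file = new System.IO.StreamWriter("c:\\test.txt"))
            {
                file.WriteLine(lines.ToString());
            }

            Console.WriteLine("Press any key to exit");
            Console.ReadKey();
        }
        catch (Exception e)
        {
            Console.WriteLine(e.Message);
            Console.WriteLine("Error");
            Console.ReadLine();
        }
    }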
    /// <summary>
    /// Returns <paramref name="attributes"/> with every flag in
    /// <paramref name="attributesToRemove"/> cleared; all other flags are kept.
    /// </summary>
    /// <param name="attributes">Current attribute set of a file.</param>
    /// <param name="attributesToRemove">Flag or flags to clear.</param>
    /// <returns>The attribute set without the removed flags.</returns>
    private static FileAttributes RemoveAttribute(FileAttributes attributes, FileAttributes attributesToRemove)
    {
        FileAttributes keepMask = ~attributesToRemove;
        FileAttributes remaining = attributes & keepMask;
        return remaining;
    }
} 

}

0

整洁......但

del /S *.xls.lnk

del /S *.doc.lnk

这也能解决问题。此外

attrib -H /S *.doc

attrib -H /S *.xls

1

一个问题:

del /S *.xls.lnk 

del /S *.doc.lnk 

does the trick too. Also 

attrib -H /S *.doc 

attrib -H /S *.xls 

该恶意软件还会修改已有的快捷方式,使其包含对 thumbs.db2 的调用。因此采用此方法后,还需要从备份中恢复原先就存在的 .LNK 文件!

另外(我正打算这样做),可以采用上面的代码,并增加对原先已存在的 LNK 文件的检查——依据创建日期/时间,和/或同一目录中是否缺少与该 LNK 文件名称匹配的隐藏文件。

此外,对于仍在等待杀毒软件厂商解决此问题的人:把 thumbs.db2 替换为一个占位文件并锁定其 NTFS 权限,似乎可以阻止其执行,而且不会像有些人提到的那样导致恶意软件改用其他文件名。


它也开始创建exe文件的快捷方式。 Bah – Steven 2012-08-17 10:49:05

0

另外,也请检查网络共享中其他 .lnk 文件的路径。

在我们这里,这种病毒不仅创建了 .xls.lnk 和 .doc.lnk 文件,还修改了所有已有的 LNK 文件。


我们遇到了同样的问题,它现在被重新感染为thumbs.dbh。 – Steven 2012-08-17 09:33:37

1
// Note: FileAttributes.Normal replaces the entire attribute set, so besides Hidden this also
// clears ReadOnly, System and Archive. To remove only Hidden, mask that bit out of the value
// returned by File.GetAttributes and write the result back.
System.IO.File.SetAttributes(<Filename>, IO.FileAttributes.Normal) 

应该这样做,我认为