Reputation: 39
What is the best way to figure out if a file’s path contains a hidden extension, for example when malware attempts to hide .exe like “LegitimateFile.pdf.exe”.
Here is what I have tried so far, but there are several issues. First of all, the extension may not always be 3 characters, for example .js. The other issue is that some legitimate files will be named “GoodInstaller.V2.5.exe”, so that creates issues as well.
Imports System.IO ' Path lives here

Dim HiddenExtension As Boolean = False
' ProcessPath holds the full path being checked.
' Strip the last extension first: "LegitimateFile.pdf.exe" -> "LegitimateFile.pdf"
Dim firstExtension As String = Path.GetFileNameWithoutExtension(ProcessPath)
' Then take the extension of what is left: "LegitimateFile.pdf" -> ".pdf"
Dim secondExtension As String = Path.GetExtension(firstExtension)
' Flags only a remaining extension that is exactly one dot plus three characters
If secondExtension.StartsWith(".") AndAlso secondExtension.Length = 4 Then HiddenExtension = True
Upvotes: 0
Views: 148
Reputation: 27861
You can create a list of all executable-like extensions (e.g. .exe, .bat, ...) and a list of all document-like extensions (e.g. .doc, .pdf, ...) and then you can depend on these lists to determine if a file is dangerous. Here is a code sample:
Imports System.IO
Imports System.Linq ' needed for the Contains extension method on arrays

Function IsDangerous(filename As String) As Boolean
    ' Last extension, e.g. ".exe" from "test.pdf.exe"
    Dim first_extension = Path.GetExtension(filename)
    If first_extension = String.Empty OrElse Not IsExecutableExtension(first_extension) Then Return False
    ' Strip it and look at the extension that remains, e.g. ".pdf" from "test.pdf"
    Dim filename_without_first_extension As String = Path.GetFileNameWithoutExtension(filename)
    Dim second_extension As String = Path.GetExtension(filename_without_first_extension)
    If second_extension = String.Empty OrElse Not IsDocumentExtension(second_extension) Then Return False
    Return True
End Function

Function IsExecutableExtension(extension As String) As Boolean
    Dim executable_extensions = New String() {".exe", ".bat"} 'We need to add more items to this array
    ' Compare case-insensitively so "TEST.PDF.EXE" is caught as well
    Return executable_extensions.Contains(extension, StringComparer.OrdinalIgnoreCase)
End Function

Function IsDocumentExtension(extension As String) As Boolean
    Dim document_extensions = New String() {".pdf", ".doc", ".xls"} 'We need to add more items to this array
    Return document_extensions.Contains(extension, StringComparer.OrdinalIgnoreCase)
End Function
And you use it like this:
Dim dangerous = IsDangerous("test.pdf.exe")
Upvotes: 1
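The same two-list approach, written out as an added example in Python rather than the answer's VB.NET, so the classification logic can be exercised on the file names from the question. It is not code from the question or the answer; the extension lists are illustrative starting points (an assumption, not a complete inventory), and it goes slightly beyond the answer by lower-casing and trimming each extension segment, walking every dot-separated segment of the name, and offering a stricter variant that flags a document-like extension anywhere before the final executable one.

```python
"""Double-extension ("hidden extension") detection.

Added example, not the answer's VB.NET code. Idea is the same: the last
extension is executable-like and the one in front of it is document-like.
"""
import re

# Illustrative lists only (assumption): extend them for your environment.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".msi", ".ps1", ".hta",
}
DOCUMENT_EXTENSIONS = {
    ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt",
    ".jpg", ".jpeg", ".png", ".gif", ".mp3", ".mp4", ".zip",
}


def extension_chain(path: str) -> list[str]:
    """Return every dot-separated extension of the base name, innermost first,
    lower-cased and with padding whitespace trimmed.

    'Invoice.pdf.exe'        -> ['.pdf', '.exe']
    'GoodInstaller.V2.5.exe' -> ['.v2', '.5', '.exe']
    '.bashrc'                -> []   (a leading dot is not a separator)
    """
    # Accept both Windows and POSIX separators regardless of host OS.
    name = re.split(r"[\\/]", path)[-1]
    # Drop a leading dot so dot-files are not treated as an extension.
    core = name.lstrip(".")
    parts = core.split(".")
    if len(parts) < 2:
        return []
    # Everything after the first segment is an extension segment.
    return ["." + seg.strip().lower() for seg in parts[1:]]


def is_dangerous(path: str) -> bool:
    """Mirror of the answer's IsDangerous: final extension executable AND the
    extension directly before it document-like."""
    chain = extension_chain(path)
    if len(chain) < 2:
        return False
    return chain[-1] in EXECUTABLE_EXTENSIONS and chain[-2] in DOCUMENT_EXTENSIONS


def has_hidden_extension(path: str) -> bool:
    """Stricter variant: executable final extension with a document-like
    extension anywhere earlier in the name (e.g. 'report.pdf.backup.exe')."""
    chain = extension_chain(path)
    if not chain or chain[-1] not in EXECUTABLE_EXTENSIONS:
        return False
    return any(seg in DOCUMENT_EXTENSIONS for seg in chain[:-1])


if __name__ == "__main__":
    # Constructed sample names, including the two cases raised in the question.
    samples = [
        r"C:\Users\alice\Downloads\LegitimateFile.pdf.exe",
        "GoodInstaller.V2.5.exe",
        "Report.PDF.EXE",
        "Invoice.pdf .exe",
        "setup.exe",
        "Archive.tar.gz",
        "notes.js",
        "report.pdf.backup.exe",
    ]
    for s in samples:
        print(f"{s!r:50} chain={extension_chain(s)} "
              f"dangerous={is_dangerous(s)} hidden_any={has_hidden_extension(s)}")
```

Note that `GoodInstaller.V2.5.exe` is not flagged by either function, because `.5` and `.v2` are not in the document list; the check keys on what the segment is, not on its length, which also removes the three-character assumption from the question's code.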