unit Main;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, Clipbrd, Tlhelp32, Registry, Buttons, ExtCtrls, ComCtrls,
XPMan, ImgList, jpeg;
type
TMainForm = class(TForm)
  // Designer-created controls; they are bound by name from the form file
  // linked in by {$R *.dfm}.
  StatusBar1: TStatusBar;            // Panels[0] carries the current scan status text
  Panel1: TPanel;
  FlushProcBtn: TSpeedButton;        // its click handler is also run once from FormCreate
  CopyMsgBtn: TSpeedButton;
  EndProcBtn: TSpeedButton;
  Timer1: TTimer;
  GroupBox1: TGroupBox;
  Console: TMemo;                    // scan log shown to the user; every step appends a line here
  KillAntivirusBtn: TSpeedButton;
  ImageList1: TImageList;
  XPManifest1: TXPManifest;
  Image1: TImage;
  ProgressBar1: TProgressBar;
  StaticText1: TStaticText;
  CloseBtn: TSpeedButton;
  AboutBtn: TSpeedButton;
  StopBtn: TSpeedButton;
  TaskList: TListBox;
  autoFlushTimer: TTimer;
  autoFlushProcListCBtn: TCheckBox;
  StaticText2: TStaticText;
  SearchDirEdit: TEdit;              // directory to scan; FormCreate defaults it to <gWinPath>\System32
  SelectDirBtn: TSpeedButton;
  // Event handlers (presumably wired up in the form file; their bodies are
  // outside the visible part of this unit except where noted below).
  procedure CopyMsgBtnClick(Sender: TObject);
  procedure FlushProcBtnClick(Sender: TObject);
  procedure EndProcBtnClick(Sender: TObject);
  procedure KillAntivirusBtnClick(Sender: TObject);
  procedure FormCreate(Sender: TObject);
  procedure AboutBtnClick(Sender: TObject);
  procedure CloseBtnClick(Sender: TObject);
  procedure StopBtnClick(Sender: TObject);
  procedure LockBtn;                 // presumably disables the buttons for the duration of a scan
  procedure UnLockBtn;               // called whenever a scan ends or is cancelled
  procedure autoFlushTimerTimer(Sender: TObject);
  procedure autoFlushProcListCBtnClick(Sender: TObject);
  procedure SelectDirBtnClick(Sender: TObject);
private
  FStream: TStream;
  FDateTime: TDateTime;
  ScanFinished: Boolean;
  // Deletes AFile; if deletion fails for any reason other than "not found"
  // the file is renamed to AFile + '.bak' instead.
  procedure DelVirusFile(AFile: String);
  // True if CompName (compared lower-cased) is listed in NameList.
  function CompareFileNames(CompName: String; NameList: TStringList): Boolean;
  // Removes the "Apple" autostart values under HKLM/HKCU\...\Run, kills and
  // deletes the program they point to, and resets DisableTaskMgr /
  // DisableRegistryTools.  False only if a registry exception occurred.
  function RepairRegedit: Boolean;
  function ScanDir(ScanPath: String): Boolean;
  // Pumps the message queue and reports whether ForceStop has been raised.
  function ProcessStopMsg: Boolean;
  { Private declarations }
public
  { Public declarations }
end;
var
  MainForm: TMainForm;
  // Windows directory used to build the default scan path.  It is not
  // assigned anywhere in the visible part of this unit — presumably set by
  // the project file or an initialization section; confirm before relying on it.
  gWinPath: String;
  // Scan statistics: total findings, and the breakdown by where the trojan was
  // found (running process, file on disk, registry autostart) or skipped by the user.
  TrojanCnt, MemTrojanCnt, DiskTrojanCnt, RegTrojanCnt, SkipTrojanCnt: Integer;
  // Raised to abort a scan in progress; polled by ProcessStopMsg.
  ForceStop: Boolean;
  // Lower-cased file names treated as the trojan (the EXE and its companion
  // DLL); FindProcByName and RepairRegedit append to it at run time.
  TrojanNameList: TStringList;
  gSearchPath: String;
  ProcTrojanProcName: String; // image name of the trojan process found in memory (as reported by the process snapshot)
  ProcTrojanDLLName: String;  // name of its companion hook DLL: same base name with a .dll extension
const
  QQProcName = 'qq.exe';               // the legitimate process that must never be treated as the trojan
  TrojanProcName = 'apple.exe';
  TrojanDLLName = 'apple.dll';
  TrojanScanLogName = 'apple_Log.txt';
implementation
uses About, SelectDir;
{$R *.dfm}
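{ Looks for a running process whose image name equals AProc (case-insensitive).
  Returns the process ID of the first match, or 0 if none was found or the
  process snapshot could not be taken.  Despite the THandle return type this
  is a PID to hand to KillTaskByProc / OpenProcess, not a handle to close.

  Side effects on a match: ProcTrojanProcName / ProcTrojanDLLName are set to
  the image name and its ".dll" twin, and both are appended lower-cased to
  TrojanNameList unless the name is qq.exe or is already listed.

  Detection is purely by file name: a renamed copy of the malware is not
  found, and any benign process that happens to carry the name is reported
  (and will be terminated by the callers). }
function FindProcByName(AProc: String): THandle;
var
  Snapshot: THandle;
  Entry: TProcessEntry32;
  Wanted, ExeName: String;
begin
  Result := 0;
  Snapshot := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  // Failure is reported as INVALID_HANDLE_VALUE; the previous "<= 0" test never
  // caught it because THandle is unsigned.
  if Snapshot = INVALID_HANDLE_VALUE then
    Exit;
  try
    Wanted := LowerCase(AProc);
    Entry.dwSize := SizeOf(Entry);
    if not Process32First(Snapshot, Entry) then
      Exit;
    repeat
      // szExeFile is a NUL-terminated Char array; the String assignment stops
      // at the terminator, replacing the manual scan for #0 (which also read
      // one element past the end of the array).
      ExeName := Entry.szExeFile;
      // NT-based Windows reports the bare file name; the second comparison
      // covers a full path as reported by older systems.
      if (Wanted = LowerCase(ExeName)) or
         (Wanted = LowerCase(ExtractFileName(ExeName))) then
      begin
        Result := Entry.th32ProcessID;
        ProcTrojanProcName := ExeName;
        ProcTrojanDLLName := ChangeFileExt(ExeName, '.dll');
        if (LowerCase(ProcTrojanProcName) <> QQProcName) and
           (TrojanNameList.IndexOf(LowerCase(ProcTrojanProcName)) < 0) then
        begin
          TrojanNameList.Add(LowerCase(ProcTrojanProcName));
          TrojanNameList.Add(LowerCase(ProcTrojanDLLName));
        end;
        Exit; // the finally block below still closes the snapshot
      end;
    until not Process32Next(Snapshot, Entry);
  finally
    CloseHandle(Snapshot); // the original leaked the snapshot on every path
  end;
end;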
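{ Terminates the process with process ID AProc (the parameter is a PID, as
  returned by FindProcByName, not a handle).  Returns True if TerminateProcess
  succeeded, False if the process could not be opened for PROCESS_TERMINATE
  (typically access denied, or the PID is already gone) or termination failed. }
function KillTaskByProc(AProc: THandle): Boolean;
var
  hProcess: THandle;
begin
  Result := False;
  // OpenProcess returns 0 (NULL) on failure, so the equality test is exact.
  hProcess := OpenProcess(PROCESS_TERMINATE, False, AProc);
  if hProcess = 0 then
    Exit;
  try
    Result := TerminateProcess(hProcess, 0);
  finally
    CloseHandle(hProcess); // the original never released the process handle
  end;
end;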
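{ Terminates every running process whose image name equals ATask
  (case-insensitive).  Returns 0 after the process list has been walked —
  even if nothing matched or a TerminateProcess call failed, since individual
  results are not counted — and -1 if the process snapshot could not be taken. }
function KillTaskByName(ATask: String): Integer;
var
  Snapshot, hProcess: THandle;
  Entry: TProcessEntry32;
  Wanted: String;
begin
  Result := 0;
  Snapshot := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  // INVALID_HANDLE_VALUE, not 0, signals failure; the old "<= 0" test let an
  // invalid handle through to Process32First.
  if Snapshot = INVALID_HANDLE_VALUE then
  begin
    Result := -1;
    Exit;
  end;
  try
    Wanted := UpperCase(ATask);
    Entry.dwSize := SizeOf(Entry);
    if not Process32First(Snapshot, Entry) then
      Exit;
    repeat
      if (Wanted = UpperCase(Entry.szExeFile)) or
         (Wanted = UpperCase(ExtractFileName(Entry.szExeFile))) then
      begin
        hProcess := OpenProcess(PROCESS_TERMINATE, False, Entry.th32ProcessID);
        // A failed OpenProcess (0) is skipped instead of being handed to
        // TerminateProcess; the handle is released either way.
        if hProcess <> 0 then
        try
          TerminateProcess(hProcess, 0);
        finally
          CloseHandle(hProcess);
        end;
      end;
    until not Process32Next(Snapshot, Entry);
  finally
    CloseHandle(Snapshot);
  end;
end;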
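{ Form start-up: fills the process list once, hides the maximize box and
  seeds the scan directory with the System32 folder. }
procedure TMainForm.FormCreate(Sender: TObject);
var
  WinDir: array[0..MAX_PATH] of Char;
begin
  Sleep(100);
  FlushProcBtnClick(Sender);
  Sleep(100);
  // Only the system menu and minimize box are kept (the maximize variant was
  // left commented out in the original).
  BorderIcons := [biSystemMenu, biMinimize];
  // gWinPath is not assigned anywhere in the visible part of this unit.  If it
  // is still empty here the default would be the drive-relative '\System32',
  // so ask Windows for its directory instead of trusting the global blindly.
  if gWinPath = '' then
    if GetWindowsDirectory(WinDir, MAX_PATH) > 0 then
      gWinPath := WinDir;
  SearchDirEdit.Text := gWinPath + '\System32';
end;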
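{ Deletes AFile and logs the outcome to the console.  If the delete fails for
  any reason other than "file not found" the file is renamed to AFile + '.bak'
  as a fallback (a file that is still mapped by a running process usually
  cannot be deleted but can often be renamed).  Silent no-op if AFile does
  not exist. }
procedure TMainForm.DelVirusFile(AFile: String);
var
  iErr: Integer;
begin
  if not FileExists(AFile) then
    Exit;
  if DeleteFile(AFile) then
  begin
    Console.Lines.Add(' ' + ExtractFileName(AFile) + '删除成功!');
    Exit;
  end;
  // Capture the error code before anything else can overwrite it.
  iErr := GetLastError;
  Console.Lines.Add(' ' + ExtractFileName(AFile) + '删除失败:' + IntToStr(iErr));
  if iErr = ERROR_FILE_NOT_FOUND then // was the bare literal 2
    Exit;
  // The original logged the rename as done without checking its result.
  if RenameFile(AFile, AFile + '.bak') then
    Console.Lines.Add(' ' + ExtractFileName(AFile) + '重命名!')
  else
  begin
    iErr := GetLastError;
    Console.Lines.Add(' ' + ExtractFileName(AFile) + '重命名失败:' + IntToStr(iErr));
  end;
end;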
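{ Removes the trojan's "Apple" autostart value from the HKLM and HKCU Run
  keys; if the value pointed at an existing file, kills any running copy of
  it (after asking the user) and deletes the file.  Finally resets
  DisableTaskMgr / DisableRegistryTools to 0 so Task Manager and the registry
  editor are usable again.

  Returns False only when a registry exception occurred (it is logged to the
  console).  A user Cancel in the kill prompt aborts the remaining steps but,
  as in the original, still returns True; the UI has been reset by then.

  Fixes over the original: the TRegistry object is released on every exit
  path (the Cancel branch used to leak it), registry keys are no longer
  created as a side effect of looking for them, a kill that keeps failing no
  longer loops forever, and the HKLM/HKCU handling is a single helper instead
  of two diverging copies. }
function TMainForm.RepairRegedit: Boolean;
const
  RunKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run';
  DefaultUserPolicyKey = '.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System';
  CurrentUserPolicyKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';
  AutostartValue = 'Apple';
var
  Regist: TRegistry;

  { Terminates every running process whose image name is ExtractFileName(APath),
    after asking the user once.  Returns False only when the user chose Cancel;
    in that case the progress bar, status text and buttons have been reset. }
  function KillRunningCopies(const APath: String): Boolean;
  var
    ExeName: String;
    Pid: THandle;
  begin
    Result := True;
    ExeName := ExtractFileName(APath);
    // FindProcByName returns a PID (0 = not found) and, as a side effect,
    // registers the name and its .dll twin in TrojanNameList.
    Pid := FindProcByName(ExeName);
    if Pid = 0 then
    begin
      Console.Lines.Add('内存中没有发现Trojan.QQ.Apple木马程序进程 ');
      Exit;
    end;
    Console.Lines.Add('内存中发现Trojan.QQ.Apple木马程序进程,准备中止Trojan.QQ.Apple木马程序进程... ');
    case Application.MessageBox(
           PChar('发现Trojan.QQ.Apple木马程序,确定要杀死所有Trojan.QQ.Apple木马程序吗?' + #13#10 + APath),
           '确认杀死Trojan.QQ.Apple木马程序', MB_YESNOCANCEL) of
      IDYES:
        begin
          // Keep killing until no process of that name is left.  A failed
          // TerminateProcess (e.g. access denied) ends the loop; the original
          // retried every 100 ms without end.
          while Pid <> 0 do
          begin
            Inc(TrojanCnt);
            Inc(MemTrojanCnt);
            if not KillTaskByProc(Pid) then
            begin
              Console.Lines.Add(' 关闭Trojan.QQ.Apple木马程序失败,杀毒继续!');
              Break;
            end;
            Console.Lines.Add(' 关闭Trojan.QQ.Apple木马程序成功,杀毒继续!');
            Sleep(100);
            Pid := FindProcByName(ExeName);
          end;
        end;
      IDNO:
        begin
          Inc(TrojanCnt);
          Inc(SkipTrojanCnt);
          Console.Lines.Add(' 关闭Trojan.QQ.Apple木马程序跳过,杀毒继续!');
        end;
    else
      begin
        Inc(TrojanCnt);
        Inc(SkipTrojanCnt);
        Console.Lines.Add(' 关闭Trojan.QQ.Apple木马程序被取消,杀毒中止!');
        ProgressBar1.Position := 0;
        StatusBar1.Panels.Items[0].Text := '杀毒被中止.';
        UnLockBtn;
        Result := False;
      end;
    end;
  end;

  { Removes the autostart value under ARoot\Run and, if it named an existing
    file, kills that program and deletes the file.  Returns False only when
    the user cancelled inside KillRunningCopies. }
  function CleanRunEntry(ARoot: HKEY): Boolean;
  var
    TrojanPath, TrojanExe: String;
  begin
    Result := True;
    Regist.RootKey := ARoot;
    // CanCreate=False: a missing Run key means there is nothing to clean, and a
    // cleaner should not create registry keys as a side effect of looking.
    if not Regist.OpenKey(RunKey, False) then
      Exit;
    try
      // TRegistry.ReadString yields '' for a missing value; a value of another
      // type raises ERegistryException, handled by the caller.
      TrojanPath := Regist.ReadString(AutostartValue);
      if TrojanPath = '' then
        Exit;
      Inc(TrojanCnt);
      Inc(RegTrojanCnt);
      Regist.DeleteValue(AutostartValue);
    finally
      Regist.CloseKey;
    end;
    // Run values are commonly stored as a quoted path; strip the quotes so the
    // FileExists check sees the real path.  A value with arguments appended is
    // still not recognised and the file is then left on disk.
    TrojanPath := AnsiDequotedStr(TrojanPath, '"');
    if not FileExists(TrojanPath) then
      Exit;
    TrojanExe := LowerCase(ExtractFileName(TrojanPath));
    if TrojanNameList.IndexOf(TrojanExe) < 0 then
    begin
      TrojanNameList.Add(TrojanExe);
      TrojanNameList.Add(ChangeFileExt(TrojanExe, '.dll'));
    end;
    if not KillRunningCopies(TrojanPath) then
    begin
      Result := False;
      Exit;
    end;
    Sleep(100);
    // NOTE(review): TrojanPath is whatever the autostart value contained, i.e.
    // data written by the malware (or anyone with write access to that key).
    // Nothing here verifies that the file really is the trojan before deleting
    // it; the only guard is FileExists.  A name or hash check would be a
    // sensible safeguard before trusting an attacker-chosen path.
    if DeleteFile(TrojanPath) then
    begin
      Inc(TrojanCnt);
      Inc(DiskTrojanCnt);
      Console.Lines.Add(' 发现并删除Trojan.QQ.Apple木马程序>>' + TrojanPath);
      StatusBar1.Panels.Items[0].Text := ' 发现并删除Trojan.QQ.Apple木马程序>>' + TrojanPath;
    end;
  end;

  { Writes DisableTaskMgr = 0 and DisableRegistryTools = 0 under ARoot\AKey.
    The original author marked this step as optional.  A missing policy key
    means no restriction is in effect, so the key is deliberately not created. }
  procedure ReEnableSystemTools(ARoot: HKEY; const AKey: String);
  begin
    Regist.RootKey := ARoot;
    if not Regist.OpenKey(AKey, False) then
      Exit;
    try
      Regist.WriteInteger('DisableTaskMgr', 0);
      Regist.WriteInteger('DisableRegistryTools', 0);
    finally
      Regist.CloseKey;
    end;
  end;

begin
  Result := True;
  Regist := TRegistry.Create;
  try
    try
      // System-wide autostart first, then the current user's.
      if not CleanRunEntry(HKEY_LOCAL_MACHINE) then
        Exit; // user cancelled; Result stays True, matching the original contract
      if not CleanRunEntry(HKEY_CURRENT_USER) then
        Exit;
      ReEnableSystemTools(HKEY_USERS, DefaultUserPolicyKey);
      ReEnableSystemTools(HKEY_CURRENT_USER, CurrentUserPolicyKey);
    except
      on E: Exception do
      begin
        // The original swallowed the exception silently; at least tell the user.
        Result := False;
        Console.Lines.Add(' 修复注册表失败:' + E.Message);
      end;
    end;
  finally
    Regist.Free; // also runs on the Exit paths above
  end;
end;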
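{ True if CompName, compared lower-cased, is an entry of NameList (whose
  entries are stored lower-cased by the code that fills it).  False for a nil
  or empty list.  The original compared every iteration against Strings[0],
  so only the first listed name (the EXE) could ever match and the companion
  DLL was never recognised. }
function TMainForm.CompareFileNames(CompName: String; NameList: TStringList): Boolean;
var
  i: Integer;
  Wanted: String;
begin
  Result := False;
  if NameList = nil then
    Exit;
  Wanted := LowerCase(CompName);
  for i := 0 to NameList.Count - 1 do
    if Wanted = NameList.Strings[i] then
    begin
      Result := True;
      Break;
    end;
end;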
{ Pumps the message queue so a stop request made in the UI (presumably via
  StopBtnClick, whose body is not visible here) can set ForceStop while a scan
  is running, then returns ForceStop.  When it is set, the console is told,
  the progress display is reset and the buttons are unlocked. }
function TMainForm.ProcessStopMsg: Boolean;
begin
  Application.ProcessMessages;
  Result := ForceStop;
  if not Result then
    Exit;
  Console.Lines.Add(' 杀毒被停止,杀毒停止!');
  ProgressBar1.Position := 0;
  StatusBar1.Panels.Items[0].Text := '杀毒被停止.';
  UnLockBtn;
end;
function TMainForm.ScanDir(ScanPath:String): Boolean;
var
FSearchRec, DSearchRec: TSearchRec;
FindResult: Integer;