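// Forum post intro (translated from the original text):
//   "I have not tried FreeLibrary. A keylogger trojan I wrote myself also works
//    by injecting a DLL into Explorer. Below is my removal program; it is
//    rough, but I hope it is useful."
//
// The code below is the removal ("cleaner") routine for that sample: it deletes
// the sample's registry entry, ends explorer.exe and then deletes the two
// dropped files from the Windows directory.

// Terminates every process whose image name equals ExeFileName (compared
// case-insensitively, with or without a leading path).
// Returns non-zero when the last matching process was terminated, and 0 when
// nothing matched, the snapshot could not be taken, or the last match could
// not be opened or terminated.
// Matching is by file name only, so an unrelated process with the same image
// name is terminated as well.
function KillTask(ExeFileName: string): Integer;
const
  PROCESS_TERMINATE = $0001;
var
  ContinueLoop: BOOL;
  FSnapshotHandle: THandle;
  FProcessEntry32: TProcessEntry32;
  ProcessHandle: THandle;
  Wanted, Current: string;
begin
  Result := 0;
  FSnapshotHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  // A failed snapshot must not be walked or closed.
  if FSnapshotHandle = INVALID_HANDLE_VALUE then
    Exit;
  try
    Wanted := UpperCase(ExeFileName);
    // dwSize must be set before Process32First, otherwise the call fails.
    FProcessEntry32.dwSize := SizeOf(FProcessEntry32);
    ContinueLoop := Process32First(FSnapshotHandle, FProcessEntry32);
    while Integer(ContinueLoop) <> 0 do
    begin
      Current := FProcessEntry32.szExeFile;
      if (UpperCase(ExtractFileName(Current)) = Wanted) or
         (UpperCase(Current) = Wanted) then
      begin
        ProcessHandle := OpenProcess(PROCESS_TERMINATE, BOOL(0),
          FProcessEntry32.th32ProcessID);
        if ProcessHandle <> 0 then
        begin
          try
            Result := Integer(TerminateProcess(ProcessHandle, 0));
          finally
            // The original never closed this handle and leaked one per match.
            CloseHandle(ProcessHandle);
          end;
        end
        else
          Result := 0; // access denied or the process has already exited
      end;
      ContinueLoop := Process32Next(FSnapshotHandle, FProcessEntry32);
    end;
  finally
    CloseHandle(FSnapshotHandle);
  end;
end;

// Returns the Windows directory with a trailing backslash, or an empty string
// when the directory cannot be queried.
function WindowsDirectory: string;
var
  WinDir: array [0..MAX_PATH] of Char;
  Len: UINT;
begin
  Result := '';
  Len := GetWindowsDirectory(WinDir, MAX_PATH);
  // 0 means failure; a value >= MAX_PATH means the buffer was too small.
  // In both cases WinDir does not hold a usable path.
  if (Len = 0) or (Len >= MAX_PATH) then
    Exit;
  SetString(Result, WinDir, Len);
  // Windows paths use '\'; the posted code tested for and appended '/'.
  if Result[Length(Result)] <> '\' then
    Result := Result + '\';
end;

// Removal handler. When <Windows dir>\_ice_.exe exists, it deletes the
// sample's Active Setup "Installed Components" key (presumably its autostart
// entry), ends explorer.exe so that the injected DLL is unloaded, then deletes
// the EXE and the DLL and asks the user to reboot.
// NOTE(review): the results of RegDeleteKey, KillTask and DeleteFile are not
// checked, so the success message is shown even if a step failed. Confirm after
// the reboot that both files and the registry key are gone.
procedure TForm1.Button1Click(Sender: TObject);
var
  WinDir: string;
begin
  WinDir := WindowsDirectory;
  if FileExists(WinDir + '_ice_.exe') then
  begin
    // Registry key paths must be separated with '\'. With '/' the whole string
    // is treated as a single key name and nothing is deleted.
    RegDeleteKey(HKEY_LOCAL_MACHINE,
      'SOFTWARE\Microsoft\Active Setup\Installed Components\{D7BE2468-E024-79BC-0134-79ACE13578AC}');
    // EnableDebugPrivilege is defined elsewhere in the project.
    if EnableDebugPrivilege then
      KillTask('explorer.exe');
    DeleteFile(WinDir + '_ice_.exe');
    // Short pauses, presumably to let explorer.exe exit and release the DLL.
    Sleep(500);
    DeleteFile(WinDir + '_ice_.dll');
    Sleep(1000);
    Application.MessageBox(PChar('清除完成,请重新启动计算机'), '成功', MB_ICONINFORMATION);
    // Restarting the shell is left disabled; the user is told to reboot instead.
    //winexec('explorer.exe',sw_show);
  end
  else
    Application.MessageBox(PChar('未发现木马'), '错误', MB_ICONINFORMATION);
end;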