const
MaxEquip = $24C0;
// 内存取装备信息 『目标进程』 『返回装备信息』 『成功否』
function GetEquipFromMem(ProcessID: HWND; var equip: string): Boolean;
// 处于9x操作系统
function IsWindows9x(): Boolean;
var
Osi: TOSVersionInfo;
begin
Osi.dwOSVersionInfoSize := SizeOf(Osi);
GetVersionEx(Osi);
Result := Osi.dwPlatformID <> Ver_Platform_Win32_NT;
end;
var
ProcessHndle: HWND;
SysInfo: _SYSTEM_INFO;
MBI: MEMORY_BASIC_INFORMATION;
PMemoAddr: Pointer;
MemoAddr, MaxMemoAddr: DWORD;
nSize, lpNumberOfBytesRead: DWORD;
i : DWORD;
sTmp: string;
begin
Result := false;
equip := '';
ProcessHndle := OpenProcess(PROCESS_VM_OPERATION or
PROCESS_VM_READ or
PROCESS_QUERY_INFORMATION,
False, ProcessID);
if ProcessHndle <= 0 then exit;
GetSystemInfo(SysInfo);
PMemoAddr := SysInfo.lpMinimumApplicationAddress;
MaxMemoAddr := DWORD(SysInfo.lpMaximumApplicationAddress);
try
while true do
begin
VirtualQueryEx(ProcessHndle, PMemoAddr, MBI, SizeOf(MBI));
nSize := MBI.RegionSize;
if MBI.State = MEM_COMMIT then
begin
setlength(sTmp, nSize);
ReadProcessMemory(ProcessHndle, PMemoAddr,
pchar(sTmp), nSize, lpNumberOfBytesRead);
if IsWindows9x() then
i := Pos('On Win95', sTmp)
else begin
i := Pos(#1#1#2#2'WinSock 2.0', sTmp);
if i > 0 then
Inc(i, $105);
end;
if i > 0 then
begin
equip := copy(sTmp, i, MaxEquip);
result := true;
Break;
end;
end;
MemoAddr := DWORD(PMemoAddr) + nSize;
if MemoAddr >= MaxMemoAddr then
Break;
PMemoAddr := Pointer(MemoAddr);
end;
except
end;
setlength(sTmp, 0);
CloseHandle(ProcessHndle);
end;
// 抽取装备信息
function ExtractInfo(const sMem: string): string;
const
_nOffset = 52;
var
sTemp, sTemp1: string;
cc: char;
nOffset, nSize, nLen: integer;
nCount, k, nn1, nn2: integer;
begin
nLen := Length(sMem);
nOffset := $238;
nCount := 1;
Result := '';
repeat
cc := sMem[nOffset];
nSize := Byte(cc);
if (cc = #0) or (nSize > 16) then begin
inc(nOffset, _nOffset);
continue;
end;
sTemp := Copy(sMem, nOffset + 1, nSize);
if pos('{骺躴骺皗骺', sTemp) > 0 then Break;
if nOffset >= MaxEquip then break;
nn1 := Length(sTemp);
nn2 := Length(widestring(sTemp));
if ((nn1 - nn2) < 2) or (2 * nn2 - nn1 > 2) then begin
inc(nOffset, _nOffset);
continue;
end;
k := Pos(sTemp, Result);
if k > 0 then begin
sTemp1 := Copy(Result, 1, k - 1);
Delete(Result, 1, k);
k := Pos(#13#10, Result);
Delete(Result, 1, k + 1);
inc(nCount);
sTemp := sTemp + Int2Str(nCount) + #13#10;
Result := sTemp1 + sTemp + Result;
end else begin
nCount := 1;
Result := Result + sTemp + #13#10;
end;
inc(nOffset, _nOffset);
until nOffset >= nLen;
end;
// 返回装备信息
function GetEquipment_Mir2: string;
begin
if GetEquipFromMem(GetCurrentProcessId(), Result) then
Result := ExtractInfo(Result)
else
Result := 'Liu_mazi';
end;
// 调整信息格式
function ChangeEolFormat(strEolIn: string):string;
var
iPos: Integer;
begin
Result:='';
repeat
iPos:=Pos(#13#10,strEolIn);
if iPos>0 then
begin
Result:=Result+Copy(strEolIn,1,Pred(iPos))+'/';
Delete(strEolIn,1,Succ(iPos));
end;
until iPos<=0;
if Result[Length(Result)]='/' then
Delete(Result,Length(Result),1);
end;
end.
各位我的电脑中总是出现Liu_mazi这样一个程序,在注册表里面可以找到,但是在文件里找不到,也看不出来是哪个进程(98的机器比较干净,很少病毒,用机器4年来病毒查杀总数不超过200个,怎么看都是几个系统进程
,也许把进程隐藏了??!)。
请问各位高手这是一个什么样的东西,如何删除啊。 不胜感激了。
主要是这玩意老搞的Explorer没有响应,再个就是启动任何程序都很慢。
前几天在网上溜圈,在各大反毒论坛也问了一下,有位自称是高手的说是网游木马(还附送了这个代码),还有个自称有类似经历的说是刚出来的QQ盗号病毒,杀不掉,只能格式化。
也有的说是某位菜鸟黑客自己编的垃圾肉鸡客户端(还说他认识那个菜鸟黑客...汗
)。又有一位“高手”说是某情色网站的恶意代码,有超过灰鸽子数倍的强大功能...(我问他什么功能,他说叫我自己慢慢体会...
)。最搞笑的是说这是美国中央情报局下放的黑客监视系统之一...越说越离谱......我见势不妙就撒了..
这是聊天记录!
=http://bbs.db.kingsoft.com/viewthread.php?tid=21064775&fid=3162这是金山的
=http://zsbbs.cn.bbs.yahoo.com/message/read_virus_149879.html还有这个上网助手的
=http://q-zone.qq.com/client/?uin=421082417&url=/fcg-bin/cgi_blog_cont.fcg%3Fuin%3D421082417%26diaryid%3D69499%26voteid%3D1%26getvn%3Dyes%26currentpage%3D1%26type%3D10%26hassign%3D10%26effect%3D0和这里的聊天记录
