前言
适用:PC端微信 2.8.0.121 版本
更新于2020年3月14日
本文仅作技术研究
具体原理见上一篇:
https://blog.csdn.net/qq_43572067/article/details/100062493
本次主要是在上次的源码基础上进行更新,适用于当前的微信版本
其实就更新了两个地址
1、强制把聊天收发的表情全部保存下来
2、强制把打开收藏的表情全部保存下来
成品:
链接: https://pan.baidu.com/s/1UYXXEU0kKGvpSHNqTFnBcg
提取码: t4qt
源代码:
使用VS2015以上编译
RemoteInject.exe
// RemoteInject.cpp : 定义控制台应用程序的入口点。
#include "stdafx.h"
#include "windows.h"
#include "atlstr.h"
#include <TlHelp32.h>
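/* Build "<directory of this executable>\GetWeChatPic.dll".
 *
 * Returns a pointer to a static buffer that is overwritten on every call
 * (not thread-safe).  On failure (path lookup failed, path truncated, no
 * directory separator, or no room for the new name) the buffer is left as
 * an empty string instead of partially written garbage.
 *
 * The original version memcpy'd the new name without a terminator and only
 * worked because "GetWeChatPic.dll" happens to be exactly as long as the
 * executable's own file name; snprintf always NUL-terminates and is bounded
 * by the space remaining in the buffer. */
char* GetProgramDll()
{
    static char exeFullPath[MAX_PATH] = { 0 };

    DWORD len = GetModuleFileNameA(NULL, exeFullPath, MAX_PATH);
    if (len == 0 || len >= MAX_PATH) {
        /* 0 = failure; == MAX_PATH = the path was truncated */
        exeFullPath[0] = '\0';
        return exeFullPath;
    }

    char *sep = strrchr(exeFullPath, '\\');
    if (sep == NULL) {
        exeFullPath[0] = '\0';
        return exeFullPath;
    }

    char *name = sep + 1;
    size_t room = sizeof exeFullPath - (size_t)(name - exeFullPath);
    int n = snprintf(name, room, "%s", "GetWeChatPic.dll");
    if (n < 0 || (size_t)n >= room) {
        /* would not fit: do not hand the caller a truncated path */
        exeFullPath[0] = '\0';
    }
    return exeFullPath;
}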
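/* Return the PID of the first running process whose image name equals
 * nProcessName (case-insensitive), or 0 if no such process exists or the
 * process snapshot could not be taken.
 *
 * Fixes: the original never closed the snapshot handle (leaked on both the
 * found and not-found paths) and did not check CreateToolhelp32Snapshot for
 * INVALID_HANDLE_VALUE. */
DWORD GetProcessPid(CString nProcessName)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) {
        return 0;
    }

    /* MakeLower mutates (and returns) our by-value copy; do it once instead
     * of once per iteration as the original did. */
    CString wanted = nProcessName.MakeLower();

    DWORD pid = 0;
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof entry;
    for (BOOL ok = Process32First(snap, &entry); ok; ok = Process32Next(snap, &entry)) {
        if (wanted == CString(entry.szExeFile).MakeLower()) {
            pid = entry.th32ProcessID;
            break;
        }
    }

    CloseHandle(snap);
    return pid;
}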
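/* Copy dllPath into hProcess and run LoadLibraryA on it from a remote thread.
 *
 * Returns 0 on success and -1 on failure; a message is printed on failure.
 * The remote buffer is always released before returning.  The result of the
 * remote LoadLibraryA (the thread's exit code) is not inspected, as in the
 * original. */
static int InjectDll(HANDLE hProcess, const char *dllPath)
{
    int rc = -1;
    SIZE_T nLen = strlen(dllPath) + 1;          /* include the terminator */
    HANDLE hThread = NULL;

    LPVOID pBuf = VirtualAllocEx(hProcess, NULL, nLen, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (!pBuf) {
        printf("申请内存失败!\r\n");
        return -1;
    }

    if (!WriteProcessMemory(hProcess, pBuf, dllPath, nLen, NULL)) {
        printf("写入内存失败!\r\n");
        goto free_buf;
    }

    /* dwStackSize is a SIZE_T, so 0 rather than NULL. */
    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, pBuf, 0, NULL);
    if (!hThread) {
        printf("创建远程线程失败!\r\n");
        goto free_buf;
    }

    /* INFINITE is what the original's -1 meant; wait for LoadLibraryA to return. */
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    rc = 0;

free_buf:
    /* MEM_RELEASE with size 0 frees the whole allocation.  The original passed
     * MEM_FREE, which is a memory-state value, not a valid dwFreeType, so the
     * buffer was never actually freed. */
    VirtualFreeEx(hProcess, pBuf, 0, MEM_RELEASE);
    return rc;
}

/* Console entry point: find wechat.exe, open it, and load GetWeChatPic.dll
 * (located next to this executable) into it via InjectDll().
 *
 * Every failure path prints a message and still waits for a key press, as
 * the original did.  Fixes over the original: the PID, process handle and
 * remote thread are checked before use, the process handle is closed, and
 * the PID/handle are printed with matching format specifiers (%lu for DWORD,
 * %p for HANDLE) instead of %d. */
int main()
{
    printf("适用:PC端微信 2.8.0.121版本\r\n更新与2020年3月14日\r\n");

    DWORD nPid = GetProcessPid("wechat.exe");
    if (nPid == 0) {
        printf("未找到进程!\r\n");
    } else {
        HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, nPid);
        if (hProcess == NULL) {
            printf("打开进程失败!\r\n");
        } else {
            printf("进程ID:%lu - 进程句柄:%p\r\n", nPid, hProcess);

            const char *dllPath = GetProgramDll();
            if (dllPath == NULL || dllPath[0] == '\0') {
                printf("获取DLL路径失败!\r\n");
            } else if (InjectDll(hProcess, dllPath) == 0) {
                printf("注入完成!\r\n");
            }

            CloseHandle(hProcess);   /* never closed in the original */
        }
    }

    getchar();
    return 0;
}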
GetWeChatPic.dll
#include "stdafx.h"
#include "stdio.h"
#include "windows.h"
#include <shellapi.h>
/* State shared between the naked Hook() stub and the C++ code it calls.
 * All of these are plain globals, so the hook is not reentrant: if the hooked
 * decoder function is entered concurrently from two threads, both would race
 * on FileBuff/FileSize/FileName/pFile. */
DWORD FileBuff;              // first stack argument of the hooked function, captured in Hook()'s asm prologue; treated as a buffer address in fwrite
DWORD FileSize;              // second stack argument of the hooked function, captured the same way; treated as the buffer length
CHAR FileName[MAX_PATH];     // output path "GetWeChatPic\<hash>.gif" built by Hook()
FILE *pFile;                 // output file used by Hook(); never checked for NULL before fwrite
DWORD Old_wxam_dec_isWXGF_4; // address of the trampoline built by MyHook(): saved original bytes followed by a jump back into the original function
/* Empty exported function.  Nothing on this page calls it; presumably it only
 * exists so the module has an export table — NOTE(review): confirm whether it
 * is still needed. */
extern "C" _declspec(dllexport) void ExportFun()
{
}
/* Install an inline hook at HookAddress.
 *
 * The first 6 bytes of the target are overwritten with `push NewAddress; ret`
 * (0x68 imm32, 0xC3), which transfers control to NewAddress.  Before that, a
 * trampoline is built in a freshly allocated RWX page and its address stored
 * in *OldAddress: the HookBytesNum original bytes, followed by the same
 * push/ret sequence pointing at HookAddress + HookBytesNum, so that jumping
 * to *OldAddress runs the displaced prologue and continues in the original
 * function.
 *
 * @param HookAddress   function to patch (in the current process)
 * @param NewAddress    replacement entry point
 * @param OldAddress    out: address of the trampoline
 * @param HookBytesNum  number of original bytes moved to the trampoline; must
 *                      be at least 6 (the size of the patch) and must end on
 *                      an instruction boundary, since the bytes are copied
 *                      verbatim with no relocation
 *
 * Caveats visible in the code: the VirtualAlloc result is not checked before
 * being written to; the patch is written with WriteProcessMemory on the
 * current-process pseudo-handle (HANDLE)-1 and its return value is ignored;
 * nothing restores the original bytes or frees the trampoline on unload. */
void MyHook(LPVOID HookAddress, LPVOID NewAddress, DWORD *OldAddress,DWORD HookBytesNum)
{
BYTE JumpByte[6] = { 0x68,0x00,0x00,0x00,0x00,0xc3 }; // push imm32 ; ret
*(DWORD*)(JumpByte + 1) = (DWORD)HookAddress + HookBytesNum; // first use of the buffer: jump back past the displaced bytes
*OldAddress = (DWORD)VirtualAlloc(NULL, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE); // trampoline page; NULL on failure is not checked
memcpy((LPVOID)*OldAddress, HookAddress, HookBytesNum); // saved original bytes ...
memcpy((BYTE*)*OldAddress + HookBytesNum, JumpByte,6); // ... then the jump back
*(DWORD*)(JumpByte + 1) = (DWORD)NewAddress; // second use of the same buffer: now it jumps to the hook
WriteProcessMemory((HANDLE)-1, HookAddress, JumpByte, 6, 0); // overwrite the target's first 6 bytes in place
}
/* 32-bit content hash used to name the saved files.
 *
 * For every byte: rotate the running value left by 25 bits (equivalently,
 * right by 7) and add the byte.  The byte is added as a `char`, whose
 * signedness is implementation-defined; with MSVC's signed char, bytes
 * >= 0x80 contribute a negative value.  That is the original behaviour and
 * is kept so existing file names stay stable.
 *
 * @param nBuff      bytes to hash
 * @param nBuffSize  number of bytes; values <= 0 yield 0
 * @return the hash; no attempt at collision resistance */
DWORD GetHash(char *nBuff,int nBuffSize)
{
    DWORD h = 0;
    const char *p = nBuff;
    int remaining = nBuffSize;
    while (remaining-- > 0) {
        h = (h << 25) | (h >> 7);   /* rotl32 by 25 */
        h += *p++;                  /* char promoted to int, then converted to DWORD */
    }
    return h;
}
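/* Build "<directory of the host executable>\GetWeChatPic".
 *
 * Returns a pointer to a static buffer that is overwritten on every call
 * (not thread-safe).  On failure (path lookup failed, path truncated, no
 * directory separator, or no room for the new name) the buffer is left as
 * an empty string rather than partially written garbage.
 *
 * The original memcpy'd "GetWeChatPic" without a terminator over whatever
 * file name GetModuleFileNameA returned and relied on the static buffer's
 * remaining zero bytes to terminate the string; snprintf always terminates
 * and is bounded by the space left in the buffer.
 *
 * NOTE(review): this path is relative to the executable's directory, while
 * the directory used elsewhere in this file (CreateDirectoryA("GetWeChatPic")
 * and the "GetWeChatPic\..." file names) is relative to the current
 * directory; the two only agree when the process's current directory is its
 * own folder — confirm against the caller. */
char* GetProgramDir()
{
    static char exeFullPath[MAX_PATH] = { 0 };

    DWORD len = GetModuleFileNameA(NULL, exeFullPath, MAX_PATH);
    if (len == 0 || len >= MAX_PATH) {
        /* 0 = failure; == MAX_PATH = the path was truncated */
        exeFullPath[0] = '\0';
        return exeFullPath;
    }

    char *sep = strrchr(exeFullPath, '\\');
    if (sep == NULL) {
        exeFullPath[0] = '\0';
        return exeFullPath;
    }

    char *name = sep + 1;
    size_t room = sizeof exeFullPath - (size_t)(name - exeFullPath);
    int n = snprintf(name, room, "%s", "GetWeChatPic");
    if (n < 0 || (size_t)n >= room) {
        /* would not fit: do not hand the caller a truncated path */
        exeFullPath[0] = '\0';
    }
    return exeFullPath;
}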
/* Replacement entry for WXAMDecoder!wxam_dec_isWXGF_4 (installed by MyHook()).
 *
 * Naked: the compiler emits no prologue/epilogue, so on entry the stack is
 * exactly what the caller left.  After `pushad` (8 registers x 4 bytes) plus
 * the 4-byte return address, [esp+36] and [esp+40] are the hooked function's
 * first and second stack arguments (assuming they are passed on the stack —
 * the target's calling convention is not visible here).  They are copied into
 * the FileBuff/FileSize globals, written out as GetWeChatPic\<hash>.gif, and
 * then `popad` restores every register and execution continues in the
 * trampoline, i.e. the original function runs unchanged.
 *
 * Issues visible in this code:
 *  - fopen_s is not checked; if the GetWeChatPic directory does not exist
 *    (it is created relative to the current directory in DllMain) or the
 *    file cannot be opened, fwrite/fclose are called on a NULL pFile.
 *  - The file name is a 32-bit hash of the content and the file is opened
 *    "wb+", so a collision silently overwrites an earlier file.
 *  - sprintf_s is given 256 although FileName is declared MAX_PATH bytes.
 *  - The globals make this unsafe if the decoder is entered concurrently.
 *  - The ".gif" extension is used regardless of what the buffer actually
 *    contains — TODO confirm the decoder only sees GIF data. */
__declspec(naked) void Hook()
{
/* Save all general registers, then capture the two arguments. */
__asm
{
pushad;
mov eax, [esp + 36];
mov FileBuff, eax;
mov eax, [esp + 40];
mov FileSize, eax;
}
/* Plain C++ from here: runs on the caller's stack, between pushad/popad. */
sprintf_s(FileName, 256, "GetWeChatPic\\%08X.gif", GetHash((char*)FileBuff, FileSize));
fopen_s(&pFile, FileName, "wb+"); // return value unchecked; pFile may be NULL below
fwrite((LPVOID)FileBuff, FileSize, 1, pFile);
fclose(pFile);
/* Restore registers and continue in the trampoline (original bytes + jump back). */
__asm
{
popad;
jmp Old_wxam_dec_isWXGF_4;
}
}
/* DLL entry point.
 *
 * On DLL_PROCESS_ATTACH it (1) writes a single 0xEB byte at two build-specific
 * offsets inside WeChatWin.dll (the offsets are for the version named in the
 * page header, 2.8.0.121; the commented-out lines are the previous build's),
 * and (2) installs the inline hook on WXAMDecoder!wxam_dec_isWXGF_4 via
 * MyHook() so every decoded buffer is written to disk by Hook().  The
 * thread-attach/detach cases do nothing, and nothing is undone on
 * DLL_PROCESS_DETACH, so the patches and the hook stay in place after unload.
 *
 * NOTE(review): all of this runs inside DllMain, i.e. under the loader lock.
 * The DllMain documentation advises against calling functions that may load
 * other DLLs from there; MessageBoxA, ShellExecuteA and CreateDirectoryA below
 * are such calls.  GetModuleHandleA("WeChatWin.dll") is also not checked: if
 * the module is not loaded, nHmodule is NULL and the two writes target the
 * raw addresses 0x94016 and 0x2BE71F. */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
{
HMODULE nHmodule = GetModuleHandleA("WeChatWin.dll"); // not checked for NULL
BYTE HookByte2[] = { 0xeb }; // 0xEB = unconditional short jmp; presumably replaces a conditional short jump so the "save" path is always taken — confirm against the disassembly
//DWORD pFunAddress = (DWORD)nHmodule + 0x7DB79;// save every sticker sent/received in chat (build of 2019-08-20)
DWORD pFunAddress = (DWORD)nHmodule + 0x94016;// save every sticker sent/received in chat (build of 2020-03-14)
WriteProcessMemory((HANDLE)-1, (LPVOID)pFunAddress, HookByte2, 1, 0); // (HANDLE)-1 = current-process pseudo-handle; return value ignored
BYTE HookByte5[] = { 0xeb };
//pFunAddress = (DWORD)nHmodule + 0x2841DC;// save every sticker opened from Favorites (build of 2019-08-20)
pFunAddress = (DWORD)nHmodule + 0x2BE71F;// save every sticker opened from Favorites (build of 2020-03-14)
WriteProcessMemory((HANDLE)-1, (LPVOID)pFunAddress, HookByte5, 1, 0); // return value ignored
}
HMODULE nHmodule = GetModuleHandleA("WXAMDecoder.dll"); // NULL if not loaded yet; GetProcAddress then fails and the else branch reports it
LPVOID pFunAddress = GetProcAddress(nHmodule, "wxam_dec_isWXGF_4");
if (pFunAddress)
{
MyHook(pFunAddress, Hook, &Old_wxam_dec_isWXGF_4, 9); // 9 = original prologue bytes moved to the trampoline; must cover whole instructions for this build
SECURITY_ATTRIBUTES SecurityAttributes;
SecurityAttributes.lpSecurityDescriptor = 0; // NULL descriptor = default DACL
SecurityAttributes.bInheritHandle = false;
SecurityAttributes.nLength = sizeof(SecurityAttributes);
CreateDirectoryA("GetWeChatPic", &SecurityAttributes); // relative to the current directory — the same relative name Hook() writes into; result unchecked
if (MessageBoxA(0, "注入成功!\r\n是否打开储存的表情文件夹?", "Tips", MB_ICONINFORMATION | MB_YESNO)==IDYES)
ShellExecuteA(NULL, ("open"), ("explorer"), GetProgramDir(), NULL, SW_SHOW); // opens <exe dir>\GetWeChatPic, which may differ from the directory created above
}
else
{
MessageBoxA(0, "注入失败!请重启微信进入到聊天框内再注入!", "Tips", MB_ICONERROR);
}
}
// No `break;` here: control falls into the cases below.  Harmless today because
// they only break, but unintended and worth adding a break to.
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}