本篇文章只作为记录
警告
网络不是法外之地,本篇文章仅供技术交流,相关具体实现过程我将省略!
获取微信处理消息的函数
我们可以反复发送消息，并通过 CE（Cheat Engine）搜索消息内容，定位消息所在的内存地址；然后对该地址下硬件写入断点，断点命中后在调用栈中即可找到处理消息的相关函数。具体搜索过程可自行按上面的方法进行。注意：下文用到的函数地址和各字段偏移都依赖具体的微信版本，版本更新后必须重新定位，否则 Hook 会读到错误的内存。
使用MinHook hook该消息函数
// Initialize MinHook.
if (MH_Initialize() != MH_OK)
{
// NOTE(review): this failure returns 1 while the two below return 0, so the
// caller (not visible here) cannot tell the cases apart consistently — confirm intent.
return 1;
}
// Base address of the WeChat core module; the hook target is computed relative to it.
// NOTE(review): the (DWORD) cast truncates HMODULE on a 64-bit build. This assumes a
// 32-bit WeChat process (consistent with the DWORD/r_eax handling elsewhere) — confirm.
DWORD windllAddress = (DWORD)GetModuleHandle(L"WeChatWin.dll");
if (windllAddress == 0) {
// windllAddress is necessarily 0 on this path, so the printed value carries no
// information; GetLastError() would be the useful thing to log here.
printf("Module Address Get Error: 0x%x\n", windllAddress);
return 0;
}
// Target = module base + a version-specific offset. The offset must be re-derived for
// every WeChat build (see the method described in the text); a stale offset hooks
// arbitrary code and crashes or corrupts the client.
DWORD ReceiveHookAddress = windllAddress + 0x*****; // version-specific offset — see below
// Create a hook on the receive-message routine, in disabled state (MinHook creates
// hooks disabled; MH_EnableHook must be called afterwards, presumably in the elided
// part). The trampoline to the original routine is written to _receiveMsgFunc.
if (MH_CreateHook((LPVOID)ReceiveHookAddress, &ReceiveWxMessage,
reinterpret_cast<LPVOID*>(&_receiveMsgFunc)) != MH_OK)
{
printf("MH_CreateHook Error: 0x%x\n", ReceiveHookAddress);
return 0;
}
...
消息Hook函数
...
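// Detour body for WeChat's receive-message routine.
//
// r_eax: the message object pointer the hooked routine holds in EAX (32-bit build);
//        fields are read at the project-defined offsets MsgTypeOffset,
//        MsgContentOffset, WxidOffset, GroupMsgSenderOffset, MsgSourceOffset.
// Effect: prints sender id and text for messages whose wxid is "filehelper".
//
// This function does not call the trampoline (_receiveMsgFunc); the register-saving
// wrapper that does so is presumably in the elided part — confirm, otherwise the
// original handler is skipped for every message.
//
// Robustness / security notes:
//  - The message fields (wxid, content) originate from the remote peer and are
//    therefore untrusted input. The original only checked that the pointer *slots*
//    were readable and then dereferenced the stored pointers blindly; the pointees
//    are now checked for null/readability and output is length-bounded so an
//    unterminated buffer cannot drive an unbounded read.
//  - IsBadReadPtr is deprecated by Microsoft: it races with concurrent unmaps and
//    silently trips guard pages. It is kept only because the surrounding code relies
//    on it; a SEH __try/__except (or VirtualQuery) is the robust replacement.
//  - C++ try/catch(...) does NOT catch access violations unless the TU is compiled
//    with /EHa; with the default /EHsc a bad pointer still crashes the WeChat process.
void ReceiveWxMessage(DWORD r_eax)
{
    try
    {
        // Every field slot we dereference must be readable; bail out otherwise.
        // Slots are pointer-sized (4 bytes) on the 32-bit build this targets.
        const DWORD slots[] = {
            r_eax,
            r_eax + MsgTypeOffset,
            r_eax + MsgContentOffset,
            r_eax + WxidOffset,
            r_eax + GroupMsgSenderOffset,
            r_eax + MsgSourceOffset,
        };
        for (DWORD slot : slots) {
            if (IsBadReadPtr(reinterpret_cast<const void*>(slot), 4)) {
                return;
            }
        }

        // The pointers stored in the slots are themselves untrusted: they may be
        // null or dangling, so validate the pointee before touching it.
        const wchar_t* content = *reinterpret_cast<const wchar_t* const*>(r_eax + MsgContentOffset);
        const wchar_t* wxid = *reinterpret_cast<const wchar_t* const*>(r_eax + WxidOffset);
        if (content == nullptr || wxid == nullptr) {
            return;
        }
        // wcscmp against the literal reads at most sizeof(L"filehelper") bytes of wxid,
        // so that much must be readable; for content we can only cheaply verify the
        // first character — the bounded precision in wprintf limits the rest.
        if (IsBadReadPtr(wxid, sizeof(L"filehelper"))
            || IsBadReadPtr(content, sizeof(wchar_t))) {
            return;
        }

        if (wcscmp(wxid, L"filehelper") == 0) {
            // Precision caps how many characters printf reads, so a missing NUL
            // terminator in either string cannot cause a read past the buffer.
            wprintf(L"Receive Msg\n Wechat ID: %.64ws \n Content: %.1024ws\n", wxid, content);
        }
    }
    catch (...)
    {
        // Only reached for C++ exceptions (or SEH exceptions when built with /EHa).
        OutputDebugStringA("消息异常");
    }
}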
...
Hook效果