[Other reposts] Hooking WeChat in C#: sending and receiving messages, search, adding friends

renxiaofeixia posted on 2022-8-6 10:19
Last edited by renxiaofeixia on 2022-8-6 10:20

Hooking WeChat in C#: sending and receiving messages, search, adding friends

https://github.com/renchengxiaofeixia/FrIDASharpWeChatHook


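weiyuhero posted on 2022-8-9 09:36
Last edited by weiyuhero on 2022-8-9 15:54

Impressive, nice work.

It got pinned, so let me praise the OP some more: the OP's WeChat hook really does work well.
咬字分开念 posted on 2022-8-6 11:33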
using Binarysharp.MemoryManagement;
using Binarysharp.MemoryManagement.Assembly.CallingConvention;
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Diagnostics;
using System.Drawing;
using System.IO;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.Windows.Threading;

namespace FridaSharp
{
    public partial class Form1 : Form
    {
        static Frida.DeviceManager deviceManager;
        static List<Frida.Device> Devices;
        static List<Frida.Process> Processes;
        static Frida.Session session;
        static Frida.Script script;
        
        static Process target;


        public Form1()
        {
            InitializeComponent();
        }

        private void Form1_Load(object sender, EventArgs e)
        {
           
        }

        private void Hook()
        {
            try
            {
                Devices = new List<Frida.Device>();
                Processes = new List<Frida.Process>();
                deviceManager = new Frida.DeviceManager(Dispatcher.CurrentDispatcher);
                var devices = deviceManager.EnumerateDevices();
                var device = devices.Where(x => x.Name == "Local System").FirstOrDefault();
                if (device == null)
                {
                    return;
                }
                target = Process.GetProcesses().FirstOrDefault(k=>k.ProcessName == "WeChat");
                if (target == null)
                {
                    // WeChat is not running, so there is no process to attach to.
                    return;
                }
                session = device.Attach((uint)target.Id);
                try
                {
                    var scriptText = txtScript.Text;
                    script = session.CreateScript(scriptText);
                    script.Message += new Frida.ScriptMessageHandler(script_Message);
                    script.Load();
                    txtLog.Text = "Success......";
                }
                catch (Exception ex)
                {
                    return;
                }
            }
            catch (Exception ex)
            {
            }
        }
        private void script_Message(object sender, Frida.ScriptMessageEventArgs e)
        {
            if (sender == script)
            {
                txtLog.Text = e.Message + "\n" + txtLog.Text;
            }
        }

        private void btnExit_Click(object sender, EventArgs e)
        {
            try
            {
                script.Unload();
                script.Dispose();
                session.Detach();
                session.Dispose();
                deviceManager.Dispose();
                Application.Exit();
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message);
            }
        }

        private void btnHook_Click(object sender, EventArgs e)
        {
            Hook();
        }

        private void Form1_FormClosing(object sender, FormClosingEventArgs e)
        {
            // Both are null if the form is closed before Hook() has succeeded.
            script?.Dispose();
            session?.Dispose();
        }

        private void btnSendTextMsg_Click(object sender, EventArgs e)
        {
            target = Process.GetProcesses().FirstOrDefault(k => k.ProcessName == "WeChat");
            using (var ms = new MemorySharp(target))
            {
                var mod = ms.Modules.RemoteModules.FirstOrDefault(k => k.Name == "WeChatWin.dll");
                var msgAddress = AllocateWxDataStruct(ms,txtMsg.Text);
                var wxIdAddress = AllocateWxDataStruct(ms,txtWxId.Text);
                var tempAddress = AllocatePtr(ms,4);
                var rt = ms.Assembly.InjectAndExecute(
                    new string[] {
                        "push 0",
                        "push 0",
                        "push 1",
                        "push 0",
                        string.Format("push 0x{0}",msgAddress.ToString("X")),
                        string.Format("mov edx, 0x{0} ",wxIdAddress.ToString("X")),
                        string.Format("mov ecx, 0x{0}",tempAddress.ToString("X")),
                        string.Format("call 0x{0}",(mod.BaseAddress.ToInt32()+ 0x55D320).ToString("X")),
                        "add esp,0x14",
                        "ret"
                    });
            }
        }

        public IntPtr AllocatePtr(MemorySharp ms, int size)
        {
            var rtPtr = ms.Memory.Allocate(4);
            ms.Write(rtPtr.BaseAddress, ms.Memory.Allocate(4).BaseAddress, false);
            return rtPtr.BaseAddress;
        }

        public IntPtr AllocateAddress(MemorySharp ms)
        {
            var rtPtr = ms.Memory.Allocate(4);
            ms.Write(rtPtr.BaseAddress, 0, false);
            return rtPtr.BaseAddress;
        }

        public IntPtr AllocateAddress(MemorySharp ms, int val)
        {
            var rtPtr = ms.Memory.Allocate(4);
            ms.Write(rtPtr.BaseAddress, val, false);
            return rtPtr.BaseAddress;
        }

        public IntPtr AllocateAddress(MemorySharp ms,string txt)
        {
            // UTF-16 text: two bytes per character plus a terminating null.
            var rtPtr = ms.Memory.Allocate((txt.Length + 1) * 2);
            ms.WriteString(rtPtr.BaseAddress, txt, Encoding.Unicode, false);
            return rtPtr.BaseAddress;
        }

        public IntPtr AllocateWxDataStruct(MemorySharp ms,string text)
        {
            // UTF-16 text: two bytes per character plus a terminating null.
            var textAddr = ms.Memory.Allocate((text.Length + 1) * 2);
            ms.WriteString(textAddr.BaseAddress, text, Encoding.Unicode, false);

            // Three 4-byte fields are written below: buffer pointer and two length fields.
            var startAddr = ms.Memory.Allocate(12);
            ms.Write(startAddr.BaseAddress, textAddr.BaseAddress, false);
            ms.Write(startAddr.BaseAddress + 4 , text.Length * 2, false);
            ms.Write(startAddr.BaseAddress + 8, text.Length * 2, false);
            return startAddr.BaseAddress;
        }

        public IntPtr AddFriendByWxidParamStruct(MemorySharp ms)
        {
            // Six zeroed 4-byte fields are written below.
            var startAddr = ms.Memory.Allocate(24);
            ms.Write(startAddr.BaseAddress, 0, false);
            ms.Write(startAddr.BaseAddress + 4, 0, false);
            ms.Write(startAddr.BaseAddress + 8, 0, false);
            ms.Write(startAddr.BaseAddress + 12, 0, false);
            ms.Write(startAddr.BaseAddress + 16, 0, false);
            ms.Write(startAddr.BaseAddress + 20, 0, false);
            return startAddr.BaseAddress;
        }

        private void btnSearchWxInfo_Click(object sender, EventArgs e)
        {
            target = Process.GetProcesses().FirstOrDefault(k => k.ProcessName == "WeChat");
            using (var ms = new MemorySharp(target))
            {
                var mod = ms.Modules.RemoteModules.FirstOrDefault(k => k.Name == "WeChatWin.dll");
                var searchTextAddress = AllocateWxDataStruct(ms, txtPhone.Text.Trim());
                var rt = ms.Assembly.InjectAndExecute(
                    new string[] {
                        string.Format("call 0x{0}",(mod.BaseAddress.ToInt32()+ 0x329C80).ToString("X")),
                        string.Format("mov ebx, 0x{0} ",searchTextAddress.ToString("X")),
                        "push ebx",
                        "mov ecx,eax",
                        string.Format("call 0x{0}",(mod.BaseAddress.ToInt32()+ 0x54AEC0).ToString("X")),
                        "ret"
                    });
            }
        }

        private void btnAddFriend_Click(object sender, EventArgs e)
        {
            target = Process.GetProcesses().FirstOrDefault(k => k.ProcessName == "WeChat");
            
            using (var ms = new MemorySharp(target))
            {
                var desc = AllocateAddress(ms, txtDesc.Text.Trim());
                var v3 = AllocateWxDataStruct(ms, txtV3.Text.Trim());
                var tempAddress = AddFriendByWxidParamStruct(ms);

                var mod = ms.Modules.RemoteModules.FirstOrDefault(k => k.Name == "WeChatWin.dll");
                var ebxParam = AllocateAddress(ms, mod.BaseAddress.ToInt32() + 0x1FBD5F4); // 0x7A3D6E48

                var addFriendByV3ParamAddr = ms.Read<int>(new IntPtr(mod.BaseAddress.ToInt32() + 0x2424518),false);
                var asm = new string[] {
                        "mov edi, 0xF",
                        "sub esp, 0x18",
                        "mov ecx, esp",
                        "mov dword [ebp-0x64], esp",
                        "mov esi, 0",
                        "mov eax, 2",
                        "mov dword [ebp-0x60], eax",
                        "mov dword [ecx], 0x0",
                        "mov dword [ecx+0x14], 0xF",
                        "mov dword [ecx+0x10], 0x0",
                        "mov byte [ecx], 0x0",
                        "sub esp, 0x18",
                        "mov byte [ebp-0x4], 0xB",
                        string.Format("mov eax, 0x{0} ",tempAddress.ToString("X")),
                        "mov ecx, esp",
                        "push eax",
                        string.Format("call 0x{0}",(mod.BaseAddress.ToInt32()+ 0x10A9C0).ToString("X")),
                        "push 0",
                        "push 0xF",
                        string.Format("mov edi, 0x{0} ",desc.ToString("X")),
                        "mov eax, edi",
                        "sub esp, 0x14",
                        "mov ecx, esp",
                        "push -1",
                        "push eax",
                        string.Format("call 0x{0}",(mod.BaseAddress.ToInt32()+ 0x7A83B0).ToString("X")), // 7A83B0
                        "push 2",
                        string.Format("mov eax, 0x{0} ",v3.ToString("X")),
                        "sub esp, 0x14",
                        "mov ecx, esp",
                        "push eax",
                        string.Format("call 0x{0}",(mod.BaseAddress.ToInt32()+ 0x7A84A0).ToString("X")),
                        string.Format("mov ecx, 0x{0}",addFriendByV3ParamAddr.ToString("X")),   
                        string.Format("mov ebx, 0x{0}",ebxParam.ToString("X")),
                        string.Format("call 0x{0}",(mod.BaseAddress.ToInt32()+ 0x496980).ToString("X")),
                        //"popfd",
                        //"popad",
                        "ret"
                    };
                var asmcode = string.Join("\n", asm);
                var rt = ms.Assembly.InjectAndExecute(asm);
            }
        }
    }
}

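This is the main source code. It hooks hard-coded assembly addresses; it should really have something that can locate the key points, so that it works across versions.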
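A defender-side view of what the code above does to the target process, as an added example that is not part of the thread or of the linked project: the rule flags Sysmon ProcessAccess (event 10) and CreateRemoteThread (event 8) records that target WeChat.exe. The event records, paths and the `FridaSharp.exe` image name are constructed samples, and it is an assumption that the tool's injection shows up through these two event types.

```python
# Added example: flag Sysmon events consistent with code injection into WeChat.exe.
# Access-right constants are the documented Windows process access flags.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
TARGET = "wechat.exe"
WECHAT = r"C:\Program Files (x86)\Tencent\WeChat\WeChat.exe"  # constructed path

# Constructed sample records, reduced to the fields the rule reads.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Tools\FridaSharp.exe",
     "TargetImage": WECHAT, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": r"C:\Tools\FridaSharp.exe",
     "TargetImage": WECHAT, "StartAddress": "0x03A10000", "StartModule": "-"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": WECHAT, "GrantedAccess": "0x1410"},
    {"EventID": 8, "SourceImage": r"C:\Tools\FridaSharp.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartAddress": "0x02B00000", "StartModule": "-"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a finding label for one event, or None if it is not of interest."""
    source = image_name(event.get("SourceImage", ""))
    if image_name(event.get("TargetImage", "")) != TARGET or source == TARGET:
        return None  # other target, or WeChat acting on itself
    if event.get("EventID") == 8:
        # Assumption: StartModule is "-" or empty when the thread's start
        # address lies in memory not backed by a loaded module.
        unbacked = event.get("StartModule", "-") in ("", "-")
        return "remote-thread-unbacked" if unbacked else "remote-thread"
    if event.get("EventID") == 10:
        access = int(event.get("GrantedAccess", "0"), 16)
        if access & INJECT_MASK == INJECT_MASK:
            return "inject-capable-handle"
    return None


def findings(events):
    """(source image, label) for every event the rule flags, in input order."""
    return [(image_name(e["SourceImage"]), label)
            for e in events if (label := classify(e)) is not None]
```

The read-only Task Manager handle and the thread created in another process are left unflagged; only the write-and-thread-capable handle and the unbacked remote thread in WeChat.exe are reported.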
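文西思密达 posted on 2022-8-6 10:42
graper posted on 2022-8-6 10:25
Is there one for QQ?
hackerbob posted on 2022-8-6 10:35
Impressive, thanks for sharing.
 OP | renxiaofeixia posted on 2022-8-6 10:46
文西思密达 posted on 2022-8-6 10:42
Could the OP share how to find the hook points?

Aren't there video tutorials online?
ingdear posted on 2022-8-6 10:53
I don't understand it, but it sounds impressive. It looks very high-end.
文西思密达 posted on 2022-8-6 10:59
renxiaofeixia posted on 2022-8-6 10:46
Aren't there video tutorials online?

The ones online are all for WeChat 2.6; there are no tutorials for newer versions.
 OP | renxiaofeixia posted on 2022-8-6 11:03
文西思密达 posted on 2022-8-6 10:59
The ones online are all for WeChat 2.6; there are no tutorials for newer versions.

It's about the same.
放羊的狼 posted on 2022-8-6 11:10
Great work, expert!
我真是大宅猫 posted on 2022-8-6 11:11
文西思密达 posted on 2022-8-6 10:59
The ones online are all for WeChat 2.6; there are no tutorials for newer versions.

There are; there are ones for 3.6 and for 3.7.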