

项目基本架构图示

项目工程

该项目主要模块如下

服务端(C# net core)

服务端主要完成的任务:
1、接收客户端上传的数据,处理之后入库
2、界面管理端请求数据时,从数据库查询处理后返回

代码示例如下:

C++ hook注入模块

图示

代码示例

/*
    hook通讯录实现
*/
// File-scope register slots, zero-initialised. They are not referenced by
// GetAddressBook below; presumably the hook entry stub that captures the
// caller's registers writes them (TODO confirm against the injector code,
// which is not on this page).
DWORD aEax{};
DWORD aEcx{};
DWORD aEdx{};
DWORD aEbx{};
DWORD aEsp{};
DWORD aEbp{};
DWORD aEsi{};
DWORD aEdi{};
/*
    Hook callback for one address-book (contact) record.

    userData is treated as the base address of a contact record inside the
    hooked process; the fields are read at hard-coded offsets from it (the
    offsets are presumably valid for a single build of the target module only
    and are not validated here). The record is de-duplicated against the
    file-scope `wxids` container, rendered as a JSON-shaped string and handed
    to MsgToQueue().

    Parameters:
        userData - address of the contact record, carried as a 32-bit DWORD.
    Returns: nothing. Returns early, without queueing anything, when the wxid
             has already been recorded.

    Review notes (defects visible in this body; the code is left unchanged):
      - each `if ((LPVOID *)addr)` tests the computed address, not the pointer
        stored at it, so a null field pointer is still dereferenced;
      - the field strings are concatenated into the JSON verbatim (no
        escaping), so a quote or backslash in a nickname yields malformed JSON
        for whatever consumes the queue;
      - szWxid is 0x500 bytes, but the three wide-char fields alone can hold
        0x100 + 0x200 + 0x200 characters before the JSON framing and before
        multi-byte conversion, so strcpy_s can reach its invalid-parameter
        path for long values rather than truncating.
*/
void GetAddressBook(DWORD userData) {
    // Field addresses as fixed offsets from the record base (see note above).
    DWORD dwWxidAddr = userData + 0x10;            // wxid
    DWORD dwUserIDAddr = userData + 0x44;        // account name (微信号)
    //DWORD wxidV1Add = userData + 0x58;
    DWORD dwNickNameAddr = userData + 0x8C;        // nickname (昵称)
    //DWORD headPicAdd = userData + 0x11C;

    wchar_t wxid[0x100] = { 0 };

    // NOTE(review): this guard is non-zero for any sane userData; it does not
    // protect the dereference below against a null stored pointer.
    if ((LPVOID *)dwWxidAddr) {
        // Copy the wide string the field points to. The write is bounded to
        // the array size only via the size-deducing swprintf_s template
        // overload; the _s family does not silently truncate an over-long
        // source (TODO confirm the expected field length).
        swprintf_s(wxid, L"%s", *((LPVOID *)dwWxidAddr));
        // De-duplicate against the file-scope `wxids` container (declared
        // elsewhere; presumably a std::vector<std::wstring>). Linear scan.
        int nRet = std::count(wxids.begin(), wxids.end(), wxid);
        if (nRet > 0) {    // already recorded: drop this contact
            return;
        }
        else {
            wxids.push_back(wxid);
        }
    }

    // Nickname: same address-guard / copy pattern as above.
    wchar_t nick[0x200] = { 0 };
    if ((LPVOID *)dwNickNameAddr) {
        swprintf_s(nick, L"%s", *((LPVOID *)dwNickNameAddr));
    }

    // Account name: same address-guard / copy pattern as above.
    wchar_t wxuserID[0x200] = { 0 };
    if ((LPVOID *)dwUserIDAddr) {
        swprintf_s(wxuserID, L"%s", *((LPVOID *)dwUserIDAddr));
    }
    
    
    // Assemble the payload by plain concatenation. Field values are inserted
    // without JSON escaping; ReMark is always empty; szProcessID is a
    // file-scope wide string declared elsewhere.
    std::wstring info;
    info.append(L"{\"NickName\":\"");
    info.append(nick);
    info.append(L"\",\"WxID\":\"");
    info.append(wxid);
    info.append(L"\",\"WxName\":\"");
    info.append(wxuserID);
    info.append(L"\",\"ReMark\":\"\",\"Pid\":\"");
    info.append(szProcessID);
    info.append(L"\"}");

    char szWxid[0x500] = { 0 };
    // wideCharToMultiByte() is a project helper that returns a heap buffer the
    // caller frees. Whether it allocates with new or new[] is not visible
    // here, so `delete p` versus `delete[] p` cannot be confirmed.
    char *p = wideCharToMultiByte(info.c_str());
    strcpy_s(szWxid, p);   // bounded to sizeof(szWxid); see the size note above
    delete p;
    MsgToQueue(szWxid);    // hand the record to the sender for the local server at 127.0.0.1:18600
}

hook记录(截选)

版本 2.9.0.123

 _QQ_jc检索的数据:

Executable modules, 条目 11
基址=677C0000
大小=01945000 (26497024.)
入口=68514616 WeChatWi.<ModuleEntryPoint>
名称=WeChatWi
文件版本=2.9.0.112
路径=C:\Program Files (x86)\Tencent\WeChat\WeChatWin.dll

关键数据

发消息

微信ID地址

esp+0x58

消息地址

esp+0x80

hook地址

getWechatWin() + 0x346074

 

 

收消息

微信ID地址

esi-0x1D0

消息地址

esi-0x1A8

hook地址

getWechatWin() + 0x37845F

 

 

 

 

 

 

发消息

0F866020    899D 18FEFFFF   mov dword ptr ss:[ebp-0x1E8],ebx

0F866026    8945 D8         mov dword ptr ss:[ebp-0x28],eax

0F866029    8D8D E0FDFFFF   lea ecx,dword ptr ss:[ebp-0x220]

0F86602F    8D45 18         lea eax,dword ptr ss:[ebp+0x18]

0F866032    50              push eax

0F866033    E8 C8EF1300     call WeChatWi.0F9A5000

0F866038    8B85 18FEFFFF   mov eax,dword ptr ss:[ebp-0x1E8]

0F86603E    83F8 02         cmp eax,0x2

0F866041    74 23           je XWeChatWi.0F866066

0F866043    83F8 05         cmp eax,0x5

0F866046    74 1E           je XWeChatWi.0F866066

0F866048    83F8 06         cmp eax,0x6

0F86604B    74 19           je XWeChatWi.0F866066

0F86604D    83F8 07         cmp eax,0x7

0F866050    74 14           je XWeChatWi.0F866066

0F866052    E8 098FD2FF     call WeChatWi.0F58EF60

0F866057    51              push ecx

0F866058    8D85 E0FDFFFF   lea eax,dword ptr ss:[ebp-0x220]

0F86605E    50              push eax

0F86605F    E8 FCCEF6FF     call WeChatWi.0F7D2F60

0F866064    EB 77           jmp XWeChatWi.0F8660DD

0F866066    E8 F58ED2FF     call WeChatWi.0F58EF60

0F86606B    6A 01           push 0x1

0F86606D    8D85 E0FDFFFF   lea eax,dword ptr ss:[ebp-0x220]      

0F866073    50              push eax

0F866074    E8 47CEF6FF     call WeChatWi.0F7D2EC0                                ; 位置

 

0F866079    EB 62           jmp XWeChatWi.0F8660DD

0F86607B    0F1005 E0AD9010 movups xmm0,dqword ptr ds:[0x1090ADE0]

0F866082    83EC 10         sub esp,0x10

0F866085    8BC4            mov eax,esp

0F866087    83EC 10         sub esp,0x10

0F86608A    0F1100          movups dqword ptr ds:[eax],xmm0

0F86608D    8BC4            mov eax,esp

0F86608F    83EC 10         sub esp,0x10

0F866092    0F1100          movups dqword ptr ds:[eax],xmm0

0F866095    8BC4            mov eax,esp

0F866097    83EC 10         sub esp,0x10

0F86609A    0F1100          movups dqword ptr ds:[eax],xmm0

0F86609D    8BC4            mov eax,esp

0F86609F    83EC 10         sub esp,0x10

0F8660A2    0F1100          movups dqword ptr ds:[eax],xmm0

0F8660A5    8BC4            mov eax,esp

0F8660A7    83EC 10         sub esp,0x10

0F8660AA    8BCC            mov ecx,esp

0F8660AC    FF75 0C         push dword ptr ss:[ebp+0xC]

0F8660AF    0F1100          movups dqword ptr ds:[eax],xmm0

0F8660B2    FF75 08         push dword ptr ss:[ebp+0x8]

0F8660B5    E8 866CD1FF     call WeChatWi.0F57CD40

0F8660BA    68 34949710     push WeChatWi.10979434                            ; ASCII "not found send msg msgId=%d"

0F8660BF    68 387B9810     push WeChatWi.10987B38                                ; ASCII "SendMessageMgr"

0F8660C4    68 447C9810     push WeChatWi.10987C44                                ; ASCII "updateMsgState"

0F8660C9    6A 6B           push 0x6B

0F8660CB    BA 687B9810     mov edx,WeChatWi.10987B68                     ; ASCII "02_manager\SendMessageMgr.cpp"

0F8660D0    B9 04000000     mov ecx,0x4

0F8660D5    E8 56161C00     call WeChatWi.0FA27730

特征码

push 0x1

lea eax,dword ptr ss:[ebp-0x220]

push eax

Hook地址

 

项目概览

线上运行示例
