hksnow posted on 2021-1-7 18:19

Frida hook on WeChat 3.1.0.41 message receiving

Last edited by hksnow on 2021-1-8 09:33

It's been a while since my last post, so straight to the screenshots.



*hook 700ACB75    83C4 04         add esp,0x4   +0x3CCB75   
700ACB78    8BC8            mov ecx,eax   1879755640
700ACB7A    E8 91964500   call WeChatWi.70506210   
700ACB7F    8BCF            mov ecx,edi

See the code for the details.


from __future__ import print_function
import frida
import sys

def on_message(message, data):
    # Frida reports script-side exceptions as {'type': 'error', ...} with no
    # 'payload' key, so check the envelope type before indexing into it.
    if message['type'] != 'send':
        print('[frida]: ' + str(message))
        return
    payload = message['payload']
    # readUtf16String() on a null pointer yields null in JS, which arrives here as None
    if payload['chatroomvxid'] is None:
        print('[个人消息]: ' + payload['wxid'] + ': ' + payload['text'])
    else:
        print('[群消息]: ' + payload['wxid'] + ': ' + payload['chatroomvxid'] + ': ' + payload['text'])

def main(target_process):
    session = frida.attach(target_process)
    script = session.create_script("""
    var ModAddress=Process.findModuleByName('wechatwin.dll');
    //console.log('ModAddress:' + ModAddress.base);
    // offset of the hooked call site inside WeChatWin.dll (build 3.1.0.41)
    var hookAddress=ModAddress.base.add('0x3CCB75');
    //console.log('hookAddress:' + hookAddress);
    Interceptor.attach(hookAddress,{
      onEnter:function(args) {
            //console.log(JSON.stringify(this.context));
            // edi holds a pointer to the message object; the strings sit at fixed offsets
            var edi=this.context.edi;
            //console.log('edi:' + Memory.readPointer(edi));
            var edi1=Memory.readPointer(edi);
            var wxid=Memory.readUtf16String(Memory.readPointer(edi1.add('0x40')));
            var text=Memory.readUtf16String(Memory.readPointer(edi1.add('0x68')));
            var chatroomvxid=Memory.readUtf16String(Memory.readPointer(edi1.add('0x164')));
            // hand the fields to the Python side as one JSON message
            send({'wxid':wxid,'text':text,'chatroomvxid':chatroomvxid});
            //console.log(wxid + ':' + text);
      }
    });
""")
    script.on('message', on_message)
    script.load()
    print("[!] Ctrl+D on UNIX, Ctrl+Z on Windows/cmd.exe to detach from instrumented program.\n\n")
    sys.stdin.read()
    session.detach()

if __name__ == '__main__':
    main('wechat.exe')

The code is fairly simple; the Python callback then prints the messages. The core of it is finding the call. There are many ways to implement the hook; I've been playing with Frida a lot lately, and it makes this easy.
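The host-side callback in the post assumes every message Frida delivers is a 'send' carrying a complete payload. Frida also delivers an 'error' envelope (no 'payload' key) when the injected script throws, for instance when a pointer read hits unmapped memory, and readUtf16String on a null pointer yields null, which reaches Python as None. The following added example, which is not part of hksnow's post, is a stand-alone parser for those envelope shapes, run over constructed sample messages so it needs no Frida installation; the field names wxid, text and chatroomvxid are the ones the post's script sends, everything else is assumed.

```python
# Parse the message envelopes a Frida host receives via script.on('message', ...).
# Added example (not from the original post); the sample messages below are constructed.

def format_wechat_message(message):
    """Return a one-line description of one Frida host message, or None to ignore it.

    Envelope shapes handled:
      {'type': 'send', 'payload': {...}}            - produced by send() in the script
      {'type': 'error', 'description': ..., ...}    - an exception in the injected script
      anything else                                 - ignored
    """
    kind = message.get('type')
    if kind == 'error':
        # Surface script-side failures (e.g. a bad offset for another build) instead of
        # crashing the host with a KeyError on the missing 'payload'.
        detail = message.get('description') or message.get('stack') or '<no detail>'
        return '[script error]: %s' % detail
    if kind != 'send':
        return None
    payload = message.get('payload') or {}
    # A null string pointer on the JS side arrives as None; substitute placeholders so
    # formatting never raises.
    wxid = payload.get('wxid') or '<unknown wxid>'
    text = payload.get('text') or ''
    chatroom = payload.get('chatroomvxid')
    if chatroom is None:
        return '[private] %s: %s' % (wxid, text)
    return '[group] %s@%s: %s' % (wxid, chatroom, text)


# Constructed sample envelopes in the shapes Frida's Python bindings deliver.
SAMPLE_MESSAGES = [
    {'type': 'send', 'payload': {'wxid': 'wxid_a', 'text': 'hello', 'chatroomvxid': None}},
    {'type': 'send', 'payload': {'wxid': 'wxid_b', 'text': 'hi all', 'chatroomvxid': '1234@chatroom'}},
    {'type': 'error', 'description': 'Error: access violation accessing 0x0',
     'stack': 'Error: access violation accessing 0x0\n    at onEnter (script:12)'},
    {'type': 'log', 'level': 'info', 'payload': 'ignored by this handler'},
]


def demo():
    """Run the parser over the constructed samples and return the lines it would print."""
    return [line for line in map(format_wechat_message, SAMPLE_MESSAGES) if line is not None]


if __name__ == '__main__':
    for line in demo():
        print(line)
```

In a real session the handler is registered as before with script.on('message', ...) and each call simply prints the result of format_wechat_message; the 'error' branch is what keeps the host alive when an offset does not match the running build.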

chenshunguo posted on 2021-5-7 01:08

1. For the Mac version of WeChat, in var ModAddress=Process.findModuleByName('wechatwin.dll');
   what should wechatwin.dll be replaced with?

2. In var hookAddress=ModAddress.base.add('0x3CCB75')
   is 0x3CCB75 fixed?

qingbihao posted on 2021-1-8 19:24

Fatal Python error: take_gil: NULL tstate

Thread 0x000051ac (most recent call first):
File "D:\Learn\PyCharm_Project\wechatProject\venv\lib\site-packages\frida\core.py", line 58 in get_device_matching
File "D:\Learn\PyCharm_Project\wechatProject\venv\lib\site-packages\frida\core.py", line 26 in wrapper
File "D:\Learn\PyCharm_Project\wechatProject\venv\lib\site-packages\frida\__init__.py", line 90 in get_device_matching
File "D:\Learn\PyCharm_Project\wechatProject\venv\lib\site-packages\frida\__init__.py", line 74 in get_local_device
File "D:\Learn\PyCharm_Project\wechatProject\venv\lib\site-packages\frida\__init__.py", line 62 in attach
File "D:/Learn/PyCharm_Project/wechatProject/main.py", line 15 in main
File "D:/Learn/PyCharm_Project/wechatProject/main.py", line 43 in <module>

Process finished with exit code -1073740791 (0xC0000409)

OP, what causes this? I'm running the PC version of WeChat, and the version is correct too.

森之木源 posted on 2021-1-7 18:26

Impressive, OP. Anything more to share?

qwertyuiop1822 posted on 2021-1-7 19:03

Learned something new.

wujiLINGMAO posted on 2021-1-7 19:06

Thanks, OP, already updated. Thanks.

hui00000 posted on 2021-1-7 19:14

Thanks for sharing.

QingYi. posted on 2021-1-7 19:19

I don't get what this is for; I haven't understood the point of this thread yet.

丿昶灬雨 posted on 2021-1-7 19:38

Impressive, OP.

Airey posted on 2021-1-7 19:41

Nice, learned something!

x179 posted on 2021-1-7 20:16

Totally lost, but it looks impressive.

yjy130 posted on 2021-1-7 20:20

What is it used for?