3.1.0.41微信Frida hook消息接收

hksnow · 发表于 2021-1-7 18:19

本帖最后由 hksnow 于 2021-1-8 09:33 编辑

好久没发帖子了，直接上图

微信截图_20210107180935.png

[Asm] 纯文本查看 复制代码

*hook [edi]  700ACB75    83C4 04         add esp,0x4     +0x3CCB75     
700ACB78    8BC8            mov ecx,eax     1879755640
700ACB7A    E8 91964500     call WeChatWi.70506210     
700ACB7F    8BCF            mov ecx,edi

具体细节看代码

[Python] 纯文本查看 复制代码

from __future__ import print_function
import frida
import sys

def on_message(message, data):
    if message['payload']['chatroomvxid'] == None:
        print('[个人消息]: ' + message['payload']['wxid'] + ': ' + message['payload']['text'])
    else:
        print('[群消息]: ' + message['payload']['wxid'] + ': ' + message['payload']['chatroomvxid'] + ': ' + message['payload']['text'])

def main(target_process):
    session = frida.attach(target_process)
    script = session.create_script("""
    var ModAddress=Process.findModuleByName('wechatwin.dll');
    //console.log('ModAdress:' + ModAddress.base);
    var hookAddress=ModAddress.base.add('0x3CCB75')
    //console.log('hookAdress' + hookAddress.base)
    Interceptor.attach(hookAddress,{
        onEnter:function(args) {
            //console.log(JSON.stringify(this.context));
            var edi=this.context.edi;
            //console.log('edi:' + Memory.readPointer(edi));
            var edi1=Memory.readPointer(edi)
            var wxid=Memory.readUtf16String(Memory.readPointer(edi1.add('0x40')));
            var text=Memory.readUtf16String(Memory.readPointer(edi1.add('0x68')));
            var chatroomvxid=Memory.readUtf16String(Memory.readPointer(edi1.add('0x164')));
            send({'wxid':wxid,'text':text,'chatroomvxid':chatroomvxid})
            //console.log(wxid + ':' + text);
        }
    })
""")
    script.on('message', on_message)
    script.load()
    print("[!] Ctrl+D on UNIX, Ctrl+Z on Windows/cmd.exe to detach from instrumented program.\n\n")
    sys.stdin.read()
    session.detach()
if __name__ == '__main__':
    main('wechat.exe')

代码还是比较简单的，然后用python回调输出消息。核心就在找call，做hook实现方式很多，最近玩frida比较多，用它比较简单。

chenshunguo · 发表于 2021-5-7 01:08

1、请问mac版的微信    var ModAddress=Process.findModuleByName('wechatwin.dll');
   这里面的 wechatwin.dll 应该咋写？

2、 var hookAddress=ModAddress.base.add('0x3CCB75')
      0x3CCB75 这个是固定的吗

qingbihao · 发表于 2021-1-8 19:24

Fatal Python error: take_gil: NULL tstate

Thread 0x000051ac (most recent call first):
  File "D:\Learn\PyCharm_Project\wechatProject\venv\lib\site-packages\frida\core.py", line 58 in get_device_matching
  File "D:\Learn\PyCharm_Project\wechatProject\venv\lib\site-packages\frida\core.py", line 26 in wrapper
  File "D:\Learn\PyCharm_Project\wechatProject\venv\lib\site-packages\frida\__init__.py", line 90 in get_device_matching
  File "D:\Learn\PyCharm_Project\wechatProject\venv\lib\site-packages\frida\__init__.py", line 74 in get_local_device
  File "D:\Learn\PyCharm_Project\wechatProject\venv\lib\site-packages\frida\__init__.py", line 62 in attach
  File "D:/Learn/PyCharm_Project/wechatProject/main.py", line 15 in main
  File "D:/Learn/PyCharm_Project/wechatProject/main.py", line 43 in <module>

Process finished with exit code -1073740791 (0xC0000409)

LZ，请问这是什么原因呢，我运行了微信PC版，版本也是对的

森之木源 · 发表于 2021-1-7 18:26

强大的楼主啊，有没更好的分享？

qwertyuiop1822 · 发表于 2021-1-7 19:03

涨姿势了

wujiLINGMAO · 发表于 2021-1-7 19:06

谢谢楼主已经更新谢谢

hui00000 · 发表于 2021-1-7 19:14

感谢分享

QingYi. · 发表于 2021-1-7 19:19

没有看懂这个能干嘛用，还没理解这个帖子的意思

丿昶灬雨 · 发表于 2021-1-7 19:38

强大的楼主啊

Airey · 发表于 2021-1-7 19:41

强噢学习了！

x179 · 发表于 2021-1-7 20:16

一脸懵

不明觉厉

yjy130 · 发表于 2021-1-7 20:20

干嘛用的

帐号		自动登录	找回密码
密码			注册[Register]

[Python 转载] 3.1.0.41微信Frida hook消息接收

免费评分

本帖被以下淘专辑推荐: