WeChatHook.cpp
#include "pch.h"        // precompiled header; must remain the first include
#include <windows.h>
#include <stdio.h>
#include <iostream>
#include <string>
#include <atlconv.h>
#include <atlstr.h>
#include "resource.h"
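using namespace std;

// Length in bytes of the patch written at the hook point: a single E9 rel32 JMP.
constexpr DWORD HOOK_LEN = 5;
// Offset of the hook point from the WeChatWin.dll load address. This value is
// specific to one WeChatWin.dll build; with any other build the patch lands on
// unrelated code. It is not validated anywhere in this file.
constexpr DWORD ReceiveMessageHookOffset = 0x550F4C;

VOID SendCallbackMsg(LPVOID msg);

// The HOOK_LEN original bytes at the hook point, saved by HookMessageCall so
// that SendCallbackMsg can write them back (self-unhook). All zeros until the
// hook has been installed.
BYTE backupCode[HOOK_LEN]{ 0 };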
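/// Forwards the text of a received message record to SendCallbackMsg.
/// @param msg Value of EAX at the hook point (captured by MsgProcess). It is
///            treated as the address of a slot that holds the address of the
///            message record; the text pointer is then read at record + 0x70.
///            The field offsets are for the WeChatWin.dll build this hook
///            targets and are not validated here.
/// Null checks are new: the original dereferenced msg unconditionally, and its
/// `msgContent == NULL` test could never be true because record + 0x70 is
/// never zero. Note that a bad pointer raises a structured exception (access
/// violation), which the std::exception handler below does not catch.
VOID MsgForward(DWORD msg)
{
    try {
        if (msg == 0) return;   // nothing to read
        const DWORD record = *reinterpret_cast<DWORD*>(msg);
        if (record == 0) return;   // a null record would make record + 0x70 a bad pointer
        // Only the content field is used. The sender/key fields (+0x48, +0x170,
        // +0x184) were consumed by dialog-display code that had already been
        // commented out.
        LPVOID msgContent = reinterpret_cast<LPVOID>(record + 0x70);
        SendCallbackMsg(msgContent);
    }
    catch (const std::exception&) {
        MessageBox(NULL, L"发生未预料的错误", L"错误", 0);
    }
}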
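/// Returns the load address of WeChatWin.dll as a DWORD (this file is 32-bit
/// only: the value is used as a base for inline-asm call/jmp targets).
/// The module is expected to be loaded already in the process this DLL runs in,
/// so GetModuleHandleW is tried first; LoadLibraryW is kept as the fallback so
/// behaviour is unchanged when it is not. The original called LoadLibrary on
/// every invocation, which incremented the module reference count each time
/// and was never balanced by FreeLibrary.
/// @return Module base, or 0 if the DLL is neither loaded nor loadable.
DWORD GetWechatWinAdd()
{
    HMODULE mod = ::GetModuleHandleW(L"WeChatWin.dll");
    if (mod == NULL) {
        mod = ::LoadLibraryW(L"WeChatWin.dll");
    }
    return static_cast<DWORD>(reinterpret_cast<UINT_PTR>(mod));
}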
// Register image captured by MsgProcess on entry to the hook and written back
// before control returns to WeChatWin.dll. They are plain globals on purpose:
// the inline asm in MsgProcess refers to them by name.
DWORD cEax{ 0 };
DWORD cEcx{ 0 };
DWORD cEdx{ 0 };
DWORD cEbx{ 0 };
DWORD cEsp{ 0 };
DWORD cEbp{ 0 };
DWORD cEsi{ 0 };
DWORD cEdi{ 0 };
// Absolute targets for the trailing `call` / `jmp` in MsgProcess; computed at
// run time from the WeChatWin.dll load address.
DWORD retCallAdd{ 0 };
DWORD retCallAddNext{ 0 };
/// Trampoline that the patch installed by HookMessageCall jumps to.
/// __declspec(naked): the compiler emits no prologue/epilogue, so the register
/// state at the hook point is captured by hand, the C++ handler is called, the
/// registers are put back, and control continues with an indirect call followed
/// by a jump to the instruction after the 5-byte patch.
/// EFLAGS is not preserved (no pushfd/popfd), so the hooked code must not
/// depend on flags across the patched instruction — TODO confirm against the
/// target code.
VOID __declspec(naked) MsgProcess()
{
    // Snapshot every general-purpose register into the globals, including
    // ESP/EBP, which the C++ call below will disturb.
    __asm {
        mov cEax, eax
        mov cEcx, ecx
        mov cEdx, edx
        mov cEbx, ebx
        mov cEsp, esp
        mov cEbp, ebp
        mov cEsi, esi
        mov cEdi, edi
    }
    // EAX at the hook point is taken to be the message pointer (see MsgForward).
    // NOTE(review): this is an ordinary C++ call made from a naked function with
    // no stack frame; it relies on ESP being a valid, sufficiently deep stack at
    // the hook point.
    MsgForward(cEax);
    // Continuation: the instruction right after the patch (hook point + 5) and
    // a routine at base + 0xA96350 — presumably the call the 5-byte patch
    // replaced, though that is not verifiable from this file.
    retCallAddNext = GetWechatWinAdd() + ReceiveMessageHookOffset + 0x5;
    retCallAdd = GetWechatWinAdd() + 0xA96350;
    // Restore the captured register image before leaving.
    __asm {
        mov eax, cEax
        mov ecx, cEcx
        mov edx, cEdx
        mov ebx, cEbx
        mov esp, cEsp
        mov ebp, cEbp
        mov esi, cEsi
        mov edi, cEdi
    }
    // Both operands are DWORD globals, so these assemble as an indirect call
    // and an indirect jump through memory (call dword ptr [retCallAdd]).
    __asm {
        call retCallAdd
        jmp retCallAddNext
    }
}
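/// Writes a 5-byte relative JMP at the WeChatWin.dll hook point so execution is
/// redirected to `func`; the bytes overwritten are saved in backupCode so that
/// SendCallbackMsg can restore them later.
/// @param func Address the JMP targets (MsgProcess in this file).
/// Failures are reported with a MessageBox. A failed read leaves the target
/// untouched; a failed write leaves it untouched but backupCode already filled.
/// Calling this twice would overwrite backupCode with the JMP itself, which
/// makes the later restore a no-op — install the hook once.
VOID HookMessageCall(LPVOID func)
{
    //0x37CD13   (original comment; presumably the offset for an earlier build)
    const DWORD hookPoint = GetWechatWinAdd() + ReceiveMessageHookOffset;
    // E9 rel32: the displacement is relative to the end of the 5-byte instruction.
    BYTE jmpCode[HOOK_LEN] = { 0 };
    jmpCode[0] = 0xE9;
    const DWORD rel = static_cast<DWORD>(reinterpret_cast<UINT_PTR>(func)) - hookPoint - HOOK_LEN;
    // Little-endian byte store; equivalent to the original unaligned DWORD write.
    jmpCode[1] = static_cast<BYTE>(rel);
    jmpCode[2] = static_cast<BYTE>(rel >> 8);
    jmpCode[3] = static_cast<BYTE>(rel >> 16);
    jmpCode[4] = static_cast<BYTE>(rel >> 24);
    // GetCurrentProcess() is a pseudo-handle with full access to this process
    // and needs no CloseHandle; the original's OpenProcess handle was leaked.
    const HANDLE self = GetCurrentProcess();
    if (ReadProcessMemory(self, reinterpret_cast<LPCVOID>(hookPoint), backupCode, HOOK_LEN, NULL) == 0) {
        MessageBox(NULL, L"内存读取失败", L"错误", 0);
        return;
    }
    if (WriteProcessMemory(self, reinterpret_cast<LPVOID>(hookPoint), jmpCode, HOOK_LEN, NULL) == 0) {
        MessageBox(NULL, L"内存写入失败", L"错误", 0);
        return;
    }
}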
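/// Delivers the message text to the listener window via WM_COPYDATA or, when
/// that window cannot be found, writes the saved original bytes back at the
/// hook point (self-unhook) and reports it.
/// @param msg Address of an LPCWSTR field inside the message record
///            (MsgForward passes record + 0x70).
/// The text is converted to the ANSI code page (CP_ACP) before sending, so the
/// receiver gets an 8-bit string and characters outside that code page are lost.
/// New compared with the original: null/failed-conversion checks (the original
/// sent an uninitialized buffer when conversion failed), no leaked process
/// handle, and no manual new[]/delete[].
VOID SendCallbackMsg(LPVOID msg) {
    // Title of the window owned by the listener program that receives the text.
    const HWND listener = ::FindWindowW(NULL, L"支付监听回调");
    if (listener != NULL && ::IsWindow(listener))
    {
        if (msg == NULL) return;
        LPCWSTR text = *static_cast<LPCWSTR*>(msg);
        if (text == NULL) return;
        // First call only sizes the buffer; with cchWideChar == -1 the size
        // includes the terminating NUL.
        const int needed = WideCharToMultiByte(CP_ACP, 0, text, -1, NULL, 0, NULL, NULL);
        if (needed <= 0) return;
        std::string buf(static_cast<size_t>(needed), '\0');
        const int written = WideCharToMultiByte(CP_ACP, 0, text, -1, &buf[0], needed, NULL, NULL);
        if (written <= 0) return;
        COPYDATASTRUCT copyData{};
        copyData.dwData = 0;
        copyData.cbData = static_cast<DWORD>(written);   // NUL included, same as strlen(s) + 1 before
        copyData.lpData = &buf[0];
        // wParam carries GetCurrentProcess() as in the original. WM_COPYDATA
        // defines wParam as the sender's window handle, so the receiver must not
        // interpret it as one. SendMessage is synchronous, so buf outlives the call.
        ::SendMessageW(listener, WM_COPYDATA, reinterpret_cast<WPARAM>(GetCurrentProcess()), reinterpret_cast<LPARAM>(&copyData));
    }
    else {
        // Listener gone: put the saved bytes back so WeChatWin.dll runs unpatched.
        // MsgProcess, still on the stack, continues via its own saved targets
        // (hook point + 5), so this invocation does not re-execute the restored bytes.
        const DWORD hookPoint = GetWechatWinAdd() + ReceiveMessageHookOffset;
        // Pseudo-handle with full access; the original's OpenProcess handle was never closed.
        if (WriteProcessMemory(GetCurrentProcess(), reinterpret_cast<LPVOID>(hookPoint), backupCode, HOOK_LEN, NULL) == 0) {
            MessageBox(NULL, L"内存写入失败", L"错误", 0);
            return;
        }
        MessageBox(NULL, L"句柄无效,请确认主程序是否启动\n监听模块自动卸载", L"错误", 0);
    }
}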