WeChat version: 3.9.12.45
Accounts: two WeChat accounts; the main account sends the messages and the secondary account is used for testing.
![图片[1]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/2f72e8823a023b79928124985bd1ef4ce259d900ef5067e6e12f7dd271b0ce0d810cbe9cd35ef6f0c65d75d1104d3944?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309003334045-1e0690b0565a4ac7.png&size=1080)
Locating the message address
Select the WeChat process.
![图片[2]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/be0e1779de8d1db675da1846b99d77d90cf45b652fc1d8797e68862f4184fa4f759cbc9b0aaa8c8d2aebedb01e5f81e9?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309003531575-3171e299997e05f4.png&size=1080)
Send a message from the main account to the secondary account, set the scan type to String, and enter the message text as the value.
![图片[3]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/054f1bb9a8bdce8d22bcea97fb51284c93c1fc947c1471dfc03084d9c6d3d0b764347dc894096c1185de47ce73cf6d29?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309003620823-a13866681e4ccca7.png&size=1080)
Repeat the step above until the result list can no longer be narrowed down (I was left with three), then inspect each candidate in the memory viewer.
![图片[4]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/22e98aca117727abce78ea5e919eed7b3a6af2654f41d6701c0db5cb320e7fc380cf82731a32e4db28e8bea4314e0d28?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309003732156-eee67b615e97541b.png&size=1080)
The one that carries the wxid together with XML-formatted data is the memory address we are after.
![图片[5]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/d785286a362e71a7b976f65348fd83e11e8282019b93dc4ba0a95cc200eaafbc885b1e0db8149eefc96f738e37799ef2?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309003822510-0b3f593cb2a5cf42.png&size=1080)
![图片[6]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/56b6d0f7b628f4e4969450ddbd1dc965e1a31c8aa987d698d727e4809cdf16eb163169cb795b5e724cbd3866a2f37deb?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309003849742-ab262aba4d231bb3.png&size=1080)
x64dbg breakpoint
Note down the current WeChat address, 1B6555E11BD, close Cheat Engine, open x64dbg, attach to WeChat, press Alt+E and select wechatwin.dll.
![图片[7]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/2dbdd99930909169a53825d6c64e67a975edcebf9f25b1ebcde1fb54bb88498182ae330b41cc3a5dfd5d2282fff3d48d?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309004019740-4301f41492653928.png&size=1080)
Open it, then search for the address recorded earlier in the memory window.
![图片[8]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/38f6c356c7c2ba400ead688018a32c4f1ef7e1ab40bd749d36f49a1bf72ad07cc31be6b4d3918379333947aa3fe32723?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309004100009-66329857e390bcd6.png&size=1080)
Set a write breakpoint on it.
![图片[9]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/906aad7bbf39f92b9d35e53231a2dac37ca23fc7b9dff4fdeb370cd49fadc31a044f58160090df9ed9556e18d889b1ce?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309004143152-eadc4cb88c8ab207.png&size=1080)
Now send a message from the main account to the secondary account and look at the call stack.
![图片[10]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/936250a0b5f336fffd737ca32c2939c7aa7ffc8e872cff549998282978c4284a2e154a78f722bc47248adc96c2703325?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309004234591-a3767d090afe3769.png&size=1080)
Find the frame that mentions db (this step locates the call that runs before the message is written to the WeChat database).
![图片[11]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/f0e11ce572497860192e32a3e67f3ad5ea11d9946f7706e2c9e8169d4be5929d773dba54a8ae013f3e4de11d5822b092?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309004706481-eafbc57a883b57ab.png&size=1080)
Select it and right-click "Follow QWORD in Disassembler" (在反汇编中转到指定QWORD).
![图片[12]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/67ead4026652e9c83f633763b67be2e17a3ac8a7b532afaf9915d7ff038f0c2d947202b111c6eb32851dbfab46208da8?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309004725335-7a33d88a7336f02c.png&size=1080)
After jumping there, first remove the previous breakpoint.
![图片[13]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/8037b90f1623d95f23d7413878b3f47dd7be72a5b4850f173e1082bf7b0cd1c14814d9a7b568c2ca228158e694a0a24c?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309005220343-045264296ceac140.png&size=1080)
Then, starting from the location you jumped to, find the preceding call instruction and set a breakpoint on that call.
![图片[14]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/118c6b48957e79e79bcf46c7eb3db53d946e9b3be5823fd2fbdd95971cb6860d92c2e0ee29eead050450623b1c6703ca?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309005128733-21c091d7a313ed5c.png&size=1080)
Send a message; the breakpoint hits. Inspect RDI.
![图片[15]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/3db305000aa73e833eb0efc93f84a5c62b577aead3489265f4758b63657c51a7537b83c779825b09bf04d57ac3adf895?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309010931157-fab1462ef601f496.png&size=1080)
![图片[16]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/2286b26f9a674176fe28c28689d520e362aefc6493e82838e86b648683020ea71f818d772b9dbf8217d428e9308d6512?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309011204653-ea9d10ce34e3925f.png&size=1080)
Double-click the first entry in the address column.
![图片[17]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/6c255415d5b7d0e319f88d86cbe0ff1d56fa2033c4c1eb9dab7a06d65ccca2aecf17d7d64f17d566556382e6718796ac?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309011236859-9e03af3b54260e11.png&size=1080)
From this we can conclude:
0x48 is the WeChat ID (wxid)
0x88 is the message content
Calculating the offset
Go to the breakpoint location and copy the file offset.
![图片[18]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/cecb23d87132f6a5c10aface249ac49c8f99a482e4a3e79965524108c54f3258df95a20b62be2e3eb91325e40ffa97da?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309011722845-95d13f5bb63dc359.png&size=1080)
Then open the calculator icon and add C00 to the file offset (this turns the file offset into an RVA relative to the module base).
![图片[19]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/64bbe25c8543172dd3503eeb8353a583d93dbe1b62cf46f1eea11690567f2343134c14129ace3275ec35b4c122f10465?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309011752005-264a3cfd2ef4f65e.png&size=1080)
The result is 250AEA7.
Verifying the result
Go to the breakpoint location and copy the address.
![图片[20]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/8677494db5a15c2d761e3c7e8c55dcce33a1b3fc7c022427d928d6af6ad64ed5e2b0e86a13d64f4e7fea2875500c0933?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309011838272-52a67f9b5aa08450.png&size=1080)
Then press Alt+E, find wechatwin.dll and copy its base address.
![图片[21]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/5330351b6dc3f52b20fb7448e5307ca0a9522e1d818646ffb6f93ee20da5120b0456761fc3f5b94d17516bd181251459?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309011932459-3970cea94ebdeb8e.png&size=1080)
Subtract the two in the calculator; the result is again 250AEA7.
![图片[22]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/4873121e647049794e64f3ea17c6f449dabd23c866a39861a072e97745ed07ebd2afa0f75f96714ca3baa9717a2b520f?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309011945192-39dd644fd5625635.png&size=1080)
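The +C00 step and the base-subtraction check above both produce the same RVA, but +C00 only holds because it is the .text section's VirtualAddress minus its PointerToRawData in this build. The following is an added example, not code from the original post: it reads the PE section table to convert an x64dbg file offset into the RVA that `wechatWin.add(...)` needs, so the hook still resolves on a build where the delta differs. The minimal PE header is constructed, and the file offset 0x250A2A7 is simply 0x250AEA7 minus 0xC00.

```javascript
// Parse IMAGE_SECTION_HEADER entries from a PE image held in a Buffer.
function parseSections(buf) {
  const dv = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
  const pe = dv.getUint32(0x3c, true);                      // e_lfanew
  if (dv.getUint32(pe, true) !== 0x00004550) throw new Error("not a PE image");
  const numSections = dv.getUint16(pe + 6, true);
  const optSize = dv.getUint16(pe + 20, true);
  const first = pe + 24 + optSize;                          // first section header
  const sections = [];
  for (let i = 0; i < numSections; i++) {
    const s = first + i * 40;
    sections.push({
      name: buf.subarray(s, s + 8).toString("latin1").replace(/\0+$/, ""),
      virtualAddress: dv.getUint32(s + 12, true),
      sizeOfRawData: dv.getUint32(s + 16, true),
      pointerToRawData: dv.getUint32(s + 20, true),
    });
  }
  return sections;
}

// File offset -> RVA: locate the section whose raw data contains the offset.
// On the real DLL: fileOffsetToRva(require("fs").readFileSync("WeChatWin.dll"), off)
function fileOffsetToRva(buf, fileOffset) {
  for (const s of parseSections(buf)) {
    if (fileOffset >= s.pointerToRawData && fileOffset < s.pointerToRawData + s.sizeOfRawData) {
      return fileOffset - s.pointerToRawData + s.virtualAddress;
    }
  }
  throw new Error("file offset 0x" + fileOffset.toString(16) + " lies outside every section");
}

// Constructed minimal PE32+ header (not WeChatWin.dll): one .text section with
// VirtualAddress 0x1000 and PointerToRawData 0x400, i.e. the post's +0xC00 delta.
function buildSamplePe() {
  const buf = Buffer.alloc(0x200);
  buf.write("MZ", 0, "latin1");
  buf.writeUInt32LE(0x80, 0x3c);                            // e_lfanew
  buf.write("PE", 0x80, "latin1");                          // "PE\0\0" signature
  buf.writeUInt16LE(0x8664, 0x84);                          // Machine = x64
  buf.writeUInt16LE(1, 0x86);                               // NumberOfSections
  buf.writeUInt16LE(0xf0, 0x94);                            // SizeOfOptionalHeader (PE32+)
  const s = 0x80 + 24 + 0xf0;
  buf.write(".text", s, "latin1");
  buf.writeUInt32LE(0x1000, s + 12);                        // VirtualAddress
  buf.writeUInt32LE(0x3000000, s + 16);                     // SizeOfRawData, covers the offset
  buf.writeUInt32LE(0x400, s + 20);                         // PointerToRawData
  return buf;
}
```

Feed the RVA this returns to `wechatWin.add(...)` in place of the hard-coded 0x250AEA7, and compare it with the runtime address minus the module base exactly as the verification step above does.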
The result matches, so now we write the Frida script:
```javascript
// Resolve the load address of WeChatWin.dll inside the attached WeChat process.
var wechatWin = Module.findBaseAddress("WeChatWin.dll");
if (!wechatWin) {
    console.error("WeChatWin.dll模块未找到!");
    throw new Error("模块未找到");
}
// Module base + RVA (0x250AEA7, computed above) = the call we set the breakpoint on.
var hookAddress = wechatWin.add(0x250AEA7);
Interceptor.attach(hookAddress, {
    onEnter: function (args) {
        // RDI points at the message object; the field offsets come from the x64dbg session above.
        var obj = this.context.rdi;
        var timestamp = obj.add(0x44).readInt();
        var wxid = obj.add(0x48).readPointer().readUtf16String();
        var msg = obj.add(0x88).readPointer().readUtf16String();
        console.log("[++++] " + timestamp + " " + wxid + " : " + msg);
    }
});
console.log("Hook已安装,等待接收消息...");
```
Run the script
![图片[23]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/83b79a5af7ca9cb579e681b71be3d72cf7465049399eb12fe2dc76650616854648874359b97bf8f2f035f148693c8f6c?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309012259323-6d1b833fa6adea79.png&size=1080)
Send a message to test
![图片[24]-实现微信Hook消息接收-羚羊公子博客](https://picabstract-preview-ftn.weiyun.com/ftn_pic_abs_v3/9b6a08116ac3faaa6cbbc223691231ed96d3db5618033f81e238232f389c9ac27d6f7d29fe6afea67d3624c088af6fdb?pictype=scale&from=30013&version=3.3.3.3&fname=image-20250309012350422-daf56983822c35d1.png&size=1080)
Collection of files needed for this tutorial
© Copyright notice
This article is copyright 羚羊公子博客; please do not repost without permission.