From 2fc599a8f618fe1cdaa3b0dfaa858176c4a588d7 Mon Sep 17 00:00:00 2001 From: xaoyo Date: Mon, 9 Oct 2023 01:47:05 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BC=98=E5=8C=96=E4=BB=A3=E7=A0=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Program/get_base_addr.py | 220 ++------------------------------------- 1 file changed, 7 insertions(+), 213 deletions(-) diff --git a/Program/get_base_addr.py b/Program/get_base_addr.py index 896c4a5..c9aa19c 100644 --- a/Program/get_base_addr.py +++ b/Program/get_base_addr.py 
@@ -20,218 +20,6 @@ ReadProcessMemory = ctypes.windll.kernel32.ReadProcessMemory void_p = ctypes.c_void_p -# def get_pid(keyword): -# """ -# 获取进程id -# :param keyword: 关键字 -# :return: -# """ -# pids = {} -# for proc in psutil.process_iter(): -# if keyword in proc.name(): -# pids[proc.pid] = proc -# return pids -# -# -# class BaseAddr: -# def __init__(self, pid, proc_module_name="WeChatWin.dll"): -# self.pid = pid -# self.module_name = proc_module_name -# self.proc = psutil.Process(self.pid) -# self.version = self.get_app_version(self.proc.exe()) -# self.base_address = 0 -# self.end_address = 0 -# self.batch = 0 -# -# self.key_start_addr = 0 -# self.key_end_addr = 0 -# -# self.mobile_addr = [] -# self.name_addr = [] -# self.account_addr = [] -# # self.key_addr = [] -# -# self.get_base_addr() -# -# def get_app_version(self, executable_path): -# info = win32api.GetFileVersionInfo(executable_path, "\\") -# version = info['FileVersionMS'] >> 16, info['FileVersionMS'] & 0xFFFF, \ -# info['FileVersionLS'] >> 16, info['FileVersionLS'] & 0xFFFF -# version_str = ".".join(map(str, version)) -# -# return version_str -# -# def get_base_addr(self): -# """ -# 获取模块基址 -# :param pid: 进程id -# :param module_name: 模块名 -# :return: -# """ -# base_address = 0 -# end_address = 0 -# batch = 0 -# n = 0 -# for module in self.proc.memory_maps(grouped=False): -# if self.module_name in module.path: -# if n == 0: -# base_address = int(module.addr, 16) -# batch = module.rss -# n += 1 -# end_address = int(module.addr, 16) + module.rss -# -# self.base_address = base_address -# self.end_address = end_address -# self.batch = batch -# # self.batch = end_address - base_address -# -# def find_all(self, c, string): -# """ -# 查找字符串中所有子串的位置 -# :param c: 子串 b'123' -# :param string: 字符串 b'123456789123' -# :return: -# """ -# return [m.start() for m in re.finditer(re.escape(c), string)] -# -# # 搜索内存地址范围内的值 -# def search_memory_value(self, mobile, name, account): -# mobile = mobile.encode("utf-8") -# name = 
name.encode("utf-8") -# account = account.encode("utf-8") -# -# Handle = ctypes.windll.kernel32.OpenProcess(0x1F0FFF, False, self.pid) -# -# mobile_addr = [] -# name_addr = [] -# account_addr = [] -# -# array = ctypes.create_string_buffer(self.batch) -# for i in range(self.base_address, self.end_address, self.batch): -# if ReadProcessMemory(Handle, void_p(i), array, self.batch, None) == 0: -# continue -# -# hex_string = array.raw # 读取到的内存数据 -# -# if mobile in hex_string: -# mobile_addr = mobile_addr + [m.start() + i for m in re.finditer(re.escape(mobile), hex_string)] -# if name in hex_string: -# name_addr = name_addr + [m.start() + i for m in re.finditer(re.escape(name), hex_string)] -# if account in hex_string: -# account_addr = account_addr + [m.start() + i for m in re.finditer(re.escape(account), hex_string)] -# -# self.mobile_addr = mobile_addr -# self.name_addr = name_addr -# self.account_addr = account_addr -# return mobile_addr, name_addr, account_addr -# -# def get_key_addr(self, key): -# """ -# 获取key的地址 -# :param key: -# :return: -# """ -# key = bytes.fromhex(key) -# -# module_start_addr = 34199871460642 -# module_end_addr = 0 -# for module in self.proc.memory_maps(grouped=False): -# if "WeChat" in module.path: -# start_addr = int(module.addr, 16) -# end_addr = start_addr + module.rss -# -# if module_start_addr > start_addr: -# module_start_addr = start_addr -# if module_end_addr < end_addr: -# module_end_addr = end_addr -# -# Handle = ctypes.windll.kernel32.OpenProcess(0x1F0FFF, False, self.pid) -# array = ctypes.create_string_buffer(self.batch) -# for i in range(module_start_addr, module_end_addr, self.batch): -# if ReadProcessMemory(Handle, void_p(i), array, self.batch, None) == 0: -# continue -# -# hex_string = array.raw # 读取到的内存数据 -# if key in hex_string: -# self.key_addr_tmp = i + hex_string.find(key) -# break -# if ((i - module_start_addr) / self.batch) > 300000: -# self.key_addr = 0 -# return -1 -# -# array_key = [] -# for i in range(8): -# 
byte_value = (self.key_addr_tmp >> (i * 8)) & 0xFF -# hex_string = format(byte_value, '02x') -# byte_obj = bytes.fromhex(hex_string) -# array_key.append(byte_obj) -# # 合并数组 -# array_key = b''.join(array_key) -# -# array = ctypes.create_string_buffer(self.batch) -# for i in range(self.base_address, self.end_address, self.batch): -# if ReadProcessMemory(Handle, void_p(i), array, self.batch, None) == 0: -# continue -# -# hex_string = array.raw # 读取到的内存数据 -# if array_key in hex_string: -# self.key_addr = i + hex_string.find(array_key) -# return self.key_addr -# -# def calculate_offset(self, addr): -# """ -# 计算偏移量 -# :param addr: -# :return: -# """ -# if addr == 0: -# return 0 -# offset = addr - self.base_address -# return offset -# -# def get_offset(self): -# """ -# 计算偏移量 -# :param addr: -# :return: -# """ -# mobile_offset = 0 -# name_offset = 0 -# account_offset = 0 -# key_offset = 0 -# if len(self.mobile_addr) >= 1: -# mobile_offset = self.calculate_offset(self.mobile_addr[0]) -# if len(self.name_addr) >= 1: -# name_offset = self.calculate_offset(self.name_addr[0]) -# if len(self.account_addr) >= 1: -# if len(self.account_addr) >= 2: -# account_offset = self.calculate_offset(self.account_addr[1]) -# else: -# account_offset = self.calculate_offset(self.account_addr[0]) -# -# key_offset = self.calculate_offset(self.key_addr) -# -# self.key_offset = key_offset -# self.mobile_offset = mobile_offset -# self.name_offset = name_offset -# self.account_offset = account_offset -# return name_offset, account_offset, mobile_offset, 0, key_offset -# -# -# def run(mobile, name, account, key): -# proc_name = "WeChat.exe" -# proc_module_name = "WeChatWin.dll" -# -# pids = get_pid(proc_name) -# for pid, proc in pids.items(): -# ba = BaseAddr(pid, proc_module_name) -# ba.search_memory_value(mobile, name, account) -# ba.get_key_addr(key) -# name_offset, account_offset, mobile_offset, _, key_offset = ba.get_offset() -# rdata = {ba.version: [name_offset, account_offset, mobile_offset, 0, 
key_offset]} -# return rdata - - class BaseAddr: def __init__(self, account, mobile, name, key): self.account = account.encode("utf-8") @@ -244,6 +32,8 @@ class BaseAddr: self.pm = Pymem("WeChat.exe") + self.islogin = True + def find_all(self, c: bytes, string: bytes, base_addr=0): """ 查找字符串中所有子串的位置 @@ -261,6 +51,7 @@ class BaseAddr: ms, ls = info['FileVersionMS'], info['FileVersionLS'] file_version = f"{win32api.HIWORD(ms)}.{win32api.LOWORD(ms)}.{win32api.HIWORD(ls)}.{win32api.LOWORD(ls)}" return file_version + self.islogin = False def search_memory_value(self, value: bytes, module_name="WeChatWin.dll"): # 创建 Pymem 对象 @@ -273,6 +64,7 @@ class BaseAddr: def search_key(self, key: bytes): pid = self.pm.process_id + # print(self.pm.process_base.lpBaseOfDll, self.pm.process_base.SizeOfImage) batch = 4096 @@ -301,13 +93,15 @@ class BaseAddr: if len(key_addr) > 0: key_addr = key_addr[0] break - + # print(key_addr) key = key_addr.to_bytes(8, byteorder='little') result = self.search_memory_value(key, self.module_name) return result def run(self): self.version = self.get_file_version(self.process_name) + if not self.islogin: + return "[-] WeChat No Run" key_bias = self.search_key(self.key) mobile_bias = self.search_memory_value(self.mobile) name_bias = self.search_memory_value(self.name)
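Review bot: `self.islogin = True` is the only assignment to this flag that can ever execute: the matching `self.islogin = False` added in the `get_file_version` hunk sits after `return file_version`, so it is unreachable, and the `if not self.islogin` guard added to `run` can therefore never fire. If the flag is meant to record that WeChat is not running, the False assignment belongs on the failure path of the lookup, e.g. `except <the exception the version lookup raises>: self.islogin = False; return None` with `return file_version` left on the success path, rather than after the return. Alternatively the flag could be set around `self.pm = Pymem("WeChat.exe")` here, which presumably raises when the process is absent, though that is inferred rather than visible. The start of `get_file_version` is outside the hunk, so the exact exception type involved is not visible.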
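Review bot: The added `# print(self.pm.process_base.lpBaseOfDll, self.pm.process_base.SizeOfImage)` is commented-out debug code, as is `# print(key_addr)` in the `search_key` hunk further down; both should be dropped rather than committed, or turned into `logging.debug(...)` calls if the values are worth keeping. Commented-out statements rot quickly and obscure what the function actually does. `search_key` continues beyond the visible hunk lines.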
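Review bot: `return "[-] WeChat No Run"` makes `run` return a plain string on the failure path while the success path (judging from `key_bias`, `mobile_bias` and `name_bias` being collected) returns structured offset data, so a caller must string-compare to distinguish the two. Prefer an unambiguous signal, `raise RuntimeError("[-] WeChat No Run")`, or `return None` with the docstring stating that None means the process was not found. The body of `run` continues past the end of the hunk, so the actual success return value is not visible here.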