From 6eef35d41cc87523e6a06c87ca0ad3616374cb94 Mon Sep 17 00:00:00 2001 From: xaoyaoo Date: Fri, 8 Dec 2023 17:07:04 +0800 Subject: [PATCH] =?UTF-8?q?v2.3.3=20=E6=96=B0=E5=A2=9E=E7=AE=80=E5=8C=96?= =?UTF-8?q?=E7=89=88info=E8=8E=B7=E5=8F=96?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- doc/CHANGELOG.md | 10 ++ pywxdump/ui/view_chat.py | 2 +- pywxdump/wx_info/get_wx_info.py | 58 ++++--- pywxdump/wx_info/simplify_wx_info.py | 232 +++++++++++++++++++++++++++ setup.py | 2 +- 5 files changed, 276 insertions(+), 28 deletions(-) create mode 100644 pywxdump/wx_info/simplify_wx_info.py diff --git a/doc/CHANGELOG.md b/doc/CHANGELOG.md index bdc1f97..372a8e2 100644 --- a/doc/CHANGELOG.md +++ b/doc/CHANGELOG.md @@ -1,5 +1,15 @@ # 更新日志 +## v2.3.3 (2023-12-08) + +### 新功能 + +- 新增简化版info获取,只能获取数据库路径和wxid + +### 优化 + +- 修复部分bug + ## v2.3.2 (2023-12-06) ### 新功能 diff --git a/pywxdump/ui/view_chat.py b/pywxdump/ui/view_chat.py index 47bc3f7..2484d78 100644 --- a/pywxdump/ui/view_chat.py +++ b/pywxdump/ui/view_chat.py @@ -216,7 +216,7 @@ def export_html(user, outpath, MSG_ALL_db_path, MediaMSG_all_db_path, FileStorag for i in range(0, chatCount, page_size): start_index = i data = load_chat_records(username, start_index, page_size, user, MSG_ALL_db_path, MediaMSG_all_db_path, - FileStorage_path) + FileStorage_path, [user]) if len(data) == 0: break save_path = os.path.join(outpath, f"{name_save}_{int(i / page_size)}.html") diff --git a/pywxdump/wx_info/get_wx_info.py b/pywxdump/wx_info/get_wx_info.py index f7ccb86..8bcbe21 100644 --- a/pywxdump/wx_info/get_wx_info.py +++ b/pywxdump/wx_info/get_wx_info.py @@ -108,12 +108,15 @@ def get_info_filePath(wxid="all"): if not wxid: return "None" try: - key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Tencent\WeChat", 0, winreg.KEY_READ) - value, _ = winreg.QueryValueEx(key, "FileSavePath") - winreg.CloseKey(key) - w_dir = value + user_profile = os.environ.get("USERPROFILE") + path_3ebffe94 = os.path.join(user_profile, "AppData", "Roaming", "Tencent", "WeChat", "All Users", "config", + "3ebffe94.ini") + with open(path_3ebffe94, "r", encoding="utf-8") as f: + w_dir = f.read() except Exception as e: - # 获取文档实际目录 + w_dir = "MyDocument:" + + if w_dir == "MyDocument:": try: # 打开注册表路径 key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, @@ -124,16 +127,15 @@ def get_info_filePath(wxid="all"): if "%" in documents_paths[0]: w_dir = os.environ.get(documents_paths[0].replace("%", "")) w_dir = os.path.join(w_dir, os.path.join(*documents_paths[1:])) - print(1, w_dir) + # print(1, w_dir) else: w_dir = documents_path except Exception as e: - profile = os.environ.get("USERPROFILE") # 获取用户目录 + profile = os.environ.get("USERPROFILE") w_dir = os.path.join(profile, "Documents") - if w_dir == "MyDocument:": - profile = os.environ.get("USERPROFILE") - w_dir = os.path.join(profile, "Documents") + msg_dir = os.path.join(w_dir, "WeChat Files") + if wxid == "all" and os.path.exists(msg_dir): return msg_dir @@ -217,12 +219,6 @@ def read_info(version_list, is_logging=False): tmp_rd['pid'] = process.pid tmp_rd['version'] = Dispatch("Scripting.FileSystemObject").GetFileVersion(process.exe()) - bias_list = version_list.get(tmp_rd['version'], None) - if not isinstance(bias_list, list): - error = f"[-] WeChat Current Version {tmp_rd['version']} Is Not Supported" - if is_logging: print(error) - return error - wechat_base_address = 0 for module in process.memory_maps(grouped=False): if module.path and 'WeChatWin.dll' in module.path: @@ -235,19 +231,28 @@ def read_info(version_list, is_logging=False): Handle = ctypes.windll.kernel32.OpenProcess(0x1F0FFF, False, process.pid) - name_baseaddr = wechat_base_address + bias_list[0] - account__baseaddr = wechat_base_address + bias_list[1] - mobile_baseaddr = wechat_base_address + bias_list[2] - mail_baseaddr = wechat_base_address + bias_list[3] - # key_baseaddr = wechat_base_address + bias_list[4] + bias_list = version_list.get(tmp_rd['version'], None) + if not isinstance(bias_list, list) or len(bias_list) <= 4: + error = f"[-] WeChat Current Version Is Not Supported(maybe not get account,mobile,name,mail)" + if is_logging: print(error) + tmp_rd['account'] = "None" + tmp_rd['mobile'] = "None" + tmp_rd['name'] = "None" + tmp_rd['mail'] = "None" + else: + name_baseaddr = wechat_base_address + bias_list[0] + account__baseaddr = wechat_base_address + bias_list[1] + mobile_baseaddr = wechat_base_address + bias_list[2] + mail_baseaddr = wechat_base_address + bias_list[3] + # key_baseaddr = wechat_base_address + bias_list[4] + + tmp_rd['account'] = get_info_without_key(Handle, account__baseaddr, 32) if bias_list[1] != 0 else "None" + tmp_rd['mobile'] = get_info_without_key(Handle, mobile_baseaddr, 64) if bias_list[2] != 0 else "None" + tmp_rd['name'] = get_info_without_key(Handle, name_baseaddr, 64) if bias_list[0] != 0 else "None" + tmp_rd['mail'] = get_info_without_key(Handle, mail_baseaddr, 64) if bias_list[3] != 0 else "None" addrLen = get_exe_bit(process.exe()) // 8 - tmp_rd['account'] = get_info_without_key(Handle, account__baseaddr, 32) if bias_list[1] != 0 else "None" - tmp_rd['mobile'] = get_info_without_key(Handle, mobile_baseaddr, 64) if bias_list[2] != 0 else "None" - tmp_rd['name'] = get_info_without_key(Handle, name_baseaddr, 64) if bias_list[0] != 0 else "None" - tmp_rd['mail'] = get_info_without_key(Handle, mail_baseaddr, 64) if bias_list[3] != 0 else "None" - tmp_rd['wxid'] = get_info_wxid(Handle) tmp_rd['filePath'] = get_info_filePath(tmp_rd['wxid']) if tmp_rd['wxid'] != "None" else "None" tmp_rd['key'] = get_key(tmp_rd['filePath'], addrLen) if tmp_rd['filePath'] != "None" else "None" @@ -330,4 +335,5 @@ def get_wechat_db(require_list: Union[List[str], str] = "all", msg_dir: str = No if __name__ == '__main__': from pywxdump import VERSION_LIST + read_info(VERSION_LIST, is_logging=True) diff --git a/pywxdump/wx_info/simplify_wx_info.py b/pywxdump/wx_info/simplify_wx_info.py new file mode 100644 index 0000000..7981b5f --- /dev/null +++ b/pywxdump/wx_info/simplify_wx_info.py @@ -0,0 +1,232 @@ +# -*- coding: utf-8 -*-# +# ------------------------------------------------------------------------------- +# Name: simplify_wx_info.py +# Description: +# Author: xaoyaoo +# Date: 2023/12/07 +# ------------------------------------------------------------------------------- +import hmac +import hashlib +import ctypes +import os +import winreg +import pymem +import psutil +import sys + +ReadProcessMemory = ctypes.windll.kernel32.ReadProcessMemory +void_p = ctypes.c_void_p + + +# 获取exe文件的位数 +def get_exe_bit(file_path): + """ + 获取 PE 文件的位数: 32 位或 64 位 + :param file_path: PE 文件路径(可执行文件) + :return: 如果遇到错误则返回 64 + """ + try: + with open(file_path, 'rb') as f: + dos_header = f.read(2) + if dos_header != b'MZ': + print('get exe bit error: Invalid PE file') + return 64 + # Seek to the offset of the PE signature + f.seek(60) + pe_offset_bytes = f.read(4) + pe_offset = int.from_bytes(pe_offset_bytes, byteorder='little') + + # Seek to the Machine field in the PE header + f.seek(pe_offset + 4) + machine_bytes = f.read(2) + machine = int.from_bytes(machine_bytes, byteorder='little') + + if machine == 0x14c: + return 32 + elif machine == 0x8664: + return 64 + else: + print('get exe bit error: Unknown architecture: %s' % hex(machine)) + return 64 + except IOError: + print('get exe bit error: File not found or cannot be opened') + return 64 + + +def pattern_scan_all(handle, pattern, *, return_multiple=False, find_num=100): + next_region = 0 + found = [] + user_space_limit = 0x7FFFFFFF0000 if sys.maxsize > 2 ** 32 else 0x7fff0000 + while next_region < user_space_limit: + try: + next_region, page_found = pymem.pattern.scan_pattern_page( + handle, + next_region, + pattern, + return_multiple=return_multiple + ) + except Exception as e: + print(e) + break + if not return_multiple and page_found: + return page_found + if page_found: + found += page_found + if len(found) > find_num: + break + return found + + +def get_info_wxid(h_process): + find_num = 100 + addrs = pattern_scan_all(h_process, br'\\Msg\\FTSContact', return_multiple=True, find_num=find_num) + wxids = [] + for addr in addrs: + array = ctypes.create_string_buffer(80) + if ReadProcessMemory(h_process, void_p(addr - 30), array, 80, 0) == 0: return "None" + array = bytes(array) # .split(b"\\")[0] + array = array.split(b"\\Msg")[0] + array = array.split(b"\\")[-1] + wxids.append(array.decode('utf-8', errors='ignore')) + wxid = max(wxids, key=wxids.count) if wxids else "None" + return wxid + + +def get_info_filePath(wxid="all"): + if not wxid: + return "None" + try: + user_profile = os.environ.get("USERPROFILE") + path_3ebffe94 = os.path.join(user_profile, "AppData", "Roaming", "Tencent", "WeChat", "All Users", "config", + "3ebffe94.ini") + with open(path_3ebffe94, "r", encoding="utf-8") as f: + w_dir = f.read() + except Exception as e: + w_dir = "MyDocument:" + + if w_dir == "MyDocument:": + try: + # 打开注册表路径 + key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, + r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders") + documents_path = winreg.QueryValueEx(key, "Personal")[0] # 读取文档实际目录路径 + winreg.CloseKey(key) # 关闭注册表 + documents_paths = os.path.split(documents_path) + if "%" in documents_paths[0]: + w_dir = os.environ.get(documents_paths[0].replace("%", "")) + w_dir = os.path.join(w_dir, os.path.join(*documents_paths[1:])) + # print(1, w_dir) + else: + w_dir = documents_path + except Exception as e: + profile = os.environ.get("USERPROFILE") + w_dir = os.path.join(profile, "Documents") + + msg_dir = os.path.join(w_dir, "WeChat Files") + + if wxid == "all" and os.path.exists(msg_dir): + return msg_dir + + filePath = os.path.join(msg_dir, wxid) + return filePath if os.path.exists(filePath) else "None" + + +def get_key(db_path, addr_len): + def read_key_bytes(h_process, address, address_len=8): + array = ctypes.create_string_buffer(address_len) + if ReadProcessMemory(h_process, void_p(address), array, address_len, 0) == 0: return "None" + address = int.from_bytes(array, byteorder='little') # 逆序转换为int地址(key地址) + key = ctypes.create_string_buffer(32) + if ReadProcessMemory(h_process, void_p(address), key, 32, 0) == 0: return "None" + key_bytes = bytes(key) + return key_bytes + + def verify_key(key, wx_db_path): + KEY_SIZE = 32 + DEFAULT_PAGESIZE = 4096 + DEFAULT_ITER = 64000 + with open(wx_db_path, "rb") as file: + blist = file.read(5000) + salt = blist[:16] + byteKey = hashlib.pbkdf2_hmac("sha1", key, salt, DEFAULT_ITER, KEY_SIZE) + first = blist[16:DEFAULT_PAGESIZE] + + mac_salt = bytes([(salt[i] ^ 58) for i in range(16)]) + mac_key = hashlib.pbkdf2_hmac("sha1", byteKey, mac_salt, 2, KEY_SIZE) + hash_mac = hmac.new(mac_key, first[:-32], hashlib.sha1) + hash_mac.update(b'\x01\x00\x00\x00') + + if hash_mac.digest() != first[-32:-12]: + return False + return True + + phone_type1 = "iphone\x00" + phone_type2 = "android\x00" + phone_type3 = "ipad\x00" + + pm = pymem.Pymem("WeChat.exe") + module_name = "WeChatWin.dll" + + MicroMsg_path = os.path.join(db_path, "MSG", "MicroMsg.db") + + type1_addrs = pm.pattern_scan_module(phone_type1.encode(), module_name, return_multiple=True) + type2_addrs = pm.pattern_scan_module(phone_type2.encode(), module_name, return_multiple=True) + type3_addrs = pm.pattern_scan_module(phone_type3.encode(), module_name, return_multiple=True) + type_addrs = type1_addrs if len(type1_addrs) >= 2 else type2_addrs if len(type2_addrs) >= 2 else type3_addrs if len( + type3_addrs) >= 2 else "None" + # print(type_addrs) + if type_addrs == "None": + return "None" + for i in type_addrs[::-1]: + for j in range(i, i - 2000, -addr_len): + key_bytes = read_key_bytes(pm.process_handle, j, addr_len) + if key_bytes == "None": + continue + if verify_key(key_bytes, MicroMsg_path): + return key_bytes.hex() + return "None" + + +# 读取微信信息(account,mobile,name,mail,wxid,key) +def read_info(is_logging=False): + wechat_process = [] + result = [] + for process in psutil.process_iter(['name', 'exe', 'pid', 'cmdline']): + if process.name() == 'WeChat.exe': + wechat_process.append(process) + + if len(wechat_process) == 0: + error = "[-] WeChat No Run" + if is_logging: print(error) + return error + + for process in wechat_process: + tmp_rd = {} + + tmp_rd['pid'] = process.pid + # tmp_rd['version'] = Dispatch("Scripting.FileSystemObject").GetFileVersion(process.exe()) + + Handle = ctypes.windll.kernel32.OpenProcess(0x1F0FFF, False, process.pid) + + addrLen = get_exe_bit(process.exe()) // 8 + + tmp_rd['wxid'] = get_info_wxid(Handle) + tmp_rd['filePath'] = get_info_filePath(tmp_rd['wxid']) if tmp_rd['wxid'] != "None" else "None" + tmp_rd['key'] = get_key(tmp_rd['filePath'], addrLen) if tmp_rd['filePath'] != "None" else "None" + result.append(tmp_rd) + + if is_logging: + print("=" * 32) + if isinstance(result, str): # 输出报错 + print(result) + else: # 输出结果 + for i, rlt in enumerate(result): + for k, v in rlt.items(): + print(f"[+] {k:>8}: {v}") + print(end="-" * 32 + "\n" if i != len(result) - 1 else "") + print("=" * 32) + return result + + +if __name__ == '__main__': + read_info(is_logging=True) diff --git a/setup.py b/setup.py index de1d98e..f765c6b 100644 --- a/setup.py +++ b/setup.py @@ -3,7 +3,7 @@ from setuptools import setup, find_packages with open("README.md", "r", encoding="utf-8") as fh: long_description = fh.read() -version = "2.3.2" +version = "2.3.3" install_requires = [ "psutil",