cyonjan/PyWxDump
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

v2.3.3 新增简化版info获取

Browse Source
This commit is contained in:
xaoyaoo 2023-12-08 17:07:04 +08:00
parent 8322a157df
commit 6eef35d41c
5 changed files with 276 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
doc/CHANGELOG.md
View File

@ -1,5 +1,15 @@
# 更新日志 # 更新日志
## v2.3.3 (2023-12-08)
### 新功能
- 新增简化版info获取只能获取数据库路径和wxid
### 优化
- 修复部分bug
## v2.3.2 (2023-12-06) ## v2.3.2 (2023-12-06)
### 新功能 ### 新功能

2
pywxdump/ui/view_chat.py
View File

@ -216,7 +216,7 @@ def export_html(user, outpath, MSG_ALL_db_path, MediaMSG_all_db_path, FileStorag
for i in range(0, chatCount, page_size): for i in range(0, chatCount, page_size):
start_index = i start_index = i
data = load_chat_records(username, start_index, page_size, user, MSG_ALL_db_path, MediaMSG_all_db_path, data = load_chat_records(username, start_index, page_size, user, MSG_ALL_db_path, MediaMSG_all_db_path,
FileStorage_path) FileStorage_path, [user])
if len(data) == 0: if len(data) == 0:
break break
save_path = os.path.join(outpath, f"{name_save}_{int(i / page_size)}.html") save_path = os.path.join(outpath, f"{name_save}_{int(i / page_size)}.html")

58
pywxdump/wx_info/get_wx_info.py
View File

@ -108,12 +108,15 @@ def get_info_filePath(wxid="all"):
if not wxid: if not wxid:
return "None" return "None"
try: try:
key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Tencent\WeChat", 0, winreg.KEY_READ) user_profile = os.environ.get("USERPROFILE")
value, _ = winreg.QueryValueEx(key, "FileSavePath") path_3ebffe94 = os.path.join(user_profile, "AppData", "Roaming", "Tencent", "WeChat", "All Users", "config",
winreg.CloseKey(key) "3ebffe94.ini")
w_dir = value with open(path_3ebffe94, "r", encoding="utf-8") as f:
w_dir = f.read()
except Exception as e: except Exception as e:
# 获取文档实际目录 w_dir = "MyDocument:"
if w_dir == "MyDocument:":
try: try:
# 打开注册表路径 # 打开注册表路径
key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
@ -124,16 +127,15 @@ def get_info_filePath(wxid="all"):
if "%" in documents_paths[0]: if "%" in documents_paths[0]:
w_dir = os.environ.get(documents_paths[0].replace("%", "")) w_dir = os.environ.get(documents_paths[0].replace("%", ""))
w_dir = os.path.join(w_dir, os.path.join(*documents_paths[1:])) w_dir = os.path.join(w_dir, os.path.join(*documents_paths[1:]))
print(1, w_dir) # print(1, w_dir)
else: else:
w_dir = documents_path w_dir = documents_path
except Exception as e: except Exception as e:
profile = os.environ.get("USERPROFILE") # 获取用户目录 profile = os.environ.get("USERPROFILE")
w_dir = os.path.join(profile, "Documents") w_dir = os.path.join(profile, "Documents")
if w_dir == "MyDocument:":
profile = os.environ.get("USERPROFILE")
w_dir = os.path.join(profile, "Documents")
msg_dir = os.path.join(w_dir, "WeChat Files") msg_dir = os.path.join(w_dir, "WeChat Files")
if wxid == "all" and os.path.exists(msg_dir): if wxid == "all" and os.path.exists(msg_dir):
return msg_dir return msg_dir
@ -217,12 +219,6 @@ def read_info(version_list, is_logging=False):
tmp_rd['pid'] = process.pid tmp_rd['pid'] = process.pid
tmp_rd['version'] = Dispatch("Scripting.FileSystemObject").GetFileVersion(process.exe()) tmp_rd['version'] = Dispatch("Scripting.FileSystemObject").GetFileVersion(process.exe())
bias_list = version_list.get(tmp_rd['version'], None)
if not isinstance(bias_list, list):
error = f"[-] WeChat Current Version {tmp_rd['version']} Is Not Supported"
if is_logging: print(error)
return error
wechat_base_address = 0 wechat_base_address = 0
for module in process.memory_maps(grouped=False): for module in process.memory_maps(grouped=False):
if module.path and 'WeChatWin.dll' in module.path: if module.path and 'WeChatWin.dll' in module.path:
@ -235,19 +231,28 @@ def read_info(version_list, is_logging=False):
Handle = ctypes.windll.kernel32.OpenProcess(0x1F0FFF, False, process.pid) Handle = ctypes.windll.kernel32.OpenProcess(0x1F0FFF, False, process.pid)
name_baseaddr = wechat_base_address + bias_list[0] bias_list = version_list.get(tmp_rd['version'], None)
account__baseaddr = wechat_base_address + bias_list[1] if not isinstance(bias_list, list) or len(bias_list) <= 4:
mobile_baseaddr = wechat_base_address + bias_list[2] error = f"[-] WeChat Current Version Is Not Supported(maybe not get account,mobile,name,mail)"
mail_baseaddr = wechat_base_address + bias_list[3] if is_logging: print(error)
# key_baseaddr = wechat_base_address + bias_list[4] tmp_rd['account'] = "None"
tmp_rd['mobile'] = "None"
tmp_rd['name'] = "None"
tmp_rd['mail'] = "None"
else:
name_baseaddr = wechat_base_address + bias_list[0]
account__baseaddr = wechat_base_address + bias_list[1]
mobile_baseaddr = wechat_base_address + bias_list[2]
mail_baseaddr = wechat_base_address + bias_list[3]
# key_baseaddr = wechat_base_address + bias_list[4]
tmp_rd['account'] = get_info_without_key(Handle, account__baseaddr, 32) if bias_list[1] != 0 else "None"
tmp_rd['mobile'] = get_info_without_key(Handle, mobile_baseaddr, 64) if bias_list[2] != 0 else "None"
tmp_rd['name'] = get_info_without_key(Handle, name_baseaddr, 64) if bias_list[0] != 0 else "None"
tmp_rd['mail'] = get_info_without_key(Handle, mail_baseaddr, 64) if bias_list[3] != 0 else "None"
addrLen = get_exe_bit(process.exe()) // 8 addrLen = get_exe_bit(process.exe()) // 8
tmp_rd['account'] = get_info_without_key(Handle, account__baseaddr, 32) if bias_list[1] != 0 else "None"
tmp_rd['mobile'] = get_info_without_key(Handle, mobile_baseaddr, 64) if bias_list[2] != 0 else "None"
tmp_rd['name'] = get_info_without_key(Handle, name_baseaddr, 64) if bias_list[0] != 0 else "None"
tmp_rd['mail'] = get_info_without_key(Handle, mail_baseaddr, 64) if bias_list[3] != 0 else "None"
tmp_rd['wxid'] = get_info_wxid(Handle) tmp_rd['wxid'] = get_info_wxid(Handle)
tmp_rd['filePath'] = get_info_filePath(tmp_rd['wxid']) if tmp_rd['wxid'] != "None" else "None" tmp_rd['filePath'] = get_info_filePath(tmp_rd['wxid']) if tmp_rd['wxid'] != "None" else "None"
tmp_rd['key'] = get_key(tmp_rd['filePath'], addrLen) if tmp_rd['filePath'] != "None" else "None" tmp_rd['key'] = get_key(tmp_rd['filePath'], addrLen) if tmp_rd['filePath'] != "None" else "None"
@ -330,4 +335,5 @@ def get_wechat_db(require_list: Union[List[str], str] = "all", msg_dir: str = No
if __name__ == '__main__': if __name__ == '__main__':
from pywxdump import VERSION_LIST from pywxdump import VERSION_LIST
read_info(VERSION_LIST, is_logging=True) read_info(VERSION_LIST, is_logging=True)

232
pywxdump/wx_info/simplify_wx_info.py Normal file
View File

@ -0,0 +1,232 @@
# -*- coding: utf-8 -*-#
# -------------------------------------------------------------------------------
# Name: simplify_wx_info.py
# Description:
# Author: xaoyaoo
# Date: 2023/12/07
# -------------------------------------------------------------------------------
import hmac
import hashlib
import ctypes
import os
import winreg
import pymem
import psutil
import sys
ReadProcessMemory = ctypes.windll.kernel32.ReadProcessMemory
void_p = ctypes.c_void_p
# 获取exe文件的位数
def get_exe_bit(file_path):
"""
获取 PE 文件的位数: 32 位或 64
:param file_path: PE 文件路径(可执行文件)
:return: 如果遇到错误则返回 64
"""
try:
with open(file_path, 'rb') as f:
dos_header = f.read(2)
if dos_header != b'MZ':
print('get exe bit error: Invalid PE file')
return 64
# Seek to the offset of the PE signature
f.seek(60)
pe_offset_bytes = f.read(4)
pe_offset = int.from_bytes(pe_offset_bytes, byteorder='little')
# Seek to the Machine field in the PE header
f.seek(pe_offset + 4)
machine_bytes = f.read(2)
machine = int.from_bytes(machine_bytes, byteorder='little')
if machine == 0x14c:
return 32
elif machine == 0x8664:
return 64
else:
print('get exe bit error: Unknown architecture: %s' % hex(machine))
return 64
except IOError:
print('get exe bit error: File not found or cannot be opened')
return 64
def pattern_scan_all(handle, pattern, *, return_multiple=False, find_num=100):
next_region = 0
found = []
user_space_limit = 0x7FFFFFFF0000 if sys.maxsize > 2 ** 32 else 0x7fff0000
while next_region < user_space_limit:
try:
next_region, page_found = pymem.pattern.scan_pattern_page(
handle,
next_region,
pattern,
return_multiple=return_multiple
)
except Exception as e:
print(e)
break
if not return_multiple and page_found:
return page_found
if page_found:
found += page_found
if len(found) > find_num:
break
return found
def get_info_wxid(h_process):
find_num = 100
addrs = pattern_scan_all(h_process, br'\\Msg\\FTSContact', return_multiple=True, find_num=find_num)
wxids = []
for addr in addrs:
array = ctypes.create_string_buffer(80)
if ReadProcessMemory(h_process, void_p(addr - 30), array, 80, 0) == 0: return "None"
array = bytes(array) # .split(b"\\")[0]
array = array.split(b"\\Msg")[0]
array = array.split(b"\\")[-1]
wxids.append(array.decode('utf-8', errors='ignore'))
wxid = max(wxids, key=wxids.count) if wxids else "None"
return wxid
def get_info_filePath(wxid="all"):
if not wxid:
return "None"
try:
user_profile = os.environ.get("USERPROFILE")
path_3ebffe94 = os.path.join(user_profile, "AppData", "Roaming", "Tencent", "WeChat", "All Users", "config",
"3ebffe94.ini")
with open(path_3ebffe94, "r", encoding="utf-8") as f:
w_dir = f.read()
except Exception as e:
w_dir = "MyDocument:"
if w_dir == "MyDocument:":
try:
# 打开注册表路径
key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders")
documents_path = winreg.QueryValueEx(key, "Personal")[0] # 读取文档实际目录路径
winreg.CloseKey(key) # 关闭注册表
documents_paths = os.path.split(documents_path)
if "%" in documents_paths[0]:
w_dir = os.environ.get(documents_paths[0].replace("%", ""))
w_dir = os.path.join(w_dir, os.path.join(*documents_paths[1:]))
# print(1, w_dir)
else:
w_dir = documents_path
except Exception as e:
profile = os.environ.get("USERPROFILE")
w_dir = os.path.join(profile, "Documents")
msg_dir = os.path.join(w_dir, "WeChat Files")
if wxid == "all" and os.path.exists(msg_dir):
return msg_dir
filePath = os.path.join(msg_dir, wxid)
return filePath if os.path.exists(filePath) else "None"
def get_key(db_path, addr_len):
def read_key_bytes(h_process, address, address_len=8):
array = ctypes.create_string_buffer(address_len)
if ReadProcessMemory(h_process, void_p(address), array, address_len, 0) == 0: return "None"
address = int.from_bytes(array, byteorder='little') # 逆序转换为int地址key地址
key = ctypes.create_string_buffer(32)
if ReadProcessMemory(h_process, void_p(address), key, 32, 0) == 0: return "None"
key_bytes = bytes(key)
return key_bytes
def verify_key(key, wx_db_path):
KEY_SIZE = 32
DEFAULT_PAGESIZE = 4096
DEFAULT_ITER = 64000
with open(wx_db_path, "rb") as file:
blist = file.read(5000)
salt = blist[:16]
byteKey = hashlib.pbkdf2_hmac("sha1", key, salt, DEFAULT_ITER, KEY_SIZE)
first = blist[16:DEFAULT_PAGESIZE]
mac_salt = bytes([(salt[i] ^ 58) for i in range(16)])
mac_key = hashlib.pbkdf2_hmac("sha1", byteKey, mac_salt, 2, KEY_SIZE)
hash_mac = hmac.new(mac_key, first[:-32], hashlib.sha1)
hash_mac.update(b'\x01\x00\x00\x00')
if hash_mac.digest() != first[-32:-12]:
return False
return True
phone_type1 = "iphone\x00"
phone_type2 = "android\x00"
phone_type3 = "ipad\x00"
pm = pymem.Pymem("WeChat.exe")
module_name = "WeChatWin.dll"
MicroMsg_path = os.path.join(db_path, "MSG", "MicroMsg.db")
type1_addrs = pm.pattern_scan_module(phone_type1.encode(), module_name, return_multiple=True)
type2_addrs = pm.pattern_scan_module(phone_type2.encode(), module_name, return_multiple=True)
type3_addrs = pm.pattern_scan_module(phone_type3.encode(), module_name, return_multiple=True)
type_addrs = type1_addrs if len(type1_addrs) >= 2 else type2_addrs if len(type2_addrs) >= 2 else type3_addrs if len(
type3_addrs) >= 2 else "None"
# print(type_addrs)
if type_addrs == "None":
return "None"
for i in type_addrs[::-1]:
for j in range(i, i - 2000, -addr_len):
key_bytes = read_key_bytes(pm.process_handle, j, addr_len)
if key_bytes == "None":
continue
if verify_key(key_bytes, MicroMsg_path):
return key_bytes.hex()
return "None"
# 读取微信信息(account,mobile,name,mail,wxid,key)
def read_info(is_logging=False):
wechat_process = []
result = []
for process in psutil.process_iter(['name', 'exe', 'pid', 'cmdline']):
if process.name() == 'WeChat.exe':
wechat_process.append(process)
if len(wechat_process) == 0:
error = "[-] WeChat No Run"
if is_logging: print(error)
return error
for process in wechat_process:
tmp_rd = {}
tmp_rd['pid'] = process.pid
# tmp_rd['version'] = Dispatch("Scripting.FileSystemObject").GetFileVersion(process.exe())
Handle = ctypes.windll.kernel32.OpenProcess(0x1F0FFF, False, process.pid)
addrLen = get_exe_bit(process.exe()) // 8
tmp_rd['wxid'] = get_info_wxid(Handle)
tmp_rd['filePath'] = get_info_filePath(tmp_rd['wxid']) if tmp_rd['wxid'] != "None" else "None"
tmp_rd['key'] = get_key(tmp_rd['filePath'], addrLen) if tmp_rd['filePath'] != "None" else "None"
result.append(tmp_rd)
if is_logging:
print("=" * 32)
if isinstance(result, str): # 输出报错
print(result)
else: # 输出结果
for i, rlt in enumerate(result):
for k, v in rlt.items():
print(f"[+] {k:>8}: {v}")
print(end="-" * 32 + "\n" if i != len(result) - 1 else "")
print("=" * 32)
return result
if __name__ == '__main__':
read_info(is_logging=True)

2
setup.py
View File

@ -3,7 +3,7 @@ from setuptools import setup, find_packages
with open("README.md", "r", encoding="utf-8") as fh: with open("README.md", "r", encoding="utf-8") as fh:
long_description = fh.read() long_description = fh.read()
version = "2.3.2" version = "2.3.3"
install_requires = [ install_requires = [
"psutil", "psutil",