From bd612d22a529fbbb2e3b5fd4363c42adb7fdc520 Mon Sep 17 00:00:00 2001
From: Changhua
Date: Wed, 17 Apr 2024 00:45:06 +0800
Subject: [PATCH] Refatoring
---
 WeChatFerry/sdk/injector.cpp | 31 +++++--------------------------
 WeChatFerry/sdk/sdk.cpp | 1 -
 WeChatFerry/spy/spy.cpp | 16 ++++++++--------
 3 files changed, 13 insertions(+), 35 deletions(-)
diff --git a/WeChatFerry/sdk/injector.cpp b/WeChatFerry/sdk/injector.cpp
index ca84e7d..cc06298 100644
--- a/WeChatFerry/sdk/injector.cpp
+++ b/WeChatFerry/sdk/injector.cpp
@@ -1,13 +1,14 @@
 #include "framework.h"
 #include "psapi.h"
 #include
-#include
 #include
 #include "injector.h"
 #include "util.h"
-HMODULE GetTargetModuleBase(HANDLE process, std::string dll)
+using namespace std;
+
+HMODULE GetTargetModuleBase(HANDLE process, string dll)
 {
 DWORD cbNeeded;
 HMODULE moduleHandleList[512];
@@ -79,9 +80,7 @@ HANDLE InjectDll(DWORD pid, LPCWSTR dllPath, HMODULE *injectedBase)
 WaitForSingleObject(hThread, -1);
 CloseHandle(hThread);
- *injectedBase = GetTargetModuleBase(hProcess, std::filesystem::path(Wstring2String(dllPath)).filename().string());
-
- printf("hProcess: %p, pRemoteAddress: %p, injectedBase: %p\n", hProcess, pRemoteAddress, *injectedBase);
+ *injectedBase = GetTargetModuleBase(hProcess, filesystem::path(Wstring2String(dllPath)).filename().string());
 VirtualFreeEx(hProcess, pRemoteAddress, 0, MEM_RELEASE);
 // CloseHandle(hProcess); // Close when exit
@@ -93,8 +92,6 @@ bool EjectDll(HANDLE process, HMODULE dllBase)
 {
 HANDLE hThread = NULL;
- printf("process: %p, dllBase: %p\n", process, dllBase);
- // 使目标进程调用 FreeLibrary,卸载 DLL
 HMODULE k32 = GetModuleHandle(L"kernel32.dll");
 if (k32 == NULL) {
@@ -102,7 +99,6 @@ bool EjectDll(HANDLE process, HMODULE dllBase)
 return NULL;
 }
- // FARPROC libAddr = GetProcAddress(k32, "FreeLibrary");
 FARPROC libAddr = GetProcAddress(k32, "FreeLibraryAndExitThread");
 if (!libAddr) {
 MessageBox(NULL, L"获取 FreeLibrary 失败", L"InjectDll", 0);
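Review bot: `using namespace std;` at file scope in a translation unit that also includes the Windows SDK (HANDLE/HMODULE are in use, presumably via framework.h) is a known source of ambiguity: once `<cstddef>` is reachable under C++17, an unqualified `byte` can resolve to either `std::byte` or the SDK's `byte` typedef. The directive only removes the `std::` prefix from `string` and `filesystem::path`, so I would keep the explicit qualification, or at most `using std::string;`, and write the signature as `HMODULE GetTargetModuleBase(HANDLE process, const std::string& dll)`, which also avoids copying the name on every call. GetTargetModuleBase's body continues past the hunk.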
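Review bot: `*injectedBase` is assigned from GetTargetModuleBase and InjectDll carries on regardless, and the deleted printf was the only place a NULL base would have shown up; the remote thread's exit code is never read either. I would fail here instead of handing the caller a NULL base: `if (*injectedBase == NULL) { VirtualFreeEx(hProcess, pRemoteAddress, 0, MEM_RELEASE); return NULL; }` after the assignment, using whatever InjectDll's earlier failure paths return (they are outside the hunk) and closing hProcess on that path, since the trailing comment shows it is otherwise kept open deliberately. Separately, `WaitForSingleObject(hThread, -1)` passes -1 to a DWORD timeout; `INFINITE` says what is meant.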
@@ -120,16 +116,6 @@ bool EjectDll(HANDLE process, HMODULE dllBase)
 return true;
 }
-static LPVOID GetFuncAddr(HMODULE dllBase, LPCSTR funcName)
-{
- printf("dllBase: %p, funcName: %s\n", dllBase, funcName);
- LPVOID absAddr = GetProcAddress(dllBase, funcName);
- UINT64 offset = (UINT64)absAddr - (UINT64)dllBase;
- printf("absAddr: %p, offset: %lld\n", absAddr, offset);
- return (LPVOID)((UINT64)dllBase + offset);
-}
-
 static UINT64 GetFuncOffset(LPCWSTR dllPath, LPCSTR funcName)
 {
 HMODULE dll = LoadLibrary(dllPath);
@@ -147,7 +133,6 @@ static UINT64 GetFuncOffset(LPCWSTR dllPath, LPCSTR funcName)
 bool CallDllFunc(HANDLE process, LPCWSTR dllPath, HMODULE dllBase, LPCSTR funcName, LPDWORD ret)
 {
- // LPVOID pFunc = GetFuncAddr(dllBase, funcName);
 UINT64 offset = GetFuncOffset(dllPath, funcName);
 if (offset == 0) {
 return false;
@@ -156,7 +141,7 @@ bool CallDllFunc(HANDLE process, LPCWSTR dllPath, HMODULE dllBase, LPCSTR funcNa
 if (pFunc <= (UINT64)dllBase) {
 return false;
 }
- printf("pFunc: %p\n", pFunc);
+ HANDLE hThread = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)pFunc, NULL, 0, NULL);
 if (hThread == NULL) {
 return false;
@@ -173,11 +158,6 @@ bool CallDllFunc(HANDLE process, LPCWSTR dllPath, HMODULE dllBase, LPCSTR funcNa
 bool CallDllFuncEx(HANDLE process, LPCWSTR dllPath, HMODULE dllBase, LPCSTR funcName, LPVOID parameter, size_t sz, LPDWORD ret)
 {
- // LPVOID pFunc = GetFuncAddr(dllBase, funcName);
- // if (pFunc == NULL) {
- // return false;
- // }
-
 UINT64 offset = GetFuncOffset(dllPath, funcName);
 if (offset == 0) {
 return false;
@@ -187,7 +167,6 @@ bool CallDllFuncEx(HANDLE process, LPCWSTR dllPath, HMODULE dllBase, LPCSTR func
 return false;
 }
- printf("pFunc: %p\n", pFunc);
 LPVOID pRemoteAddress = VirtualAllocEx(process, NULL, sz, MEM_COMMIT, PAGE_READWRITE);
 if (pRemoteAddress == NULL) {
 MessageBox(NULL, L"申请内存失败", L"CallDllFuncEx", 0);
diff --git a/WeChatFerry/sdk/sdk.cpp b/WeChatFerry/sdk/sdk.cpp
index 50270ef..063be85 100644
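Review bot: With GetFuncAddr gone, GetFuncOffset is the only address resolver left and nothing documents how it works: it calls `LoadLibrary(dllPath)` in the injector's own process and the callers then apply the returned offset to the remote `dllBase` (CallDllFunc's `pFunc <= (UINT64)dllBase` check suggests `pFunc = (UINT64)dllBase + offset`, though that line is outside the hunk). That is only sound when dllPath is the same DLL file the target loaded, so the export's RVA matches; I would state it on the function, e.g. `// Load dllPath locally and return funcName's offset from the module base; 0 on failure. Only valid for the remote copy if it is the same DLL file.` The same commented-out GetFuncAddr call is removed from both CallDllFunc and CallDllFuncEx, so one comment on GetFuncOffset covers both. GetFuncOffset's body and both callers continue outside the hunks.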
--- a/WeChatFerry/sdk/sdk.cpp
+++ b/WeChatFerry/sdk/sdk.cpp
@@ -61,7 +61,6 @@ int WxInitSDK(bool debug, int port)
 pp.port = port;
 sprintf_s(pp.path, MAX_PATH, "%s", std::filesystem::current_path().string().c_str());
- printf("process: %p, base: %p, path: %s\n", wcProcess, spyBase, pp.path);
 if (!CallDllFuncEx(wcProcess, spyDllPath, spyBase, "InitSpy", (LPVOID)&pp, sizeof(PortPath_t), NULL)) {
 MessageBox(NULL, L"初始化失败", L"WxInitSDK", 0);
 return -1;
diff --git a/WeChatFerry/spy/spy.cpp b/WeChatFerry/spy/spy.cpp
index 48e73ad..2d6382c 100644
--- a/WeChatFerry/spy/spy.cpp
+++ b/WeChatFerry/spy/spy.cpp
@@ -11,14 +11,11 @@ DWORD g_WeChatWinDllAddr = 0;
 void InitSpy(LPVOID args)
 {
- MessageBox(NULL, L"InitSpy", L"InitSpy", 0);
-#if 1
+ wchar_t version[16] = { 0 };
 PortPath_t *pp = (PortPath_t *)args;
- int port = pp->port;
- std::string path(pp->path);
- InitLogger(path);
+ InitLogger(pp->path);
 g_WeChatWinDllAddr = (DWORD)GetModuleHandle(L"WeChatWin.dll"); // 获取wechatWin模块地址
 if (g_WeChatWinDllAddr == 0) {
 LOG_ERROR("获取 wechatWin.dll 模块地址失败");
@@ -36,10 +33,13 @@ void InitSpy(LPVOID args)
 return;
 }
- // RpcStartServer(port);
-#endif
+ // RpcStartServer(pp->port);
 }
-void CleanupSpy() { /*RpcStopServer();*/ MessageBox(NULL, L"CleanupSpy", L"CleanupSpy", 0);}
+void CleanupSpy()
+{
+ LOG_DEBUG("CleanupSpy");
+ // RpcStopServer();
+}
 int IsLogin(void) { return (int)GET_DWORD(g_WeChatWinDllAddr + g_WxCalls.login); }
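Review bot: `InitLogger(pp->path)` dereferences `args` right after the cast with no NULL check; judging by the CallDllFuncEx call in the sdk.cpp hunk above, InitSpy runs on a thread created inside the host process, so a bad argument faults the host rather than the injector. The old `std::string path(pp->path)` had the same gap, but since this line is being rewritten anyway I would add `if (args == NULL) { return; }` before the cast. `pp->path` is a fixed array filled with sprintf_s on the SDK side, so it is NUL-terminated there, but InitLogger now receives a raw pointer and its declaration should say it expects a NUL-terminated path. `wchar_t version[16]` is not used in the visible lines; its use may be past the hunk, which is where InitSpy's body continues.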