Refatoring
This commit is contained in:
parent
5bf45402a8
commit
bd612d22a5
@ -1,13 +1,14 @@
#include "framework.h"
#include "framework.h"
#include "psapi.h"
#include "psapi.h"
#include <filesystem>
#include <filesystem>
#include <stdio.h>
#include <string>
#include <string>
#include "injector.h"
#include "injector.h"
#include "util.h"
#include "util.h"
HMODULE GetTargetModuleBase(HANDLE process, std::string dll)
using namespace std;
HMODULE GetTargetModuleBase(HANDLE process, string dll)
{
{
DWORD cbNeeded;
DWORD cbNeeded;
HMODULE moduleHandleList[512];
HMODULE moduleHandleList[512];
@ -79,9 +80,7 @@ HANDLE InjectDll(DWORD pid, LPCWSTR dllPath, HMODULE *injectedBase)
WaitForSingleObject(hThread, -1);
WaitForSingleObject(hThread, -1);
CloseHandle(hThread);
CloseHandle(hThread);
*injectedBase = GetTargetModuleBase(hProcess, std::filesystem::path(Wstring2String(dllPath)).filename().string());
*injectedBase = GetTargetModuleBase(hProcess, filesystem::path(Wstring2String(dllPath)).filename().string());
printf("hProcess: %p, pRemoteAddress: %p, injectedBase: %p\n", hProcess, pRemoteAddress, *injectedBase);
VirtualFreeEx(hProcess, pRemoteAddress, 0, MEM_RELEASE);
VirtualFreeEx(hProcess, pRemoteAddress, 0, MEM_RELEASE);
// CloseHandle(hProcess); // Close when exit
// CloseHandle(hProcess); // Close when exit
@ -93,8 +92,6 @@ bool EjectDll(HANDLE process, HMODULE dllBase)
{
{
HANDLE hThread = NULL;
HANDLE hThread = NULL;
printf("process: %p, dllBase: %p\n", process, dllBase);
// 使目标进程调用 FreeLibrary,卸载 DLL
// 使目标进程调用 FreeLibrary,卸载 DLL
HMODULE k32 = GetModuleHandle(L"kernel32.dll");
HMODULE k32 = GetModuleHandle(L"kernel32.dll");
if (k32 == NULL) {
if (k32 == NULL) {
@ -102,7 +99,6 @@ bool EjectDll(HANDLE process, HMODULE dllBase)
return NULL;
return NULL;
}
}
// FARPROC libAddr = GetProcAddress(k32, "FreeLibrary");
FARPROC libAddr = GetProcAddress(k32, "FreeLibraryAndExitThread");
FARPROC libAddr = GetProcAddress(k32, "FreeLibraryAndExitThread");
if (!libAddr) {
if (!libAddr) {
MessageBox(NULL, L"获取 FreeLibrary 失败", L"InjectDll", 0);
MessageBox(NULL, L"获取 FreeLibrary 失败", L"InjectDll", 0);
@ -120,16 +116,6 @@ bool EjectDll(HANDLE process, HMODULE dllBase)
return true;
return true;
}
}
static LPVOID GetFuncAddr(HMODULE dllBase, LPCSTR funcName)
{
printf("dllBase: %p, funcName: %s\n", dllBase, funcName);
LPVOID absAddr = GetProcAddress(dllBase, funcName);
UINT64 offset = (UINT64)absAddr - (UINT64)dllBase;
printf("absAddr: %p, offset: %lld\n", absAddr, offset);
return (LPVOID)((UINT64)dllBase + offset);
}
static UINT64 GetFuncOffset(LPCWSTR dllPath, LPCSTR funcName)
static UINT64 GetFuncOffset(LPCWSTR dllPath, LPCSTR funcName)
{
{
HMODULE dll = LoadLibrary(dllPath);
HMODULE dll = LoadLibrary(dllPath);
@ -147,7 +133,6 @@ static UINT64 GetFuncOffset(LPCWSTR dllPath, LPCSTR funcName)
bool CallDllFunc(HANDLE process, LPCWSTR dllPath, HMODULE dllBase, LPCSTR funcName, LPDWORD ret)
bool CallDllFunc(HANDLE process, LPCWSTR dllPath, HMODULE dllBase, LPCSTR funcName, LPDWORD ret)
{
{
// LPVOID pFunc = GetFuncAddr(dllBase, funcName);
UINT64 offset = GetFuncOffset(dllPath, funcName);
UINT64 offset = GetFuncOffset(dllPath, funcName);
if (offset == 0) {
if (offset == 0) {
return false;
return false;
@ -156,7 +141,7 @@ bool CallDllFunc(HANDLE process, LPCWSTR dllPath, HMODULE dllBase, LPCSTR funcNa
if (pFunc <= (UINT64)dllBase) {
if (pFunc <= (UINT64)dllBase) {
return false;
return false;
}
}
printf("pFunc: %p\n", pFunc);
HANDLE hThread = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)pFunc, NULL, 0, NULL);
HANDLE hThread = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)pFunc, NULL, 0, NULL);
if (hThread == NULL) {
if (hThread == NULL) {
return false;
return false;
@ -173,11 +158,6 @@ bool CallDllFunc(HANDLE process, LPCWSTR dllPath, HMODULE dllBase, LPCSTR funcNa
bool CallDllFuncEx(HANDLE process, LPCWSTR dllPath, HMODULE dllBase, LPCSTR funcName, LPVOID parameter, size_t sz,
bool CallDllFuncEx(HANDLE process, LPCWSTR dllPath, HMODULE dllBase, LPCSTR funcName, LPVOID parameter, size_t sz,
LPDWORD ret)
LPDWORD ret)
{
{
// LPVOID pFunc = GetFuncAddr(dllBase, funcName);
// if (pFunc == NULL) {
// return false;
// }
UINT64 offset = GetFuncOffset(dllPath, funcName);
UINT64 offset = GetFuncOffset(dllPath, funcName);
if (offset == 0) {
if (offset == 0) {
return false;
return false;
@ -187,7 +167,6 @@ bool CallDllFuncEx(HANDLE process, LPCWSTR dllPath, HMODULE dllBase, LPCSTR func
return false;
return false;
}
}
printf("pFunc: %p\n", pFunc);
LPVOID pRemoteAddress = VirtualAllocEx(process, NULL, sz, MEM_COMMIT, PAGE_READWRITE);
LPVOID pRemoteAddress = VirtualAllocEx(process, NULL, sz, MEM_COMMIT, PAGE_READWRITE);
if (pRemoteAddress == NULL) {
if (pRemoteAddress == NULL) {
MessageBox(NULL, L"申请内存失败", L"CallDllFuncEx", 0);
MessageBox(NULL, L"申请内存失败", L"CallDllFuncEx", 0);
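Review bot: `return NULL;` in EjectDll's `k32 == NULL` branch returns a pointer constant from a function declared `bool`; it compiles only because NULL converts to `false`, and should read `return false;`. The message box on the `!libAddr` branch reports `获取 FreeLibrary 失败` although the symbol looked up is `FreeLibraryAndExitThread`, so a failure would name the wrong import — `L"获取 FreeLibraryAndExitThread 失败"` would match the code. In the InjectDll hunk, `WaitForSingleObject(hThread, -1)` relies on -1 wrapping to the DWORD value of `INFINITE`; `WaitForSingleObject(hThread, INFINITE);` states the intent. Adding `using namespace std;` at file scope in the first hunk, in a translation unit that also pulls in the Windows headers, invites name clashes and reads less clearly than the `std::` qualifiers it replaced. EjectDll and InjectDll both begin and end outside their hunks.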
@ -61,7 +61,6 @@ int WxInitSDK(bool debug, int port)
pp.port = port;
pp.port = port;
sprintf_s(pp.path, MAX_PATH, "%s", std::filesystem::current_path().string().c_str());
sprintf_s(pp.path, MAX_PATH, "%s", std::filesystem::current_path().string().c_str());
printf("process: %p, base: %p, path: %s\n", wcProcess, spyBase, pp.path);
if (!CallDllFuncEx(wcProcess, spyDllPath, spyBase, "InitSpy", (LPVOID)&pp, sizeof(PortPath_t), NULL)) {
if (!CallDllFuncEx(wcProcess, spyDllPath, spyBase, "InitSpy", (LPVOID)&pp, sizeof(PortPath_t), NULL)) {
MessageBox(NULL, L"初始化失败", L"WxInitSDK", 0);
MessageBox(NULL, L"初始化失败", L"WxInitSDK", 0);
return -1;
return -1;
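Review bot: `sprintf_s(pp.path, MAX_PATH, ...)` sizes the destination by the `MAX_PATH` constant rather than by the field itself, and on overflow `sprintf_s` invokes the invalid-parameter handler (which terminates the process by default) instead of truncating; if `pp.path` is a fixed array, `_snprintf_s(pp.path, sizeof(pp.path), _TRUNCATE, "%s", std::filesystem::current_path().string().c_str());` bounds the copy to the real field size and truncates. `std::filesystem::current_path()` throws `std::filesystem::filesystem_error` when the directory cannot be read, and nothing in the hunk catches it, so that failure would propagate out of WxInitSDK instead of reaching the `return -1` path. `.string()` on a Windows path converts through the active narrow code page, which is lossy for characters outside it — worth confirming against how the receiving side consumes `pp.path`. WxInitSDK begins and ends outside the hunk.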
@ -11,14 +11,11 @@ DWORD g_WeChatWinDllAddr = 0;
void InitSpy(LPVOID args)
void InitSpy(LPVOID args)
{
{
MessageBox(NULL, L"InitSpy", L"InitSpy", 0);
#if 1
wchar_t version[16] = { 0 };
wchar_t version[16] = { 0 };
PortPath_t *pp = (PortPath_t *)args;
PortPath_t *pp = (PortPath_t *)args;
int port = pp->port;
std::string path(pp->path);
InitLogger(path);
InitLogger(pp->path);
g_WeChatWinDllAddr = (DWORD)GetModuleHandle(L"WeChatWin.dll"); // 获取wechatWin模块地址
g_WeChatWinDllAddr = (DWORD)GetModuleHandle(L"WeChatWin.dll"); // 获取wechatWin模块地址
if (g_WeChatWinDllAddr == 0) {
if (g_WeChatWinDllAddr == 0) {
LOG_ERROR("获取 wechatWin.dll 模块地址失败");
LOG_ERROR("获取 wechatWin.dll 模块地址失败");
@ -36,10 +33,13 @@ void InitSpy(LPVOID args)
return;
return;
}
}
// RpcStartServer(port);
// RpcStartServer(pp->port);
#endif
}
}
void CleanupSpy() { /*RpcStopServer();*/ MessageBox(NULL, L"CleanupSpy", L"CleanupSpy", 0);}
void CleanupSpy()
{
LOG_DEBUG("CleanupSpy");
// RpcStopServer();
}
int IsLogin(void) { return (int)GET_DWORD(g_WeChatWinDllAddr + g_WxCalls.login); }
int IsLogin(void) { return (int)GET_DWORD(g_WeChatWinDllAddr + g_WxCalls.login); }
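Review bot: `PortPath_t *pp = (PortPath_t *)args;` dereferences `args` with no null check, and `InitLogger(pp->path)` now passes the raw buffer that arrived from the injecting process, where the removed `std::string path(pp->path);` made an owned copy first. The struct is filled in by another process and copied over by size (`sizeof(PortPath_t)` on the caller side), so the receiving end should not assume it is well-formed: `if (args == nullptr) return;` followed by `if (strnlen_s(pp->path, sizeof(pp->path)) == sizeof(pp->path)) return;` rejects a missing terminator before the string is read. If InitLogger retains the pointer rather than copying, it would also reference memory the injector presumably releases once the remote call returns — confirm it copies. InitSpy continues past the end of the hunk, where `wchar_t version[16]` is presumably used.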