// Receive-message hook for the in-process WeChat spy DLL: patches a call
// site inside WeChatWin.dll so that each incoming message is copied into
// g_MsgQueue and the consumer waiting on g_hEvent is signalled.
// Runs on WeChat's own thread, inside the hooked code path; nothing here
// is thread-safe (see the notes on the globals below).
#include "framework.h"
#include "load_calls.h"
#include "receive_msg.h"
#include "spy_types.h"
#include "util.h"

extern HANDLE g_hEvent;            // signalled once per dispatched message
extern RpcMessage_t *g_pMsg;       // declared but not used in this file
extern WxCalls_t g_WxCalls;        // per-version offset table (recvMsg.* fields used here)
extern DWORD g_WeChatWinDllAddr;   // WeChatWin.dll base; 0 means "not resolved"

MsgQueue_t g_MsgQueue;             // producer: DispatchMsg; consumer not visible here
// Scratch globals written from the hook. A single shared slot, so two
// threads hitting the hook at once would overwrite each other's value
// before DispatchMsg reads it — the hook is not reentrant.
DWORD reg_buffer = 0;
DWORD recvMsgCallAddr = 0;         // absolute address of the call the patch overwrites
DWORD recvMsgJumpBackAddr = 0;     // hookAddress + 5: first instruction after the patched call
// Reused for every message; cleared by memset at the start of DispatchMsg.
// Shares the non-reentrancy problem of reg_buffer.
RpcMessage_t lMsg = { 0 };

// Builds an RpcMessage_t from the in-memory message object and queues it.
//
// reg: raw register value captured by RecieveMsgHook (edi). It is treated
//      as a pointer whose first DWORD (*p) is the base of the message
//      object; the g_WxCalls.recvMsg.* fields are byte offsets into it.
//      NOTE(review): the reg -> *p indirection is assumed from how it is
//      used; no validation of either pointer is done before dereferencing.
// Side effects: overwrites the global lMsg, pushes a copy into g_MsgQueue,
//      sets g_hEvent.
// NOTE(review): the strings returned by GetBstrByAddress are stored in
//      lMsg and then copied into the queue by value; which side owns and
//      frees them is not visible in this file — confirm against
//      GetBstrByAddress and the queue consumer.
void DispatchMsg(DWORD reg)
{
    DWORD* p = (DWORD*)reg; // base address of the message structure
    memset(&lMsg, 0, sizeof(RpcMessage_t));
    lMsg.type = GET_DWORD(*p + g_WxCalls.recvMsg.type);
    lMsg.self = GET_DWORD(*p + g_WxCalls.recvMsg.isSelf);
    lMsg.id = GetBstrByAddress(*p + g_WxCalls.recvMsg.msgId);
    lMsg.xml = GetBstrByAddress(*p + g_WxCalls.recvMsg.msgXml);
    // Group-chat detection by searching the message XML.
    // NOTE(review): as written the needle is the empty string, so wcsstr
    // returns non-NULL for any non-NULL haystack and this branch is never
    // taken; the literal looks like a tag that was stripped during
    // extraction — confirm the intended marker against the repository.
    // Also, if GetBstrByAddress can return NULL, wcsstr on it is undefined
    // behaviour; there is no NULL check here.
    if (wcsstr(lMsg.xml, L"") == NULL) {
        // pMsg.roomId = {0};
        // Private chat: the sender id lives at the roomId offset.
        lMsg.wxId = GetBstrByAddress(*p + g_WxCalls.recvMsg.roomId);
    } else {
        // Group chat: mark source and read both the sender and the room.
        lMsg.source = 1;
        lMsg.wxId = GetBstrByAddress(*p + g_WxCalls.recvMsg.wxId);
        lMsg.roomId = GetBstrByAddress(*p + g_WxCalls.recvMsg.roomId);
    }
    lMsg.content = GetBstrByAddress(*p + g_WxCalls.recvMsg.content);
    // Copies lMsg into the queue; synchronization (if any) is inside
    // MsgQueue_t, not visible here.
    g_MsgQueue.push(lMsg); // send message
    SetEvent(g_hEvent); // send message notification
}

// Detour target installed by ListenMessage. __declspec(naked): the
// compiler emits no prologue/epilogue, so the function owns the stack and
// register state it inherits from the patched call site.
// Flow: save edi -> DispatchMsg -> perform the call the patch displaced
//       -> jump back to the instruction after the patched call.
// NOTE(review): DispatchMsg is an ordinary C++ call made between the two
// asm blocks; only edi is explicitly saved, so any other register state
// the original call site relied on is not preserved — confirm against the
// hooked function's calling convention.
__declspec(naked) void RecieveMsgHook()
{
    __asm {
        mov reg_buffer, edi // copy the value out
    }
    DispatchMsg(reg_buffer);
    __asm {
        call recvMsgCallAddr // this is the overwritten call
        jmp recvMsgJumpBackAddr // jump back to the instruction after the hooked one
    }
}

// Installs RecieveMsgHook by overwriting the 5-byte call at
// g_WeChatWinDllAddr + g_WxCalls.recvMsg.hook with a relative jmp (0xE9).
// No-op when the WeChatWin.dll base has not been resolved.
// Side effects: writes recvMsgCallAddr / recvMsgJumpBackAddr and patches
//      executable memory of the current process.
// NOTE(review): the WriteProcessMemory result is discarded, so a failed
//      patch (e.g. non-writable page) goes unnoticed and the hook silently
//      never fires. Calling this twice re-patches the same bytes; no
//      "already installed" guard is visible here.
void ListenMessage()
{
    // MessageBox(NULL, L"ListenMessage", L"ListenMessage", 0);
    if (g_WeChatWinDllAddr == 0) {
        return;
    }
    DWORD hookAddress = g_WeChatWinDllAddr + g_WxCalls.recvMsg.hook;
    recvMsgCallAddr = g_WeChatWinDllAddr + g_WxCalls.recvMsg.call;
    recvMsgJumpBackAddr = hookAddress + 5; // length of the replaced call instruction
    BYTE jmpCode[5] = { 0 };
    jmpCode[0] = 0xE9; // jmp rel32
    // rel32 is relative to the end of the 5-byte jmp, hence the "- 5".
    *(DWORD *)&jmpCode[1] = (DWORD)RecieveMsgHook - hookAddress - 5;
    // 6FB6A350 E8 4B020000 call WeChatWi .6FB6A5A0;
    WriteProcessMemory(GetCurrentProcess(), (LPVOID)hookAddress, jmpCode, 5, 0);
}