Hooking WeChat to capture chat messages

Warning
The internet is not beyond the reach of the law. This article is for technical exchange only, and I will omit the concrete implementation details.

Finding the function WeChat uses to process messages

We can repeatedly search for a message with Cheat Engine (CE) to obtain the memory address where the message is stored, set a hardware write breakpoint on it, and then find the relevant function in the call stack. You can carry out that search yourself using the method above.

Hooking the message function with MinHook

#include <Windows.h>
#include <stdio.h>
#include "MinHook.h"

// Hook function (defined below); it receives the register that points at the message object.
void ReceiveWxMessage(DWORD r_eax);
// Pointer to the original (trampolined) receive function, filled in by MH_CreateHook.
// The signature is assumed for illustration; the post does not state the real calling convention.
typedef void (*ReceiveMsgFunc_t)(DWORD);
static ReceiveMsgFunc_t _receiveMsgFunc = NULL;

...
// Initialize MinHook.
if (MH_Initialize() != MH_OK)
{
    return 1;
}
DWORD windllAddress = (DWORD)GetModuleHandle(L"WeChatWin.dll");
if (windllAddress == 0) {
    printf("Module Address Get Error: 0x%x\n", windllAddress);
    return 0;
}
DWORD ReceiveHookAddress = windllAddress + 0x*****; // for the offset, see below

// Create a hook for the WeChat receive function, in disabled state.
if (MH_CreateHook((LPVOID)ReceiveHookAddress, &ReceiveWxMessage,
    reinterpret_cast<LPVOID*>(&_receiveMsgFunc)) != MH_OK)
{
    printf("MH_CreateHook Error: 0x%x\n", ReceiveHookAddress);
    return 0;
}
...
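The hook above works because MinHook overwrites the first bytes of the target function with a 5-byte relative JMP (opcode E9) to the detour and preserves the displaced instructions in a trampoline. Seen from the defensive side, that makes such a hook visible: the entry bytes of the receive function no longer match the on-disk image, and the JMP target lies outside WeChatWin.dll. The following C example is added here and is not part of the original post or of MinHook; it decodes the jump at a function entry and classifies it by where the target lands. The module base, module size, detour address and entry bytes are constructed sample values; only the 0x1086F0 offset comes from the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Result of inspecting a function's entry bytes. */
typedef enum {
    HOOK_NONE = 0,            /* entry starts with an ordinary prologue */
    HOOK_JMP_INSIDE_MODULE,   /* JMP whose target stays inside the owning module (may be legitimate) */
    HOOK_JMP_OUTSIDE_MODULE   /* JMP whose target leaves the module: classic inline-hook signature */
} hook_verdict;

/* Decode a jump at the function entry, if any. Supports:
 *   E9 rel32       5-byte near relative JMP (what MinHook writes)
 *   EB rel8        2-byte short JMP (sometimes used as a hot-patch stub)
 *   FF 25 disp32   6-byte absolute indirect JMP on 32-bit; disp32 is the address of a pointer slot,
 *                  so for this form the slot address is reported and the caller must dereference it.
 * Returns 1 and fills *target when a jump was decoded, 0 otherwise. */
static int decode_entry_jump(uint32_t func_addr, const uint8_t *bytes, size_t len, uint32_t *target)
{
    if (len >= 5 && bytes[0] == 0xE9) {
        uint32_t raw = (uint32_t)bytes[1] | ((uint32_t)bytes[2] << 8) |
                       ((uint32_t)bytes[3] << 16) | ((uint32_t)bytes[4] << 24);
        *target = func_addr + 5 + raw;            /* rel32 is relative to the next instruction */
        return 1;
    }
    if (len >= 2 && bytes[0] == 0xEB) {
        int8_t rel = (int8_t)bytes[1];            /* sign-extend the 8-bit displacement */
        *target = func_addr + 2 + (uint32_t)(int32_t)rel;
        return 1;
    }
    if (len >= 6 && bytes[0] == 0xFF && bytes[1] == 0x25) {
        *target = (uint32_t)bytes[2] | ((uint32_t)bytes[3] << 8) |
                  ((uint32_t)bytes[4] << 16) | ((uint32_t)bytes[5] << 24);
        return 1;
    }
    return 0;
}

/* Classify the entry of a function at func_addr whose first `len` bytes are in `bytes`. */
hook_verdict classify_entry(uint32_t func_addr, const uint8_t *bytes, size_t len,
                            uint32_t module_base, uint32_t module_size, uint32_t *target_out)
{
    uint32_t target = 0;
    if (!decode_entry_jump(func_addr, bytes, len, &target))
        return HOOK_NONE;
    if (target_out)
        *target_out = target;
    if (target >= module_base && target < module_base + module_size)
        return HOOK_JMP_INSIDE_MODULE;
    return HOOK_JMP_OUTSIDE_MODULE;
}

/* Constructed sample inputs (not captured from a real process). */
static const uint32_t kModuleBase = 0x10000000u;               /* hypothetical load address of WeChatWin.dll */
static const uint32_t kModuleSize = 0x02000000u;               /* hypothetical SizeOfImage */
static const uint32_t kFuncAddr   = 0x10000000u + 0x1086F0u;   /* receive-function offset from the post */
/* Unmodified prologue: push ebp; mov ebp,esp; sub esp,0x10 */
static const uint8_t kCleanEntry[6]    = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
/* E9 rel32 to a constructed detour at 0x6A0010A0 in an injected DLL:
 * rel32 = 0x6A0010A0 - (kFuncAddr + 5) = 0x59EF89AB, stored little-endian;
 * the 6th byte is the leftover of the displaced prologue. */
static const uint8_t kHookedEntry[6]   = { 0xE9, 0xAB, 0x89, 0xEF, 0x59, 0x10 };
/* E9 rel32 that stays inside the module (e.g. a compiler thunk): target = kFuncAddr + 0x100 */
static const uint8_t kInternalEntry[6] = { 0xE9, 0xFB, 0x00, 0x00, 0x00, 0x10 };

hook_verdict demo_clean_verdict(void)
{
    return classify_entry(kFuncAddr, kCleanEntry, sizeof kCleanEntry, kModuleBase, kModuleSize, NULL);
}
hook_verdict demo_hooked_verdict(void)
{
    return classify_entry(kFuncAddr, kHookedEntry, sizeof kHookedEntry, kModuleBase, kModuleSize, NULL);
}
uint32_t demo_hooked_target(void)
{
    uint32_t t = 0;
    classify_entry(kFuncAddr, kHookedEntry, sizeof kHookedEntry, kModuleBase, kModuleSize, &t);
    return t;
}
hook_verdict demo_internal_verdict(void)
{
    return classify_entry(kFuncAddr, kInternalEntry, sizeof kInternalEntry, kModuleBase, kModuleSize, NULL);
}
uint32_t demo_internal_target(void)
{
    uint32_t t = 0;
    classify_entry(kFuncAddr, kInternalEntry, sizeof kInternalEntry, kModuleBase, kModuleSize, &t);
    return t;
}

int main(void)
{
    static const char *names[] = { "no jump", "jmp inside module", "jmp outside module (hook?)" };
    printf("clean    : %s\n", names[demo_clean_verdict()]);
    printf("internal : %s -> 0x%08X\n", names[demo_internal_verdict()], demo_internal_target());
    printf("hooked   : %s -> 0x%08X\n", names[demo_hooked_verdict()], demo_hooked_target());
    return 0;
}
```

In a real integrity check the entry bytes would be read from the live process (for instance with ReadProcessMemory from a separate monitoring process), compared against the same bytes in the mapped file on disk, and then passed to classify_entry together with the module's load address and SizeOfImage. An inside-module JMP can be a legitimate compiler thunk or hot-patch stub, so only the outside-module verdict, or a mismatch with the on-disk bytes, should be treated as a hook indicator on its own.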

The message hook function

...
void ReceiveWxMessage(DWORD r_eax)
{
    try
    {
        // Check whether the process may read the memory blocks we are about to touch.
        // Note: IsBadReadPtr is documented by Microsoft as obsolete and unreliable
        // (it races with other threads and can interfere with guard pages); it is kept
        // here as in the original post.
        if (IsBadReadPtr((void*)r_eax, 4)
            || IsBadReadPtr((void*)(r_eax + MsgTypeOffset), 4)
            || IsBadReadPtr((void*)(r_eax + MsgContentOffset), 4)
            || IsBadReadPtr((void*)(r_eax + WxidOffset), 4)
            || IsBadReadPtr((void*)(r_eax + GroupMsgSenderOffset), 4)
            || IsBadReadPtr((void*)(r_eax + MsgSourceOffset), 4)
        ) {
            return;
        }

        // Extract the message content
        LPVOID pContent = *((LPVOID*)(r_eax + MsgContentOffset));

        // Extract the WeChat ID / group ID
        LPVOID pWxid = *((LPVOID*)(r_eax + WxidOffset));

        if (!wcscmp((wchar_t*)pWxid, L"filehelper")) {
            wprintf(L"Receive Msg\n Wechat ID: %ws \n Content: %ws\n", (wchar_t*)pWxid, (wchar_t*)pContent);
        }
    }
    // catch(...) only catches access violations when compiled with MSVC's /EHa;
    // with the default /EHsc a bad pointer still crashes the process.
    catch (...)
    {
        OutputDebugStringA("message exception");
    }
}
...

Hook result

Exact address of the receive function: windllAddress + 0x1086F0;

Copyrights © 2015-2023 Move Jian