重构并添加了微信浏览器中的hook

Manfiel · Oct 4, 2023 · 6a9efa8 · 6a9efa8
1 parent cf7cf8d
commit 6a9efa8
Show file tree

Hide file tree

Showing 15 changed files with 227 additions and 13 deletions.
diff --git a/.gitignore b/.gitignore
@@ -6,8 +6,7 @@ yarn-debug.log*
 yarn-error.log*
 lerna-debug.log*
 .pnpm-debug.log*
-#exe
-*.exe
+
 
 # Diagnostic reports (https://nodejs.org/api/report.html)
 report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json

diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -12,6 +12,36 @@
                 "<node_internals>/**"
             ],
             "program": "${workspaceFolder}\\index.js"
+        },
+        {
+            "type": "node",
+            "request": "launch",
+            "name": "WeChatAppEx.exe",
+            "skipFiles": [
+                "<node_internals>/**"
+            ],
+            "program": "${workspaceFolder}\\WeChatAppEx.exe.js",
+            "args": ["8447","x64"]
+        },
+        {
+            "type": "node",
+            "request": "launch",
+            "name": "ERR WeChatAppEx.exe",
+            "skipFiles": [
+                "<node_internals>/**"
+            ],
+            "program": "${workspaceFolder}\\WeChatAppEx.exe.js",
+            "args": ["8449","x64"]
+        },
+        {
+            "type": "node",
+            "request": "launch",
+            "name": "WeChatWin.dll",
+            "skipFiles": [
+                "<node_internals>/**"
+            ],
+            "program": "${workspaceFolder}\\WeChatWin.dll.js",
+            "args": ["3.9.7.29","x64","C:/Program Files/Tencent/WeChat/[3.9.7.29]"]
         }
     ]
 }
diff --git a/Core/AddressSource.end b/Core/AddressSource.end
@@ -0,0 +1,5 @@
+;
+for(var addressname in address){
+    address[addressname] = parseInt(address[addressname]);
+};
+
diff --git a/Core/AddressSource.head b/Core/AddressSource.head
@@ -0,0 +1 @@
+var address = 
diff --git a/Core/FridaTools.js b/Core/FridaTools.js
diff --git a/Core/WeChatAppEx.exe/address_8447_x64.json b/Core/WeChatAppEx.exe/address_8447_x64.json
@@ -0,0 +1,5 @@
+{
+    "LaunchAppletBegin": "0x1B3FF48",
+    "WechatAppHtml":"0x2EC9FBD",
+    "WechatWebHtml":"0x7C0D6BD"
+}
diff --git a/Core/WeChatAppEx.exe/hook.js b/Core/WeChatAppEx.exe/hook.js
@@ -0,0 +1,64 @@
+//获取WeChatAppEx.exe的基址
+var base = Process.findModuleByName("WeChatAppEx.exe").base
+address.LaunchAppletBegin = base.add(address.LaunchAppletBegin);
+address.WechatAppHtml = base.add(address.WechatAppHtml);
+address.WechatWebHtml = base.add(address.WechatWebHtml);
+
+
+function readStdString(s) {
+    var flag = s.add(23).readU8()
+    if (flag == 0x80) {
+        // 从堆中读取
+        var size = s.add(8).readUInt()
+        return s.readPointer().readUtf8String(size)
+    } else {
+        // 从栈中读取
+        return s.readUtf8String(flag)
+    }
+}
+function writeStdString(s, content) {
+    var flag = s.add(23).readU8()
+    if (flag == 0x80) {
+        // 从堆中写入
+        var orisize = s.add(8).readUInt()
+        if (content.length > orisize) {
+            throw "must below orisize!"
+        }
+        s.readPointer().writeUtf8String(content)
+        s.add(8).writeUInt(content.length)
+    } else {
+        // 从栈中写入
+        if (content.length > 22) {
+            throw "max 23 for stack str"
+        }
+        s.writeUtf8String(content)
+        s.add(23).writeU8(content.length)
+    }
+}
+
+//HOOK 启动配置 
+Interceptor.attach(address.LaunchAppletBegin, {
+    onEnter(args) {
+        send("HOOK到小程序加载! " + readStdString(args[1]))
+        for (var i = 0; i < 0x1000; i+=8) {
+            try {
+                var s = readStdString(args[2].add(i))
+                var s1 = s.replaceAll("md5", "md6").replaceAll('"enable_vconsole":false', '"enable_vconsole": true')
+                if (s !== s1) {
+                    //send("拦截到小程序加载")
+                    writeStdString(args[2].add(i), s1)
+                } 
+            } catch (a) {
+            }
+        }
+    }
+})
+//HOOK F12配置 替换原本内容
+Interceptor.attach(address.WechatAppHtml, {
+    onEnter(args) {
+        this.context.rdx = address.WechatWebHtml;
+        send("已还原完整F12")
+    }
+})
+
+send("WeChatAppEx.exe 注入成功!")
diff --git a/Core/WeChatWin.dll/address_3.9.7.29_x64.json b/Core/WeChatWin.dll/address_3.9.7.29_x64.json
@@ -0,0 +1,3 @@
+{
+    "XwebEnableInspect": "0x1CACFA3"
+}
diff --git a/Core/WeChatWin.dll/hook.js b/Core/WeChatWin.dll/hook.js
@@ -0,0 +1 @@
+//暂无
diff --git a/WeChatAppEx.exe.js b/WeChatAppEx.exe.js
@@ -0,0 +1,61 @@
+//HOOK微信小程序
+let version = (process.argv[2] + "").toLowerCase();
+let bit = (process.argv[3] + "").toLowerCase();
+var frida = require("frida");
+const cmdline = require('cmdline-windows');
+const fs = require('fs');
+const path = require('path');
+
+
+let addressSource = "";
+let addressSourceHeadFilePath = path.join(__dirname, `/Core/AddressSource.head`);
+let addressSourceEndFilePath = path.join(__dirname, `/Core/AddressSource.end`);
+
+let addressFilePath = path.join(__dirname, `/Core/WeChatAppEx.exe/address_${version}_${bit}.json`);
+let hookFilePath = path.join(__dirname, `/Core/WeChatAppEx.exe/hook.js`);
+
+function onMessage(message, data) {
+    if (message.type === 'send') {
+        console.log(message.payload);
+    } else if (message.type === 'error') {
+        console.error(message.stack);
+    }
+}
+
+try {
+    fs.accessSync(addressFilePath);
+    addressSource += fs.readFileSync(addressSourceHeadFilePath);
+    addressSource += fs.readFileSync(addressFilePath);
+    addressSource += fs.readFileSync(addressSourceEndFilePath);
+    addressSource += fs.readFileSync(hookFilePath);
+} catch (error) {
+    console.log(`暂不支持 ${version}_${bit} 的版本!`)
+    return;
+}
+console.log("HOOK文件组装成功!")
+
+;;(async ()=>{
+    var device = await frida.getLocalDevice();
+    var processes = await device.enumerateProcesses();
+    var pid = -1;
+    processes.forEach(async (p_)=>{
+        if(p_.name == "WeChatAppEx.exe"){
+            let commandLine = cmdline.getCmdline(p_.pid);
+            if(commandLine.indexOf("--type=") == -1){
+                pid = p_.pid;
+            }  
+        }
+    })
+    if(pid==-1){
+        console.log("WeChatAppEx.exe 主进程未找到!")
+        return;
+    }
+
+    session = await frida.attach(pid);
+    script = await session.createScript(addressSource);
+    script.message.connect(onMessage);
+    await script.load();
+
+})().catch((error)=>{
+    console.error(error.stack);
+});
diff --git a/WeChatWin.dll.js b/WeChatWin.dll.js
@@ -0,0 +1,37 @@
+
+let version = (process.argv[2] + "").toLowerCase();
+let bit = (process.argv[3] + "").toLowerCase();
+let exePath = (process.argv[4] + "").toLowerCase();
+
+const fs = require('fs');
+const path = require('path');
+try {
+    fs.accessSync(path.join(exePath, "/WeChatWin_old.dll"));
+    console.log(`已经是替换后的WeChatWin.dll! 请勿重复运行`)
+    return;
+} catch {
+
+}
+
+
+let addressFilePath =path.join(__dirname, `/Core/WeChatWin.dll/address_${version}_${bit}.json`);
+let address = null;
+try {
+    fs.accessSync(addressFilePath);
+    address = JSON.parse(fs.readFileSync(addressFilePath));
+} catch (error) {
+    console.log(`暂不支持 ${version}_${bit} 的版本!`)
+    return;
+}
+try {
+    address.XwebEnableInspect = parseInt(address.XwebEnableInspect) + 1;
+    fs.copyFileSync(path.join(exePath, "/WeChatWin.dll"), path.join(exePath, "/WeChatWin_old.dll"));
+    console.log("WeChatWin.dll已备份!", path.join(exePath, "/WeChatWin_old.dll"))
+    let fd = fs.openSync(path.join(exePath, "/WeChatWin.dll"), "r+");
+    let buf = Buffer.alloc(1);
+    buf.hexWrite("85");
+    fs.writeSync(fd, buf, 0, 1, address.XwebEnableInspect)
+    console.log("完成覆盖!")
+} catch (error) {
+    console.log(error)
+}
diff --git a/hook.js → hook__.js b/hook.js → hook__.js
@@ -1,18 +1,22 @@
 
 
-var base = Process.enumerateModules()[0].base
-send(base)
+
+//var base = Process.enumerateModules()[0].base
+var base = Process.findModuleByName("WeChatAppEx.exe").base
+//Native Pointer
+
+
 //HOOK F12配置 替换原本内容
 
 var pvWechatapphtml = base.add(0x2EC9FBD) 
+
 Interceptor.attach(pvWechatapphtml, {
     onEnter(args) {
-
         this.context.rdx = base.add(0x7C0D6BD);
-        var rdx = this.context.rdx;
-        send(rdx)
+        send("已还原完整F12")
     }
 })
+
 function readStdString(s) {
     var flag = s.add(23).readU8()
     if (flag == 0x80) {
@@ -24,7 +28,6 @@ function readStdString(s) {
         return s.readUtf8String(flag)
     }
 }
-
 function writeStdString(s, content) {
     var flag = s.add(23).readU8()
     if (flag == 0x80) {
@@ -44,8 +47,7 @@ function writeStdString(s, content) {
         s.add(23).writeU8(content.length)
     }
 }
-
-var pvLaunchAppletBegin = base.add(0x1B3FF3C)
+var pvLaunchAppletBegin = base.add(0x1B3FF48) 
 
 //HOOK 启动配置 
 Interceptor.attach(pvLaunchAppletBegin, {
@@ -54,9 +56,7 @@ Interceptor.attach(pvLaunchAppletBegin, {
         for (var i = 0; i < 0x1000; i+=8) {
             try {
                 var s = readStdString(args[2].add(i))
-                if (s) {
-                    //send("got str: " + s)
-                }
+                send(s)
                 var s1 = s.replaceAll("md5", "md6").replaceAll('"enable_vconsole":false', '"enable_vconsole": true')
                 if (s === s1) {
 

diff --git a/index.js → index__.js b/index.js → index__.js
@@ -4,6 +4,7 @@ const fs = require('fs');
 const path = require('path');
 const util = require('util');
 const readFile = util.promisify(fs.readFile);
+debugger;
 function onError(error) {
     console.error(error.stack);
   }

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,5 +1,6 @@
 {
   "dependencies": {
+    "@types/frida-gum": "^18.4.3",
     "cmdline-windows": "^1.0.1",
     "frida": "^16.1.4"
   }