cyonjan/PyWxDump
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

优化代码

Browse Source
This commit is contained in:
xaoyo 2023-10-09 01:34:30 +08:00
parent f43be30408
commit 48139c2456
3 changed files with 276 additions and 220 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

489
Program/get_base_addr.py
View File

@ -9,249 +9,299 @@ import argparse
import ctypes
import json
import re
import time
import psutil
import win32api
from pymem import Pymem
import pymem
ReadProcessMemory = ctypes.windll.kernel32.ReadProcessMemory
void_p = ctypes.c_void_p
def hex2dec(hex):
return int(hex, 16)
def dec2hex(dec):
return hex(dec)
def hex_add(hex1, hex2, base1=16, base2=16):
"""
两个任意进制数相加
:param hex1:
:param hex2:
:return:
"""
return hex(int(hex1, base1) + int(hex2, base2))
def hex_sub(hex1, hex2, base1=16, base2=16):
"""
两个任意进制数相减
:param hex1:
:param hex2:
:return:
"""
return hex(int(hex1, base1) - int(hex2, base2))
def get_pid(keyword):
"""
获取进程id
:param keyword: 关键字
:return:
"""
pids = {}
for proc in psutil.process_iter():
if keyword in proc.name():
pids[proc.pid] = proc
return pids
# def get_pid(keyword):
# """
# 获取进程id
# :param keyword: 关键字
# :return:
# """
# pids = {}
# for proc in psutil.process_iter():
# if keyword in proc.name():
# pids[proc.pid] = proc
# return pids
#
#
# class BaseAddr:
# def __init__(self, pid, proc_module_name="WeChatWin.dll"):
# self.pid = pid
# self.module_name = proc_module_name
# self.proc = psutil.Process(self.pid)
# self.version = self.get_app_version(self.proc.exe())
# self.base_address = 0
# self.end_address = 0
# self.batch = 0
#
# self.key_start_addr = 0
# self.key_end_addr = 0
#
# self.mobile_addr = []
# self.name_addr = []
# self.account_addr = []
# # self.key_addr = []
#
# self.get_base_addr()
#
# def get_app_version(self, executable_path):
# info = win32api.GetFileVersionInfo(executable_path, "\\")
# version = info['FileVersionMS'] >> 16, info['FileVersionMS'] & 0xFFFF, \
# info['FileVersionLS'] >> 16, info['FileVersionLS'] & 0xFFFF
# version_str = ".".join(map(str, version))
#
# return version_str
#
# def get_base_addr(self):
# """
# 获取模块基址
# :param pid: 进程id
# :param module_name: 模块名
# :return:
# """
# base_address = 0
# end_address = 0
# batch = 0
# n = 0
# for module in self.proc.memory_maps(grouped=False):
# if self.module_name in module.path:
# if n == 0:
# base_address = int(module.addr, 16)
# batch = module.rss
# n += 1
# end_address = int(module.addr, 16) + module.rss
#
# self.base_address = base_address
# self.end_address = end_address
# self.batch = batch
# # self.batch = end_address - base_address
#
# def find_all(self, c, string):
# """
# 查找字符串中所有子串的位置
# :param c: 子串 b'123'
# :param string: 字符串 b'123456789123'
# :return:
# """
# return [m.start() for m in re.finditer(re.escape(c), string)]
#
# # 搜索内存地址范围内的值
# def search_memory_value(self, mobile, name, account):
# mobile = mobile.encode("utf-8")
# name = name.encode("utf-8")
# account = account.encode("utf-8")
#
# Handle = ctypes.windll.kernel32.OpenProcess(0x1F0FFF, False, self.pid)
#
# mobile_addr = []
# name_addr = []
# account_addr = []
#
# array = ctypes.create_string_buffer(self.batch)
# for i in range(self.base_address, self.end_address, self.batch):
# if ReadProcessMemory(Handle, void_p(i), array, self.batch, None) == 0:
# continue
#
# hex_string = array.raw # 读取到的内存数据
#
# if mobile in hex_string:
# mobile_addr = mobile_addr + [m.start() + i for m in re.finditer(re.escape(mobile), hex_string)]
# if name in hex_string:
# name_addr = name_addr + [m.start() + i for m in re.finditer(re.escape(name), hex_string)]
# if account in hex_string:
# account_addr = account_addr + [m.start() + i for m in re.finditer(re.escape(account), hex_string)]
#
# self.mobile_addr = mobile_addr
# self.name_addr = name_addr
# self.account_addr = account_addr
# return mobile_addr, name_addr, account_addr
#
# def get_key_addr(self, key):
# """
# 获取key的地址
# :param key:
# :return:
# """
# key = bytes.fromhex(key)
#
# module_start_addr = 34199871460642
# module_end_addr = 0
# for module in self.proc.memory_maps(grouped=False):
# if "WeChat" in module.path:
# start_addr = int(module.addr, 16)
# end_addr = start_addr + module.rss
#
# if module_start_addr > start_addr:
# module_start_addr = start_addr
# if module_end_addr < end_addr:
# module_end_addr = end_addr
#
# Handle = ctypes.windll.kernel32.OpenProcess(0x1F0FFF, False, self.pid)
# array = ctypes.create_string_buffer(self.batch)
# for i in range(module_start_addr, module_end_addr, self.batch):
# if ReadProcessMemory(Handle, void_p(i), array, self.batch, None) == 0:
# continue
#
# hex_string = array.raw # 读取到的内存数据
# if key in hex_string:
# self.key_addr_tmp = i + hex_string.find(key)
# break
# if ((i - module_start_addr) / self.batch) > 300000:
# self.key_addr = 0
# return -1
#
# array_key = []
# for i in range(8):
# byte_value = (self.key_addr_tmp >> (i * 8)) & 0xFF
# hex_string = format(byte_value, '02x')
# byte_obj = bytes.fromhex(hex_string)
# array_key.append(byte_obj)
# # 合并数组
# array_key = b''.join(array_key)
#
# array = ctypes.create_string_buffer(self.batch)
# for i in range(self.base_address, self.end_address, self.batch):
# if ReadProcessMemory(Handle, void_p(i), array, self.batch, None) == 0:
# continue
#
# hex_string = array.raw # 读取到的内存数据
# if array_key in hex_string:
# self.key_addr = i + hex_string.find(array_key)
# return self.key_addr
#
# def calculate_offset(self, addr):
# """
# 计算偏移量
# :param addr:
# :return:
# """
# if addr == 0:
# return 0
# offset = addr - self.base_address
# return offset
#
# def get_offset(self):
# """
# 计算偏移量
# :param addr:
# :return:
# """
# mobile_offset = 0
# name_offset = 0
# account_offset = 0
# key_offset = 0
# if len(self.mobile_addr) >= 1:
# mobile_offset = self.calculate_offset(self.mobile_addr[0])
# if len(self.name_addr) >= 1:
# name_offset = self.calculate_offset(self.name_addr[0])
# if len(self.account_addr) >= 1:
# if len(self.account_addr) >= 2:
# account_offset = self.calculate_offset(self.account_addr[1])
# else:
# account_offset = self.calculate_offset(self.account_addr[0])
#
# key_offset = self.calculate_offset(self.key_addr)
#
# self.key_offset = key_offset
# self.mobile_offset = mobile_offset
# self.name_offset = name_offset
# self.account_offset = account_offset
# return name_offset, account_offset, mobile_offset, 0, key_offset
#
#
# def run(mobile, name, account, key):
# proc_name = "WeChat.exe"
# proc_module_name = "WeChatWin.dll"
#
# pids = get_pid(proc_name)
# for pid, proc in pids.items():
# ba = BaseAddr(pid, proc_module_name)
# ba.search_memory_value(mobile, name, account)
# ba.get_key_addr(key)
# name_offset, account_offset, mobile_offset, _, key_offset = ba.get_offset()
# rdata = {ba.version: [name_offset, account_offset, mobile_offset, 0, key_offset]}
# return rdata
class BaseAddr:
def __init__(self, pid, proc_module_name="WeChatWin.dll"):
self.pid = pid
self.module_name = proc_module_name
self.proc = psutil.Process(self.pid)
self.version = self.get_app_version(self.proc.exe())
self.base_address = 0
self.end_address = 0
self.batch = 0
def __init__(self, account, mobile, name, key):
self.account = account.encode("utf-8")
self.mobile = mobile.encode("utf-8")
self.name = name.encode("utf-8")
self.key = bytes.fromhex(key)
self.key_start_addr = 0
self.key_end_addr = 0
self.process_name = "WeChat.exe"
self.module_name = "WeChatWin.dll"
self.mobile_addr = []
self.name_addr = []
self.account_addr = []
# self.key_addr = []
self.pm = Pymem("WeChat.exe")
self.get_base_addr()
def get_app_version(self, executable_path):
info = win32api.GetFileVersionInfo(executable_path, "\\")
version = info['FileVersionMS'] >> 16, info['FileVersionMS'] & 0xFFFF, \
info['FileVersionLS'] >> 16, info['FileVersionLS'] & 0xFFFF
version_str = ".".join(map(str, version))
return version_str
def get_base_addr(self):
"""
获取模块基址
:param pid: 进程id
:param module_name: 模块名
:return:
"""
base_address = 0
end_address = 0
batch = 0
n = 0
for module in self.proc.memory_maps(grouped=False):
if self.module_name in module.path:
if n == 0:
base_address = int(module.addr, 16)
batch = module.rss
n += 1
end_address = int(module.addr, 16) + module.rss
self.base_address = base_address
self.end_address = end_address
self.batch = batch
# self.batch = end_address - base_address
def find_all(self, c, string):
def find_all(self, c: bytes, string: bytes, base_addr=0):
"""
查找字符串中所有子串的位置
:param c: 子串 b'123'
:param string: 字符串 b'123456789123'
:return:
"""
return [m.start() for m in re.finditer(re.escape(c), string)]
return [base_addr + m.start() for m in re.finditer(re.escape(c), string)]
# 搜索内存地址范围内的值
def search_memory_value(self, mobile, name, account):
mobile = mobile.encode("utf-8")
name = name.encode("utf-8")
account = account.encode("utf-8")
def get_file_version(self, process_name):
for process in psutil.process_iter(['name', 'exe', 'pid', 'cmdline']):
if process.name() == process_name:
file_path = process.exe()
info = win32api.GetFileVersionInfo(file_path, "\\")
ms, ls = info['FileVersionMS'], info['FileVersionLS']
file_version = f"{win32api.HIWORD(ms)}.{win32api.LOWORD(ms)}.{win32api.HIWORD(ls)}.{win32api.LOWORD(ls)}"
return file_version
Handle = ctypes.windll.kernel32.OpenProcess(0x1F0FFF, False, self.pid)
def search_memory_value(self, value: bytes, module_name="WeChatWin.dll"):
# 创建 Pymem 对象
pm = self.pm
module = pymem.process.module_from_name(pm.process_handle, module_name)
mem_data = pm.read_bytes(module.lpBaseOfDll, module.SizeOfImage)
result = self.find_all(value, mem_data)
result = result[-1] if len(result) > 0 else 0
return result
mobile_addr = []
name_addr = []
account_addr = []
def search_key(self, key: bytes):
pm = self.pm
pid = pm.process_id
module = pymem.process.module_from_name(pm.process_handle, "WeChatResource.dll")
start_addr, mem_size = module.lpBaseOfDll, 30918448
array = ctypes.create_string_buffer(self.batch)
for i in range(self.base_address, self.end_address, self.batch):
if ctypes.windll.kernel32.ReadProcessMemory(Handle, ctypes.c_void_p(i), array, self.batch, None) == 0:
batch = 4096
Handle = ctypes.windll.kernel32.OpenProcess(0x1F0FFF, False, pid)
array = ctypes.create_string_buffer(batch)
key_addr = 0
for i in range(start_addr, start_addr + mem_size, batch):
if ReadProcessMemory(Handle, void_p(i), array, batch, None) == 0:
continue
hex_string = array.raw # 读取到的内存数据
if mobile in hex_string:
mobile_addr = mobile_addr + [m.start() + i for m in re.finditer(re.escape(mobile), hex_string)]
if name in hex_string:
name_addr = name_addr + [m.start() + i for m in re.finditer(re.escape(name), hex_string)]
if account in hex_string:
account_addr = account_addr + [m.start() + i for m in re.finditer(re.escape(account), hex_string)]
self.mobile_addr = mobile_addr
self.name_addr = name_addr
self.account_addr = account_addr
return mobile_addr, name_addr, account_addr
def get_key_addr(self, key):
"""
获取key的地址
:param key:
:return:
"""
key = bytes.fromhex(key)
module_start_addr = 34199871460642
module_end_addr = 0
for module in self.proc.memory_maps(grouped=False):
if "WeChat" in module.path:
start_addr = int(module.addr, 16)
end_addr = start_addr + module.rss
if module_start_addr > start_addr:
module_start_addr = start_addr
if module_end_addr < end_addr:
module_end_addr = end_addr
Handle = ctypes.windll.kernel32.OpenProcess(0x1F0FFF, False, self.pid)
array = ctypes.create_string_buffer(self.batch)
for i in range(module_start_addr, module_end_addr, self.batch):
if ctypes.windll.kernel32.ReadProcessMemory(Handle, ctypes.c_void_p(i), array, self.batch, None) == 0:
continue
hex_string = array.raw # 读取到的内存数据
if key in hex_string:
self.key_addr_tmp = i + hex_string.find(key)
key_addr = self.find_all(key, hex_string, i)
if len(key_addr) > 0:
key_addr = key_addr[0]
break
if ((i - module_start_addr) / self.batch) > 300000:
self.key_addr = 0
return -1
array_key = []
for i in range(8):
byte_value = (self.key_addr_tmp >> (i * 8)) & 0xFF
hex_string = format(byte_value, '02x')
byte_obj = bytes.fromhex(hex_string)
array_key.append(byte_obj)
# 合并数组
array_key = b''.join(array_key)
key = key_addr.to_bytes(8, byteorder='little')
result = self.search_memory_value(key, self.module_name)
return result
array = ctypes.create_string_buffer(self.batch)
for i in range(self.base_address, self.end_address, self.batch):
if ctypes.windll.kernel32.ReadProcessMemory(Handle, ctypes.c_void_p(i), array, self.batch, None) == 0:
continue
hex_string = array.raw # 读取到的内存数据
if array_key in hex_string:
self.key_addr = i + hex_string.find(array_key)
return self.key_addr
def calculate_offset(self, addr):
"""
计算偏移量
:param addr:
:return:
"""
if addr == 0:
return 0
offset = addr - self.base_address
return offset
def get_offset(self):
"""
计算偏移量
:param addr:
:return:
"""
mobile_offset = 0
name_offset = 0
account_offset = 0
key_offset = 0
if len(self.mobile_addr) >= 1:
mobile_offset = self.calculate_offset(self.mobile_addr[0])
if len(self.name_addr) >= 1:
name_offset = self.calculate_offset(self.name_addr[0])
if len(self.account_addr) >= 1:
if len(self.account_addr) >= 2:
account_offset = self.calculate_offset(self.account_addr[1])
else:
account_offset = self.calculate_offset(self.account_addr[0])
key_offset = self.calculate_offset(self.key_addr)
self.key_offset = key_offset
self.mobile_offset = mobile_offset
self.name_offset = name_offset
self.account_offset = account_offset
return name_offset, account_offset, mobile_offset, 0, key_offset
def run(mobile, name, account, key):
proc_name = "WeChat.exe"
proc_module_name = "WeChatWin.dll"
pids = get_pid(proc_name)
for pid, proc in pids.items():
ba = BaseAddr(pid, proc_module_name)
ba.search_memory_value(mobile, name, account)
ba.get_key_addr(key)
name_offset, account_offset, mobile_offset, _, key_offset = ba.get_offset()
rdata = {ba.version: [name_offset, account_offset, mobile_offset, 0, key_offset]}
return rdata
def run(self):
self.version = self.get_file_version(self.process_name)
key_bias = self.search_key(self.key)
mobile_bias = self.search_memory_value(self.mobile)
name_bias = self.search_memory_value(self.name)
account_bias = self.search_memory_value(self.account)
return {self.version: [name_bias, account_bias, mobile_bias, 0, key_bias]}
if __name__ == '__main__':
@ -276,7 +326,10 @@ if __name__ == '__main__':
key = args.key
# 调用 run 函数,并传入参数
rdata = run(mobile, name, account, key)
# rdata = run(mobile, name, account, key)
# print(rdata)
rdata = BaseAddr(account, mobile, name, key).run()
print(rdata)
# 添加到version_list.json

6
README.md
View File

@ -1,8 +1,9 @@
# <center>PyWxDump</center>
* 更新日志(如果有[version_list.json](./Program/version_list.json)缺少的版本,请帮忙添加。)
* 2021.10.07 修改获取基址内存搜索方式,防止进入死循环
* 2021.10.07 增加了3.9.7.29版本的偏移地址
* 2023.10.09 优化代码,删减没必要代码,重新修改获取基址代码,加快运行速度(需要安装新的库 pymem
* 2023.10.07 修改获取基址内存搜索方式,防止进入死循环
* 2023.10.07 增加了3.9.7.29版本的偏移地址
* 2023.10.06 增加命令行解密数据库
* 2023.09.28 增加了数据库部分解析
* 2023.09.15 增加了3.9.7.25版本的偏移地址
@ -14,6 +15,7 @@
该分支是[SharpWxDump](https://github.com/AdminTest0/SharpWxDump)的经过重构python语言版本同时添加了一些新的功能。
*
*如果觉得好用的话的话,帮忙点个[![Star](https://img.shields.io/github/stars/xaoyaoo/PyWxDump.svg?style=social&label=Star)](https://github.com/xaoyaoo/PyWxDump/)
呗**

1
requirements.txt
View File

@ -1,3 +1,4 @@
psutil
pycryptodomex
pywin32
pymem