GithubHelp home page GithubHelp logo

admintest0 / sharpwxdump Goto Github PK

View Code? Open in Web Editor NEW
4.1K 4.1K 574.0 48 KB

微信客户端取证,可获取用户个人信息(昵称/账号/手机/邮箱/数据库密钥(用来解密聊天记录));支持获取多用户信息,不定期更新新版本偏移,目前支持所有新版本、正式版本

C# 100.00%

sharpwxdump's People

Contributors

admintest0 avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

shincehor hck8288 agelovito root13920 savior-only 0xelope ares-x t1ck-h irony0egoist steward007 km269 crackercat himalaya-pamir sallychang h1d3r functfan whitesharks anti-ghosts 1in3r zhaomengshan666 codechina888 petermond zhiqiansecfork replenishlica syhacker boyrobot flyinbedxyz armchir ningblue mocent monarchsolutions nanitool s0x06 yukar1z0e test1213145 klinklinklin yycunhua t0s7 cross2to highbor amjiyu qianniaoge grn0bmp anqisec zhanggx96 nnnnnr geekmc shimotsukisakura yan1990y mdss426 gysf666 akunwin michaelqiush huayanqiaq kenuoseclab zesiar0 expzhizhuo zeoday xinxiemy 1337g dandll tonyha7 s0u1 muyeyingyang fuckgitb gongsunmolan zzhsec bowman03 atk7r yifaang flash455 zhrbing qcmuu wfclym fangnaf ckevens libaizaishuijiao bignewbie js2thon shmilylty liehu n0lll fooxi sinxiaji litelshit systemime git-stateless liusishan s627995568 rixoye hackerderek xkm123 n1ko61 gxpeng mxm-tools zy0803wyl sec-fork currycao j1ezds hxzzy60

sharpwxdump's Issues

无法获取数据库

微信聊天记录没有放在默认地址,程序无法获取数据库

PS E:\浏览器下载\SharpWxDump-master\SharpWxDump-master> .\Program.exe
[+] WeChatProcessPID: 32228
[-] WeChat Base Address Get Faild
[+] Done

安装

怎么打开呀 点哪个打开

3.9.6.19版本偏移

image

匹配3.9.6.19版本的偏移为:
{3.9.6.19,{61997688,61997464,61997496,38986104,61998960}}

数据库解密失败

版本:3.9.6.33
成功获取数据库密钥,但是解密数据库提示密码错误
图片

微信版本3.8.0.25未支持

今天,2022年11月20日调试了一下程序SharpWxDump.exe,提示“WeChat Current Version Is: 3.8.0.25 Not Support”。
这时候我执行:wx-dump-key-v0.1.1.exe ,也提示未支持,但微信WeChat Key还是获取到了。
我把微信升级到了版本3.8.0.41,倒是完美支持了。希望可以互相借鉴一下,wx-dump-key-v0.1.1.exe获取key似乎不受版本影响:

关于wx-dump-key-v0.1.1.exe 的项目地址是:
https://github.com/sn00pyd0g3/wechat-export
关于wx-dump-key-v0.1.1.exe 的文章地址是:
https://www.t00ls.com/thread-66924-1-1.html
他文章里提到的关键代码:
`// 内存搜索
func patternScan(proc win32.HANDLE, pat []byte) ([]win32.PVOID, error) {
var next_region uintptr
next_region = 0
allowed_protections := []int{
PAGE_EXECUTE_READ,
PAGE_EXECUTE_READWRITE,
PAGE_READWRITE,
PAGE_READONLY,
}
var foundAddrs []win32.PVOID

for {
   mi, err := win32.QueryMemoryInfo(proc, win32.LPCVOID(next_region))
   if err != nil {
     break
   }
   next_region = uintptr(mi.BaseAddress) + uintptr(mi.RegionSize)
   if mi.NoAccess || !lo.Contains(allowed_protections, int(mi.Protect)) || mi.State != MEM_COMMIT {
     continue
   }

   memBuf, err := win32.NtReadVirtualMemory(proc, win32.PVOID(mi.BaseAddress), int64(mi.RegionSize))
   if err != nil {
     continue
   }

   // indexAll
   baseOffset := 0
   for {
     offset := bytes.Index(memBuf, pat)
     if offset > -1 {
      addr := mi.BaseAddress + win32.PVOID(baseOffset) + win32.PVOID(offset)
      foundAddrs = append(foundAddrs, addr)
      memBuf = memBuf[offset+len(pat):] // offset+len(pat) or offset ?
      baseOffset += offset + len(pat)
     } else {
      break
     }
   }
}
return foundAddrs, nil

}`

微信获取

建议使用Win API替换掉C#自带的获取进程模块句柄和模块基址

发现Any CPU编译无法获取x86的模块,可以用下面这几个API进行替换,函数原型如下:

        [StructLayout(LayoutKind.Sequential)]
        public struct MODULEINFO
        {
            public IntPtr lpBaseOfDll;
            public uint SizeOfImage;
            public IntPtr EntryPoint;
        }

        [DllImport("psapi.dll", SetLastError = true)]
        public static extern bool EnumProcessModules(
             IntPtr hProcess,
             [Out] IntPtr lphModule,
             UInt32 cb,
             [MarshalAs(UnmanagedType.U4)] out UInt32 lpcbNeeded);

        [DllImport("psapi.dll")]
        static extern uint GetModuleFileNameEx(
            IntPtr hProcess,
            IntPtr hModule,
            [Out] StringBuilder lpBaseName,
            [In][MarshalAs(UnmanagedType.U4)] int nSize);


        [DllImport("psapi.dll", SetLastError = true)]
        public static extern bool GetModuleInformation(
            IntPtr hProcess,
            IntPtr hModule,
            out MODULEINFO lpmodinfo,
            uint cb);

关于支持获取实时消息内存地址有计划吗

希望能够实时获取微信接收消息的内存地址,这个功能比较实用,可以扩展很多有用的功能,本人自己也找了下,发现地址每次微信启动都会变化,没有找到相对的偏移地址,可能我方法不对,希望大佬指导下或者下一次版本发布新增下这个地址,感谢。

3.7.6.44微信版本不支持

大佬可以帮忙适配下 新版微信吗 微信版本会自动升级最新的 。这个偏移地址自己怎么设置,能出个教程吗

内存基址如何获取

授人以鱼不如授人以渔,建议作者可以详细讲讲如何获取版本对应list里的内存基址(最好是cheat engine的教程)

3.9.7.25版本偏移 

"3.9.7.25": [
    63482760,
    63484096,
    63482568,
    0,
    63484032
]
顺便推荐一下自动获取偏移地址脚本  https://github.com/xaoyaoo/PyWxDump.git ,已经添加了自动更新偏移地址脚本,但是需要已经获取得到的key之类的,才能获取新版本的偏移地址。

3.9.2.26

方便更新下最新版本不

3.9.6.8版本偏移

匹配3.9.6.8版本的偏移为:
{3.9.6.8,{61960264,61960040,61960072,38986104,61961536}}

3.9.6.29版本偏移

image
匹配3.9.6.29版本的偏移为:
{3.9.6.29,{62030536,62030312,62030344,38986104,62031808}}

最后一次更新,以后有版本更新 需要偏移的请留言

3.9.6.13版本偏移

匹配3.9.6.13版本的偏移为:
{3.9.6.13,{61964312,61964088,61964120,38986104,61965584}}
image

3.9.6.17版本偏移

匹配3.9.6.17版本的偏移为:
{3.9.6.17,{61972568,61972344,61972376,38986104,61973840}}
image

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.