2020/03/14更新:獲取、導出微信所有表情

前言

適用:PC端微信 2.8.0.121 版本
更新於2020年3月14日
本文僅作技術研究

具體原理見上一篇:

https://blog.csdn.net/qq_43572067/article/details/100062493

本次主要是在上次的源碼基礎上進行更新,適用於當前的微信版本

其實就更新了兩個地址
1、強制把聊天收發的表情全部保存下來
2、強制把打開收藏的表情全部保存下來

成品:

鏈接: https://pan.baidu.com/s/1UYXXEU0kKGvpSHNqTFnBcg
提取碼: t4qt

源代碼:

使用VS2015以上編譯

RemoteInject.exe

// RemoteInject.cpp : 定義控制檯應用程序的入口點。

#include "stdafx.h"
#include "windows.h"
#include "atlstr.h"
#include <TlHelp32.h>

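char* GetProgramDll()
{
	// Builds "<directory of this executable>\GetWeChatPic.dll" in a static
	// buffer. The returned pointer stays valid for the process lifetime and
	// must not be freed. Returns "" if the module path cannot be obtained,
	// was truncated, or contains no backslash.
	static char exeFullPath[MAX_PATH] = { 0 }; // Full path
	static const char kDllName[] = "GetWeChatPic.dll";

	DWORD nPathLen = GetModuleFileNameA(NULL, exeFullPath, MAX_PATH);
	if (nPathLen == 0 || nPathLen >= MAX_PATH)
	{
		// 0 = failure, MAX_PATH = truncated: do not trust the buffer contents.
		exeFullPath[0] = '\0';
		return exeFullPath;
	}

	char *nWeak = strrchr(exeFullPath, '\\');
	if (!nWeak)
	{
		exeFullPath[0] = '\0';
		return exeFullPath;
	}

	// Replace the executable name with the DLL name using a bounded, always
	// NUL-terminated write. The previous memcpy neither terminated the string
	// nor checked the remaining space; it only worked because the exe name
	// happened to be as long as the DLL name.
	size_t nRemain = sizeof(exeFullPath) - (size_t)(nWeak + 1 - exeFullPath);
	snprintf(nWeak + 1, nRemain, "%s", kDllName);

	return exeFullPath;
}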


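DWORD GetProcessPid(CString nProcessName)
{
	// Returns the PID of the first running process whose image name equals
	// nProcessName (case-insensitive), or 0 if none matches or the process
	// snapshot cannot be taken. The snapshot handle is closed on every path;
	// the original returned early from the loop and leaked it.
	HANDLE nSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (nSnapShot == INVALID_HANDLE_VALUE)
	{
		return 0;
	}

	// Lower-case the wanted name once instead of on every iteration.
	CString nWanted = nProcessName;
	nWanted.MakeLower();

	DWORD nFoundPid = 0;
	PROCESSENTRY32 nPT = { 0 };
	nPT.dwSize = sizeof(nPT);   // required by Process32First

	for (BOOL nRet = Process32First(nSnapShot, &nPT); nRet; nRet = Process32Next(nSnapShot, &nPT))
	{
		CString nCurrent(nPT.szExeFile);
		if (nWanted == nCurrent.MakeLower())
		{
			nFoundPid = nPT.th32ProcessID;
			break;
		}
	}

	CloseHandle(nSnapShot);
	return nFoundPid;
}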


int main()
{	
	// Injector entry point: finds wechat.exe, writes the DLL path into its
	// address space and starts a remote thread at LoadLibraryA with that
	// path as argument. Results are used unchecked: a PID of 0 or a NULL
	// process handle (e.g. insufficient rights) only shows up in the printed
	// line, and the CreateRemoteThread result is not tested before
	// WaitForSingleObject/CloseHandle.
	printf("適用:PC端微信 2.8.0.121版本\r\n更新與2020年3月14日\r\n");

	DWORD nPid = GetProcessPid("wechat.exe");
	HANDLE nHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, nPid);

	// %d with a HANDLE (pointer) is a format/argument mismatch; %p would match.
	printf("進程ID:%d  -  進程句柄:%d\r\n", nPid, nHandle);


	CHAR *DllPath = GetProgramDll();
	int nLen = strlen(DllPath)+1;   // +1 keeps the terminating NUL
	LPVOID pBuf = VirtualAllocEx(nHandle, NULL, nLen, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
	if (!pBuf)
	{
		printf("申請內存失敗!\r\n");		
		getchar();
		return 0;
	}

	if (!WriteProcessMemory(nHandle, pBuf, DllPath, nLen, 0))
	{
		printf("寫入內存失敗!\r\n");
		getchar();
		return 0;

	}

	HANDLE hRemoteThread = CreateRemoteThread(nHandle, NULL, NULL,(LPTHREAD_START_ROUTINE)LoadLibraryA, pBuf, 0, 0);

	// -1 is INFINITE: blocks until the remote LoadLibraryA (and thus the
	// DLL's DllMain) has returned.
	WaitForSingleObject(hRemoteThread, -1);

	CloseHandle(hRemoteThread);

	// MEM_FREE is a memory-state value, not a valid dwFreeType; VirtualFreeEx
	// expects MEM_RELEASE with size 0 here, so this call most likely fails
	// and the remote buffer is never released (return value unchecked).
	VirtualFreeEx(nHandle, pBuf, 0, MEM_FREE);

	// nHandle is never closed; process exit reclaims it.
	printf("注入完成!\r\n");
	getchar();
    return 0;
}

GetWeChatPic.dll

#include "stdafx.h"
#include "stdio.h"
#include "windows.h"
#include <shellapi.h>

// Shared, unsynchronised globals used by the detour in Hook(); pointers are
// stored as DWORD, so this only works in a 32-bit process.
DWORD FileBuff;   // address of the buffer the hooked function received (first stack argument)
DWORD FileSize;   // its length in bytes (second stack argument)

CHAR FileName[MAX_PATH];   // output path built by Hook(); sprintf_s is called with 256, below sizeof(FileName)

FILE *pFile;      // output stream of Hook(); not checked for NULL after fopen_s

DWORD Old_wxam_dec_isWXGF_4;   // trampoline address filled in by MyHook(); Hook() jumps to it on exit


// Deliberately empty export; presumably present only so the DLL carries at
// least one exported symbol — nothing on this page calls it (TODO confirm).
extern "C" _declspec(dllexport) void ExportFun()
{
}

void MyHook(LPVOID HookAddress, LPVOID NewAddress, DWORD *OldAddress,DWORD HookBytesNum)
{
	// Installs a 6-byte "push imm32 / ret" detour at HookAddress and builds a
	// trampoline through which the original code remains reachable:
	//   *OldAddress -> [HookBytesNum original bytes][push HookAddress+HookBytesNum; ret]
	//   HookAddress -> [push NewAddress; ret]
	// 32-bit x86 only (pointers are narrowed to DWORD). Assumes HookBytesNum
	// >= 6 and that the copied bytes are whole, position-independent
	// instructions; nothing here verifies that. The VirtualAlloc result is
	// not checked and the 1024-byte RWX allocation is never released.

	BYTE JumpByte[6] = { 0x68,0x00,0x00,0x00,0x00,0xc3 };   // push imm32 ; ret

	// First use of the template: return to just after the overwritten bytes.
	*(DWORD*)(JumpByte + 1) = (DWORD)HookAddress + HookBytesNum;

	*OldAddress = (DWORD)VirtualAlloc(NULL, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

	memcpy((LPVOID)*OldAddress, HookAddress, HookBytesNum);

	memcpy((BYTE*)*OldAddress + HookBytesNum, JumpByte,6);

	// Second use of the template: divert into the replacement function.
	*(DWORD*)(JumpByte + 1) = (DWORD)NewAddress;

	// (HANDLE)-1 is the current-process pseudo-handle; presumably used instead
	// of memcpy because the target page is non-writable code — TODO confirm.
	// Return value unchecked: a failed write leaves the function unhooked.
	WriteProcessMemory((HANDLE)-1, HookAddress, JumpByte, 6, 0);

}

DWORD GetHash(char *nBuff,int nBuffSize)
{
	// Rolling 32-bit checksum of nBuff[0..nBuffSize): each step rotates the
	// accumulator left by 25 bits and adds the next byte as a plain char (so
	// bytes >= 0x80 contribute a negative, sign-extended value where char is
	// signed). Only used to derive a file name; not a cryptographic hash.
	// A size <= 0 yields 0.
	DWORD nAcc = 0;
	const char *nEnd = nBuff + (nBuffSize > 0 ? nBuffSize : 0);

	for (const char *nCur = nBuff; nCur < nEnd; ++nCur)
	{
		DWORD nRotated = (nAcc << 25) | (nAcc >> 7);
		nAcc = nRotated + *nCur;
	}

	return nAcc;
}

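char* GetProgramDir()
{
	// Builds "<directory of the host executable>\GetWeChatPic" in a static
	// buffer (valid for the process lifetime, not to be freed by the caller).
	// Inside the injected DLL, GetModuleFileNameA(NULL, ...) names the host
	// process's executable, so this is the host's directory, whereas
	// CreateDirectoryA("GetWeChatPic") in DllMain is relative to the current
	// working directory; the two only agree when that is the host's
	// directory — TODO confirm. Returns "" if the path cannot be obtained,
	// was truncated, or contains no backslash.
	static char exeFullPath[MAX_PATH] = { 0 }; // Full path
	static const char kDirName[] = "GetWeChatPic";

	DWORD nPathLen = GetModuleFileNameA(NULL, exeFullPath, MAX_PATH);
	if (nPathLen == 0 || nPathLen >= MAX_PATH)
	{
		// 0 = failure, MAX_PATH = truncated: do not trust the buffer contents.
		exeFullPath[0] = '\0';
		return exeFullPath;
	}

	char *nWeak = strrchr(exeFullPath, '\\');
	if (!nWeak)
	{
		exeFullPath[0] = '\0';
		return exeFullPath;
	}

	// Bounded, always NUL-terminated replacement of the exe name. The previous
	// memcpy wrote neither a terminator nor checked the remaining space; it
	// only produced a clean string when the exe name was at most 12 bytes long
	// and the static buffer was still zero beyond it.
	size_t nRemain = sizeof(exeFullPath) - (size_t)(nWeak + 1 - exeFullPath);
	snprintf(nWeak + 1, nRemain, "%s", kDirName);

	return exeFullPath;
}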

__declspec(naked) void Hook()
{
	// Detour target for wxam_dec_isWXGF_4 (installed by MyHook from DllMain).
	// naked: no prologue/epilogue, so the stack is exactly what the caller
	// left plus what the asm below pushes. 32-bit x86 only.
	__asm
	{
		pushad;               // saves 8 GPRs = 32 bytes; return address is now at [esp+32]
		mov eax, [esp + 36];  // first stack argument of the hooked function
		mov FileBuff, eax;    //   used below as a pointer to the image bytes
		mov eax, [esp + 40];  // second stack argument
		mov FileSize, eax;    //   used below as its length in bytes
	}

	// FileBuff/FileSize/FileName/pFile are globals: two decoder threads hitting
	// this detour concurrently would race on them. The name is a checksum of
	// the content, so identical images overwrite the same file ("wb+") rather
	// than accumulating duplicates. 256 is smaller than sizeof(FileName) (MAX_PATH).
	sprintf_s(FileName, 256, "GetWeChatPic\\%08X.gif", GetHash((char*)FileBuff, FileSize));

	// fopen_s result is not checked: if the directory is missing or the open
	// fails, pFile is NULL and the fwrite/fclose below dereference it.
	fopen_s(&pFile, FileName, "wb+");

	fwrite((LPVOID)FileBuff, FileSize, 1, pFile);

	fclose(pFile);

	__asm
	{
		popad;                       // restore all registers, including EAX
		jmp Old_wxam_dec_isWXGF_4;   // continue via the trampoline (original bytes, then the rest of the function)
	}
}



BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
{
	// DLL entry point. All work happens on DLL_PROCESS_ATTACH, i.e. while the
	// loader lock is held: it patches two version-specific offsets inside
	// WeChatWin.dll, installs an inline hook on WXAMDecoder.dll!wxam_dec_isWXGF_4,
	// creates the output directory and shows a message box. MessageBoxA and
	// ShellExecuteA from DllMain are outside what the loader documents as
	// safe. GetModuleHandleA and WriteProcessMemory results are unchecked, so
	// a module that is not loaded yet or a failed patch goes unreported
	// (the error box below only covers a missing wxam_dec_isWXGF_4 export).
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
	{

		{
			HMODULE nHmodule = GetModuleHandleA("WeChatWin.dll");

			// 0xEB is a short unconditional JMP; presumably it replaces a
			// conditional branch at the given offset so the "save" path is
			// always taken — the patched instruction is not shown here.
			// Offsets are tied to WeChat 2.8.0.121 (see the page header); the
			// commented-out lines keep the 2019-08-20 build's offsets.
			// If nHmodule is NULL the write targets offset+0 and simply fails.
			BYTE HookByte2[] = { 0xeb };
			//DWORD pFunAddress = (DWORD)nHmodule + 0x7DB79;// save all stickers sent/received in chat, 2019-08-20
			DWORD pFunAddress = (DWORD)nHmodule + 0x94016;// save all stickers sent/received in chat, 2020-03-14
			WriteProcessMemory((HANDLE)-1, (LPVOID)pFunAddress, HookByte2, 1, 0);

			BYTE HookByte5[] = { 0xeb };
			//pFunAddress = (DWORD)nHmodule + 0x2841DC;// save all stickers opened from Favorites, 2019-08-20
			pFunAddress = (DWORD)nHmodule + 0x2BE71F;// save all stickers opened from Favorites, 2020-03-14
			WriteProcessMemory((HANDLE)-1, (LPVOID)pFunAddress, HookByte5, 1, 0);
		}



		HMODULE nHmodule = GetModuleHandleA("WXAMDecoder.dll");
		LPVOID pFunAddress = GetProcAddress(nHmodule, "wxam_dec_isWXGF_4");

		if (pFunAddress)
		{
			// 9 = number of bytes copied into the trampoline; must cover whole
			// instructions of this specific build (see MyHook).
			MyHook(pFunAddress, Hook, &Old_wxam_dec_isWXGF_4, 9);

			SECURITY_ATTRIBUTES SecurityAttributes;
			SecurityAttributes.lpSecurityDescriptor = 0;
			SecurityAttributes.bInheritHandle = false;
			SecurityAttributes.nLength = sizeof(SecurityAttributes);
			// Relative to the current working directory of the host process;
			// Hook() writes to the same relative "GetWeChatPic\" prefix, while
			// GetProgramDir() below resolves against the host executable's
			// directory — these may differ (TODO confirm). Result unchecked.
			CreateDirectoryA("GetWeChatPic", &SecurityAttributes);


			if (MessageBoxA(0, "注入成功!\r\n是否打開儲存的表情文件夾?", "Tips", MB_ICONINFORMATION | MB_YESNO)==IDYES)
				ShellExecuteA(NULL, ("open"), ("explorer"), GetProgramDir(), NULL, SW_SHOW);

		}
		else
		{
			MessageBoxA(0, "注入失敗!請重啓微信進入到聊天框內再注入!", "Tips", MB_ICONERROR);
		}

	}
	// No break here: falls through into the cases below, which only break.
	// Harmless, but an explicit break would make the intent clear.
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}