public static void GetUserInfoByWxid(int pid, string wxuid)
        {
            var des      = DllManager.Get(nameof(ChatRoomMember) + ".dll");
            var baseAddr = Win32Api.LoadLibrary(des.Path);
            var funcAddr = Win32Api.GetProcAddress(baseAddr, "GetUserInfoByWxid");
            var p        = funcAddr - baseAddr + des.BaseAddr;
            int hProcess = Win32Api.OpenProcess(0xFFFF, 0, pid);
            var c        = setByte2(wxuid);
            var dllAddr  =
                Win32Api.VirtualAllocEx((IntPtr)hProcess, IntPtr.Zero, (uint)c.Length, AllocationType.Commit, MemoryProtection.ReadWrite);
            bool success = Win32Api.WriteProcessMemory((IntPtr)hProcess, dllAddr, c, (uint)c.Length, out var dummy);
            var  exeH    = Win32Api.CreateRemoteThread((IntPtr)hProcess, IntPtr.Zero, 0, (IntPtr)p, dllAddr, 0, out var tid);

            Win32Api.FreeLibrary(baseAddr);
        }
Beispiel #2
0
        public static void Send(int pid, string wXid, string message)
        {
            var    des      = DllManager.Get(nameof(SendMessage) + ".dll");
            var    baseAddr = Win32Api.LoadLibrary(des.Path);
            var    funcAddr = Win32Api.GetProcAddress(baseAddr, "SendTextMessage");
            var    p        = funcAddr - baseAddr + des.BaseAddr;
            int    hProcess = Win32Api.OpenProcess(0xFFFF, 0, pid);
            string a        = $"{wXid}_ejflag_{message}";
            var    c        = setByte2(a);
            var    dllAddr  =
                Win32Api.VirtualAllocEx((IntPtr)hProcess, IntPtr.Zero, (uint)c.Length, AllocationType.Commit, MemoryProtection.ReadWrite);
            bool success = Win32Api.WriteProcessMemory((IntPtr)hProcess, dllAddr, c, (uint)c.Length, out var dummy);
            var  exeH    = Win32Api.CreateRemoteThread((IntPtr)hProcess, IntPtr.Zero, 0, (IntPtr)p, dllAddr, 0, out var tid);

            Win32Api.FreeLibrary(baseAddr);
        }
Beispiel #3
0
        public static IntPtr Inject(int pid, string pathStr)
        {
            if (File.Exists(pathStr) == false)
            {
                throw new Exception($"{pathStr}文件不存在");
            }
            FileInfo fileInfo = new FileInfo(pathStr);

            if (pid == 0)
            {
                throw new Exception("微信没有正确启动");
            }
            else
            {
                int hProcess = Win32Api.OpenProcess(0xFFFF, 0, pid);
                if (hProcess == 0)
                {
                    throw new Exception("进程打开失败,可能权限不足或关闭了应用");
                }
                //在微信中申请内存
                var dllAddr =
                    Win32Api.VirtualAllocEx((IntPtr)hProcess, IntPtr.Zero, (uint)pathStr.Length, AllocationType.Commit, MemoryProtection.ReadWrite);
                if (dllAddr == IntPtr.Zero)
                {
                    throw new Exception("内存分配失败");
                }

                var  a       = Encoding.Default.GetBytes(pathStr);
                bool success = Win32Api.WriteProcessMemory((IntPtr)hProcess, dllAddr, a, (uint)a.Length, out var dummy);
                if (success == false)
                {
                    throw new Exception("路径写入失败");
                }

                var k32      = Win32Api.GetModuleHandle("Kernel32.dll");
                var loadAddr = Win32Api.GetProcAddress(k32, "LoadLibraryA");
                var exeH     = Win32Api.CreateRemoteThread((IntPtr)hProcess, IntPtr.Zero, 0, (IntPtr)loadAddr, dllAddr, 0, out var tid);
                if (null == exeH)
                {
                    throw new Exception("注入失败");
                }
                var aaa = Win32Api.WaitForSingleObject((int)exeH, int.MaxValue);
                if (Win32Api.GetExitCodeThread(exeH, out var exitCode) == false)
                {
                    throw new Exception("GetExitCodeThread失败");
                }
                var des = new DllDescription(fileInfo.Name, pathStr, exitCode);
                DllManager.Add(des);
                if (Win32Api.VirtualFreeEx((IntPtr)hProcess, dllAddr, IntPtr.Zero, (IntPtr)FreeType.MEM_RELEASE) == false)
                {
                    var error = Marshal.GetLastWin32Error();
                    throw new Exception("释放内存失败");
                }
                if (Win32Api.CloseHandle(exeH) == false)
                {
                    throw new Exception("关闭远程线程句柄失败");
                }
                if (Win32Api.CloseHandle((IntPtr)hProcess) == false)
                {
                    throw new Exception("关闭微信句柄失败");
                }
                return(exeH);
            }
        }