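/// <summary>
/// Runs the hook DLL's exported <c>GetUserInfoByWxid</c> inside process <paramref name="pid"/>,
/// handing it <paramref name="wxuid"/> through a buffer written into that process. The DLL must
/// already be loaded there (its remote base is read from <c>DllManager</c>); the remote entry
/// point is the export's offset in our own copy of the DLL rebased onto that remote base.
/// The remote thread is started and not awaited (same fire-and-forget behaviour as before).
/// </summary>
/// <param name="pid">Id of the process holding the ChatRoomMember DLL.</param>
/// <param name="wxuid">Value passed to the remote export, encoded by <c>setByte2</c>.</param>
/// <exception cref="Exception">Thrown when loading the local DLL copy, resolving the export,
/// opening the process, allocating or writing remote memory, or starting the thread fails.
/// Local handles are released before the exception propagates.</exception>
public static void GetUserInfoByWxid(int pid, string wxuid)
{
    var des = DllManager.Get(nameof(ChatRoomMember) + ".dll");

    // Our own copy is loaded only to read the export's offset from the module base.
    // NOTE(review): a full LoadLibrary runs the hook's DllMain in this process; if Win32Api
    // exposes LoadLibraryEx, DONT_RESOLVE_DLL_REFERENCES would avoid that.
    var baseAddr = Win32Api.LoadLibrary(des.Path);
    if ((long)baseAddr == 0)
    {
        throw new Exception($"本地加载 {des.Path} 失败 (错误码 {Marshal.GetLastWin32Error()})");
    }

    try
    {
        var funcAddr = Win32Api.GetProcAddress(baseAddr, "GetUserInfoByWxid");
        if ((long)funcAddr == 0)
        {
            // A missing export would otherwise rebase to a garbage address that the remote thread then executes.
            throw new Exception("导出函数 GetUserInfoByWxid 未找到");
        }
        var remoteEntry = funcAddr - baseAddr + des.BaseAddr;

        // Least privilege: CREATE_THREAD | VM_OPERATION | VM_READ | VM_WRITE | QUERY_INFORMATION,
        // which is everything VirtualAllocEx / WriteProcessMemory / CreateRemoteThread require.
        int hProcess = Win32Api.OpenProcess(0x043A, 0, pid);
        if (hProcess == 0)
        {
            throw new Exception("进程打开失败,可能权限不足或关闭了应用");
        }

        try
        {
            var payload = setByte2(wxuid);
            var remoteBuf = Win32Api.VirtualAllocEx((IntPtr)hProcess, IntPtr.Zero, (uint)payload.Length, AllocationType.Commit, MemoryProtection.ReadWrite);
            if (remoteBuf == IntPtr.Zero)
            {
                throw new Exception("内存分配失败");
            }

            // Once the remote thread has been started the buffer belongs to it: freeing it here
            // could race the remote function that reads it, so it is only released on failure.
            bool handedOff = false;
            try
            {
                if (Win32Api.WriteProcessMemory((IntPtr)hProcess, remoteBuf, payload, (uint)payload.Length, out _) == false)
                {
                    throw new Exception("参数写入失败");
                }

                var thread = Win32Api.CreateRemoteThread((IntPtr)hProcess, IntPtr.Zero, 0, (IntPtr)remoteEntry, remoteBuf, 0, out _);
                if ((long)thread == 0)
                {
                    throw new Exception("创建远程线程失败");
                }
                handedOff = true;

                // Closing the handle does not stop the thread; it only drops our reference to it.
                Win32Api.CloseHandle(thread);
            }
            finally
            {
                if (!handedOff)
                {
                    Win32Api.VirtualFreeEx((IntPtr)hProcess, remoteBuf, IntPtr.Zero, (IntPtr)FreeType.MEM_RELEASE);
                }
            }
        }
        finally
        {
            Win32Api.CloseHandle((IntPtr)hProcess);
        }
    }
    finally
    {
        Win32Api.FreeLibrary(baseAddr);
    }
}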
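/// <summary>
/// Runs the hook DLL's exported <c>SendTextMessage</c> inside process <paramref name="pid"/>.
/// The recipient and text are joined as <c>{wXid}_ejflag_{message}</c> (the <c>_ejflag_</c>
/// separator is presumably split again on the DLL side) and written into the target process,
/// then passed to the export on a new remote thread that is not awaited.
/// </summary>
/// <param name="pid">Id of the process holding the SendMessage DLL.</param>
/// <param name="wXid">Recipient identifier placed before the separator.</param>
/// <param name="message">Text placed after the separator.</param>
/// <exception cref="Exception">Thrown when loading the local DLL copy, resolving the export,
/// opening the process, allocating or writing remote memory, or starting the thread fails.
/// Local handles are released before the exception propagates.</exception>
public static void Send(int pid, string wXid, string message)
{
    var des = DllManager.Get(nameof(SendMessage) + ".dll");

    // Loaded locally only to measure the export's offset from the module base.
    // NOTE(review): this executes the hook's DllMain in the injector; LoadLibraryEx with
    // DONT_RESOLVE_DLL_REFERENCES would avoid that if Win32Api exposes it.
    var baseAddr = Win32Api.LoadLibrary(des.Path);
    if ((long)baseAddr == 0)
    {
        throw new Exception($"本地加载 {des.Path} 失败 (错误码 {Marshal.GetLastWin32Error()})");
    }

    try
    {
        var funcAddr = Win32Api.GetProcAddress(baseAddr, "SendTextMessage");
        if ((long)funcAddr == 0)
        {
            // Without this check a missing export rebases to garbage that the remote thread then runs.
            throw new Exception("导出函数 SendTextMessage 未找到");
        }
        var remoteEntry = funcAddr - baseAddr + des.BaseAddr;

        // Least privilege: CREATE_THREAD | VM_OPERATION | VM_READ | VM_WRITE | QUERY_INFORMATION
        // covers VirtualAllocEx, WriteProcessMemory and CreateRemoteThread.
        int hProcess = Win32Api.OpenProcess(0x043A, 0, pid);
        if (hProcess == 0)
        {
            throw new Exception("进程打开失败,可能权限不足或关闭了应用");
        }

        try
        {
            string a = $"{wXid}_ejflag_{message}";
            var payload = setByte2(a);
            var remoteBuf = Win32Api.VirtualAllocEx((IntPtr)hProcess, IntPtr.Zero, (uint)payload.Length, AllocationType.Commit, MemoryProtection.ReadWrite);
            if (remoteBuf == IntPtr.Zero)
            {
                throw new Exception("内存分配失败");
            }

            // After the thread starts the buffer is the remote function's to read; freeing it
            // here would race it, so it is only released when the call never got that far.
            bool handedOff = false;
            try
            {
                if (Win32Api.WriteProcessMemory((IntPtr)hProcess, remoteBuf, payload, (uint)payload.Length, out _) == false)
                {
                    throw new Exception("参数写入失败");
                }

                var thread = Win32Api.CreateRemoteThread((IntPtr)hProcess, IntPtr.Zero, 0, (IntPtr)remoteEntry, remoteBuf, 0, out _);
                if ((long)thread == 0)
                {
                    throw new Exception("创建远程线程失败");
                }
                handedOff = true;

                // Releases our reference only; the remote thread keeps running.
                Win32Api.CloseHandle(thread);
            }
            finally
            {
                if (!handedOff)
                {
                    Win32Api.VirtualFreeEx((IntPtr)hProcess, remoteBuf, IntPtr.Zero, (IntPtr)FreeType.MEM_RELEASE);
                }
            }
        }
        finally
        {
            Win32Api.CloseHandle((IntPtr)hProcess);
        }
    }
    finally
    {
        Win32Api.FreeLibrary(baseAddr);
    }
}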
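/// <summary>
/// Loads the DLL at <paramref name="pathStr"/> into process <paramref name="pid"/>: the path is
/// written into the target, a remote thread runs <c>LoadLibraryA</c> on it, and the thread's exit
/// code (the module base LoadLibrary returned inside the target) is recorded in
/// <c>DllManager</c> so later calls can rebase exports onto it.
/// </summary>
/// <param name="pid">Target process id; 0 is treated as "application not running".</param>
/// <param name="pathStr">Path of the DLL to load inside the target.</param>
/// <returns>The remote thread handle value. It has already been closed by the time it is
/// returned (kept for compatibility with existing callers) and must not be used.</returns>
/// <exception cref="Exception">Thrown on any failed step; the process handle, the remote
/// buffer and the thread handle are released before the exception propagates.</exception>
public static IntPtr Inject(int pid, string pathStr)
{
    if (File.Exists(pathStr) == false)
    {
        throw new Exception($"{pathStr}文件不存在");
    }
    FileInfo fileInfo = new FileInfo(pathStr);
    if (pid == 0)
    {
        throw new Exception("微信没有正确启动");
    }

    // Least privilege: CREATE_THREAD | VM_OPERATION | VM_READ | VM_WRITE | QUERY_INFORMATION
    // is all that VirtualAllocEx / WriteProcessMemory / CreateRemoteThread / VirtualFreeEx need.
    int hProcess = Win32Api.OpenProcess(0x043A, 0, pid);
    if (hProcess == 0)
    {
        throw new Exception("进程打开失败,可能权限不足或关闭了应用");
    }

    // Each resource is closed once: the normal path closes it with the original error check and
    // sets the flag first, so the matching finally block does not close it a second time.
    bool processClosed = false;
    try
    {
        // LoadLibraryA reads a NUL-terminated ANSI string, so encode first and append the
        // terminator; sizing the allocation from pathStr.Length under-counts multibyte paths.
        // NOTE(review): Encoding.Default is the ANSI code page on .NET Framework but UTF-8 on
        // .NET Core+, where non-ASCII paths would need LoadLibraryW instead.
        var a = Encoding.Default.GetBytes(pathStr);
        Array.Resize(ref a, a.Length + 1);

        var dllAddr = Win32Api.VirtualAllocEx((IntPtr)hProcess, IntPtr.Zero, (uint)a.Length, AllocationType.Commit, MemoryProtection.ReadWrite);
        if (dllAddr == IntPtr.Zero)
        {
            throw new Exception("内存分配失败");
        }

        bool bufferFreed = false;
        try
        {
            if (Win32Api.WriteProcessMemory((IntPtr)hProcess, dllAddr, a, (uint)a.Length, out _) == false)
            {
                throw new Exception("路径写入失败");
            }

            // Uses our own kernel32 address as the remote one. That only holds when both
            // processes share bitness (kernel32 is mapped at one base per boot) — TODO confirm
            // the target is the same architecture as this injector.
            var k32 = Win32Api.GetModuleHandle("Kernel32.dll");
            var loadAddr = Win32Api.GetProcAddress(k32, "LoadLibraryA");
            if ((long)loadAddr == 0)
            {
                throw new Exception("无法获取 LoadLibraryA 地址");
            }

            var exeH = Win32Api.CreateRemoteThread((IntPtr)hProcess, IntPtr.Zero, 0, (IntPtr)loadAddr, dllAddr, 0, out _);
            // The previous `null == exeH` test is always false for a handle value, so a failed
            // CreateRemoteThread went on to wait on handle 0.
            if ((long)exeH == 0)
            {
                throw new Exception("注入失败");
            }

            bool threadClosed = false;
            try
            {
                // WAIT_OBJECT_0 == 0; anything else means the thread did not finish and its
                // "exit code" would be STILL_ACTIVE rather than a module base.
                var waitResult = Win32Api.WaitForSingleObject((int)exeH, int.MaxValue);
                if ((long)waitResult != 0)
                {
                    throw new Exception("等待远程线程失败");
                }
                if (Win32Api.GetExitCodeThread(exeH, out var exitCode) == false)
                {
                    throw new Exception("GetExitCodeThread失败");
                }
                // A zero exit code is LoadLibrary failing in the target; registering it would let
                // later export calls rebase onto address 0 and execute garbage.
                // NOTE(review): the exit code is 32 bits wide, so this only carries a full module
                // base for a 32-bit target — confirm the target's bitness.
                if ((long)exitCode == 0)
                {
                    throw new Exception("远程 LoadLibrary 失败,DLL 未加载");
                }

                var des = new DllDescription(fileInfo.Name, pathStr, exitCode);
                DllManager.Add(des);

                bufferFreed = true;
                if (Win32Api.VirtualFreeEx((IntPtr)hProcess, dllAddr, IntPtr.Zero, (IntPtr)FreeType.MEM_RELEASE) == false)
                {
                    throw new Exception($"释放内存失败 (错误码 {Marshal.GetLastWin32Error()})");
                }
                threadClosed = true;
                if (Win32Api.CloseHandle(exeH) == false)
                {
                    throw new Exception("关闭远程线程句柄失败");
                }
                processClosed = true;
                if (Win32Api.CloseHandle((IntPtr)hProcess) == false)
                {
                    throw new Exception("关闭微信句柄失败");
                }
                return exeH;
            }
            finally
            {
                if (!threadClosed)
                {
                    Win32Api.CloseHandle(exeH);
                }
            }
        }
        finally
        {
            if (!bufferFreed)
            {
                Win32Api.VirtualFreeEx((IntPtr)hProcess, dllAddr, IntPtr.Zero, (IntPtr)FreeType.MEM_RELEASE);
            }
        }
    }
    finally
    {
        if (!processClosed)
        {
            Win32Api.CloseHandle((IntPtr)hProcess);
        }
    }
}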