其实这个寻找的过程网上有很多教程,大家可以参考:
PC微信逆向:发送与接收消息的分析与代码实现
以下是我查找到的call,偏移是:0xDE22D0,微信版本3.9.8.12
目前其他功能已开发完成,并编译为DLL,具体文档可以看:个非寻的 wechathook 文档
以上仅供学习交流使用。
第一个eax:空结构体指针
第二个eax:消息内容结构体指针
第三个eax:wxid结构体指针
ecx:缓冲区
# 将数据写入内存,并返回地址 def WriteMemory(handle,**kwargs): adddict = {} for key,value in kwargs.items(): if isinstance(value,c_wchar_p) or isinstance(value,c_char_p) or isinstance(value,c_void_p): add = kernel32.VirtualAllocEx(int(handle), None, len(value.value)*2, MEM_COMMIT, PAGE_EXECUTE_READWRITE) kernel32.WriteProcessMemory(int(handle), add, value, len(value.value)*2, None) adddict[key] = add elif isinstance(value,Structure): add = kernel32.VirtualAllocEx(int(handle), None, 500, MEM_COMMIT, PAGE_EXECUTE_READWRITE) kernel32.WriteProcessMemory(int(handle), add, byref(value), 500, None) adddict[key] = add else: add = kernel32.VirtualAllocEx(int(handle), None, 4, MEM_COMMIT, PAGE_EXECUTE_READWRITE) kernel32.WriteProcessMemory(int(handle), add, byref(value), 4, None) adddict[key] = add return adddict # 释放缓存地址,释放句柄,防止占用内存增加,降低检测风险 def FreeMemory(handle,adddict,end=True): for key,value in adddict.items(): kernel32.VirtualFreeEx(int(handle), value, None, MEM_RELEASE) if end == True: kernel32.CloseHandle(int(handle)) # 置入汇编代码,以便远程调用 def WriteMachineCode(Handle,Add,Asm): ks = Ks(KS_ARCH_X86, KS_MODE_32) machine_code, _ = ks.asm(Asm) byte_code = (c_char * len(machine_code))() for i, v in enumerate(machine_code): byte_code[i] = v kernel32.WriteProcessMemory(int(Handle), Add, byte_code, len(machine_code), None)
# Module-level handle to kernel32 used by every helper below.  Function
# restypes are left at the ctypes default (c_int), so pointer-returning APIs
# (VirtualAllocEx, CreateRemoteThread) come back truncated to 32 bits.
kernel32 = ctypes.windll.LoadLibrary("kernel32.dll")


# Send a text message by running a small stub inside the WeChat process that
# calls the client's own send routine.
# The API chain used here — OpenProcess(PROCESS_ALL_ACCESS), VirtualAllocEx
# with RWX, WriteProcessMemory, CreateRemoteThread — is the canonical
# remote-thread injection sequence and is exactly what endpoint telemetry
# keys on; it is also tied to one build's offset (see `call` below).
# Args: pid — target process id; to_wxid — recipient id; msg — message text.
# Returns nothing; the thread's result is not checked.
def SendTextMsg(pid, to_wxid, msg):
    handle = win32api.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    # GetProcessImageBase is defined elsewhere in the project.
    WeChatWinAdd = GetProcessImageBase(pid, "WeChatWin.dll")
    # Hard-coded offset of the send routine inside WeChatWin.dll; the page
    # text ties it to one specific client version, so it breaks on any other.
    call = WeChatWinAdd + 0xDE22D0
    # Remote region that will hold the assembled stub (1000 bytes, RWX).
    calladd = kernel32.VirtualAllocEx(int(handle), None, 1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    # Write the arguments into memory (both go through the c_wchar_p branch).
    AddDict:dict = WriteMemory(handle, wxidadd=c_wchar_p(to_wxid), msgadd=c_wchar_p(msg))
    # Layout assumed for the string descriptors the target routine reads:
    # pointer, two lengths, 8 spare bytes.  NOTE(review): the field meaning
    # is inferred from the page's register description, not verifiable here.
    class WxidStruct(Structure):
        _fields_ = (
            ('wxid', c_int),
            ('wxidlen1', c_int),
            ('wxidlen2', c_int),
            ('buff', c_char*8),
        )
    # Assemble the structures
    pbuff = WxidStruct()  # empty structure pointer
    pwxid = WxidStruct(c_int(AddDict['wxidadd']), c_int(len(to_wxid)), c_int(len(to_wxid)))  # wxid structure
    pmsg = WxidStruct(c_int(AddDict['msgadd']), c_int(len(msg)), c_int(len(msg)))  # msg structure
    # Scratch buffer.  This is a ctypes array, not a Structure, so WriteMemory
    # handles it in its 4-byte branch rather than copying 0x14D8 bytes.
    buff1 = (c_char*0x14D8)()  # buffer
    # Write the structures into memory
    AddDict1:dict = WriteMemory(handle, pbuff=pbuff, pwxid=pwxid, pmsg=pmsg, buff1=buff1)
    # Stub run on the remote thread: six 4-byte pushes (0x18 bytes) plus
    # edx/ecx arguments, then a relative call.  Keystone assembles at
    # address 0, so `call {call-calladd}` yields the right displacement once
    # the stub sits at calladd; `add esp, 0x18` is caller-side stack cleanup.
    # NOTE(review): line breaks inside the string were restored from the
    # collapsed paste — Keystone needs a separator between instructions.
    asm=f'''
    pushad
    push 0
    push 0
    mov eax, {AddDict1['pbuff']}
    push 0X1
    push 0X1
    push eax
    mov eax, {AddDict1['pmsg']}
    push eax
    mov edx, {AddDict1['pwxid']}
    mov ecx, {AddDict1['buff1']}
    call {call-calladd}
    add esp, 0x18
    popad
    ret
    '''
    # Write the assembled stub into the remote region
    WriteMachineCode(handle, calladd, asm)
    # Run it on a remote thread and block until it returns; the thread handle
    # returned by CreateRemoteThread is never closed here.
    handle_creat = kernel32.CreateRemoteThread(int(handle), None, 0, calladd, 0, 0, None)
    kernel32.WaitForSingleObject(int(handle_creat), INFINITE)
    # Free the buffers: first call keeps the process handle open (end=False),
    # second call releases it.  The stub region at calladd is not freed.
    FreeMemory(handle, AddDict, False)
    FreeMemory(handle, AddDict1)
以上为使用python调用call发送消息的代码,我将在后续持续开发各种python调用微信call的功能,其它功能已做成DLL,具体功能可点击查看:交流学习的可以QQ:3122142139