
Python实现向好友发送微信消息优化篇

目录：前言、第二次优化、第三次优化

前言

之前说了怎么写机器码到内存，然后调用。现在说说怎么优化。

用Python發(fā)送微信消息給好友

第二次優(yōu)化

再看一遍c語(yǔ)言的代碼

// Assemble the argument buffers for WeChat's internal send routine and call it.
// Only the inline asm performs the call; every C statement before it just
// prepares memory.
// NOTE(review): the function's closing brace is missing from this listing.
void SendText(wchar_t* wsTextMsg) {
    // recipient id; "filehelper" is the File Transfer Assistant account
    wchar_t wsWxId[0x10] = L"filehelper";
    WxBaseStruct wxWxid(wsWxId);
    // message content
    WxBaseStruct wxTextMsg(wsTextMsg);
    wchar_t** pWxmsg = wxTextMsg.buffer;
    // zero-initialised scratch buffers handed to the call below
    char buffer[0x3B0] = {0};
    char wxNull[0x100] = {0};
    DWORD dllBaseAddress = (DWORD)GetModuleHandleA("WeChatWin.dll");
    // address of the message-sending function: module base plus a fixed offset
    // NOTE(review): the offset is tied to one specific WeChatWin.dll build and
    // is not validated against the loaded module's version.
    DWORD callAddress = dllBaseAddress + 0x521D30;
    __asm {
        lea eax, wxNull;
        push 0x1;
        push eax;
        mov edi, pWxmsg;
        push edi;
        lea edx, wxWxid;
        lea ecx, buffer;
        call callAddress;
        add esp, 0xC;   // pop the three arguments pushed above
    }

上面的代码中真正发消息的是 asm 里面的代码，之前的 C 代码都是在组装内存数据。那我们是不是可以用 Python 组装数据，只将下面的汇编转为机器码写入内存调用？这样就少了很多无用的机器码。

改完的SendText函數(shù)如下

// Buffers and addresses hoisted out of SendText so that only the asm body
// has to be converted to machine code.
// NOTE(review): several tokens were dropped when this listing was scraped —
// the L"..." quotes and trailing ';' on the first two lines, and the quoted
// "WeChatWin.dll" argument with its closing ')' in the GetModuleHandleA call.
wchar_t wsWxId[0x10] = Lfilehelper
wchar_t wsTextMsg[0x100] = Ltest
WxBaseStruct wxWxid(wsWxId);
WxBaseStruct wxTextMsg(wsTextMsg);
wchar_t** pWxmsg = wxTextMsg.buffer;
// zero-initialised scratch buffers used by the call in SendText
char buffer[0x3B0] = {0};
char wxNull[0x100] = {0};
DWORD dllBaseAddress = (DWORD)GetModuleHandleA(WeChatWin.dll;
// NOTE(review): fixed offset into one specific WeChatWin.dll build; nothing
// here checks which build is actually loaded.
DWORD callAddress = dllBaseAddress + 0x521D30;

// Issue the send call using the globally prepared buffers defined above;
// the function body is now nothing but the inline asm.
void SendText() {
    __asm {
        lea eax, wxNull;
        push 0x1;
        push eax;
        mov edi, pWxmsg;
        push edi;
        lea edx, wxWxid;
        lea ecx, buffer;
        call callAddress;
        add esp, 0xC;   // pop the three arguments pushed above
    }
}

匯編代碼:

[] 里面包含的类型和变量名其实就是地址，只需要将地址改成用 Python 构造的地址就可以了。

完整代碼如下:

importos

importpymem

importctypes

importtime

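def convert_addr(addr):
    """Return *addr* as eight hex digits in little-endian byte order.

    Accepts either an int or a hex string (with or without a ``0x``/``0X``
    prefix).  The value is left-padded to 32 bits and its four bytes are
    emitted lowest byte first, e.g. ``convert_addr(0x12345678)`` returns
    ``'78563412'``.  The case of a string input is preserved.

    Args:
        addr: int or hex string, at most 32 bits wide.

    Returns:
        An 8-character hex string suitable for ``bytes.fromhex``.

    Raises:
        ValueError: if *addr* is negative or does not fit in 32 bits.  The
            original silently kept only the high-order eight digits, which
            produced a wrong address without any error.
    """
    if isinstance(addr, int):
        if addr < 0:
            raise ValueError(f"address must be non-negative, got {addr!r}")
        addr = hex(addr)
    digits = addr[2:] if addr[:2] in ("0x", "0X") else addr
    if len(digits) > 8:
        raise ValueError(f"address does not fit in 32 bits: {addr!r}")
    # the listing's comparison operator was lost; this is the `len(addr) < 8` pad
    digits = digits.zfill(8)
    # emit the byte pairs from the last to the first (little-endian)
    return "".join(digits[i:i + 2] for i in range(6, -1, -2))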

def WxBaseStruct(process_handle, content: str) -> tuple[int, int]:
    """Write *content* into the target process as a string struct.

    Allocates a 20-byte struct and a separate UTF-16LE text buffer in the
    process behind *process_handle*, fills the struct, and returns both
    addresses so the caller can release them (main frees both).

    Struct layout as written here:
        +0x00  pointer to the UTF-16LE text
        +0x04  length in characters (len(content))
        +0x08  length in bytes, computed as len(content) * 2
        +0x0C  0
        +0x10  0

    Args:
        process_handle: handle to the target process.
        content: text to copy into the process.

    Returns:
        (struct_address, content_address), both allocated here.

    NOTE(review): len(content) counts code points while the text is encoded
    as UTF-16LE, so both length fields diverge from len(bcontent) for
    characters outside the BMP.  The WriteProcessMemory result is not checked.
    """
    struct_address = pymem.memory.allocate_memory(process_handle, 20)
    bcontent = content.encode('utf-16le')
    # 16 spare bytes are allocated beyond the encoded text
    content_address = pymem.memory.allocate_memory(process_handle, len(bcontent) + 16)
    pymem.ressources.kernel32.WriteProcessMemory(process_handle, content_address, bcontent, len(bcontent), None)
    pymem.memory.write_int(process_handle, struct_address, content_address)
    pymem.memory.write_int(process_handle, struct_address + 0x4, len(content))
    pymem.memory.write_int(process_handle, struct_address + 0x8, len(content) * 2)
    pymem.memory.write_int(process_handle, struct_address + 0xC, 0)
    pymem.memory.write_int(process_handle, struct_address + 0x10, 0)
    return struct_address, content_address

def start_thread(process_handle, address, params=None):
    """Start a thread in *process_handle* at *address* and wait for it to exit.

    Args:
        process_handle: handle to the target process.
        address: remote address at which the new thread begins executing.
        params: optional thread parameter; ``None`` (or 0) becomes 0.

    Returns:
        The thread handle from CreateRemoteThread.
        NOTE(review): the visible caller (main) never closes this handle.

    NOTE(review): the call below passes five arguments; the Win32
    CreateRemoteThread signature has seven (dwStackSize and dwCreationFlags
    appear to be missing) — confirm against the original source.
    """
    params = params or 0
    NULL_SECURITY_ATTRIBUTES = ctypes.cast(0, pymem.ressources.structure.LPSECURITY_ATTRIBUTES)
    # NOTE(review): the closing parenthesis of this call is missing from the listing.
    thread_h = pymem.ressources.kernel32.CreateRemoteThread(
        process_handle,
        NULL_SECURITY_ATTRIBUTES,
        address,
        params,
        ctypes.byref(ctypes.c_ulong(0))
    # NOTE(review): GetLastError is read through ctypes.windll without
    # use_last_error/ctypes.get_last_error(), so the value may not belong to the
    # call above; a NULL thread_h is also not treated as a failure.
    last_error = ctypes.windll.kernel32.GetLastError()
    if last_error:
        pymem.logger.warning('Gotanerrorinstartthread,code:%s' % last_error)
    # -1 is intended as INFINITE; whether a negative value is accepted depends
    # on the argtypes declared for WaitForSingleObject
    pymem.ressources.kernel32.WaitForSingleObject(thread_h, -1)
    return thread_h

def main(wxpid: int, wxid: str, msg: str) -> None:
    """Prepare the call buffers in the WeChat process, run the stub, then free them.

    Args:
        wxpid: process id of the running WeChat instance.
        wxid: recipient account id, written via WxBaseStruct.
        msg: message text, written the same way.

    NOTE(review):
        * ``cess.open``, ``cess.module_from_name`` and ``cess.close_handle``
          are truncated in this listing; presumably ``pymem.process.*`` —
          confirm against the original source.
        * The ``format_code`` triple-quoted string below is never closed in
          this listing, so everything after it is parsed as string content.
        * ``0x521D30`` is a fixed offset for one WeChatWin.dll build; the
          loaded module's version is not checked.
        * No allocate/write call has its result checked, and the thread
          handle returned by start_thread is never closed.
    """
    process_handle = cess.open(wxpid)
    # scratch buffers mirroring wxNull and buffer in the C version
    wxNull_address = pymem.memory.allocate_memory(process_handle, 0x100)
    buffer_address = pymem.memory.allocate_memory(process_handle, 0x3B0)
    wxid_struct_address, wxid_address = WxBaseStruct(process_handle, wxid)
    msg_struct_address, msg_address = WxBaseStruct(process_handle, msg)
    process_WeChatWin_handle = cess.module_from_name(process_handle, "WeChatWin.dll")
    call_address = process_WeChatWin_handle.lpBaseOfDll + 0x521D30
    # the stub calls through a pointer: the target address is stored in a
    # 4-byte cell and the cell's address is what gets patched into the code
    call_p_address = pymem.memory.allocate_memory(process_handle, 4)
    pymem.memory.write_int(process_handle, call_p_address, call_address)
    # machine-code template matching the inline asm of the C version; each
    # {name} receives a little-endian address from convert_addr
    format_code = '''
8D05{wxNull}
6A01
8D3D{wxTextMsg}
8D15{wxWxid}
8D0D{buffer}
FF15{callAddress}
83C40C
    shellcode = format_code.format(wxNull=convert_addr(wxNull_address),
                                   wxTextMsg=convert_addr(msg_struct_address),
                                   wxWxid=convert_addr(wxid_struct_address),
                                   buffer=convert_addr(buffer_address),
                                   callAddress=convert_addr(call_p_address))
    # NOTE(review): the first replace() is a no-op as printed; the scrape
    # presumably dropped a space from the search string
    shellcode = bytes.fromhex(shellcode.replace('', '').replace('\n', ''))
    shellcode_address = pymem.memory.allocate_memory(process_handle, len(shellcode) + 5)
    pymem.ressources.kernel32.WriteProcessMemory(process_handle, shellcode_address, shellcode, len(shellcode), None)
    thread_h = start_thread(process_handle, shellcode_address)
    # start_thread already waits for the thread; the intent of this extra
    # delay before freeing is not stated — presumably a safety margin
    time.sleep(0.5)
    # release everything allocated above, including the code buffer itself
    pymem.memory.free_memory(process_handle, wxNull_address)
    pymem.memory.free_memory(process_handle, buffer_address)
    pymem.memory.free_memory(process_handle, wxid_struct_address)
    pymem.memory.free_memory(process_handle, wxid_address)
    pymem.memory.free_memory(process_handle, msg_struct_address)
    pymem.memory.free_memory(process_handle, msg_address)
    pymem.memory.free_memory(process_handle, call_p_address)
    pymem.memory.free_memory(process_handle, shellcode_address)
    cess.close_handle(process_handle)

if __name__ == "__main__":
    # Example invocation from the article: the pid is hard-coded to the
    # author's session, and "filehelper" is the File Transfer Assistant account.
    wxpid = 16892
    wxid = "filehelper"
    msg = "pythontest"
    main(wxpid, wxid, msg)

第三次優(yōu)化

直接在 Python 里写汇编，然后自动转成机器码写入内存。使用的是 Python 的 keystone 库。

#-*-coding:utf-8-*-

importos

importpymem

importctypes

importtime

fromkeystoneimportKs,KS_ARCH_X86,KS_MODE_32

def asm2code(asm_code, syntax=0):
    """Assemble 32-bit x86 *asm_code* with keystone and return the raw bytes.

    ``syntax`` is accepted for interface compatibility but is not used; the
    instruction count keystone also reports is discarded.
    """
    encoded, _count = Ks(KS_ARCH_X86, KS_MODE_32).asm(asm_code, as_bytes=True)
    return encoded

def WxBaseStruct(process_handle, content: str) -> tuple[int, int]:
    """Write *content* into the target process as a string struct.

    Allocates a 20-byte struct and a separate UTF-16LE text buffer in the
    process behind *process_handle*, fills the struct, and returns both
    addresses so the caller can release them.

    Struct layout as written here:
        +0x00  pointer to the UTF-16LE text
        +0x04  length in characters (len(content))
        +0x08  length in bytes, computed as len(content) * 2
        +0x0C  0
        +0x10  0

    Args:
        process_handle: handle to the target process.
        content: text to copy into the process.

    Returns:
        (struct_address, content_address), both allocated here.

    NOTE(review): len(content) counts code points while the text is encoded
    as UTF-16LE, so both length fields diverge from len(bcontent) for
    characters outside the BMP.  The WriteProcessMemory result is not checked.
    """
    struct_address = pymem.memory.allocate_memory(process_handle, 20)
    bcontent = content.encode('utf-16le')
    # 16 spare bytes are allocated beyond the encoded text
    content_address = pymem.memory.allocate_memory(process_handle, len(bcontent) + 16)
    pymem.ressources.kernel32.WriteProcessMemory(process_handle, content_address, bcontent, len(bcontent), None)
    pymem.memory.write_int(process_handle, struct_address, content_address)
    pymem.memory.write_int(process_handle, struct_address + 0x4, len(content))
    pymem.memory.write_int(process_handle, struct_address + 0x8, len(content) * 2)
    pymem.memory.write_int(process_handle, struct_address + 0xC, 0)
    pymem.memory.write_int(process_handle, struct_address + 0x10, 0)
    return struct_address, content_address

def start_thread(process_handle, address, params=None):
    """Start a thread in *process_handle* at *address* and wait for it to exit.

    Args:
        process_handle: handle to the target process.
        address: remote address at which the new thread begins executing.
        params: optional thread parameter; ``None`` (or 0) becomes 0.

    Returns:
        The thread handle from CreateRemoteThread; no caller visible here
        closes it.

    NOTE(review): the call below passes five arguments; the Win32
    CreateRemoteThread signature has seven (dwStackSize and dwCreationFlags
    appear to be missing) — confirm against the original source.
    """
    params = params or 0
    NULL_SECURITY_ATTRIBUTES = ctypes.cast(0, pymem.ressources.structure.LPSECURITY_ATTRIBUTES)
    # NOTE(review): the closing parenthesis of this call is missing from the listing.
    thread_h = pymem.ressources.kernel32.CreateRemoteThread(
        process_handle,
        NULL_SECURITY_ATTRIBUTES,
        address,
        params,
        ctypes.byref(ctypes.c_ulong(0))
    # NOTE(review): GetLastError is read through ctypes.windll without
    # use_last_error/ctypes.get_last_error(), so the value may not belong to the
    # call above; a NULL thread_h is also not treated as a failure.
    last_error = ctypes.windll.kernel32.GetLastError()
    if last_error:
        pymem.logger.warning('Gotanerrorinstartthread,code:%s' % last_error)
    # -1 is intended as INFINITE; whether a negative value is accepted depends
    # on the argtypes declared for WaitForSingleObject
    pymem.ressources.kernel32.WaitForSingleObject(thread_h, -1)
    return thread_h

defmain(wxpid,wxid,msg):

process_handle=cess.open(wxpid)

wxNull_address=pymem.memory.allocate_memory(process_handle,0x100)

buffer_address=pymem.memory.allocate_memory(process_handle,0x3B0)

wxid_struct_address,wxid_address=WxBaseStruct(process_handle,wxid)

msg_struct_address,msg_address=WxBaseStruct(process_handle,msg)

process_WeChatWin_handle=cess.module_from_name(process_handle,"WeChatWin.dll")

call_address=process_WeChatWin_handle.lpBaseOfDll+0x521D30

call_p_address=pymem.memory.allocate_memory(process_handle,4)

pymem.memory.write_int(process_handle,call_p_address,call_address)

format_asm_code='''

pushedi;

leaeax,dwordptrds:[{wxNull:#02x}];

push0x1;

pusheax;

leaedi,dwordptrds:[{wxTextMsg:#02x}];

pushedi;

leaedx,dwordptrds:[{wxWxid:#02x}];

leaecx,dwordptrds:[{buffer:#02x}];

calldwordptrds:[{callAddress:#02x}];

addesp,0xC;

popedi;

ret;

asm_code=format_asm_code.format(wxNull=wxNull_address,

wxTextMsg=msg_struct_address,

wxWxid=wxid_struct_address,

buffer=buffer_address,

callAddress=call_p_address)

shellcode=asm2code(asm_code.encode())

shellcode_address=pymem.
