
已完成微信基址数据的获取;问题:中文字符串未能正常显示,仍是乱码。

Jeff 6 gadi atpakaļ
vecāks
revīzija
bf3e46a9a7

+ 26 - 1
source/hook/WeChats/Global.cpp

@@ -46,7 +46,7 @@ int GetIniInfo(LPCTSTR lpIniDir /* = NULL */, LPCTSTR lpIniName /* = NULL */)
 	TCHAR szFna[_MAX_DIR] = { 0 };
 	TCHAR szExt[_MAX_DIR] = { 0 };
 	::GetModuleFileName(NULL, g_szModulePath, sizeof(g_szModulePath) / sizeof(TCHAR));
-	swprintf_s(g_szModuleFileName, _T("%s"), g_szModulePath);
+	_stprintf_s(g_szModuleFileName, _T("%s"), g_szModulePath);
 
 	_tsplitpath_s(g_szModulePath, szDrive, szDir, szFna, szExt);
 	_tcscpy_s(g_szModulePath, szDrive);
@@ -871,6 +871,7 @@ BOOL getWeChatPath()
 
 BOOL OpenWeChat()
 {
+#if 1
 	STARTUPINFO si;
 	PROCESS_INFORMATION pi;
 	ZeroMemory(&si, sizeof(si));
@@ -887,6 +888,8 @@ BOOL OpenWeChat()
 		NULL,				// 默认线程安全性
 		FALSE,				// 指定当前进程内的句柄不可以被子进程继承
 		//CREATE_SUSPENDED,	// 挂起进程;CREATE_SUSPENDED
+		//NORMAL_PRIORITY_CLASS,
+		//CREATE_NEW_CONSOLE,
 		NULL,
 		NULL,				// 使用本进程的环境变量
 		NULL,				// 使用本进程的驱动器和目录
@@ -923,6 +926,28 @@ BOOL OpenWeChat()
 		// 当进程挂起时,是无法修改关闭微信句柄;
 		PatchWeChat();
 	}
+#else
+
+	SHELLEXECUTEINFO sei;
+	memset(&sei, 0, sizeof(SHELLEXECUTEINFO));
+	sei.cbSize = sizeof(SHELLEXECUTEINFO);
+	sei.hwnd = NULL;
+	sei.lpVerb = _T("open");
+	//sei.lpVerb = _T("runas");
+	//sei.fMask = SEE_MASK_NOCLOSEPROCESS;
+	sei.lpFile = g_szWeChatPath;
+	sei.lpParameters = NULL;
+	sei.lpDirectory = NULL;
+	sei.nShow = SW_NORMAL;
+	sei.hInstApp = NULL;
+
+	if ( !ShellExecuteEx(&sei) )
+	{
+		DWORD dw = GetLastError();
+		return FALSE;
+	}
+	PatchWeChat();
+#endif
 
 	return TRUE;
 }
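Review bot: The `#else` branch appended to OpenWeChat is dead code under `#if 1`, and inside it `DWORD dw = GetLastError();` is assigned and never read, so the failure reason is discarded even when the branch is switched on. If the ShellExecuteEx path is meant to remain an alternative, log `dw` before `return FALSE;` (or drop the variable); if it is not, removing the branch keeps the function readable. The `//NORMAL_PRIORITY_CLASS,` and `//CREATE_NEW_CONSOLE,` lines sit inside the CreateProcess argument list, where commented-out arguments are easy to misread as live ones; a single comment above the call naming the considered flags is clearer. OpenWeChat's body spans several hunks; its `STARTUPINFO`/`CreateProcess` part lies above this one.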

+ 12 - 14
source/hook/WeChats/WeChats.cpp

@@ -43,7 +43,7 @@ typedef ULONG   PPS_POST_PROCESS_INIT_ROUTINE;
 
 
 // 以下声明,都是系统未公开的定义;
-
+//
 typedef enum {
 	ProcessBasicInformation = 0,
 	ProcessDebugPort = 7,
@@ -146,7 +146,7 @@ NTSTATUS GetProcessModules(HANDLE hProcess, LPCTSTR lpTypName, LPCTSTR lpName)
 	PROCESS_BASIC_INFORMATION ProcessInfo;
 	PPEB	pPeb;
 
-	ZwQueryInformationProcess = (pfZwQueryInformationProcess)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "ZwQueryInformationProcess");
+	ZwQueryInformationProcess = (pfZwQueryInformationProcess)GetProcAddress(GetModuleHandle(_T("ntdll.dll")), "ZwQueryInformationProcess");
 	if (ZwQueryInformationProcess == NULL)
 	{
 		WriteTextLog(_T("查找进程模块名称失败"));
@@ -198,16 +198,14 @@ BOOL CWeChatsApp::InitInstance()
 // 	}
 // 	GetProcessModules(::GetCurrentProcess(), _T("Mutant"), _T("_WeChat_Instance_Identity_Mutex_Name"));
 
-	
-#if _DEBUG // 创建进程,并挂起;
 
-	getWeChatPath();
-	for (int i = 0; i < 10; i++)
-		OpenWeChat();
 	
-#endif
+// 	int nCount = 3;
+// 	getWeChatPath();
+// 	for (int i = 0; i < nCount; i++)
+// 		OpenWeChat();
+
 
-#if !_DEBUG
 	TCHAR szDllPath[MAX_PATH];
 	ZeroMemory(szDllPath,MAX_PATH);
 	DWORD ss = sizeof(szDllPath);
@@ -216,16 +214,16 @@ BOOL CWeChatsApp::InitInstance()
 	vector<DWORD> vtPID = FindAllProcess(WECHAT);
 	if (vtPID.size() != 0 )
 	{
-		for (int i = 0; i < 100; i++)
+		vector<DWORD>::iterator it = vtPID.begin();
+		//for (int i = 0; i < 1; i++)
+		for (;it != vtPID.end(); it++)
 		{
-			CInjection inject(*vtPID.begin(),szDllPath);
+			CInjection inject(*it,szDllPath);
 			inject.InjectDynamicLibrary();
-			inject.EjectDynamicLibrary();
 			Sleep(3000);
+			inject.EjectDynamicLibrary();
 		}
 	}
-#endif
-
 	// 标准初始化
 	// 如果未使用这些功能并希望减小
 	// 最终可执行文件的大小,则应移除下列
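Review bot: In the loop over `vtPID` in CWeChatsApp::InitInstance, `vtPID.size() != 0` reads more naturally as `!vtPID.empty()`, and since the vector is not modified inside the loop the iterator can be `vector<DWORD>::const_iterator it` advanced with `++it` rather than `it++`. The commented-out `//for (int i = 0; i < 1; i++)` left beside the live `for` should be removed rather than kept as a second header. The hard-coded `Sleep(3000)` per process blocks InitInstance for three seconds times the process count; a named constant such as `const DWORD kInjectHoldMs = 3000;` documents the intent. With the `#if _DEBUG`/`#if !_DEBUG` guards gone this path now runs in both configurations, which is presumably intended but worth a one-line comment. The function begins and ends outside this hunk.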

+ 2 - 2
source/hook/WeChats/WeChats.vcproj

@@ -100,7 +100,7 @@
 			OutputDirectory="..\..\..\..\bin\$(SolutionName)"
 			IntermediateDirectory="$(OutDir)\$(ProjectName)\$(ConfigurationName)\"
 			ConfigurationType="1"
-			UseOfMFC="1"
+			UseOfMFC="2"
 			CharacterSet="1"
 			WholeProgramOptimization="1"
 			>
@@ -128,7 +128,7 @@
 				EnableIntrinsicFunctions="true"
 				PreprocessorDefinitions="WIN32;_WINDOWS;NDEBUG"
 				MinimalRebuild="false"
-				RuntimeLibrary="0"
+				RuntimeLibrary="2"
 				EnableFunctionLevelLinking="true"
 				UsePrecompiledHeader="2"
 				WarningLevel="3"

+ 4 - 3
source/hook/WeChats/stdafx.cpp

@@ -23,7 +23,7 @@ HANDLE DuplicateHandleEx(DWORD pid, HANDLE h, DWORD flags)
 }
 
 
-int GetProcIds(LPWSTR Name, DWORD* Pids)
+int GetProcIds(LPTSTR Name, DWORD* Pids)
 {
 	PROCESSENTRY32 pe32 = {sizeof(pe32)};
 	int num = 0;
@@ -34,7 +34,8 @@ int GetProcIds(LPWSTR Name, DWORD* Pids)
 		if(Process32First(hSnap, &pe32))
 		{
 			do {
-				if(!wcsicmp(Name, pe32.szExeFile))
+				//if(!wcsicmp(Name, pe32.szExeFile))
+				if(!_tcsicmp(Name, pe32.szExeFile))
 				{
 					if(Pids)
 					{
@@ -75,7 +76,7 @@ int PatchWeChat()
 
 	DWORD Pids[100] = {0};
 
-	DWORD Num = GetProcIds(L"WeChat.exe", Pids);
+	DWORD Num = GetProcIds(_T("WeChat.exe"), Pids);
 	if(Num == 0)
 	{
 		return 0;
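Review bot: `GetProcIds(LPTSTR Name, DWORD* Pids)` only reads `Name` through `_tcsicmp`, so the parameter should be `LPCTSTR Name`; that also matches the string literal now passed from PatchWeChat, which otherwise relies on the deprecated literal-to-non-const-pointer conversion. The `DWORD Pids[100]` buffer handed over in PatchWeChat carries no capacity argument; the loop body that writes `Pids` is outside the hunk, so please confirm it stops at 100 entries or add a capacity parameter (`GetProcIds(LPCTSTR Name, DWORD* Pids, size_t cap)`) so the bound is checked where the write happens. Both functions' bodies extend beyond these hunks.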

+ 236 - 0
source/hook/hook/WxGlobal.cpp

@@ -0,0 +1,236 @@
+#include "StdAfx.h"
+#include "WxGlobal.h"
+
+#include <io.h>
+// 获取文件版本号函数头文件;
+#include <WinVer.h>		
+#pragma comment(lib,"version.lib")
+using namespace std;
+#include <psapi.h>
+#pragma comment(lib,"Psapi.lib")
+
+HMODULE g_hCurModule = NULL;
+
+/************************************************************************/
+/*  函数:WriteTextLog[7/28/2016 IT];
+/*  描述:写文本日志;
+/*  参数:;
+/*  	[IN] :;
+/*  返回:void;
+/*  注意:;
+/*  示例:;
+/*
+/*  修改:;
+/*  日期:;
+/*  内容:;
+/************************************************************************/
+void WriteTextLog(const TCHAR *format, ...)
+{
+	// 解析出日志路径;
+	TCHAR szlogpath[MAX_PATH] = { 0 };
+	static TCHAR szModulePath[MAX_PATH] = { 0 };
+	static TCHAR szFna[MAX_PATH] = { 0 };
+	if (szModulePath[0] == _T('\0'))
+	{
+		TCHAR szDrive[MAX_PATH] = { 0 };
+		TCHAR szDir[MAX_PATH] = { 0 };
+		TCHAR szExt[MAX_PATH] = { 0 };
+		::GetModuleFileName(g_hCurModule, szModulePath, sizeof(szModulePath) / sizeof(TCHAR));
+		_tsplitpath_s(szModulePath, szDrive, szDir, szFna, szExt);
+		_tcscpy_s(szModulePath, szDrive);
+		_tcscat_s(szModulePath, szDir);
+	}
+
+	_stprintf_s(szlogpath, _T("%s%s.txt"), szModulePath, szFna);
+	// 打开或创建文件;
+	FILE *fp = NULL;
+	//if (_taccess(szlogpath, 0) != -1)
+#ifndef UNICODE
+	if (_access(szlogpath, 0) != -1)
+#else
+	if (_taccess(szlogpath, 0) != -1)
+#endif
+	{// 存在;
+		fp = _tfopen(szlogpath, _T("a+"));
+		// 移动到末尾;
+		fseek(fp, 0, SEEK_END);
+	}
+	else
+	{// 不存在;
+		fp = _tfopen(szlogpath, _T("w+"));
+	}
+
+	if ( fp == NULL )
+		return;
+
+	// 格式化前设置语言区域;
+	TCHAR* old_locale = _tcsdup(_tsetlocale(LC_CTYPE, NULL));
+	_tsetlocale(LC_CTYPE, _T("chs"));//设定中文;
+
+	// 格式化日志内容;
+	va_list		args = NULL;
+	int			len = 0;
+	TCHAR		*buffer = NULL;
+	va_start(args, format);
+	// _vscprintf doesn't count. terminating '\0'
+	len = _vsctprintf(format, args) + 1;
+	buffer = (TCHAR*)malloc(len * sizeof(TCHAR));
+	_vstprintf_s(buffer, len, format, args);
+	// 将日志内容输入到文件中;
+	// 获取今年年份;
+	__time64_t gmt = time(NULL);// 获取当前日历时间(1900-01-01开始的Unix时间戳);
+	struct tm gmtm = {0};
+	localtime_s(&gmtm, &gmt); // 时间戳转成本地时间;
+	_ftprintf(fp, _T("%04d-%02d-%02d %02d:%02d:%02d %s\n"), gmtm.tm_year+1990, gmtm.tm_mon+1, gmtm.tm_mday, gmtm.tm_hour, gmtm.tm_min, gmtm.tm_sec, buffer);
+
+	// 关闭文件,释放资源并设置回原语言区域;
+	free(buffer);
+	fclose(fp);
+	_tsetlocale(LC_CTYPE, old_locale);
+	free(old_locale);//还原区域设定;
+}
+
+void WriteTextLogW(const WCHAR *format, ...)
+{
+	// 解析出日志路径;
+	WCHAR szlogpath[MAX_PATH] = { 0 };
+	static WCHAR szModulePath[MAX_PATH] = { 0 };
+	static WCHAR szFna[MAX_PATH] = { 0 };
+	if (szModulePath[0] == L'\0')
+	{
+		WCHAR szDrive[MAX_PATH] = { 0 };
+		WCHAR szDir[MAX_PATH] = { 0 };
+		WCHAR szExt[MAX_PATH] = { 0 };
+		::GetModuleFileNameW(g_hCurModule, szModulePath, sizeof(szModulePath) / sizeof(WCHAR));
+		_wsplitpath_s(szModulePath, szDrive, szDir, szFna, szExt);
+		wcscpy_s(szModulePath, szDrive);
+		wcscat_s(szModulePath, szDir);
+	}
+
+	swprintf_s(szlogpath, L"%s%s.txt", szModulePath, szFna);
+	// 打开或创建文件;
+	FILE *fp = NULL;
+	if (_waccess(szlogpath, 0) != -1)
+	{// 存在;
+		fp = _wfopen(szlogpath, L"a+");
+		// 移动到末尾;
+		fseek(fp, 0, SEEK_END);
+	}
+	else
+	{// 不存在;
+		fp = _wfopen(szlogpath, L"w+");
+	}
+
+	if ( fp == NULL )
+		return;
+
+	// 格式化前设置语言区域;
+	WCHAR* old_locale = _wcsdup(_wsetlocale(LC_CTYPE, NULL));
+	_wsetlocale(LC_CTYPE, L"chs");//设定中文;
+
+	// 格式化日志内容;
+	va_list		args = NULL;
+	int			len = 0;
+	WCHAR		*buffer = NULL;
+	va_start(args, format);
+	// _vscprintf doesn't count. terminating '\0'
+	len = _vscwprintf(format, args) + 1;
+	buffer = (WCHAR*)malloc(len * sizeof(WCHAR));
+	vswprintf_s(buffer, len, format, args);
+	// 将日志内容输入到文件中;
+	// 获取今年年份;
+	__time64_t gmt = time(NULL);// 获取当前日历时间(1900-01-01开始的Unix时间戳);
+	struct tm gmtm = {0};
+	localtime_s(&gmtm, &gmt); // 时间戳转成本地时间;
+	fwprintf(fp, L"%04d-%02d-%02d %02d:%02d:%02d %s\n", gmtm.tm_year+1990, gmtm.tm_mon+1, gmtm.tm_mday, gmtm.tm_hour, gmtm.tm_min, gmtm.tm_sec, buffer);
+
+	// 关闭文件,释放资源并设置回原语言区域;
+	free(buffer);
+	fclose(fp);
+	_wsetlocale(LC_CTYPE, old_locale);
+	free(old_locale);//还原区域设定;
+}
+
+BOOL GetWxInfo(WxInfo &wxInfo)
+{
+	HMODULE hWeChatWin = GetModuleHandle(_T("WeChatWin.dll"));
+	if ( hWeChatWin == NULL )
+	{
+		WriteTextLog(_T("找不到WeChatWin.dll"));
+		return FALSE;
+	}
+
+	DWORD dwWeChatWinAddr = DWORD(hWeChatWin);
+	TCHAR szTemp[MAX_PATH] = {0};
+#if 0
+	// 两种方式;
+	_stprintf_s(szTemp, _T("%s"), dwWeChatWinAddr + 0x1131B90);
+#else
+	memcpy(szTemp, (LPVOID)(dwWeChatWinAddr+0x1131B90), MAX_PATH);
+#endif
+	WriteTextLog(_T("微信账号:%s"), szTemp);
+
+	_stprintf_s(szTemp, _T("%s"), *(LPDWORD(dwWeChatWinAddr + 0x1131B78)));
+	WriteTextLog(_T("微信ID:%s"), szTemp);
+	_stprintf_s(szTemp, _T("%s"), *(LPDWORD(dwWeChatWinAddr + 0x1131BEC)));
+	WriteTextLog(_T("微信ID:%s"), szTemp);
+
+
+	_stprintf_s(szTemp, _T("%s"), dwWeChatWinAddr + 0x1131C64);
+	WriteTextLog(_T("微信昵称:%s"), szTemp);
+#if 1
+	// 微信昵称采用的是宽字符;
+	WCHAR wszTemp[MAX_PATH] = {0};
+	//wprintf_s(wszTemp, L"%s", dwWeChatWinAddr + 0x1131C64);
+	memcpy(wszTemp, LPVOID(dwWeChatWinAddr + 0x1131C64), MAX_PATH*sizeof(WCHAR));
+	WriteTextLogW(L"微信昵称:%s", wszTemp);
+#endif
+	_stprintf_s(szTemp, _T("%s"), dwWeChatWinAddr + 0x1131C98);
+	WriteTextLog(_T("微信手机:%s"), szTemp);
+
+	_stprintf_s(szTemp, _T("%s"), dwWeChatWinAddr + 0x1131D50);
+	WriteTextLog(_T("微信省:%s"), szTemp);
+
+	_stprintf_s(szTemp, _T("%s"), dwWeChatWinAddr + 0x1131D68);
+	WriteTextLog(_T("微信市:%s"), szTemp);
+
+	_stprintf_s(szTemp, _T("%s"), dwWeChatWinAddr + 0x1132030);
+	WriteTextLog(_T("微信手机设备:%s"), szTemp);
+
+	_stprintf_s(szTemp, _T("%s"), *(LPDWORD(dwWeChatWinAddr + 0x1131C80)));
+	WriteTextLog(_T("微信邮箱:0x%p, 0x%p"), dwWeChatWinAddr + 0x1131C80, *(LPDWORD(dwWeChatWinAddr + 0x1131C80)) );
+	WriteTextLog(_T("微信邮箱:%s"), szTemp);
+
+
+	return TRUE;
+}
+
+// 获取本进程的模块地址;
+HMODULE FindModuleEx(LPCTSTR lpModuleName)
+{
+	HMODULE hMods[1024] = {0};
+	DWORD cbNeeded = 0;
+	TCHAR szModName[MAX_PATH];
+	BOOL Wow64Process;
+
+	HANDLE hProcess = ::GetCurrentProcess();
+	IsWow64Process(hProcess, &Wow64Process); //判断是32位还是64位进程
+	if ( EnumProcessModulesEx(hProcess, hMods, sizeof(hMods), &cbNeeded, Wow64Process?LIST_MODULES_32BIT:LIST_MODULES_64BIT) )
+	{
+		for (UINT i = 0; i < (cbNeeded / sizeof(HMODULE)); i++ )
+		{
+			GetModuleFileNameEx(hProcess, hMods[i], szModName, _countof(szModName));
+			
+			WriteTextLog(szModName);
+			if (_tcsicmp(lpModuleName, szModName) == 0)
+			{
+				CloseHandle(hProcess);
+				return hMods[i];
+			}
+		}
+	}
+
+	CloseHandle(hProcess);
+
+	return NULL;
+}
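Review bot: Both loggers print the year as `gmtm.tm_year+1990`; `tm_year` counts years since 1900, so every timestamp is off by 90 years — change to `gmtm.tm_year+1900` in WriteTextLog and WriteTextLogW. In the same two functions `fseek(fp, 0, SEEK_END)` runs before the `fp == NULL` check, so a failed `_tfopen`/`_wfopen` dereferences a null `FILE*`, and since `"a+"` already appends, the seek can simply be removed; `va_start` also has no matching `va_end`, and the `malloc` result is used without a null check. In FindModuleEx, `WriteTextLog(szModName);` passes a module path as the format string, so a `%` in the path would be parsed as a conversion specifier — it should be `WriteTextLog(_T("%s"), szModName);`. The two `CloseHandle(hProcess)` calls there act on the `GetCurrentProcess()` pseudo-handle and can be dropped, and the `IsWow64Process` return value is ignored, leaving `Wow64Process` uninitialised on failure; `BOOL Wow64Process = FALSE;` is the minimal fix.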

+ 142 - 0
source/hook/hook/WxGlobal.h

@@ -0,0 +1,142 @@
+#ifndef __WECHAT_GLOBAL__
+#define __WECHAT_GLOBAL__
+
+#include <vector>
+#include <string>
+using namespace std;
+
+#ifdef UNICODE
+typedef wstring TString;
+#else
+typedef string TString;
+#endif
+
+//////////////////////////////////////////////////////////////////////////
+// BEGIN
+// killWeChatMutex函数用到的未公开的声明;
+typedef LONG	NTSTATUS;
+typedef ULONG   PPS_POST_PROCESS_INIT_ROUTINE;  
+#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
+
+// 以下声明,都是系统未公开的定义;
+typedef struct _UNICODE_STRING {
+	USHORT Length;
+	USHORT MaximumLength;
+	PWCH   Buffer;
+} UNICODE_STRING;
+
+typedef enum {
+	ProcessBasicInformation = 0,
+	ProcessDebugPort = 7,
+	ProcessWow64Information = 26,
+	ProcessImageFileName = 27,
+	ProcessBreakOnTermination = 29,
+	ProcessProtectionInformation = 61,
+}PROCESSINFOCLASS;
+
+typedef struct _PEB_LDR_DATA {
+	BYTE       Reserved1[8];
+	PVOID      Reserved2[3];
+	LIST_ENTRY InMemoryOrderModuleList;
+} PEB_LDR_DATA, *PPEB_LDR_DATA;
+
+typedef struct _LDR_DATA_TABLE_ENTRY {
+	PVOID Reserved1[2];
+	LIST_ENTRY InMemoryOrderLinks;
+	PVOID Reserved2[2];
+	PVOID DllBase;
+	PVOID EntryPoint;
+	PVOID Reserved3;
+	UNICODE_STRING FullDllName;
+	BYTE Reserved4[8];
+	PVOID Reserved5[3];
+	union {
+		ULONG CheckSum;
+		PVOID Reserved6;
+	};
+	ULONG TimeDateStamp;
+} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
+
+typedef struct _RTL_USER_PROCESS_PARAMETERS {
+	BYTE           Reserved1[16];
+	PVOID          Reserved2[10];
+	UNICODE_STRING ImagePathName;
+	UNICODE_STRING CommandLine;
+} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
+
+// 32位下的结构;
+typedef struct _PEB {
+	BYTE                          Reserved1[2];
+	BYTE                          BeingDebugged;
+	BYTE                          Reserved2[1];
+	PVOID                         Reserved3[2];
+	PPEB_LDR_DATA                 Ldr;
+	PRTL_USER_PROCESS_PARAMETERS  ProcessParameters;
+	PVOID                         Reserved4[3];
+	PVOID                         AtlThunkSListPtr;
+	PVOID                         Reserved5;
+	ULONG                         Reserved6;
+	PVOID                         Reserved7;
+	ULONG                         Reserved8;
+	ULONG                         AtlThunkSListPtr32;
+	PVOID                         Reserved9[45];
+	BYTE                          Reserved10[96];
+	PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
+	BYTE                          Reserved11[128];
+	PVOID                         Reserved12[1];
+	ULONG                         SessionId;
+} PEB, *PPEB;
+// 64位下的结构;
+typedef struct _PEBX64 {
+	BYTE Reserved1[2];
+	BYTE BeingDebugged;
+	BYTE Reserved2[21];
+	PPEB_LDR_DATA LoaderData;
+	PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
+	BYTE Reserved3[520];
+	PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
+	BYTE Reserved4[136];
+	ULONG SessionId;
+} PEBX64;
+
+typedef struct _PROCESS_BASIC_INFORMATION {
+	PVOID Reserved1;
+	PPEB PebBaseAddress;
+	PVOID Reserved2[2];
+	ULONG_PTR UniqueProcessId;
+	PVOID Reserved3;
+} PROCESS_BASIC_INFORMATION;
+
+// 声音函数指针;
+typedef NTSTATUS (WINAPI *pfZwQueryInformationProcess)(
+	_In_      HANDLE           ProcessHandle,
+	_In_      PROCESSINFOCLASS ProcessInformationClass,
+	_Out_     PVOID            ProcessInformation,
+	_In_      ULONG            ProcessInformationLength,
+	_Out_opt_ PULONG           ReturnLength
+	);
+
+// END
+//////////////////////////////////////////////////////////////////////////
+
+typedef struct __WECHAT__{
+	TString strWxNick;
+	TString strWxAccount;
+	TString strWxID;
+	TString strWxPhone;
+	TString strWxProvince;
+	TString strWxCity;
+	TString strWxDevice;
+	TString strWxEmail;
+	TString strWxLImgAddr;
+	TString strWxSImgAddr;
+}WxInfo, *pWxInfo;
+
+
+extern HMODULE g_hCurModule;
+extern void WriteTextLog(const TCHAR *format, ...);
+extern void WriteTextLogW(const WCHAR *format, ...);
+extern BOOL GetWxInfo(WxInfo &wxInfo);
+extern HMODULE FindModuleEx(LPCTSTR lpModuleName);
+
+#endif
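Review bot: `using namespace std;` at file scope in a header is pulled into every translation unit that includes WxGlobal.h; the `TString` typedefs can be written `typedef std::wstring TString;` / `typedef std::string TString;` and the directive dropped. The guard `__WECHAT_GLOBAL__` and the struct tag `__WECHAT__` are reserved identifiers (leading double underscore); `WECHAT_GLOBAL_H` and `WECHAT_INFO` avoid that. The header uses `USHORT`, `PWCH`, `LIST_ENTRY`, `HMODULE` and `TCHAR` without including `<windows.h>` or `<tchar.h>`, so it only compiles when included after stdafx.h's Windows headers; either add those includes at the top or state the requirement in a comment. The comment `// 声音函数指针;` above `pfZwQueryInformationProcess` appears to be a typo for `// 声明函数指针;`.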

+ 6 - 117
source/hook/hook/dllmain.cpp

@@ -1,132 +1,21 @@
 // dllmain.cpp : 定义 DLL 应用程序的入口点。
 #include "stdafx.h"
 
-HMODULE g_hModule = NULL;
-/************************************************************************/
-/*  函数:WriteTextLog[7/28/2016 IT];
-/*  描述:写文本日志;
-/*  参数:;
-/*  	[IN] :;
-/*  返回:void;
-/*  注意:;
-/*  示例:;
-/*
-/*  修改:;
-/*  日期:;
-/*  内容:;
-/************************************************************************/
-void WriteTextLog(const TCHAR *format, ...)
-{
-	// 解析出日志路径;
-	TCHAR szlogpath[MAX_PATH] = { 0 };
-	static TCHAR szModulePath[MAX_PATH] = { 0 };
-	static TCHAR szFna[MAX_PATH] = { 0 };
-	if (szModulePath[0] == _T('\0'))
-	{
-		TCHAR szDrive[MAX_PATH] = { 0 };
-		TCHAR szDir[MAX_PATH] = { 0 };
-		TCHAR szExt[MAX_PATH] = { 0 };
-		::GetModuleFileName(g_hModule, szModulePath, sizeof(szModulePath) / sizeof(TCHAR));
-		_tsplitpath_s(szModulePath, szDrive, szDir, szFna, szExt);
-		_tcscpy_s(szModulePath, szDrive);
-		_tcscat_s(szModulePath, szDir);
-	}
-
-	_stprintf_s(szlogpath, _T("%s%s.txt"), szModulePath, szFna);
-	// 打开或创建文件;
-	FILE *fp = NULL;
-	if (_taccess(szlogpath, 0) != -1)
-	{// 存在;
-		fp = _tfopen(szlogpath, _T("a+"));
-		// 移动到末尾;
-		fseek(fp, 0, SEEK_END);
-	}
-	else
-	{// 不存在;
-		fp = _tfopen(szlogpath, _T("w+"));
-	}
-
-	if ( fp == NULL )
-		return;
-
-	// 格式化前设置语言区域;
-	TCHAR* old_locale = _tcsdup(_tsetlocale(LC_CTYPE, NULL));
-	_tsetlocale(LC_CTYPE, _T("chs"));//设定中文;
-
-	// 格式化日志内容;
-	va_list		args = NULL;
-	int			len = 0;
-	TCHAR		*buffer = NULL;
-	va_start(args, format);
-	// _vscprintf doesn't count. terminating '\0'
-	len = _vsctprintf(format, args) + 1;
-	buffer = (TCHAR*)malloc(len * sizeof(TCHAR));
-	_vstprintf_s(buffer, len, format, args);
-	// 将日志内容输入到文件中;
-	// 获取今年年份;
-	__time64_t gmt = time(NULL);// 获取当前日历时间(1900-01-01开始的Unix时间戳);
-	struct tm gmtm = {0};
-	localtime_s(&gmtm, &gmt); // 时间戳转成本地时间;
-	_ftprintf(fp, _T("%04d-%02d-%02d %02d:%02d:%02d %s\n"), gmtm.tm_year+1990, gmtm.tm_mon+1, gmtm.tm_mday, gmtm.tm_hour, gmtm.tm_min, gmtm.tm_sec, buffer);
-
-	// 关闭文件,释放资源并设置回原语言区域;
-	free(buffer);
-	fclose(fp);
-	_tsetlocale(LC_CTYPE, old_locale);
-	free(old_locale);//还原区域设定;
-}
-
-// 本函数使用的都是未公开的Win API
-// 即:以后可能会变化的函数;
-void killWeChatMutex()
-{
-}
-
-NTSTATUS GetProcessModules(HANDLE hProcess, LPCTSTR lpTypName, LPCTSTR lpName)
-{
-	NTSTATUS Status = 0;
-	pfZwQueryInformationProcess ZwQueryInformationProcess = NULL;
-
-	PROCESS_BASIC_INFORMATION ProcessInfo;
-	PPEB	pPeb;
-
-	ZwQueryInformationProcess = (pfZwQueryInformationProcess)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "ZwQueryInformationProcess");
-	if (ZwQueryInformationProcess == NULL)
-	{
-		WriteTextLog(_T("查找进程模块名称失败"));
-		return Status;
-	}
-
-	Status = ZwQueryInformationProcess(hProcess, ProcessBasicInformation, &ProcessInfo, sizeof(ProcessInfo), NULL);
-	if (NT_SUCCESS(Status))
-	{
-		pPeb = (PPEB)ProcessInfo.PebBaseAddress;
-
-		for (PLIST_ENTRY pListEntry = pPeb->Ldr->InMemoryOrderModuleList.Flink;pListEntry != &pPeb->Ldr->InMemoryOrderModuleList;pListEntry = pListEntry->Flink)
-		{
-			//PLDR_DATA_TABLE_ENTRY pEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY, pListEntry);
-			//wprintf(L"%s\n", pEntry->FullDllName.Buffer);
-			WriteTextLog(_T("模块名称"));
-		}
-	}
-	else
-		WriteTextLog(_T("查找进程模块名称失败1"));
-
-	CloseHandle(hProcess);
-	return Status;
-}
 
 BOOL APIENTRY DllMain( HMODULE hModule,
                        DWORD  ul_reason_for_call,
                        LPVOID lpReserved
 					 )
 {
-	g_hModule = hModule;
+	g_hCurModule = hModule;
 	switch (ul_reason_for_call)
 	{
 	case DLL_PROCESS_ATTACH:
-		WriteTextLog(_T("dll已成功注入"));
-		GetProcessModules(::GetCurrentProcess(), _T("Mutant"), _T("_WeChat_Instance_Identity_Mutex_Name"));
+		{
+			WriteTextLog(_T("dll已成功注入"));
+			WxInfo wxInfo;
+			GetWxInfo(wxInfo);
+		}
 		break;
 	case DLL_THREAD_ATTACH:
 		break;
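Review bot: The new `DLL_PROCESS_ATTACH` case calls WriteTextLog and GetWxInfo directly from DllMain, i.e. under the loader lock, and those functions do file I/O, `_tsetlocale`, `malloc` and `GetModuleHandle`; Microsoft's DllMain guidance limits attach-time work to simple initialisation, so this is where a hang or a not-yet-loaded module would surface. The `BOOL` returned by `GetWxInfo(wxInfo)` is ignored and the `WxInfo wxInfo` local is discarded when the block ends, so the call currently reads as a debug probe; a comment saying so (`// debug: log state on attach; result intentionally unused`) or a check of the return value would make the intent explicit. The `switch` continues past the hunk.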

+ 9 - 1
source/hook/hook/hook.vcproj

@@ -21,7 +21,7 @@
 			OutputDirectory="..\..\..\..\bin\$(SolutionName)"
 			IntermediateDirectory="$(OutDir)\$(ProjectName)\$(ConfigurationName)\"
 			ConfigurationType="2"
-			CharacterSet="1"
+			CharacterSet="2"
 			>
 			<Tool
 				Name="VCPreBuildEventTool"
@@ -216,6 +216,10 @@
 					/>
 				</FileConfiguration>
 			</File>
+			<File
+				RelativePath=".\WxGlobal.cpp"
+				>
+			</File>
 		</Filter>
 		<Filter
 			Name="Í·Îļþ"
@@ -230,6 +234,10 @@
 				RelativePath=".\targetver.h"
 				>
 			</File>
+			<File
+				RelativePath=".\WxGlobal.h"
+				>
+			</File>
 		</Filter>
 		<Filter
 			Name="×ÊÔ´Îļþ"

+ 2 - 107
source/hook/hook/stdafx.h

@@ -17,113 +17,8 @@
 #include <time.h> //或者 #include <ctime>
 
 #include <WinDef.h>
+
+#include "WxGlobal.h"
 //#include <ntifs.h>
 //#include <wudfwdm.h> // UNICODE_STRING的头文件;
 
-//////////////////////////////////////////////////////////////////////////
-// BEGIN
-// killWeChatMutex函数用到的未公开的声明;
-typedef LONG	NTSTATUS;
-typedef ULONG   PPS_POST_PROCESS_INIT_ROUTINE;  
-#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
-
-// 以下声明,都是系统未公开的定义;
-typedef struct _UNICODE_STRING {
-	USHORT Length;
-	USHORT MaximumLength;
-	PWCH   Buffer;
-} UNICODE_STRING;
-
-typedef enum {
-	ProcessBasicInformation = 0,
-	ProcessDebugPort = 7,
-	ProcessWow64Information = 26,
-	ProcessImageFileName = 27,
-	ProcessBreakOnTermination = 29,
-	ProcessProtectionInformation = 61,
-}PROCESSINFOCLASS;
-
-typedef struct _PEB_LDR_DATA {
-	BYTE       Reserved1[8];
-	PVOID      Reserved2[3];
-	LIST_ENTRY InMemoryOrderModuleList;
-} PEB_LDR_DATA, *PPEB_LDR_DATA;
-
-typedef struct _LDR_DATA_TABLE_ENTRY {
-	PVOID Reserved1[2];
-	LIST_ENTRY InMemoryOrderLinks;
-	PVOID Reserved2[2];
-	PVOID DllBase;
-	PVOID EntryPoint;
-	PVOID Reserved3;
-	UNICODE_STRING FullDllName;
-	BYTE Reserved4[8];
-	PVOID Reserved5[3];
-	union {
-		ULONG CheckSum;
-		PVOID Reserved6;
-	};
-	ULONG TimeDateStamp;
-} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
-
-typedef struct _RTL_USER_PROCESS_PARAMETERS {
-	BYTE           Reserved1[16];
-	PVOID          Reserved2[10];
-	UNICODE_STRING ImagePathName;
-	UNICODE_STRING CommandLine;
-} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
-
-// 32位下的结构;
-typedef struct _PEB {
-	BYTE                          Reserved1[2];
-	BYTE                          BeingDebugged;
-	BYTE                          Reserved2[1];
-	PVOID                         Reserved3[2];
-	PPEB_LDR_DATA                 Ldr;
-	PRTL_USER_PROCESS_PARAMETERS  ProcessParameters;
-	PVOID                         Reserved4[3];
-	PVOID                         AtlThunkSListPtr;
-	PVOID                         Reserved5;
-	ULONG                         Reserved6;
-	PVOID                         Reserved7;
-	ULONG                         Reserved8;
-	ULONG                         AtlThunkSListPtr32;
-	PVOID                         Reserved9[45];
-	BYTE                          Reserved10[96];
-	PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
-	BYTE                          Reserved11[128];
-	PVOID                         Reserved12[1];
-	ULONG                         SessionId;
-} PEB, *PPEB;
-// 64位下的结构;
-typedef struct _PEBX64 {
-	BYTE Reserved1[2];
-	BYTE BeingDebugged;
-	BYTE Reserved2[21];
-	PPEB_LDR_DATA LoaderData;
-	PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
-	BYTE Reserved3[520];
-	PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
-	BYTE Reserved4[136];
-	ULONG SessionId;
-} PEBX64;
-
-typedef struct _PROCESS_BASIC_INFORMATION {
-	PVOID Reserved1;
-	PPEB PebBaseAddress;
-	PVOID Reserved2[2];
-	ULONG_PTR UniqueProcessId;
-	PVOID Reserved3;
-} PROCESS_BASIC_INFORMATION;
-
-// 声音函数指针;
-typedef NTSTATUS (WINAPI *pfZwQueryInformationProcess)(
-	_In_      HANDLE           ProcessHandle,
-	_In_      PROCESSINFOCLASS ProcessInformationClass,
-	_Out_     PVOID            ProcessInformation,
-	_In_      ULONG            ProcessInformationLength,
-	_Out_opt_ PULONG           ReturnLength
-	);
-
-// END
-//////////////////////////////////////////////////////////////////////////