wechat/source/hook/hook/dllmain.cpp

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "stdafx.h"

HMODULE g_hModule = NULL;
/************************************************************************/
/*  函数：WriteTextLog[7/28/2016 IT];
/*  描述：写文本日志;
/*  参数：;
/*  	[IN] ：;
/*  返回：void;
/*  注意：;
/*  示例：;
/*
/*  修改：;
/*  日期：;
/*  内容：;
/************************************************************************/
void WriteTextLog(const TCHAR *format, ...)
{
	// 解析出日志路径;
	TCHAR szlogpath[MAX_PATH] = { 0 };
	static TCHAR szModulePath[MAX_PATH] = { 0 };
	static TCHAR szFna[MAX_PATH] = { 0 };
	if (szModulePath[0] == _T('\0'))
	{
		TCHAR szDrive[MAX_PATH] = { 0 };
		TCHAR szDir[MAX_PATH] = { 0 };
		TCHAR szExt[MAX_PATH] = { 0 };
		::GetModuleFileName(g_hModule, szModulePath, sizeof(szModulePath) / sizeof(TCHAR));
		_tsplitpath_s(szModulePath, szDrive, szDir, szFna, szExt);
		_tcscpy_s(szModulePath, szDrive);
		_tcscat_s(szModulePath, szDir);
	}

	_stprintf_s(szlogpath, _T("%s%s.txt"), szModulePath, szFna);
	// 打开或创建文件;
	FILE *fp = NULL;
	if (_taccess(szlogpath, 0) != -1)
	{// 存在;
		fp = _tfopen(szlogpath, _T("a+"));
		// 移动到末尾;
		fseek(fp, 0, SEEK_END);
	}
	else
	{// 不存在;
		fp = _tfopen(szlogpath, _T("w+"));
	}

	if ( fp == NULL )
		return;

	// 格式化前设置语言区域;
	TCHAR* old_locale = _tcsdup(_tsetlocale(LC_CTYPE, NULL));
	_tsetlocale(LC_CTYPE, _T("chs"));//设定中文;

	// 格式化日志内容;
	va_list		args = NULL;
	int			len = 0;
	TCHAR		*buffer = NULL;
	va_start(args, format);
	// _vscprintf doesn't count. terminating '\0'
	len = _vsctprintf(format, args) + 1;
	buffer = (TCHAR*)malloc(len * sizeof(TCHAR));
	_vstprintf_s(buffer, len, format, args);
	// 将日志内容输入到文件中;
	// 获取今年年份;
	__time64_t gmt = time(NULL);// 获取当前日历时间(1900-01-01开始的Unix时间戳);
	struct tm gmtm = {0};
	localtime_s(&gmtm, &gmt); // 时间戳转成本地时间;
	_ftprintf(fp, _T("%04d-%02d-%02d %02d:%02d:%02d %s\n"), gmtm.tm_year+1990, gmtm.tm_mon+1, gmtm.tm_mday, gmtm.tm_hour, gmtm.tm_min, gmtm.tm_sec, buffer);

	// 关闭文件，释放资源并设置回原语言区域;
	free(buffer);
	fclose(fp);
	_tsetlocale(LC_CTYPE, old_locale);
	free(old_locale);//还原区域设定;
}

// 本函数使用的都是未公开的Win API
// 即：以后可能会变化的函数;
void killWeChatMutex()
{
}

NTSTATUS GetProcessModules(HANDLE hProcess, LPCTSTR lpTypName, LPCTSTR lpName)
{
	NTSTATUS Status = 0;
	pfZwQueryInformationProcess ZwQueryInformationProcess = NULL;

	PROCESS_BASIC_INFORMATION ProcessInfo;
	PPEB	pPeb;

	ZwQueryInformationProcess = (pfZwQueryInformationProcess)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "ZwQueryInformationProcess");
	if (ZwQueryInformationProcess == NULL)
	{
		WriteTextLog(_T("查找进程模块名称失败"));
		return Status;
	}

	Status = ZwQueryInformationProcess(hProcess, ProcessBasicInformation, &ProcessInfo, sizeof(ProcessInfo), NULL);
	if (NT_SUCCESS(Status))
	{
		pPeb = (PPEB)ProcessInfo.PebBaseAddress;

		for (PLIST_ENTRY pListEntry = pPeb->Ldr->InMemoryOrderModuleList.Flink;pListEntry != &pPeb->Ldr->InMemoryOrderModuleList;pListEntry = pListEntry->Flink)
		{
			//PLDR_DATA_TABLE_ENTRY pEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY, pListEntry);
			//wprintf(L"%s\n", pEntry->FullDllName.Buffer);
			WriteTextLog(_T("模块名称"));
		}
	}
	else
		WriteTextLog(_T("查找进程模块名称失败1"));

	CloseHandle(hProcess);
	return Status;
}

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
					 )
{
	g_hModule = hModule;
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		WriteTextLog(_T("dll已成功注入"));
		GetProcessModules(::GetCurrentProcess(), _T("Mutant"), _T("_WeChat_Instance_Identity_Mutex_Name"));
		break;
	case DLL_THREAD_ATTACH:
		break;
	case DLL_THREAD_DETACH:
		break;
	case DLL_PROCESS_DETACH:
		WriteTextLog(_T("dll已成功卸载"));
		break;
	default:
		break;
	}
	return TRUE;
}