Reverse
/
wechat


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291
							#include "stdafx.h"
#include "CWxObject.h"


#define WX_MAIN_WND_NAME _T("微信")
#define WX_MAIN_WND_CLASS_NAME _T("WeChatMainWndForPC")

#define WX_LOGIN_WND_NAME _T("登录")
#define WX_LOGIN_WND_CLASS_NAME _T("WeChatLoginWndForPC")

BOOL ASCII2UNICODE(IN LPCCH lpASCIIStr, OUT PWCH pUNICODEStr, IN CONST INT& nUNICODEStrLen)
{
	if (lpASCIIStr == NULL)
		return FALSE;

	// 获取宽字符字节数;
	int cchWideChar = MultiByteToWideChar(CP_ACP, 0, lpASCIIStr, -1, NULL, 0);
	if (cchWideChar == 0 || cchWideChar >= nUNICODEStrLen)
		return FALSE;

	// 转换成宽字符串;
	memset(pUNICODEStr, 0, sizeof(WCHAR)*nUNICODEStrLen);
	int nWriteNum = MultiByteToWideChar(CP_ACP, 0, lpASCIIStr, -1, pUNICODEStr, cchWideChar);
	if (nWriteNum != cchWideChar)
		return FALSE;

	return TRUE;
}

CWxObject::CWxObject()
	:m_dwWxProcId(0)
	, m_hWxProcess(NULL)
	, m_hWxMainWnd(NULL)
	, m_hWxLoginWnd(NULL)
	, m_lpInjectData(NULL)
	, m_lpEjectData(NULL)
	, m_hInjectThread(NULL)
	, m_hEjectThread(NULL)
	, m_dwPathLen(0)
	, m_bAttached(FALSE)
{

}

CWxObject::CWxObject(DWORD dwProcId, LPCTSTR lpDynamicLibraryPath)
	:m_dwWxProcId(dwProcId)
	, m_hWxProcess(NULL)
	, m_hWxMainWnd(NULL)
	, m_hWxLoginWnd(NULL)
	, m_lpInjectData(NULL)
	, m_lpEjectData(NULL)
	, m_hInjectThread(NULL)
	, m_hEjectThread(NULL)
	, m_dwPathLen(0)
	, m_bAttached(FALSE)
{
	setInjectionObj(dwProcId, lpDynamicLibraryPath);
}

CWxObject::~CWxObject()
{
	// 卸载dll;
	EjectDynamicLibrary();

	// 释放所有资源;
	if (m_hInjectThread)
		CloseHandle(m_hInjectThread);
	m_hInjectThread = NULL;

	if (m_hEjectThread)
		CloseHandle(m_hEjectThread);
	m_hEjectThread = NULL;

	if (m_lpInjectData)
		VirtualFreeEx(m_hWxProcess, m_lpInjectData, m_dwPathLen, MEM_RELEASE);
	m_lpInjectData = NULL;

	if (m_lpEjectData)
		VirtualFreeEx(m_hWxProcess, m_lpEjectData, m_dwPathLen, MEM_RELEASE);
	m_lpEjectData = NULL;

	if (m_hWxProcess)
		CloseHandle(m_hWxProcess);
	m_hWxProcess = NULL;
}

void CWxObject::setInjectionObj(DWORD dwProcId, LPCTSTR lpDynamicLibraryPath)
{
	ASSERT(dwProcId != 0);
	ASSERT(lpDynamicLibraryPath != NULL);

	m_dwWxProcId = dwProcId;
	memset(m_szDllPath, 0, sizeof(m_szDllPath));
	memset(m_wszDllPath, 0, sizeof(m_wszDllPath));
#ifdef UNICODE
	_tcscpy_s(m_szDllPath, lpDynamicLibraryPath);
#else
	_tcscpy_s(m_szDllPath, lpDynamicLibraryPath);
	ASCII2UNICODE(lpDynamicLibraryPath, m_wszDllPath, MAX_PATH);
#endif
	
	//m_hWxProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, m_dwWxProcId);
	m_hWxProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, m_dwWxProcId);
	if (m_hWxProcess == NULL)
	{
		WriteTextLog(_T("打开WeChat.exe进程失败"));
	}
}

BOOL CWxObject::InjectDynamicLibrary()
{
	ASSERT(m_hWxProcess != NULL);
	m_dwPathLen = wcslen(m_wszDllPath) * sizeof(WCHAR) + 1;
	m_lpInjectData = VirtualAllocEx(m_hWxProcess, NULL, m_dwPathLen, MEM_COMMIT, PAGE_READWRITE);
	if (NULL == m_lpInjectData)
	{
		WriteTextLog(_T("创建WeChat.exe进程虚拟内存失败"));
		return FALSE;
	}

	if (WriteProcessMemory(m_hWxProcess, m_lpInjectData, m_wszDllPath, m_dwPathLen, NULL) == 0)
	{
		// 注意：MEM_RELEASE释放时第三参数一定要为0，请查看MSDN;
		VirtualFreeEx(m_hWxProcess, m_lpInjectData, 0, MEM_RELEASE);
		return FALSE;
	}

	HMODULE hk32 = GetModuleHandle(_T("kernel32.dll"));
	// 注意：微信使用的是W版本;
	LPVOID lpAddr = GetProcAddress(hk32, "LoadLibraryW");
	m_hInjectThread = CreateRemoteThread(m_hWxProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpAddr, m_lpInjectData, 0, NULL);
	if (NULL == m_hInjectThread)
	{
		// 注意：MEM_RELEASE释放时第三参数一定要为0，请查看MSDN;
		VirtualFreeEx(m_hWxProcess, m_lpInjectData, 0, MEM_RELEASE);
		return FALSE;
	}

	WaitForSingleObject(m_hInjectThread, INFINITE);
	if (m_hInjectThread)
		CloseHandle(m_hInjectThread);
	m_hInjectThread = NULL;

	/* 注入成功后，不能释放内存否则微信会挂;
	if (m_lpInjectData != NULL)
		VirtualFreeEx(m_hWxProcess, m_lpInjectData, 0, MEM_RELEASE);
	*/

	return TRUE;
}

BOOL CWxObject::EjectDynamicLibrary()
{
	if (m_hWxProcess == NULL)
		return TRUE;

	// 获取模块句柄;
	HANDLE hModule = FindModuleEx(m_szDllPath, m_dwWxProcId);
	if (hModule == NULL)
	{
		WriteTextLog(_T("获取WeChat.exe进程模块hook.dll失败"));
		return FALSE;
	}

	LPVOID lpAddr = GetProcAddress(GetModuleHandle(_T("kernel32.dll")), "FreeLibraryAndExitThread");//FreeLibraryAndExitThread//FreeLibrary
	if (lpAddr == NULL)
	{
		WriteTextLog(_T("获取kernel32.dll中的FreeLibraryAndExitThread失败"));
		return FALSE;
	}

	m_hEjectThread = CreateRemoteThread(m_hWxProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpAddr, hModule, 0, NULL);
	if (m_hEjectThread == NULL)
	{
		WriteTextLog(_T("创建WeChat.exe远程线程（FreeLibraryAndExitThread）失败"));
		return FALSE;
	}

	WaitForSingleObject(m_hEjectThread, INFINITE);
	if (m_hEjectThread)
		CloseHandle(m_hEjectThread);
	m_hEjectThread = NULL;

	return TRUE;
}

BOOL CWxObject::FindWxMainWnd()
{
	WNDINFO wnd;
	wnd.hWxWnd = NULL;
	wnd.dwWxProcId = m_dwWxProcId;
	_stprintf_s(wnd.szWndName, WX_MAIN_WND_NAME);
	_stprintf_s(wnd.szClassName, WX_MAIN_WND_CLASS_NAME);
	if (::EnumWindows(&EnumWindowsProc, (LPARAM)&wnd) == FALSE)
	{
		m_hWxMainWnd = wnd.hWxWnd;
		m_rcWxWnd = wnd.rcWnd;
		return TRUE;
	}

	return FALSE;
}

BOOL CWxObject::FindWxLoginWnd()
{
	WNDINFO wnd;
	wnd.hWxWnd = NULL;
	wnd.dwWxProcId = m_dwWxProcId;
	_stprintf_s(wnd.szWndName, WX_LOGIN_WND_NAME);
	_stprintf_s(wnd.szClassName, WX_LOGIN_WND_CLASS_NAME);
	if (::EnumWindows(&EnumWindowsProc, (LPARAM)&wnd) == FALSE)
	{
		m_hWxLoginWnd = wnd.hWxWnd;
		m_rcWxWnd = wnd.rcWnd;
		return TRUE;
	}

	return FALSE;
}

BOOL CWxObject::Attach2MainWnd(CWnd *pMainWnd, BOOL bLoginWnd )
{
	HWND hWxWnd = bLoginWnd ? m_hWxLoginWnd : m_hWxMainWnd;
	if (hWxWnd != NULL)
	{
		// 获取微信窗口的样式;
		DWORD dwStyle = ::GetWindowLong(hWxWnd, GWL_STYLE);
		// WS_CLIPSIBLINGS告诉父窗口不要绘制子窗口出现的区域;
		dwStyle |= WS_CLIPSIBLINGS;
		// 如果窗口隐藏的，显示出来;
		dwStyle |= WS_VISIBLE;
		// 重新设置窗口样式 ;
		::SetWindowLong(hWxWnd, GWL_STYLE, dwStyle);

		CRect rect;
		pMainWnd->GetWindowRect(&rect);
		// 设置背景透明;
		::SetParent(hWxWnd, pMainWnd->m_hWnd);//set parent of ms paint to our dialog.
		// 擦除背景;
		//SetWindowLong(hWxWnd, GWL_STYLE, WS_VISIBLE);//eraze title of ms paint window.
		//Positioning ms paint.
		pMainWnd->ScreenToClient(&m_rcWxWnd);
		::MoveWindow(hWxWnd, m_rcWxWnd.left, m_rcWxWnd.top, m_rcWxWnd.right, m_rcWxWnd.bottom, true);
		//ClientToScreen(&rect);
		//ScreenToClient(&rect);
		//::SetWindowPos(hWxWnd, NULL, rect.left, rect.top, rect.right, rect.bottom, SWP_SHOWWINDOW | SWP_HIDEWINDOW);
		//窗口重绘，（因创建exe时，设置为SW_HIDE,导致exe窗口会被父窗口覆盖一部分)
		//Invalidate();
		::UpdateWindow(hWxWnd);
		::ShowWindow(hWxWnd, SW_SHOW);

		m_bAttached = TRUE;
	}
	return 0;
}

BOOL CWxObject::DetachWxWnd()
{
	if (m_hWxMainWnd)
		::SetParent(m_hWxMainWnd, NULL);

	if (m_hWxLoginWnd)
		::SetParent(m_hWxLoginWnd, NULL);

	m_bAttached = FALSE;
	return 0;
}

BOOL CWxObject::EnumWindowsProc(HWND hwnd, LPARAM lParam)
{
	DWORD dwProcId = 0, dwThreadId;
	TCHAR szWndName[MAX_PATH] = { 0 };
	TCHAR szClassName[MAX_PATH] = { 0 };
	WNDINFO* pWndInfo = (WNDINFO*)lParam;	
	dwThreadId = GetWindowThreadProcessId(hwnd, &dwProcId);
    if(dwProcId == pWndInfo->dwWxProcId)
    {
		pWndInfo->hWxWnd = hwnd;
		pWndInfo->dwThreadId = dwThreadId;
		::GetWindowText(hwnd, szWndName, MAX_PATH);
		::GetClassName(hwnd, szClassName, MAX_PATH);

		if (_tcscmp(szWndName, pWndInfo->szWndName) == 0 && _tcscmp(szClassName, pWndInfo->szClassName) == 0)
		{
			::GetWindowRect(hwnd, &pWndInfo->rcWnd);
			return FALSE;
		}
    }

    return TRUE;
}