




Python實現向好友發送微信消息(優化篇)目錄:前言、第二次優化、第三次優化
前言
之前說了怎么寫機器碼到內存,然后調用。現在說說怎么優化。
用Python發送微信消息給好友
第二次優化
再看一遍c語言的代碼
voidSendText(wchar_t*wsTextMsg){
//發送的好友,filehelper是文件傳輸助手
wchar_twsWxId[0x10]=L"filehelper";
WxBaseStructwxWxid(wsWxId);
//發送的消息內容
WxBaseStructwxTextMsg(wsTextMsg);
wchar_t**pWxmsg=wxTextMsg.buffer;
charbuffer[0x3B0]={0};
charwxNull[0x100]={0};
DWORDdllBaseAddress=(DWORD)GetModuleHandleA("WeChatWin.dll");
//發消息的函數call地址
DWORDcallAddress=dllBaseAddress+0x521D30;
__asm{
leaeax,wxNull;
push0x1;
pusheax;
movedi,pWxmsg;
pushedi;
leaedx,wxWxid;
leaecx,buffer;
callcallAddress;
addesp,0xC;
}
上面的代碼中,真正發消息的是asm里面的代碼,之前的c代碼都是在組裝內存數據。那我們是不是可以用Python組裝數據,只將下面的匯編轉為機器碼寫入內存調用,這樣就少了很多無用的機器碼。
改完的SendText函數如下
// File-scope data that the inline-asm SendText() below references by address.
// In this variant everything is prepared here so the asm block only has to
// load addresses (the string literals lost their quotes in this listing).
wchar_twsWxId[0x10]=Lfilehelper
wchar_twsTextMsg[0x100]=Ltest
// WxBaseStruct wraps each wide string; its layout is not shown on this page.
WxBaseStructwxWxid(wsWxId);
WxBaseStructwxTextMsg(wsTextMsg);
wchar_t**pWxmsg=wxTextMsg.buffer;
// Zero-initialised scratch areas handed to the target function.
charbuffer[0x3B0]={0};
charwxNull[0x100]={0};
// Base of WeChatWin.dll in this process (the argument's quotes are missing in this listing).
DWORDdllBaseAddress=(DWORD)GetModuleHandleA(WeChatWin.dll;
// Fixed offset into one specific WeChatWin.dll build; it is only valid for the
// build it was taken from and must be re-derived for any other version.
DWORDcallAddress=dllBaseAddress+0x521D30;
// Calls the function at callAddress using the file-scope data above:
// ecx and edx carry the addresses of buffer and wxWxid, and three dwords are
// pushed (1, &wxNull, pWxmsg). `add esp,0xC` pops those three pushes; edi is
// clobbered and not restored.
voidSendText(){
__asm{
leaeax,wxNull;
push0x1;
pusheax;
movedi,pWxmsg;
pushedi;
leaedx,wxWxid;
leaecx,buffer;
callcallAddress;
addesp,0xC;
}
}
匯編代碼:
[]里面包含的類型和變量名其實就是地址,只需要將地址改成用Python構造的地址就可以了
完整代碼如下:
importos
importpymem
importctypes
importtime
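def convert_addr(addr):
    """Return a 32-bit address as eight little-endian hex digits.

    Args:
        addr: an ``int``, or a hex string with or without a ``0x``/``0X``
            prefix.

    Returns:
        The address's four bytes in little-endian order, two hex digits each
        (``0x12345678`` -> ``"78563412"``). Digits supplied as a string keep
        their case; ints are rendered in lowercase.

    Raises:
        ValueError: if ``addr`` is negative, contains non-hex characters, or
            does not fit in 32 bits. The original silently kept only the
            first eight digits of a wider value, which would produce a wrong
            address rather than an error.
    """
    if isinstance(addr, int):
        if addr < 0:
            raise ValueError(f"address must be non-negative: {addr!r}")
        digits = format(addr, "x")
    else:
        digits = str(addr)
        if digits[:2] in ("0x", "0X"):
            digits = digits[2:]
        # Fail here rather than later in bytes.fromhex on a malformed string.
        if any(ch not in "0123456789abcdefABCDEF" for ch in digits):
            raise ValueError(f"not a hex address: {addr!r}")
    if len(digits) > 8:
        raise ValueError(f"address does not fit in 32 bits: {addr!r}")
    digits = digits.zfill(8)  # left-pad to exactly four bytes
    # Split into byte pairs and emit the lowest byte first.
    byte_pairs = [digits[i:i + 2] for i in range(0, 8, 2)]
    return "".join(reversed(byte_pairs))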
# Builds a WxBaseStruct-shaped record inside the target process for `content`:
# a 20-byte header whose first dword points at a UTF-16LE copy of the text,
# followed by two length fields and two zeroed dwords. Returns both remote
# addresses so the caller can free them later.
# These are writes into another process's memory (WriteProcessMemory on a
# foreign handle), which is the kind of activity endpoint monitoring keys on.
# The WriteProcessMemory return value is not checked.
defWxBaseStruct(process_handle,content):
struct_address=pymem.memory.allocate_memory(process_handle,20)
bcontent=content.encode('utf-16le')
# 16 bytes of slack; no terminator is written explicitly, so this relies on the
# allocation being zero-filled — confirm against pymem's allocate_memory.
content_address=pymem.memory.allocate_memory(process_handle,len(bcontent)+16)
pymem.ressources.kernel32.WriteProcessMemory(process_handle,content_address,bcontent,len(bcontent),None)
pymem.memory.write_int(process_handle,struct_address,content_address)
# NOTE(review): len(content) counts code points, while the *2 on the next field
# treats it as a UTF-16 code-unit count; the two differ for characters outside
# the BMP (e.g. emoji), so those lengths would be too small for such text.
pymem.memory.write_int(process_handle,struct_address+0x4,len(content))
pymem.memory.write_int(process_handle,struct_address+0x8,len(content)*2)
pymem.memory.write_int(process_handle,struct_address+0xC,0)
pymem.memory.write_int(process_handle,struct_address+0x10,0)
returnstruct_address,content_address
# Starts a thread in the target process at `address` (CreateRemoteThread with
# NULL security attributes and `params`, defaulting to 0, as the thread
# argument) and blocks until that thread exits. This is the step that actually
# executes code in the other process, and remote-thread creation is the main
# detection point for injection-style behaviour.
# Returns the raw thread handle; nothing here closes it, so the caller owns it.
defstart_thread(process_handle,address,params=None):
params=paramsor0
NULL_SECURITY_ATTRIBUTES=ctypes.cast(0,pymem.ressources.structure.LPSECURITY_ATTRIBUTES)
# NOTE(review): the closing parenthesis of this call is missing in this listing.
# GetLastError is then read unconditionally, so a stale error code from an
# earlier call produces a warning even when CreateRemoteThread succeeded, and
# read through ctypes.windll it may not reflect this call at all
# (ctypes.get_last_error with use_last_error=True is the documented route).
# A failed call (thread_h == 0) is not handled before the wait below.
thread_h=pymem.ressources.kernel32.CreateRemoteThread(
process_handle,
NULL_SECURITY_ATTRIBUTES,
address,
params,
ctypes.byref(ctypes.c_ulong(0))
last_error=ctypes.windll.kernel32.GetLastError()
iflast_error:
pymem.logger.warning('Gotanerrorinstartthread,code:%s'%last_error)
# -1 is INFINITE as a signed int: wait until the remote thread finishes.
pymem.ressources.kernel32.WaitForSingleObject(thread_h,-1)
returnthread_h
# End-to-end driver: prepares the arguments inside the target process, writes a
# short machine-code stub that calls a fixed function in WeChatWin.dll, runs it
# on a remote thread, then releases everything.
# The sequence — open another process, allocate and write its memory, create a
# remote thread at the written code — is the classic code-injection pattern;
# it needs a handle with write and thread-creation rights and is exactly the
# behaviour endpoint protection and anti-tamper checks look for.
# `cess` is not defined anywhere in this listing (presumably a module reference
# lost in extraction).
defmain(wxpid,wxid,msg):
process_handle=cess.open(wxpid)
# Scratch areas mirroring the C version's wxNull and buffer arrays.
wxNull_address=pymem.memory.allocate_memory(process_handle,0x100)
buffer_address=pymem.memory.allocate_memory(process_handle,0x3B0)
wxid_struct_address,wxid_address=WxBaseStruct(process_handle,wxid)
msg_struct_address,msg_address=WxBaseStruct(process_handle,msg)
process_WeChatWin_handle=cess.module_from_name(process_handle,"WeChatWin.dll")
# Hard-coded offset into one specific WeChatWin.dll build. Nothing verifies the
# build, so on any other version the stub would transfer control to whatever
# sits at that offset, most likely crashing or corrupting the process.
call_address=process_WeChatWin_handle.lpBaseOfDll+0x521D30
# The stub calls indirectly through memory (FF15), so the target address lives
# in its own 4-byte cell rather than being encoded in the instruction.
call_p_address=pymem.memory.allocate_memory(process_handle,4)
pymem.memory.write_int(process_handle,call_p_address,call_address)
# Hex-encoded instruction bytes with little-endian address placeholders; the
# closing triple quote of this string is missing in this listing.
format_code='''
8D05{wxNull}
6A01
8D3D{wxTextMsg}
8D15{wxWxid}
8D0D{buffer}
FF15{callAddress}
83C40C
shellcode=format_code.format(wxNull=convert_addr(wxNull_address),
wxTextMsg=convert_addr(msg_struct_address),
wxWxid=convert_addr(wxid_struct_address),
buffer=convert_addr(buffer_address),
callAddress=convert_addr(call_p_address))
# NOTE(review): replace('','') is a no-op (empty search string); bytes.fromhex
# skips ASCII whitespace on Python 3.7+, so neither replace is needed there.
shellcode=bytes.fromhex(shellcode.replace('','').replace('\n',''))
shellcode_address=pymem.memory.allocate_memory(process_handle,len(shellcode)+5)
# WriteProcessMemory's return value is not checked.
pymem.ressources.kernel32.WriteProcessMemory(process_handle,shellcode_address,shellcode,len(shellcode),None)
thread_h=start_thread(process_handle,shellcode_address)
# start_thread already waits for the remote thread to exit, so this sleep adds
# nothing unless that wait failed. thread_h is never closed (handle leak).
time.sleep(0.5)
# Release every remote allocation; this is only safe because the remote thread
# has already been waited on.
pymem.memory.free_memory(process_handle,wxNull_address)
pymem.memory.free_memory(process_handle,buffer_address)
pymem.memory.free_memory(process_handle,wxid_struct_address)
pymem.memory.free_memory(process_handle,wxid_address)
pymem.memory.free_memory(process_handle,msg_struct_address)
pymem.memory.free_memory(process_handle,msg_address)
pymem.memory.free_memory(process_handle,call_p_address)
pymem.memory.free_memory(process_handle,shellcode_address)
cess.close_handle(process_handle)
# Script entry point. The PID is hard-coded to one particular process instance
# and has to be updated for every run. "filehelper" is the user's own
# file-transfer assistant (per the C comment earlier on this page), so the test
# message goes to the user's own account rather than to another contact.
if__name__=="__main__":
wxpid=16892
wxid="filehelper"
msg="pythontest"
main(wxpid,wxid,msg)
第三次優化
直接在Python里寫匯編,然后自動轉機器碼寫入內存。使用的是Python的keystone庫
#-*-coding:utf-8-*-
importos
importpymem
importctypes
importtime
fromkeystoneimportKs,KS_ARCH_X86,KS_MODE_32
# Assembles 32-bit x86 assembly text into raw bytes with keystone (a
# third-party assembler binding). `syntax` is accepted but never used, so the
# input is always interpreted in keystone's default syntax.
defasm2code(asm_code,syntax=0):
ks=Ks(KS_ARCH_X86,KS_MODE_32)
# as_bytes=True yields bytes instead of a list of ints; the second element of
# the result (statement count) is discarded.
bytes_code,_=ks.asm(asm_code,as_bytes=True)
returnbytes_code
# Builds a WxBaseStruct-shaped record inside the target process for `content`:
# a 20-byte header whose first dword points at a UTF-16LE copy of the text,
# followed by two length fields and two zeroed dwords. Returns both remote
# addresses so the caller can free them later.
# These are writes into another process's memory (WriteProcessMemory on a
# foreign handle), which is the kind of activity endpoint monitoring keys on.
# The WriteProcessMemory return value is not checked.
defWxBaseStruct(process_handle,content):
struct_address=pymem.memory.allocate_memory(process_handle,20)
bcontent=content.encode('utf-16le')
# 16 bytes of slack; no terminator is written explicitly, so this relies on the
# allocation being zero-filled — confirm against pymem's allocate_memory.
content_address=pymem.memory.allocate_memory(process_handle,len(bcontent)+16)
pymem.ressources.kernel32.WriteProcessMemory(process_handle,content_address,bcontent,len(bcontent),None)
pymem.memory.write_int(process_handle,struct_address,content_address)
# NOTE(review): len(content) counts code points, while the *2 on the next field
# treats it as a UTF-16 code-unit count; the two differ for characters outside
# the BMP (e.g. emoji), so those lengths would be too small for such text.
pymem.memory.write_int(process_handle,struct_address+0x4,len(content))
pymem.memory.write_int(process_handle,struct_address+0x8,len(content)*2)
pymem.memory.write_int(process_handle,struct_address+0xC,0)
pymem.memory.write_int(process_handle,struct_address+0x10,0)
returnstruct_address,content_address
# Starts a thread in the target process at `address` (CreateRemoteThread with
# NULL security attributes and `params`, defaulting to 0, as the thread
# argument) and blocks until that thread exits. This is the step that actually
# executes code in the other process, and remote-thread creation is the main
# detection point for injection-style behaviour.
# Returns the raw thread handle; nothing here closes it, so the caller owns it.
defstart_thread(process_handle,address,params=None):
params=paramsor0
NULL_SECURITY_ATTRIBUTES=ctypes.cast(0,pymem.ressources.structure.LPSECURITY_ATTRIBUTES)
# NOTE(review): the closing parenthesis of this call is missing in this listing.
# GetLastError is then read unconditionally, so a stale error code from an
# earlier call produces a warning even when CreateRemoteThread succeeded, and
# read through ctypes.windll it may not reflect this call at all
# (ctypes.get_last_error with use_last_error=True is the documented route).
# A failed call (thread_h == 0) is not handled before the wait below.
thread_h=pymem.ressources.kernel32.CreateRemoteThread(
process_handle,
NULL_SECURITY_ATTRIBUTES,
address,
params,
ctypes.byref(ctypes.c_ulong(0))
last_error=ctypes.windll.kernel32.GetLastError()
iflast_error:
pymem.logger.warning('Gotanerrorinstartthread,code:%s'%last_error)
# -1 is INFINITE as a signed int: wait until the remote thread finishes.
pymem.ressources.kernel32.WaitForSingleObject(thread_h,-1)
returnthread_h
defmain(wxpid,wxid,msg):
process_handle=cess.open(wxpid)
wxNull_address=pymem.memory.allocate_memory(process_handle,0x100)
buffer_address=pymem.memory.allocate_memory(process_handle,0x3B0)
wxid_struct_address,wxid_address=WxBaseStruct(process_handle,wxid)
msg_struct_address,msg_address=WxBaseStruct(process_handle,msg)
process_WeChatWin_handle=cess.module_from_name(process_handle,"WeChatWin.dll")
call_address=process_WeChatWin_handle.lpBaseOfDll+0x521D30
call_p_address=pymem.memory.allocate_memory(process_handle,4)
pymem.memory.write_int(process_handle,call_p_address,call_address)
format_asm_code='''
pushedi;
leaeax,dwordptrds:[{wxNull:#02x}];
push0x1;
pusheax;
leaedi,dwordptrds:[{wxTextMsg:#02x}];
pushedi;
leaedx,dwordptrds:[{wxWxid:#02x}];
leaecx,dwordptrds:[{buffer:#02x}];
calldwordptrds:[{callAddress:#02x}];
addesp,0xC;
popedi;
ret;
asm_code=format_asm_code.format(wxNull=wxNull_address,
wxTextMsg=msg_struct_address,
wxWxid=wxid_struct_address,
buffer=buffer_address,
callAddress=call_p_address)
shellcode=asm2code(asm_code.encode())
shellcode_address=pymem.