using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Diagnostics;
using System.Drawing;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
namespace L014ReadWeChatMemory
{
public partial class Form1 : Form
{
public Form1()
{
InitializeComponent();
}
private void Button1_Click(object sender, EventArgs e)
{
this.textBox1.Clear();
//微信進程
Process WxProcess = null;
//WeChatWin.dll基址
IntPtr WeChatWinBaseAddress = IntPtr.Zero;
//微信版本
String WeChatVersion = "";
Process[] processes = Process.GetProcesses();
foreach (Process process in processes)
{
if (process.ProcessName == "WeChat")
{
WxProcess = process;
this.textBox1.AppendText("微信已找到!" + Environment.NewLine);
this.textBox1.AppendText("微信句柄:\t" + "0x" + ((int)(process.Handle)).ToString("X8") + Environment.NewLine);
foreach (ProcessModule processModule in process.Modules)
{
if (processModule.ModuleName == "WeChatWin.dll")
{
WeChatWinBaseAddress = processModule.BaseAddress;
this.textBox1.AppendText("微信基址:\t" + "0x" + ((int)(processModule.BaseAddress)).ToString("X8") + Environment.NewLine);
WeChatVersion = processModule.FileVersionInfo.FileVersion;
this.textBox1.AppendText("微信版本:\t" + processModule.FileVersionInfo.FileVersion + Environment.NewLine);
break;
}
}
break;
}
}
if (WxProcess == null)
{
this.textBox1.AppendText("微信沒有找到!");
return;
}
//微信號
int WxNameAddress = (int)WeChatWinBaseAddress + 0x1131B90;
this.textBox1.AppendText("微信號地址:\t" + "0x" + ((int)(WxNameAddress)).ToString("X8") + Environment.NewLine);
this.textBox1.AppendText("微信號:\t" + GetString(WxProcess.Handle, (IntPtr)WxNameAddress) + Environment.NewLine);
//微信暱稱
int WxNickNameAddress = (int)WeChatWinBaseAddress + 0x1131C64;
this.textBox1.AppendText("微信暱稱地址:\t" + "0x" + ((int)(WxNickNameAddress)).ToString("X8") + Environment.NewLine);
this.textBox1.AppendText("微信暱稱:\t" + GetString(WxProcess.Handle, (IntPtr)WxNickNameAddress) + Environment.NewLine);
}
String GetString(IntPtr hProcess, IntPtr lpBaseAddress, int nSize = 100)
{
byte[] data = new byte[nSize];
if (ReadProcessMemory(hProcess, lpBaseAddress, data, nSize, 0) == 0)
{
//讀取內存失敗!
return "";
}
String result = "";
String TempString = Encoding.ASCII.GetString(data);
// \0
foreach (char item in TempString)
{
if (item == '\0')
{
break;
}
result += item.ToString();
}
return result;
}
[DllImport("Kernel32.dll")]
//BOOL ReadProcessMemory(
// HANDLE hProcess,
// LPCVOID lpBaseAddress,
// LPVOID lpBuffer,
// SIZE_T nSize,
// SIZE_T* lpNumberOfBytesRead
//);
public static extern int ReadProcessMemory(
IntPtr hProcess, //正在讀取內存的進程句柄。句柄必須具有PROCESS_VM_READ訪問權限。
IntPtr lpBaseAddress, //指向要從中讀取的指定進程中的基址的指針。在發生任何數據傳輸之前,系統會驗證基本地址和指定大小的內存中的所有數據是否都可以進行讀訪問,如果無法訪問,則該函數將失敗。
byte[] lpBuffer, //指向緩衝區的指針,該緩衝區從指定進程的地址空間接收內容。
int nSize, //要從指定進程讀取的字節數。
int lpNumberOfBytesRead //指向變量的指針,該變量接收傳輸到指定緩衝區的字節數。如果lpNumberOfBytesRead爲NULL,則忽略該參數。
);
}
}
示例來源:
網易雲課堂《2019 PC 微信探祕》
交流QQ羣:
456197310 