先看看效果
一个程序如果想做单例,无非就是两种办法:遍历进程(查找同名进程),或者用 mutex(命名互斥体)
微信这里使用的就是mutex 互斥
微信启动的时候 会调用
CreateMutexW 来创建一个互斥句柄
具体的代码如下
CreateMutexW(0, FALSE, L"_WeChat_App_Instance_Identity_Mutex_Name");
想要做破解这个也挺简单的
我这里做的是打开微信的时候,注入我自己的DLL,通过修改(_WeChat_App_Instance_Identity_Mutex_Name)来做到多开
具体操作也不难
OD打开微信
Ctrl + G 输入 CreateMutexW
然后点击OK按钮
OD会跳到
我们在这里按F2 下一个断点 然后点击运行程序
程序会执行到这里之后 断下来 我们看堆栈窗口
左键点击它一下 然后按回车键 跳到调用这个的call
到这里,我们就可以看到
_WeChat_App_Instance_Identity_Mutex_Name
是由
7A84A285 68 A8A0557B push WeChatWi.7B55A0A8 ; _WeChat_App_Instance_Identity_Mutex_Name
压入堆栈的
我们记录下这个地址,然后回到模块窗口,查看 WeChatWin.dll 这个模块的基址
我们算下偏移
算法:
地址 - 模块基址 = 偏移量
0x7A84A285 - 0x79EE0000 = 0x96A285
到了这里,我们就拿到了要注入修改的地址的偏移值。注意:这个偏移只对计算它时用的那个 WeChatWin.dll 版本有效,微信更新后必须重新计算,否则会改写到别的指令上。
然后,我们打开VS 新建一个DLL
然后键入代码
使用也简单
新建一个exe 调用CreateProcess
CreateProcess("WeChat.exe 的完整路径", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi)
创建一个挂起(CREATE_SUSPENDED)的微信进程
然后通过注入,把这个 DLL 注入到微信(必须在 WeChatWin.dll 被加载之前注入,否则 DLL 收不到加载通知,也就不会打补丁)
然后恢复挂起进程,就大功告成了,支持无限多开
打开就是这么写
如果有不懂的,也可以加我QQ: 3195774121
最后 附上代码
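#include "pch.h"
#include <windows.h>
#include <ntsecapi.h>
#include <wchar.h>
#include <string.h>

/*
 * WeChat "multi-open" helper DLL.
 *
 * WeChat enforces a single instance with a named mutex:
 *   CreateMutexW(0, FALSE, L"_WeChat_App_Instance_Identity_Mutex_Name");
 * The name is supplied by a `push imm32` inside WeChatWin.dll.  This DLL is
 * injected into a *suspended* WeChat process (before WeChatWin.dll is mapped),
 * registers a loader notification, and when WeChatWin.dll is loaded it
 * rewrites that push so the immediate points at a per-process name.
 *
 * Assumptions that must hold for the target, or the patch corrupts code:
 *  - 32-bit x86 process: the patch is 5 bytes, 0x68 followed by a 32-bit
 *    pointer (enforced below with #error on other targets).
 *  - MUTEX_PUSH_RVA is the RVA of that push in the exact WeChatWin.dll build
 *    it was computed from (0x7A84A285 - 0x79EE0000).  Other builds need a new
 *    value; the opcode at the RVA is verified before anything is written.
 */

#if !defined(_M_IX86) && !defined(__i386__)
#error "This patch writes a 32-bit `push imm32`; it only works in an x86 (32-bit) WeChat process."
#endif

/* RVA of `push offset <mutex name>` in WeChatWin.dll (build-specific, see above). */
#define MUTEX_PUSH_RVA 0x96A285u

/* Opcode of `push imm32` on x86; the instruction is 1 + 4 bytes long. */
#define X86_PUSH_IMM32 0x68
#define X86_PUSH_IMM32_LEN (1 + sizeof(DWORD))

#ifndef NT_SUCCESS
#define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)
#endif

/* ---- Minimal declarations for the undocumented Ldr*DllNotification API ---- */

typedef const UNICODE_STRING *PCUNICODE_STRING;

typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA {
    ULONG Flags;
    PCUNICODE_STRING FullDllName;
    PCUNICODE_STRING BaseDllName;
    PVOID DllBase;
    ULONG SizeOfImage;
} LDR_DLL_LOADED_NOTIFICATION_DATA, *PLDR_DLL_LOADED_NOTIFICATION_DATA;

typedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA {
    ULONG Flags;
    PCUNICODE_STRING FullDllName;
    PCUNICODE_STRING BaseDllName;
    PVOID DllBase;
    ULONG SizeOfImage;
} LDR_DLL_UNLOADED_NOTIFICATION_DATA, *PLDR_DLL_UNLOADED_NOTIFICATION_DATA;

typedef union _LDR_DLL_NOTIFICATION_DATA {
    LDR_DLL_LOADED_NOTIFICATION_DATA Loaded;
    LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded;
} LDR_DLL_NOTIFICATION_DATA, *PLDR_DLL_NOTIFICATION_DATA;

/* Pointer to const data (the original typedef made the pointer itself const). */
typedef const LDR_DLL_NOTIFICATION_DATA *PCLDR_DLL_NOTIFICATION_DATA;

typedef VOID (NTAPI *PLDR_DLL_NOTIFICATION_FUNCTION)(ULONG NotificationReason,
                                                    PCLDR_DLL_NOTIFICATION_DATA NotificationData,
                                                    PVOID Context);
typedef NTSTATUS (NTAPI *PfnLdrRegisterDllNotification)(ULONG Flags,
                                                        PLDR_DLL_NOTIFICATION_FUNCTION NotificationFunction,
                                                        void *Context,
                                                        void **Cookie);
typedef NTSTATUS (NTAPI *PfnLdrUnregisterDllNotification)(void *Cookie);

#define LDR_DLL_NOTIFICATION_REASON_LOADED   1
#define LDR_DLL_NOTIFICATION_REASON_UNLOADED 2

/* Cookie returned by LdrRegisterDllNotification; NULL when not registered. */
void *PvCookie = NULL;

/*
 * Per-process mutex name.  This MUST be static, not a local of the callback:
 * the patched instruction embeds this buffer's address, and CreateMutexW
 * dereferences it long after the callback has returned (the original code
 * pushed the address of a stack buffer, i.e. a dangling pointer).
 */
static wchar_t g_mutex_name[64];

/*
 * True if `name` is exactly "WeChatWin.dll" (case-insensitive).
 * UNICODE_STRING buffers are not guaranteed to be NUL-terminated, so the
 * comparison is bounded by Length (in bytes) rather than using wcscmp.
 */
static BOOL is_wechatwin(PCUNICODE_STRING name)
{
    static const wchar_t want[] = L"WeChatWin.dll";
    const size_t want_len = sizeof(want) / sizeof(want[0]) - 1;
    size_t len;

    if (name == NULL || name->Buffer == NULL)
        return FALSE;
    len = name->Length / sizeof(WCHAR);
    return len == want_len && _wcsnicmp(name->Buffer, want, len) == 0;
}

/*
 * Rewrite the `push imm32` at `target` so its immediate becomes `imm`.
 * Returns FALSE and writes nothing if `target` does not hold a push opcode
 * (wrong WeChatWin.dll build for MUTEX_PUSH_RVA) or if the write fails.
 */
static BOOL patch_push_imm32(BYTE *target, DWORD imm)
{
    BYTE patch[X86_PUSH_IMM32_LEN];
    SIZE_T written = 0;

    /* Sanity check before touching code: the RVA is build-specific. */
    if (*target != X86_PUSH_IMM32)
        return FALSE;

    patch[0] = X86_PUSH_IMM32;
    memcpy(&patch[1], &imm, sizeof(imm));

    /* WriteProcessMemory takes care of the (read-only) code page protection. */
    if (!WriteProcessMemory(GetCurrentProcess(), target, patch, sizeof(patch), &written)
        || written != sizeof(patch))
        return FALSE;

    /* Make sure the CPU does not execute a stale copy of the patched bytes. */
    FlushInstructionCache(GetCurrentProcess(), target, sizeof(patch));
    return TRUE;
}

/*
 * Loader notification callback.  On the LOADED event for WeChatWin.dll it
 * formats a PID-unique mutex name and redirects the `push` at
 * DllBase + MUTEX_PUSH_RVA to it.  Unload events and other modules are ignored.
 * Runs under the loader lock, so it does nothing beyond the patch itself.
 */
VOID NTAPI LdrDllNotification(ULONG NotificationReason,
                              PCLDR_DLL_NOTIFICATION_DATA NotificationData,
                              PVOID Context)
{
    BYTE *base;

    (void)Context;

    if (NotificationReason != LDR_DLL_NOTIFICATION_REASON_LOADED)
        return;
    if (NotificationData == NULL || !is_wechatwin(NotificationData->Loaded.BaseDllName))
        return;

    base = (BYTE *)NotificationData->Loaded.DllBase;
    /* The RVA (plus the full instruction) must lie inside the mapped image. */
    if (base == NULL || NotificationData->Loaded.SizeOfImage < MUTEX_PUSH_RVA + X86_PUSH_IMM32_LEN)
        return;

    swprintf_s(g_mutex_name, sizeof(g_mutex_name) / sizeof(g_mutex_name[0]),
               L"_WeChat_App_Instance_Identity_Mutex_%u", (unsigned)GetCurrentProcessId());

    if (!patch_push_imm32(base + MUTEX_PUSH_RVA, (DWORD)(DWORD_PTR)g_mutex_name))
        OutputDebugStringW(L"WeChat multi-open: push opcode not found at MUTEX_PUSH_RVA or write failed; "
                           L"recompute the offset for this WeChatWin.dll build.\n");
}

/*
 * DLL entry point.  On process attach, registers the loader notification
 * (PvCookie stays NULL if ntdll or the export cannot be resolved, or if
 * registration fails); on process detach, unregisters it if it was registered.
 * Always returns TRUE so injection never fails because of this DLL.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    HMODULE ntdll;

    (void)hModule;
    (void)lpReserved;

    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH: {
        PfnLdrRegisterDllNotification reg;

        ntdll = GetModuleHandleW(L"ntdll.dll");
        if (ntdll == NULL)
            break;
        reg = (PfnLdrRegisterDllNotification)GetProcAddress(ntdll, "LdrRegisterDllNotification");
        if (reg == NULL || !NT_SUCCESS(reg(0, LdrDllNotification, NULL, &PvCookie)))
            PvCookie = NULL;
        break;
    }
    case DLL_PROCESS_DETACH: {
        PfnLdrUnregisterDllNotification unreg;

        if (PvCookie == NULL)
            break;
        ntdll = GetModuleHandleW(L"ntdll.dll");
        if (ntdll != NULL) {
            unreg = (PfnLdrUnregisterDllNotification)GetProcAddress(ntdll, "LdrUnregisterDllNotification");
            if (unreg != NULL)
                unreg(PvCookie);
        }
        PvCookie = NULL;
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    default:
        break;
    }
    return TRUE;
}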