升级至3.9.2.23；更改docker打包根镜像，解决启动容器后微信打不开的情况

README.md

@@ -24,7 +24,7 @@
 
 ## 服务器端
 ```
-第一步 启动PC微信并登陆完成，微信的版本必须是：3.6.0.18
+第一步 启动PC微信并登陆完成，微信的版本必须是：3.9.2.23
 
 第二步 启动非注入版，funtool.exe
 

build-injector-box.sh

@@ -1,32 +1,17 @@
 #!/usr/bin/env bash
-mkdir docker_buiding || true
-# update injector-box
-if [ ! -d docker_buiding/injector-box ]; then
-    git clone https://github.com/ChisBread/injector-box docker_buiding/injector-box
-else
-    cd docker_buiding/injector-box
-    git pull
-    cd -
-fi
-if [ ! -d docker_buiding/injector-box/target ]; then
-    git clone https://github.com/ChisBread/wechat-box docker_buiding/injector-box/target
-else
-    cd docker_buiding/injector-box/target
-    git pull
-    cd -
-fi
-if [ ! -f docker_buiding/injector-box/target/root/WeChatSetup-v3.6.0.18.exe ]; then
-    wget -P docker_buiding/injector-box/target/root https://github.com/ChisBread/wechat-box/releases/download/binary-resource/WeChatSetup-v3.6.0.18.exe
+
+if [ ! -f docker_buiding/injector-box/target/root/WeChatSetup-v3.9.2.23.exe ]; then
+    wget -O docker_buiding/injector-box/target/root/WeChatSetup-v3.9.2.23.exe https://github.com/tom-snow/wechat-windows-versions/releases/download/v3.9.2.23/WeChatSetup-3.9.2.23.exe
 fi
 
-cp funtool/funtool_3.6.0.18-1.0.0015非注入版.exe docker_buiding/injector-box/root/bin/
+cp funtool/funtool_wx=3.9.2.23.exe docker_buiding/injector-box/root/bin/
 cp funtool/inject-dll docker_buiding/injector-box/root/bin/
 cp funtool/inject-monitor docker_buiding/injector-box/root/bin/
 
 cd docker_buiding/injector-box
 # docker rm -f wechat-bot
 # docker rmi -f chisbread/wechat-bot:1.0
-sudo docker build -t chisbread/wechat-bot:1.0 .
+sudo docker build -t ersut/wechat-bot:1.0 .
 # sudo docker run -itd --name wechat-bot  \
 #     -e HOOK_PROC_NAME=WeChat \
 #     -e TARGET_AUTO_RESTART="yes" \

docker-compose.yaml

@@ -0,0 +1,23 @@
+version: "3.3"
+
+services:
+    wechat-box:
+        image: "registry.cn-beijing.aliyuncs.com/ersut/wechat-bot"
+        restart: unless-stopped
+        container_name: "wechat-box"
+        environment:
+            - WC_AUTO_RESTART=yes
+            - HOOK_PROC_NAME=WeChat
+            - INJ_CONDITION=test "`ps -aux | grep funtool | grep -v grep`" != "" && exit 0
+            - TARGET_CMD=wechat-start
+        ports:
+            - "8080:8080"
+            - "5555:5555"
+            - "5900:5900"
+#        volumes:
+#              - "/home/bread/.wechat/WeChat Files/:/home/app/WeChat Files/"
+#              - "/home/bread/.wechat/Applcation Data/:/home/app/.wine/drive_c/users/user/Application Data/"
+#              - "/home/bread/external:/home/app/external"
+        tty: true
+        extra_hosts:
+            - "dldir1.qq.com:127.0.0.1"

docker_buiding/injector-box/.gitignore

@@ -0,0 +1,3 @@
+docker-compose.yaml
+*.dll
+*.exe

docker_buiding/injector-box/Dockerfile

@@ -0,0 +1,16 @@
+FROM sureer/wine-box:8.0.2
+COPY target/root/ /
+# init target with GUI
+RUN bash -c 'nohup /entrypoint.sh 2>&1 &' && sleep 5 && /payloads.sh \
+    && sudo rm /tmp/.X0-lock
+# clear payloads
+RUN sudo rm -r /payloads
+COPY root/ /
+# init injector with GUI
+RUN bash -c 'nohup /entrypoint.sh 2>&1 &' && sleep 5 && /payloads.sh \
+    && sudo rm /tmp/.X0-lock \
+    && (sudo cp -r /*-etc/* /etc || true) \
+    && (sudo chown -R app:app /drive_c && cp -r /drive_c/* /home/app/.wine/drive_c/ || true)
+
+#settings
+ENTRYPOINT ["/inj-entrypoint.sh"]

docker_buiding/injector-box/root/drive_c/injector/README.md

@@ -0,0 +1,5 @@
+# Injector
+- python dll injector
+
+# Credit
+- pyinjector: https://github.com/ustayready/python-pentesting/blob/master/pyinjector.py

docker_buiding/injector-box/root/drive_c/injector/injector.py

@@ -0,0 +1,204 @@
+import os
+import sys
+import ctypes
+import ctypes.wintypes as wt
+import clr # .Net
+import System
+from System.Diagnostics import *
+class Injector():
+    INFINITE = 0xFFFFFFFF
+    PROCESS_SOME_ACCESS = 0x000028
+    MEM_COMMIT = 0x1000
+    MEM_RESERVE = 0x2000
+    MEM_COMMIT_RESERVE = 0x3000
+    MEM_RELEASE = 0x8000
+
+    PAGE_READWRITE = 0x04
+    PAGE_READWRITE_EXECUTE = 0x40
+    PAGE_READ_EXECUTE = 0x20
+
+
+    def __init__(self, proc_name=""):
+        self.proc_name = proc_name
+        self.kernel32 = ctypes.windll.kernel32
+        self.kernel32_function_definitions()
+    def kernel32_function_definitions(self):
+        # Define argument types for Kernel32 functions
+
+        # CloseHandle()
+        self.CloseHandle = ctypes.windll.kernel32.CloseHandle
+        self.CloseHandle.argtypes = [wt.HANDLE]
+        self.CloseHandle.restype = wt.BOOL
+
+        # CreateThread()
+        self.CreateThread = ctypes.windll.kernel32.CreateThread
+        self.CreateThread.argtypes = [
+            wt.LPVOID, ctypes.c_size_t, wt.LPVOID,
+            wt.LPVOID, wt.DWORD, wt.LPVOID
+        ]
+        self.CreateThread.restype = wt.HANDLE
+
+        # CreateRemoteThread()
+        self.CreateRemoteThread = ctypes.windll.kernel32.CreateRemoteThread
+        self.CreateRemoteThread.argtypes = [
+            wt.HANDLE, wt.LPVOID, ctypes.c_size_t,
+            wt.LPVOID, wt.LPVOID, wt.DWORD, wt.LPVOID
+        ]
+        self.CreateRemoteThread.restype = wt.HANDLE
+
+        # HeapAlloc()
+        self.HeapAlloc = ctypes.windll.kernel32.HeapAlloc
+        self.HeapAlloc.argtypes = [wt.HANDLE, wt.DWORD, ctypes.c_size_t]
+        self.HeapAlloc.restype = wt.LPVOID
+
+        # HeapCreate()
+        self.HeapCreate = ctypes.windll.kernel32.HeapCreate
+        self.HeapCreate.argtypes = [wt.DWORD, ctypes.c_size_t, ctypes.c_size_t]
+        self.HeapCreate.restype = wt.HANDLE
+
+        # OpenProcess()
+        self.OpenProcess = ctypes.windll.kernel32.OpenProcess
+        self.OpenProcess.argtypes = [wt.DWORD, wt.BOOL, wt.DWORD]
+        self.OpenProcess.restype = wt.HANDLE
+
+        # RtlMoveMemory()
+        self.RtlMoveMemory = ctypes.windll.kernel32.RtlMoveMemory
+        self.RtlMoveMemory.argtypes = [wt.LPVOID, wt.LPVOID, ctypes.c_size_t]
+        self.RtlMoveMemory.restype = wt.LPVOID
+
+        # VirtualAlloc()
+        self.VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc
+        self.VirtualAlloc.argtypes = [
+            wt.LPVOID, ctypes.c_size_t, wt.DWORD, wt.DWORD
+        ]
+        self.VirtualAlloc.restype = wt.LPVOID
+
+        # VirtualAllocEx()
+        self.VirtualAllocEx = ctypes.windll.kernel32.VirtualAllocEx
+        self.VirtualAllocEx.argtypes = [
+            wt.HANDLE, wt.LPVOID, ctypes.c_size_t,
+            wt.DWORD, wt.DWORD
+        ]
+        self.VirtualAllocEx.restype = wt.LPVOID
+
+        # VirtualFreeEx()
+        self.VirtualFreeEx = ctypes.windll.kernel32.VirtualFreeEx
+        self.VirtualFreeEx.argtypes = [
+            wt.HANDLE, wt.LPVOID, ctypes.c_size_t, wt.DWORD
+        ]
+        self.VirtualFreeEx.restype = wt.BOOL
+
+        # VirtualFree()
+        self.VirtualFree = self.kernel32.VirtualFree
+        self.VirtualFree.argtypes = [
+            wt.HANDLE, ctypes.c_size_t, wt.DWORD
+        ]
+        self.VirtualFree.restype = wt.BOOL
+
+        # VirtualProtect()
+        self.VirtualProtect = ctypes.windll.kernel32.VirtualProtect
+        self.VirtualProtect.argtypes = [
+            wt.LPVOID, ctypes.c_size_t, wt.DWORD, wt.LPVOID
+        ]
+        self.VirtualProtect.restype = wt.BOOL
+
+        # VirtualProtectEx()
+        self.VirtualProtectEx = ctypes.windll.kernel32.VirtualProtectEx
+        self.VirtualProtectEx.argtypes = [
+            wt.HANDLE, ctypes.c_size_t,
+            wt.DWORD, wt.LPVOID
+        ]
+        self.VirtualProtectEx.restype = wt.BOOL
+
+        # WaitForSingleObject
+        self.WaitForSingleObject = self.kernel32.WaitForSingleObject
+        self.WaitForSingleObject.argtypes = [wt.HANDLE, wt.DWORD]
+        self.WaitForSingleObject.restype = wt.DWORD
+
+        # WriteProcessMemory()
+        self.WriteProcessMemory = self.kernel32.WriteProcessMemory
+        self.WriteProcessMemory.argtypes = [
+            wt.HANDLE, wt.LPVOID, wt.LPCVOID,
+            ctypes.c_size_t, wt.LPVOID
+        ]
+        self.WriteProcessMemory.restype = wt.BOOL
+        self.GetModuleHandleA = self.kernel32.GetModuleHandleA
+        self.GetProcAddress = self.kernel32.GetProcAddress
+
+    def select_proc(self):
+        procList = Process.GetProcessesByName(self.proc_name)
+        if not procList:
+            print("[*] %s is not running"%self.proc_name)
+            return None
+        return procList[0]
+
+    def inject_dll(self, dll_path):
+        if not os.path.isfile(dll_path):
+            print('DLL path %s specified does not exist'%dll_path)
+            return 1
+        with open(dll_path, 'rb') as f:
+            print('DLL size:%sMB'%(len(f.read())/(1024.0*1024.0)))
+        print("Injecting DLL: %s to %s"%(dll_path, self.proc_name))
+        proc = self.select_proc()
+        if proc is None:
+            return 1
+        for mod in proc.Modules:
+            modname = mod.FileName
+            #print("[*] Found module: %s"%modname)
+            if dll_path == modname:
+                print("[*] Module %s has Injected. Exiting."%dll_path)
+                return 2
+        # Get a handle to the process we are injecting into.
+        h_process = int(proc.Handle.ToInt32())
+        if not h_process:
+            print("[*] Couldn't acquire a handle to PID: %s" % pid)
+            return 1
+        # Allocate some space for the DLL path
+        dllcstr = bytes(dll_path, encoding='ascii')+b'\x00'
+        dllcstr_len = len(dllcstr)
+        arg_address = self.VirtualAllocEx(
+            h_process, 0, dllcstr_len,
+            self.MEM_COMMIT_RESERVE,
+            self.PAGE_READWRITE_EXECUTE
+        )
+        print('[*] VirtualAllocEx() memory at: 0x{:08X}'.format(arg_address))
+        # Write the DLL path into the allocated space
+        written = ctypes.c_int(0)
+        result = self.WriteProcessMemory(
+            h_process, arg_address, dllcstr,
+            dllcstr_len, ctypes.byref(written)
+        )
+        print('[+] Bytes written = {}'.format(written.value))
+        if result == 0:
+            print("[-] WriteProcessMemory() Failed - Error Code: {}".format(
+                self.kernel32.GetLastError()
+            ))
+            return 1
+        # We need to resolve the address for LoadLibraryA 
+        h_kernel32 = self.GetModuleHandleA(bytes("kernel32.dll", encoding='ascii'))
+        print("[*] kernel32 handle 0x%08x." % h_kernel32)
+        h_loadlib = self.GetProcAddress(h_kernel32, bytes("LoadLibraryA", encoding='ascii'))
+        print("[*] Address LoadLibraryA 0x%08x." % h_loadlib)
+        # Now we try to create the remote thread, with the entry point set
+        # to LoadLibraryA and a pointer to the DLL path as its single parameter thread_id = c_ulong(0)
+        thread_id = ctypes.c_ulong(0)
+        h_thread = self.CreateRemoteThread(h_process, 0, 0, h_loadlib, arg_address, 0, ctypes.byref(thread_id))
+        if h_thread == 0:
+            print("[-] CreateRemoteThread() Failed - Error Code: {}".format(
+                self.kernel32.GetLastError()
+            ))
+            return 1
+        print("[*] Remote thread with ID 0x%08x created." % thread_id.value)
+        self.WaitForSingleObject(h_thread, self.INFINITE)
+        self.VirtualFree(h_process, 0, self.MEM_RELEASE)
+        self.CloseHandle(h_process)
+        return 0
+
+if __name__ == "__main__":
+    injector = None
+    if len(sys.argv) == 3:
+        injector = Injector(sys.argv[2])
+    else:
+        print("Usage: %s <path of dll> <optional: process name>" % __file__)
+        sys.exit(1)
+    sys.exit(injector.inject_dll(sys.argv[1]))

docker_buiding/injector-box/root/drive_c/injector/requirements.txt

@@ -0,0 +1 @@
+pythonnet

docker_buiding/injector-box/root/inj-entrypoint.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+sudo rm /tmp/.X0-lock
+
+TARGET_AUTO_RESTART=${TARGET_AUTO_RESTART:-no}
+TARGET_LOG_FILE=${TARGET_LOG_FILE:-/dev/null}
+function run-target() {
+    while :
+    do
+        $TARGET_CMD >${TARGET_LOG_FILE} 2>&1
+        case ${TARGET_AUTO_RESTART} in
+        false|no|n|0)
+            exit 0
+            ;;
+        esac
+    done
+}
+/entrypoint.sh &
+sleep 5
+inject-monitor &
+run-target &
+wait

docker_buiding/injector-box/root/payloads.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -ex
+for i in `ls /payloads/*|sort`
+do
+[ -x "$i" ] && {
+    "$i"
+}
+done

docker_buiding/injector-box/root/payloads/002-install-wine-py-deps.sh

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+cd /drive_c/injector
+wine pip install -r requirements.txt

docker_buiding/injector-box/target/.gitignore

@@ -0,0 +1 @@
+*.exe

docker_buiding/injector-box/target/Dockerfile

@@ -0,0 +1,11 @@
+FROM sureer/wine-box:8.0.2
+
+COPY root/ /
+
+# init with GUI
+RUN bash -c 'nohup /entrypoint.sh 2>&1 &' && sleep 5 && /payloads.sh \
+    && sudo cp -r /wechat-etc/* /etc/ \
+    && sudo rm /tmp/.X0-lock
+#settings
+
+ENTRYPOINT ["/wx-entrypoint.sh"]

docker_buiding/injector-box/target/root/bin/wechat-monitor

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+function errmonitor() {
+    while :
+    do
+        for i in `xdotool search --onlyvisible --class WeChat.exe`
+        do
+            NAME=`xdotool getwindowname $i`
+            echo "window name: $NAME"
+            if [ "$NAME" == "" ] || [ "$NAME" == "微信电脑版更新" ]; then
+                xdotool windowunmap $i
+            fi
+        done
+        for i in `xdotool search --onlyvisible --class wine`
+        do
+            NAME=`xdotool getwindowname $i`
+            echo "window name: $NAME"
+            if [ "$NAME" == "程序错误" ]; then
+                xdotool windowkill $i
+            fi
+        done
+        sleep 1
+    done
+}
+errmonitor 

docker_buiding/injector-box/target/root/bin/wechat-start

@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+wine 'C:\Program Files (x86)\Tencent\WeChat\WeChat.exe'