企业微信的消息

企业微信使用 protobuf nano 封装消息数据；用 Frida 批量 hook 相关的消息类，即可打印出所有序列化/反序列化的消息内容。

LocationMessage

Hook “com.tencent.wework.foundation.model.pb.WwRichmessage$LocationMessage”类
消息内容

address: "\345\214\227\344\272\254\345\270\202\345\214\227\344\272\254\345\270\202\346\265\267\346\267\200\345\214\272\345\275\251\345\222\214\345\235\212\350\267\257\345\214\227\345\233\233\347\216\257\350\245\277\350\267\25766\345\217\267"
latitude: 39.984293
longitude: 116.307449
title: "\345\214\227\345\233\233\347\216\257\350\245\277\350\267\25766\345\217\267"
zoom: 15.0

FileMessage

Hook “com.tencent.wework.foundation.model.pb.WwRichmessage$FileMessage”类

filename曾经存在路径穿越漏洞,通过hook String.getBytes()修改filename为”../../../hack.zip”

aes_key: ""
decrypt_ret: -1
encrypt_key: ""
encrypt_size: 0
extra: ""
file_id: ""
file_name: "open_screen_bg_img_1557.png"
flags: 0
height: 0
is_hd: false
iscomplex: false
md5: ""
mid_img_size: 0
mid_thumbnail_file_id: ""
mid_thumbnail_path: "/storage/emulated/0/Tencent/WeixinWork/uploadTempMidbimage/00ceba176d6be5ef68f045defd4280c0.midimage"
random_key: ""
receiver_deviceid: ""
sender_deviceid: ""
session_id: ""
size: 116907
thumb_img_size: 0
thumbnail_file_id: ""
thumbnail_path: "/storage/emulated/0/Tencent/WeixinWork/uploadTempThumbimage/00ceba176d6be5ef68f045defd4280c0.thumbimage"
url: "/storage/emulated/0/wandoujia/downloader/openscreen/open_screen_bg_img_1557.png"
voice_time: 0
wechat_auth_key: ""
wechat_cdn_ld_aeskey: ""
wechat_cdn_ld_height: 193
wechat_cdn_ld_md5: ""
wechat_cdn_ld_size: 0
wechat_cdn_ld_url: ""
wechat_cdn_ld_width: 290
width: 0

EmotionMessage

aes_key: ""
create_time: 0
description: "\345\271\262\345\276\227\346\274\202\344\272\256"
file_id: ""
group_id: "100"
height: 240
md5: "eb1de22cdf24034f2c06edebc529e90c"
random_url: ""
size: 0
source_type: 1
src: 2
static_url: "http://p.qpic.cn/pic_wework/1802732579/04027e002a09edf9965ee6fd369f87b6390c933341504f32/0"
type: 2
url: "http://p.qpic.cn/pic_wework/1802732579/ecea96e80f0c70e81b6d5107416cec562326901d20a61bc4/0"
width: 240
wx_emotion_buffer: ""

RichMessage

  1. 普通文本
messages <
content_type: 0
data: "\012\025\345\207\217\350\202\245\346\225\210\346\236\234\351\203\275\345\207\221\345\207\221"
>
  1. emoji表情
messages <
content_type: 3
data: "\012\005[\350\211\262]"
>

VideoMessage

aes_key: "6f899d3e4c364a2baa70cfce00617a03"
decrypt_ret: -1
encrypt_key: ""
encrypt_size: 1029481
flags: 0
md5: "4b49f7136f83d563c08a0fce5d7d61d0"
preview_img_aes_key: ""
preview_img_md5: "3648cc2101f076f4e4a1a3ad47958d64"
preview_img_size: 10318
preview_img_url: "/storage/emulated/0/Tencent/WeixinWork/tempimagecache/1688851907317093/video_thumb/6a362d3586f5bd8e07472a543ecd37d0_thumb.wwdata"
random_key: ""
session_id: ""
size: 1029481
thumbnail_file_id: ""
url: "/storage/emulated/0/DCIM/WeixinWork/mmexport1526034101689.mp4"
video_duration: 5
video_height: 1280
video_id: "3069020102046230600201000204cf40798d02030f424202042a8dcf8c02045af56eb7042430626334356235372d316161322d346363362d393831312d37643232396236373362393102010002030fb57004104b49f7136f83d563c08a0fce5d7d61d00201040201000400"
video_width: 720
wechat_auth_key: ""

其他消息

// Extension registrations of WwRichmessage (protobuf nano). The call shape is
// Extension.createMessageTyped(type, clazz, tag): 11 matches Extension.TYPE_MESSAGE,
// and tag looks like a protobuf wire tag, (field_number << 3) | wire_type, so
// 810 = field 101 / wire type 2 (length-delimited), 818 = field 102, ... 858 = field 107,
// 8010 = field 1001, 8026 = 1003, 8042 = 1005, 8106 = 1013, 8130 = 1016,
// 8138 = 1017, 8154 = 1019.  When decoding captured messages, the tag tells
// which payload class a given extension field carries.
// NOTE(review): the first seven and the following seven registrations reuse the
// same tags 810..858; presumably each group is attached to a different container
// message (share-type vs. rich messages) — confirm in the generated class before
// relying on this mapping.
WwRichmessage.pOSTSHAREDMESSAGE = Extension.createMessageTyped(11, PostSharedMessage.class, 810);
WwRichmessage.cARDSHAREDMESSAGE = Extension.createMessageTyped(11, BusinessCardShareMessage.class, 818);
WwRichmessage.aTTENDANCESHAREDMESSAGE = Extension.createMessageTyped(11, AttendanceRecordShareMessage.class, 826);
WwRichmessage.wORKLOGSHAREDMESSAGE = Extension.createMessageTyped(11, WorkLogRecordShareMessage.class, 834);
WwRichmessage.aPPROVALSHAREDMESSAGE = Extension.createMessageTyped(11, ApprovalShareMessage.class, 842);
WwRichmessage.wORKLOGSHAREDMESSAGEV2 = Extension.createMessageTyped(11, WorkLogRecordShareMessage.class, 850);
WwRichmessage.wEAPPMESSAGE = Extension.createMessageTyped(11, WeAppMessage.class, 858);
// Second group: same tag values as above, different payload classes.
WwRichmessage.rICHMESSAGE = Extension.createMessageTyped(11, RichMessage.class, 810);
WwRichmessage.vIDEOMESSAGE = Extension.createMessageTyped(11, VideoMessage.class, 818);
WwRichmessage.fILEMESSAGE = Extension.createMessageTyped(11, FileMessage.class, 826);
WwRichmessage.lOCATIONMESSAGE = Extension.createMessageTyped(11, LocationMessage.class, 834);
WwRichmessage.lINKMESSAGE = Extension.createMessageTyped(11, LinkMessage.class, 842);
WwRichmessage.eMOTIONMESSAGE = Extension.createMessageTyped(11, EmotionMessage.class, 850);
WwRichmessage.fORWARDMESSAGES = Extension.createMessageTyped(11, ForwardMessages.class, 858);
// Higher field numbers (1001+), each with wire type 2 as well.
WwRichmessage.iNVITEMESSAGE = Extension.createMessageTyped(11, InviteMessage.class, 8010);
WwRichmessage.aPPMESSAGE = Extension.createMessageTyped(11, AppMessage.class, 8026);
WwRichmessage.iNVITEMEMBERENTERMESSAGE = Extension.createMessageTyped(11, InviteMemberEnterMessage.class, 8042);
WwRichmessage.aPPTEVENTMESSAGE = Extension.createMessageTyped(11, ApptEventMessage.class, 8106);
WwRichmessage.iTILHBINVITEMESSAGE = Extension.createMessageTyped(11, ItilHBInviteMessage.class, 8130);
WwRichmessage.aPPMARKETINFOMESSAGE = Extension.createMessageTyped(11, AppMarketInfoMessage.class, 8138);
WwRichmessage.cOMMONTIBCARDMESSAGE = Extension.createMessageTyped(11, CommonTitleImgBtnCardMessage.class, 8154);

Frida hook代码

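Java.perform(function () {
  // Only direct subclasses of this nano base class are hooked (same check as
  // before, just named).  Generated nano message classes extend it directly.
  const NANO_BASE = 'com.google.protobuf.nano.ExtendableMessageNano';
  const TARGET_PACKAGE = 'com.tencent.wework.foundation.model.pb';
  // Class names already processed.  enumerateLoadedClasses reports an array
  // descriptor ("[Lpkg.Cls;") and the plain name as separate entries; after
  // stripping the descriptor they denote the same class, so without this set
  // the class would be hooked twice (the second hook simply replaced the first).
  const hooked = new Set();

  /**
   * Hooks writeTo / parseFrom of one protobuf-nano message class so that every
   * message serialised or parsed through it is printed with toString().
   * Nothing about the message is changed: each hook forwards to the original
   * method and returns its result.
   * @param {string} func - fully-qualified Java class name
   */
  function add_hook(func) {
    const messageClass = Java.use(func);
    const superClass = messageClass.class.getSuperclass();
    // == null also covers undefined
    if (superClass == null) return;
    if (superClass.getName().indexOf(NANO_BASE) < 0) return;
    console.log(superClass, func);

    messageClass.writeTo.implementation = function (arg) {
      console.log(`============= ${func} call writeTo =============`);
      console.log(this.toString());
      // Calling the method on `this` from inside the replacement runs the
      // original implementation.
      return this.writeTo(arg);
    };

    messageClass.parseFrom.overload('[B').implementation = function (arg) {
      // Log line now spaced like the other two ("<class> call parseFrom ...").
      console.log(`============= ${func} call parseFrom byte[] =============`);
      const parsed = this.parseFrom(arg);
      console.log(parsed.toString());
      return parsed;
    };

    messageClass.parseFrom
      .overload('com.google.protobuf.nano.CodedInputByteBufferNano')
      .implementation = function (arg) {
        console.log(`============= ${func} call parseFrom [inputbuffer] =============`);
        const parsed = this.parseFrom(arg);
        console.log(parsed.toString());
        return parsed;
      };
  }

  // Only classes already loaded at this point are hooked; message classes the
  // app loads later are not seen.  Re-run the script (or hook later) if a
  // message type you expect never shows up in the output.
  Java.enumerateLoadedClasses({
    onMatch: function (classname) {
      if (classname.indexOf(TARGET_PACKAGE) === -1) return;
      // Strip a (possibly nested) array descriptor: "[[Lpkg.Cls;" -> "pkg.Cls".
      const name = classname.replace(/^\[+L/, '').replace(/;$/, '');
      if (hooked.has(name)) return;
      hooked.add(name);
      // One class without the expected methods (or one Java.use failure) must
      // not abort the whole enumeration; report it and carry on.
      try {
        add_hook(name);
      } catch (err) {
        console.log(`skip ${name}: ${err}`);
      }
    },
    onComplete: function () {},
  });
});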