WeChat Computer-side Multi-Open Analysis + Source Code

Keywords: github Mobile shell

0x00 Preface

I don't know whether you have more than one WeChat account; I have two or three.

These days the PC client of WeChat gets a lot of use, mainly for transferring large files or moving files between phone and computer. Apart from not being able to grab red envelopes or browse Moments, the PC client seems to have no other problems.

Oh, there is one more problem: you can only open one WeChat client. One. Just one.

Leaving all that aside, today's topic is how to open multiple WeChat clients on the computer!

0x01 analysis

Anyone who has looked into single-instance applications knows how they are usually implemented.

Simply put, most of them check whether a Mutex, Event, file or similar object already exists; if it does, the newly started process exits (the object's existence means another instance is already running). That is the whole single-instance mechanism.

So we only need to find out which flag WeChat uses for its single-instance check, and then remove that flag.

Then... with this idea in mind, out come the tools.

Use procexp (Process Explorer) to find the WeChat process and look through its handles.

Two handles look suspicious:

\Sessions\1\BaseNamedObjects\_WeChat_App_Instance_Identity_Mutex_Name
\Sessions\1\BaseNamedObjects\WeChat_GlobalConfig_Multi_Process_Mutex

It could be either of them; no matter, open PCHunter, close the handle and try.

After a few attempts it turns out that _WeChat_App_Instance_Identity_Mutex_Name is the single-instance flag (once its handle is closed, a second client can be opened), while WeChat_GlobalConfig_Multi_Process_Mutex has no effect.

In that case, let's start coding.
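To confirm that finding without a kernel tool, the following PowerShell (an added example, not code from the original post or the project) checks from a separate process whether the mutant is currently present, and shows the same create-and-test logic a single-instance application runs at startup. It assumes the mutex name found above; a bare name in .NET resolves under the session-local BaseNamedObjects directory, which matches the handle path shown above. A mutant is destroyed by the kernel when its last handle is closed, so after the handle is closed as described the check reports the flag as absent.

```powershell
# Added example: verify WeChat's single-instance flag from the outside.
# Assumption: the mutex name is the one found with Process Explorer above.
$MutexName = '_WeChat_App_Instance_Identity_Mutex_Name'

function Test-NamedMutexExists {
    # Returns $true if some process still holds a handle to the named mutant.
    param([Parameter(Mandatory)][string]$Name)
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false   # object does not exist: no handle to it is open anywhere
    } catch [System.UnauthorizedAccessException] {
        return $true    # object exists, but its DACL denies us SYNCHRONIZE|MODIFY
    }
}

function Test-SingleInstanceStartup {
    # The check a single-instance app performs when it starts: create the mutex
    # and inspect $createdNew. $false means the object already existed, i.e. another
    # instance is running, and the app would exit. The handle is released at once.
    param([Parameter(Mandatory)][string]$Name)
    $createdNew = $false
    $m = New-Object System.Threading.Mutex($false, $Name, [ref]$createdNew)
    try { return $createdNew } finally { $m.Dispose() }
}

if (Test-NamedMutexExists -Name $MutexName) {
    "flag present: a running WeChat holds $MutexName, a second launch would exit"
} else {
    "flag absent: no open handle to $MutexName (e.g. after it was closed as above)"
}
"a fresh instance starting now would see createdNew = $(Test-SingleInstanceStartup -Name $MutexName)"
```

Run it before and after closing the handle in PCHunter to see the result flip from present to absent.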

0x02 code

Possible options:

  1. Find the code location in WeChat that checks the flag and patch it out directly, or patch the whole DLL. A rough look shows the code lives in WeChatWin.dll, which is packed with a VMProtect shell, so we won't bother with this.
  2. Close the handle of this Mutex directly from code (the same thing PCHunter does), after which a second instance can be opened. Clearly the better option.
  3. Actually, if you don't mind the manual step, closing the handle once with PCHunter before each launch works too, and you don't need to read any further.

Here we pick the second option and start coding.

Procedure:
1. Enumerate handles and find the Mutant named _WeChat_App_Instance_Identity_Mutex_Name
2. Duplicate the handle into this process, then close it (closing the source)
3. Start WeChat

The following is the main code:

//Step 1 and 2 code
//Get the PIDs of all WeChat processes
DWORD Num = GetProcIds(L"WeChat.exe", Pids);
...

//Enumerate every handle in the system (pbuffer must be large enough; grow it and
//retry when STATUS_INFO_LENGTH_MISMATCH is returned)
Status = ZwQuerySystemInformation(SystemHandleInformation, pbuffer, 0x1000, &dwSize);

PSYSTEM_HANDLE_INFORMATION1 pHandleInfo = (PSYSTEM_HANDLE_INFORMATION1)pbuffer;

    for(nIndex = 0; nIndex < pHandleInfo->NumberOfHandles; nIndex++)
    {
        //Only look at handles owned by one of the WeChat processes
        if(IsTargetPid(pHandleInfo->Handles[nIndex].UniqueProcessId, Pids, Num))
        {
            //Duplicate the handle into our own process so we can query it
            HANDLE hHandle = DuplicateHandleEx(pHandleInfo->Handles[nIndex].UniqueProcessId, 
                        (HANDLE)pHandleInfo->Handles[nIndex].HandleValue,
                        DUPLICATE_SAME_ACCESS
                        );
            if(!hHandle)
            {
                continue;
            }

            //Object name (szName receives an OBJECT_NAME_INFORMATION; Buffer is NULL for unnamed objects).
            //Note: querying the name of some handles, e.g. pipes with a pending read, can block.
            Status = NtQueryObject(hHandle, ObjectNameInformation, szName, 512, &dwFlags);
            PCWSTR Name = NT_SUCCESS(Status) ? ((POBJECT_NAME_INFORMATION)szName)->Name.Buffer : NULL;
            //Object type name (szType receives an OBJECT_TYPE_INFORMATION)
            Status = NtQueryObject(hHandle, ObjectTypeInformation, szType, 128, &dwFlags);
            PCWSTR TypName = NT_SUCCESS(Status) ? ((POBJECT_TYPE_INFORMATION)szType)->TypeName.Buffer : NULL;
            CloseHandle(hHandle);   //done with our query copy

            //Find WeChat's single-instance flag
            if (TypName && Name && 0 == wcscmp(TypName, L"Mutant"))
            {
                if (wcsstr(Name, L"_WeChat_App_Instance_Identity_Mutex_Name"))
                {
                    //DUPLICATE_CLOSE_SOURCE is the important part: it closes the handle inside
                    //the WeChat process, and the mutant is destroyed once its last handle is gone.
                    hHandle = DuplicateHandleEx(pHandleInfo->Handles[nIndex].UniqueProcessId, 
                        (HANDLE)pHandleInfo->Handles[nIndex].HandleValue,
                        DUPLICATE_CLOSE_SOURCE
                        );
                    if(hHandle)
                    {
                        printf("+ Patch wechat success!\n");
                        CloseHandle(hHandle);
                    }
                }
            }
        }

    }
}
//Step 3 code

//Find the WeChat installation directory from the registry
if(ERROR_SUCCESS != RegOpenKey(HKEY_CURRENT_USER, L"Software\\Tencent\\WeChat", &hKey))
{
    return;
}

DWORD Type = REG_SZ;
WCHAR Path[MAX_PATH] = {0};
//Leave room for a terminator: a REG_SZ value is not guaranteed to be NUL-terminated
DWORD cbData = (MAX_PATH - 1)*sizeof(WCHAR);
if(ERROR_SUCCESS != RegQueryValueEx(hKey, L"InstallPath", 0, &Type, (LPBYTE)Path, &cbData))
{
    goto __exit;
}

PathAppend(Path, L"WeChat.exe");

//Start the WeChat client; the new instance finds no mutant and runs alongside the first
ShellExecute(NULL, L"Open", Path, NULL, NULL, SW_SHOW);

__exit:
RegCloseKey(hKey);

That is the code, with comments; no need to go on at length.

For the complete code, see the address below.

0x03 Summary

A small toy, offered for everyone's amusement.

Compiled executable file:

https://github.com/anhkgg/multi_wechat_pc/raw/master/WeChat%E5%A4%9A%E5%BC%80.exe

Source address:

https://github.com/anhkgg/multi_wechat_pc

The original blog:

https://anhkgg.github.io/wechat_multi_pc

For reprinting, please indicate the source: https://anhkgg.github.io/wechat_multi_pc

Posted by phpdev12 on Sun, 30 Jun 2019 15:31:08 -0700