前往小程序,Get更优阅读体验!
立即前往
首页
学习
活动
专区
工具
TVP
发布
社区首页 >专栏 >干货 | 电子取证之提取本地PC所有的微信信息, 包括微信ID和手机号脚本

干货 | 电子取证之提取本地PC所有的微信信息, 包括微信ID和手机号脚本

作者头像
HACK学习
发布2022-05-23 10:52:09
2.3K0
发布2022-05-23 10:52:09
举报
文章被收录于专栏:HACK学习

0X00 原理

原理就是,读取本地微信文件夹中的config目录下的AccInfo.dat文件

AccInfo.dat文件内容如下图

这个Dat文件中包含了

手机号,微信ID,微信号,昵称和城市,绑定邮箱等信息

0X01 Python脚本处理

自动化脚本

脚本代码来自:https://github.com/ecat-sec/wechat_info_collect

喜欢的可以去点个star关注

代码语言:javascript
复制
# -*- coding: utf-8 -*-
import win32api
import win32con
import getpass
import re
import os
import requests


provinces = '''
北京(BeiJing)

上海(ShangHai)

天津(TianJin)

重庆(ChongQing)

香港(XiangGang)

澳门(Aomen)

安徽(AnHui)

福建(FuJian)

广东(GuangDong)

广西(GuangXi)

贵州(GuiZhou)

甘肃(GanSu)

海南(HaiNan)

河北(HeBei)

河南(HeNan)

黑龙江(HeiLongJiang)

湖北(HuBei)

湖南(HuNan)

吉林(JiLin)

江苏(JiangSu)

江西(JiangXi)

辽宁(LiaoNing)

内蒙古(NeiMengGu)

宁夏(NingXia)

青海(QingHai)

陕西(ShanXi)

山西(ShanXi)

山东(ShanDong)

四川(SiChuan)

台湾(TaiWan)

西藏(XiZang)

新疆(XinJiang)

云南(YunNan)

浙江(ZheJiang)

'''
cities = '''
香港(XiangGang)

澳门(AoMen)

安庆(AnQing),亳州(BoZhou),蚌埠(BangBu),池州(ChiZhou),巢湖(ChaoHu),滁州(ChuZhou),阜阳(FuYang),合肥(HeFei),淮南(HuaiNan),淮北(HuaiBei),黄山(HuangShan),六安(LiuAn),马鞍山(MaAnShan),宿州(SuZhou),铜陵(TongLing),芜湖(WuHu),宣城(XuanCheng)

福州(FuZhou),龙岩(LongYan),南平(NanPing),宁德(NingDe),莆田(PuTian),泉州(QuanZhou),三明(SanXing),厦门(XiaMen),漳州(ZhangZhou)

潮州(ChaoZhou),东莞(DongGuan),佛山(FoShan),广州(GuangZhou),河源(HeYuan),惠州(HuiZhou),江门(JiangMen),揭阳(JieYang),梅州(MeiZhou),茂名(MaoMing),清远(QingYuan),深圳(ShenZhen),汕头(ShanTou),韶关(ShaoGuan),汕尾(ShanWei),云浮(YunFu),阳江(YangJiang),珠海(ZhuHai),中山(ZhongShan),肇庆(ZhaoQing),湛江(ZhanXiang)

北海(BeiHai),百色(BaiSe),崇左(ChongZuo),防城港(FangChengGang),桂林(GuiLi),贵港(GuiGang),贺州(HeZhou),河池(HeChi),柳州(LiuZhou),来宾(LaiBin),南宁(NanNing),钦州(QinZhou),梧州(WuZhou),玉林(YuLin)

安顺(AnShun),贵阳(GuiYang),六盘水(LiuPanShui),遵义(ZunYi)

白银(BaiYin),金昌(JinChang),嘉峪关(JiaYuGuan),酒泉(JiuQuan),兰州(LanZhou),庆阳(QingYang),天水(TianShui),武威(WuWei),张掖(ZhangYe)

海口(HaiKou),三亚(SanYa)

保定(BaoDing),承德(ChengDe),沧州(CangZhou),邯郸(HanDan),衡水(HengShui),廊坊(LangFang),秦皇岛(QinHuangDao),石家庄(ShiJiaZhuang),唐山(TangShan),邢台(XingTai),张家口(ZhangJiaKou)

安阳(AnYang),焦作(JiaoZuo),开封(KaiFeng),洛阳(LuoYang),鹤壁(HeBi),漯河(LuoHe),南阳(NanYang),平顶山(PingDingShan),濮阳(PuYang),三门峡(SanMenXia),商丘(SHangQiu),新乡(XinXiang),许昌(XuChang),信阳(XinYang),郑州(ZhengZhou),周口(ZhouKou),驻马店(ZhuMaDian)

大庆(DaQing),哈尔滨(HaErBin),鹤岗(HeGang),黑河(HeiHe),鸡西(JiXi),佳木斯(JiaMuSi),牡丹江(MuDanJiang),齐齐哈尔(QiQiHaEr),七台河(QiTaiHe),绥化(SuiHua),双鸭山(ShuangYaShan),伊春(YiChun)

鄂州(E'Zhou),黄石(HuangShi),黄冈(HuangGang),荆州(JingZhou),荆门(JingMen),十堰(ShiYan),武汉(WuHan),襄阳(XiangYang),孝感(XiaoGan),咸宁(XianNing),宜昌(YiChang)

长沙(ChangSha),常德(ChangDe),郴州(ChenZhou),衡阳(HengYang),怀化(HuaiHua),娄底(LouDi),邵阳(ShaoYang),湘潭(xiangTan),岳阳(YueYang),益阳(YiYang),永州(YongZhou),株洲(ZhuZhou),张家界(ZhangJiaJie)

白山(BaiShan),白城(BaiCheng),长春(ChangChun),吉林(JiLin),辽源(LiaoYuan),四平(SiPing),松原(SongYuan),通化(TongHua)

常州(ChangZhou),淮安(HuaiAn),连云港(LianYunGang),南京(NanJing),南通(NanTong),苏州(SuZhou),宿迁(SuQian),泰州(TaiZhou),无锡(WuXi),徐州(XuZhou),盐城(YanCheng),扬州(YangZhou),镇江(ZhenJiang)

抚州(FuZhou),赣州(GanZhou),景德镇(JingDeZhen),九江(JiuJiang),吉安(JiAn),南昌(NanChang),萍乡(PingXiang),上饶(ShangRao),新余(XinYu),鹰潭(YingTan),宜春(YiChun)

鞍山(AnShan),本溪(BenXi),朝阳(ChaoYang),大连(DaLian),丹东(DanDong),抚顺(FuShun),阜新(FuXin),葫芦岛(HuLuDao),锦州(JinZhou),辽阳(LiaoYang),盘锦(PanJin),沈阳(ShenYang),铁岭(TieLing),营口(YingKou)

包头(BaoTou),赤峰(ChiFeng),鄂尔多斯(E'ErDuoSi),呼和浩特(HuHeHaoTe),通辽(TongLiao),乌海(WuHai)

固原(GuYuan),吴忠(WuZhong),银川(YingChuan)

西宁(XiNing)

安康(AnKang),宝鸡(BaoJi),汉中(HanZhong),商洛(ShangLuo),铜川(TongChuan),渭南(WeiNan),西安(Xi'An),延安(YaNan),咸阳(XianYang),榆林(YuLin)

长治(ChangZhi),大同(DaTong),晋城(JinCheng),临汾(LinFen),朔州(ShuoZhou),太原(TaiYuan),忻州(XinZhou),阳泉(YangQuan),运城(YunCheng)

滨州(BinZhou),东营(DongYing),德州(DeZhou),菏泽(HeZe),济南(JiNan),济宁(JiNing),莱芜(LaiWu),临沂(LinYi),聊城(LiaoCheng),青岛(QingDao),日照(RiZhao),泰安(TaiAn),潍坊(WeiFang),威海(WeiHai),烟台(YanTai),淄博(ZiBo),枣庄(ZaoZhuang)

巴中(BaZhong),成都(ChengDu),德阳(DeYang),达州(DaZhou),广元(GuangYuan),广安(GuangAn),泸州(LuZhou),乐山(LeShan),绵阳(MianYang),眉山(MeiShan),内江(NeiJiang),南充(NanChong),攀枝花(PanZhiHua),遂宁(SuiNing),雅安(YaAn),宜宾(YiBin),自贡(ZiGong),资阳(Ziyang)

高雄(GaoXiong),基隆(JiLong),嘉义(JiaYi),台北(TaiBei),台中(TaiZhong),新竹(XinZhu)

拉萨(LaSa)

克拉玛依(KeLaMaYi),乌鲁木齐(WuLuMuQi)

保山(BaoShan),昆明(KunMing),玉溪(YuXi),昭通(ZhaoTong)

杭州(HangZhou),湖州(HuZhou),嘉兴(JiaXing),金华(JinHua),丽水(LiShui),宁波(NingBo),衢州(QuZhou),绍兴(ShaoXing),台州(TaiZhou),温州(WenZhou),舟山(ZhouShan)
'''

# 获取文件存储位置
reg_root = win32con.HKEY_USERS
reg_path = ""

key = win32api.RegOpenKey(reg_root, reg_path, 0)
for item in win32api.RegEnumKeyEx(key):
if len(item[0]) > 20 and "Classes" not in item[0]:
        sub_reg_path = item[0] + "\\SOFTWARE\\Tencent\\WeChat"
try:
            key = win32api.RegOpenKeyEx(reg_root, sub_reg_path, 0)
except Exception as e:
continue
try:
    value, key_type = win32api.RegQueryValueEx(key, 'FileSavePath')
except Exception as e:
    value, key_type = win32api.RegQueryValueEx(key, 'InstallPath')
    value = value + "\\locales\\WeChat Files\\"
# print(value)
# 文件保存路径
if value == "MyDocument:":
# print("The default location of the file has not been changed")
    username = getpass.getuser()
    file_path = "C:\\Users\\" + username + "\\Documents\\WeChat Files\\"
# print(file_path)
else:
    file_path = value

# 获取用户文件
try:
    file_list = os.listdir(file_path)
    file_list.remove("All Users")
    file_list.remove("Applet")
except:
    print("\nfailed to find the path by the script")
    print("Please enter the path of your [WeChat Files]")
    print("You can find the path in your WeChat's setting")
    print("It looks like [x:\\\\xxx\\xxx\\WeChat Files]")
    file_path = input("The path : ") + "\\"
    file_list = os.listdir(file_path)
    file_list.remove("All Users")
    file_list.remove("Applet")


# info 未处理的精确结果
def get_info(user_file_name):
with open(file_path+user_file_name+"\\config\\AccInfo.dat", mode="r", encoding="ISO-8859-1") as f:
# 处理raw数据
        raw_info = f.read()
        raw_info = raw_info[raw_info.find("wxid"):]
        info = ""
for char in raw_info:
if "\\" not in ascii(char):
                info = info + str(char)
else:
                info = info + "`"
    info = set(info.split("`"))

# 获取微信id
for misc in info:
if "wxid" in misc:
            wxid = misc
    print("The wxid : " + wxid)
    info.remove(wxid)

# 获取城市
    province = ""
    city = ""
for misc in info:
if misc.lower() in provinces.lower() and len(misc) >= 2:
            province = misc
if misc.lower() in cities.lower() and len(misc) >= 2:
            city = misc
if province != "":
        info.remove(province)
if city != "":
        info.remove(city)

# 获取微信号
# 微信号长度限制为6-20位, 且只能以字母开头
for misc in info:
if 6 < len(misc) < 20 and misc[0].isalpha() == True:
            wx = misc
    print("The wechat : " + wx)
    info.remove(wx)

# 获取手机号
for misc in info:
        p_numbers = r"0?(13|14|15|17|18|19)[0-9]{9}"
        p = re.compile(p_numbers)
        numbers = re.search(p, misc)
if numbers != None:
            number = numbers.group(0)
            info.remove(number)
break
    print("The phone : " + number)

# 获取疑似邮箱, 邮箱参考性极低
for misc in info:
if "@" in misc and len(misc) > 3:
            email = misc
break
else:
            email = "--"
    print("The email maybe is : " + email)
if email != "--":
        info.remove(email)

    print("The city : " + province + "--" + city)

# 获取使用过的小程序
if flag == "yes":
        applet_list = []
        applet_path = file_path + user_file_name
        sub_applet_list = os.listdir(applet_path)
if "Applet" in sub_applet_list:
            applet_path = file_path + user_file_name + "\\Applet"
            sub_applet_list = os.listdir(applet_path)
for applet_name in sub_applet_list:
if "wx" in applet_name:
                    applet_list.append(applet_name)

        applet_search_url = r"https://mp.weixin.qq.com/cgi-bin/operate_appmsg?sub=search_weapp"
        headers = {
"Host": "mp.weixin.qq.com",
"Connection": "close",
"Content-Length": "39",
"sec-ch-ua": "Not A;Brand",
"Content-Type": "application/x-www-form-urlencoded",
"charset": "UTF-8",
"X-Requested-With": "XMLHttpRequest",
"sec-ch-ua-mobile": "?0",
"sec-ch ua-platform": "Windows",
"Accept": "* / *",
"Origin": "https://mp.weixin.qq.com",
"Sec-Fetch-Site": "same-origin",
"Sec-Fetch-Mode": "cors",
"Sec-Fetch-Dest": "empty",
"Referer": "https://mp.weixin.qq.com/cgi-bin/appmsg?t=media/appmsg_edit_v2&action=edit&isNew=1&type=77&token=" + token + "&lang=zh_CN",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "zh - CN, zh",
"Cookie": cookie
        }

        applets = []
for key in applet_list:
            data = {
"key": key,
"token": token
            }

            req_json = requests.post(applet_search_url, headers=headers, data=data).json()
            applets.append(req_json["items"][0]["weapp"]["nickname"])
#print(req["items"][0]["weapp"]["nickname"])
        print("The applets : " + str(applets))


# 获取历史头像网址
    head_url = []
for misc in info:
if "http" in misc:
            head_url.insert(-1, misc)
if head_url != []:
        print("The history_head_img : " + str(head_url))
else:
        print("The history_head_img : --")
for url in head_url:
        info.remove(url)

# 杂项数据
    other_info = []
for misc in info:
if len(misc) > 30 or (len(misc) >= 2 and (misc.isdigit() == True or misc.isalpha()) == True):
            other_info.insert(-1, misc)
    print("The other info : " + str(other_info))
    print("\n" + "--------------------------------------------")

# 运行
flag = input("Do you want to collect all applets (yes/no): ")
if flag == "yes":
    cookie = input("Please enter your cookie: ")
    token = input("Please enter your token: ")
else:
pass
print("============================================")
for user_file_name in file_list:
#try:
    get_info(user_file_name)
#except:
#print("Something wrong")

print(" 1. The email is very unreliable, you can ignore it\n",
"2. There are only cities of the mainland\n",
"3. The information in [The other info] is some ciphertext and abbreviation for region\n",
"4. There is some interference information in [The other info]"
)

0X02 运行结果

运行前记得安装pywin32依赖:

代码语言:javascript
复制
pip install pywin32 -i http://pypi.douban.com/simple --trusted-host pypi.douban.com

运行结果:

0X03 思路拓展

1.其他语言改写脚本,C#,C++,Go,Java都可以,就是读取这个dat文件,然后正则匹配即可

2.如果在目标机器上,可以直接把这个dat文件下载回来,然后在本地读取取证即可

3.也可以看了对方微信文件夹路径后,代码中写死路径,再打包编译成exe,放到目标机器上运行输出到txt,再下载回来也是可以的

脚本来源:https://github.com/ecat-sec/wechat_info_collect

由HACK学习编辑整理,如需转载请注明来源HACK学习

本文参与 腾讯云自媒体同步曝光计划,分享自微信公众号。
原始发表:2022-05-13,如有侵权请联系 cloudcommunity@tencent.com 删除

本文分享自 HACK学习呀 微信公众号,前往查看

如有侵权,请联系 cloudcommunity@tencent.com 删除。

本文参与 腾讯云自媒体同步曝光计划  ,欢迎热爱写作的你一起参与!

评论
登录后参与评论
0 条评论
热度
最新
推荐阅读
相关产品与服务
文件存储
文件存储(Cloud File Storage,CFS)为您提供安全可靠、可扩展的共享文件存储服务。文件存储可与腾讯云服务器、容器服务、批量计算等服务搭配使用,为多个计算节点提供容量和性能可弹性扩展的高性能共享存储。腾讯云文件存储的管理界面简单、易使用,可实现对现有应用的无缝集成;按实际用量付费,为您节约成本,简化 IT 运维工作。
领券
问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档