Frida Hook微信撤回功能教学文档 (PC+Android)<\/h1>

一、准备工作<\/h2>

1. 环境准备<\/h3>
安装Frida和Python环境<\/li>
对于Android端：
需要一台具有root权限的手机或模拟器<\/li>
下载frida-server，使用adb push到手机端并运行<\/li> <\/ul> <\/li> <\/ul>
2. 工具下载<\/h3>
Frida GitHub仓库：https:\/\/github.com\/frida\/frida<\/li> <\/ul>
二、PC端微信Hook<\/h2>

1. 定位撤回功能代码<\/h3>
使用IDA打开WeChatWin.dll<\/code>(微信主要功能库)<\/li>
搜索字符串"revokeMsg"<\/li>
找到引用这些字符串的代码<\/li>
<\/ol>
2. Hook目标函数<\/h3>

对引用关键字符串的函数逐个尝试Hook<\/li>
手动触发撤回逻辑，判断是否Hook成功(控制台输出"hook success")<\/li>
经过定位，关键函数为sub_182313480<\/code><\/li>
<\/ol>
3. 分析关键函数<\/h3>

函数使用switch语句有三个分支(0x4, 0x21, 0x24)<\/li>
修改思路：将v9(对应寄存器rdi)的值改为这三个值以外的值(如0)<\/li>
<\/ul>
4. Hook实现代码<\/h3>
# 示例代码(需根据实际偏移地址调整)<\/span>
<\/span><\/span>import<\/span> frida
<\/span><\/span>import<\/span> sys
<\/span><\/span>
<\/span><\/span>session =<\/span> frida.<\/span>attach("WeChat.exe"<\/span>)
<\/span><\/span>
<\/span><\/span>script =<\/span> session.<\/span>create_script("""
<\/span><\/span><\/span>Interceptor.attach(ptr("0x18232BAAA"), {
<\/span><\/span><\/span>    onEnter: function(args) {
<\/span><\/span><\/span>        console.log("Hook成功");
<\/span><\/span><\/span>        this.context.rdi = ptr("0x0"); \/\/ 修改rdi寄存器值
<\/span><\/span><\/span>    }
<\/span><\/span><\/span>});
<\/span><\/span><\/span>"""<\/span>)
<\/span><\/span>
<\/span><\/span>script.<\/span>load()
<\/span><\/span>sys.<\/span>stdin.<\/span>read()
<\/span><\/span><\/code><\/pre>5. 效果<\/h3>

成功拦截微信撤回功能，消息不会被撤回<\/li>
<\/ul>
三、Android端微信Hook<\/h2>
1. 定位撤回功能代码<\/h3>

使用jadx打开微信APK<\/li>
搜索关键词"revokeMsg"<\/li>
找到RevokeMsgEvent<\/code>类<\/li>
通过交叉引用(X键)找到调用该类的代码(通常只有一处)<\/li>
<\/ol>
2. Hook目标方法<\/h3>
常见问题<\/strong>：直接使用jadx生成的Frida片段可能报"找不到类"错误<\/p>
正确方法<\/strong>：<\/p>

使用枚举获取classloader<\/li>
尝试获取目标类句柄<\/li>
Hook目标函数<\/li>
<\/ol>
3. Hook实现代码<\/h3>
Java<\/span>.perform<\/span>(function<\/span>() {
<\/span><\/span>    \/\/ 枚举所有classloader
<\/span><\/span><\/span><\/span>    Java<\/span>.enumerateClassLoaders<\/span>({
<\/span><\/span>        onMatch<\/span>:<\/span> function<\/span>(loader<\/span>) {
<\/span><\/span>            try<\/span> {
<\/span><\/span>                \/\/ 尝试加载目标类
<\/span><\/span><\/span><\/span>                var<\/span> RevokeMsgEvent<\/span> =<\/span> loader<\/span>.loadClass<\/span>("com.tencent.mm.sdk.platformtools.RevokeMsgEvent"<\/span>);
<\/span><\/span>                console<\/span>.log<\/span>("成功找到类"<\/span>);
<\/span><\/span>                
<\/span><\/span>                \/\/ Hook目标方法
<\/span><\/span><\/span><\/span>                var<\/span> method<\/span> =<\/span> RevokeMsgEvent<\/span>.getDeclaredMethod<\/span>("onEvent"<\/span>, [Java<\/span>.getClassName<\/span>('java.lang.String'<\/span>), Java<\/span>.getClassName<\/span>('long'<\/span>), Java<\/span>.getClassName<\/span>('p0'<\/span>), Java<\/span>.getClassName<\/span>('java.lang.String'<\/span>), Java<\/span>.getClassName<\/span>('java.lang.String'<\/span>), Java<\/span>.getClassName<\/span>('java.lang.String'<\/span>)]);
<\/span><\/span>                
<\/span><\/span>                method<\/span>.implementation<\/span> =<\/span> function<\/span>(str<\/span>, j16<\/span>, p0Var<\/span>, str2<\/span>, str3<\/span>, str4<\/span>) {
<\/span><\/span>                    console<\/span>.log<\/span>("拦截到撤回事件"<\/span>);
<\/span><\/span>                    \/\/ 注释掉原方法调用以阻止撤回
<\/span><\/span><\/span><\/span>                    \/\/ this.m(str, j16, p0Var, str2, str3, str4);
<\/span><\/span><\/span><\/span>                };
<\/span><\/span>            } catch<\/span>(e<\/span>) {
<\/span><\/span>                \/\/ console.log(e);
<\/span><\/span><\/span><\/span>            }
<\/span><\/span>        },
<\/span><\/span>        onComplete<\/span>:<\/span> function<\/span>() {}
<\/span><\/span>    });
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>4. 验证方法<\/h3>

运行Hook脚本<\/li>
手动发送消息并撤回<\/li>
观察控制台输出和消息是否被撤回<\/li>
<\/ol>
5. 效果<\/h3>

成功拦截Android微信撤回功能<\/li>
虽然服务器已发送撤回指令，但本地删除操作被拦截<\/li>
<\/ul>
四、技术原理<\/h2>


PC端原理<\/strong>：<\/p>

通过修改关键寄存器值(rdi)使switch语句跳转到无效分支<\/li>
绕过撤回函数的正常执行流程<\/li>
<\/ul>
<\/li>

Android端原理<\/strong>：<\/p>

拦截RevokeMsgEvent.onEvent<\/code>方法调用<\/li>
阻止执行实际的撤回操作<\/li>
<\/ul>
<\/li>
<\/ol>
五、注意事项<\/h2>

本方法仅修改本地数据，服务器已记录撤回操作<\/li>
微信版本更新可能导致偏移地址和类名变化，需重新分析<\/li>
使用root权限有安全风险，建议在测试环境中操作<\/li>
该方法仅供学习研究，请勿用于非法用途<\/li>
<\/ol>
六、进阶技巧<\/h2>


动态定位<\/strong>：<\/p>

使用Frida的Module.findExportByName<\/code>动态获取函数地址<\/li>
使用Memory.scan<\/code>搜索特征码定位关键函数<\/li>
<\/ul>
<\/li>

更稳定的Hook<\/strong>：<\/p>

使用Frida的Stalker<\/code>功能跟踪代码执行流程<\/li>
结合Xposed框架实现更稳定的Hook<\/li>
<\/ul>
<\/li>

多版本兼容<\/strong>：<\/p>

编写版本检测逻辑<\/li>
为不同微信版本准备不同的Hook点<\/li>
<\/ul>
<\/li>
<\/ol>