hitsword
/
wx-cli
mirror of https://github.com/jackwener/wx-cli.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

feat: add Linux support with cross-platform memory scanning 

- Add Linux memory scanner (`find_all_keys_linux.py`) using `/proc/<pid>/mem`,
  same approach as Windows/macOS — no GDB, no function offsets, no restart needed
- Extract Windows-specific code to `find_all_keys_windows.py`
- Make `find_all_keys.py` a platform dispatcher (Windows / Linux)
- Add `key_utils.py` for cross-platform path matching (`/` vs `\` in all_keys.json)
- Update `config.py` with Linux auto-detection of db_storage paths
- Update all consumers (decrypt_db, monitor, monitor_web, mcp_server) to use
  `get_key_info()` for platform-agnostic key lookup

Tested on remote Linux container: 15/15 DBs scanned, decrypted, and verified.
feat/daemon-cli
PeanutSplash 2026-03-06 15:52:06 +08:00 committed by ylytdeng
parent 5879b58239
commit f9c338b48d
12 changed files with 1197 additions and 762 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

84
README.md
View File

@ -1,6 +1,6 @@
# WeChat 4.0 Database Decryptor # WeChat 4.x Database Decryptor
微信 4.0 (Windows) 本地数据库解密工具。从运行中的微信进程内存提取加密密钥,解密所有 SQLCipher 4 加密数据库,并提供实时消息监听。 微信 4.0 (Windows、MacOS、Linux) 本地数据库解密工具。从运行中的微信进程内存提取加密密钥,解密所有 SQLCipher 4 加密数据库,并提供实时消息监听。
## 更新日志 ## 更新日志
@ -21,33 +21,46 @@
- **页面大小**: 4096 bytes, reserve = 80 (IV 16 + HMAC 64) - **页面大小**: 4096 bytes, reserve = 80 (IV 16 + HMAC 64)
- **每个数据库有独立的 salt 和 enc_key** - **每个数据库有独立的 salt 和 enc_key**
WCDB (微信的 SQLCipher 封装) 会在进程内存中缓存派生后的 raw key格式为 `x'<64hex_enc_key><32hex_salt>'`本工具通过扫描进程内存中的这种模式,匹配数据库文件的 salt并通过 HMAC 验证来提取正确的密钥 WCDB (微信的 SQLCipher 封装) 会在进程内存中缓存派生后的 raw key格式为 `x'<64hex_enc_key><32hex_salt>'`三个平台Windows / Linux / macOS均可通过扫描进程内存匹配此模式再通过 HMAC 校验 page 1 确认密钥正确性
## 使用方法 ## 使用方法
### 环境要求 ### 环境要求
- Windows 10/11
- Python 3.10+ - Python 3.10+
- 微信 4.0 (正在运行) - 微信 4.x
- 需要管理员权限 (读取进程内存) - `pip install pycryptodome`
Windows
- Windows 10/11
- 微信正在运行
- 需要管理员权限(读取进程内存)
Linux
- 64-bit Linux
- 需要 root 权限或 `CAP_SYS_PTRACE`(读取 `/proc/<pid>/mem`
- `db_dir` 默认类似 `~/Documents/xwechat_files/<wxid>/db_storage`
### 安装依赖 ### 安装依赖
```bash
pip install pycryptodome
```
### 快速开始 ### 快速开始
确保微信正在运行,以**管理员权限**执行: Windows
```bash ```bash
python main.py # 实时消息监听 (Web UI) python main.py
python main.py decrypt # 解密全部数据库到 decrypted/ python main.py decrypt
``` ```
程序会自动完成:配置检测 → 密钥提取 → 启动。首次运行会自动检测微信数据目录并生成 `config.json` Linux
```bash
python3 main.py decrypt
```
程序会自动完成:配置检测 → 内存扫描提取密钥 → 解密。首次运行会自动检测微信数据目录并生成 `config.json`。微信只要在运行中即可,无需重启或重新登录。
如果自动检测失败(例如微信安装在非默认位置),手动创建 `config.json` 如果自动检测失败(例如微信安装在非默认位置),手动创建 `config.json`
```json ```json
@ -59,7 +72,18 @@ python main.py decrypt # 解密全部数据库到 decrypted/
} }
``` ```
`db_dir` 路径可以在 微信设置 → 文件管理 中找到。 Linux 版 `config.json` 示例:
```json
{
"db_dir": "/home/yourname/Documents/xwechat_files/your_wxid/db_storage",
"keys_file": "all_keys.json",
"decrypted_dir": "decrypted",
"wechat_process": "wechat"
}
```
`db_dir` 路径Windows 可在微信设置 → 文件管理中找到Linux 默认在 `~/Documents/xwechat_files/<wxid>/db_storage`
### Web UI 说明 ### Web UI 说明
@ -130,36 +154,15 @@ python find_image_key.py
> **注意**: AES 密钥仅在微信查看图片时临时加载到内存中。如果扫描未找到密钥,请先在微信中查看几张图片,然后立即重新运行脚本。 > **注意**: AES 密钥仅在微信查看图片时临时加载到内存中。如果扫描未找到密钥,请先在微信中查看几张图片,然后立即重新运行脚本。
#### macOS 图片解密
macOS 上使用 C 版工具(通过 Mach VM API + CommonCrypto性能比 Python 高 100 倍):
**前置条件:**
- Xcode Command Line Tools: `xcode-select --install`
- 微信需要 ad-hoc 签名:`sudo codesign --force --deep --sign - /Applications/WeChat.app`
- 开发者模式:系统设置 → 隐私与安全 → 开发者模式 → 开启
```bash
# 编译
cc -O3 -o find_image_key find_image_key.c -framework Security
cc -O3 -o decrypt_images decrypt_images.c -framework Security
# 1. 持续扫描图片密钥(在微信中浏览图片,扫描器自动捕获密钥)
sudo ./find_image_key
# 2. 批量解密所有 V2 图片
./decrypt_images
```
`find_image_key` 会自动发现所有未解密的 V2 图片 pattern持续扫描微信进程内存。当用户在微信中浏览图片时捕获密钥保存到 `image_keys.json`。支持 `--deep` 模式进行逐字节深度扫描。
## 文件说明 ## 文件说明
| 文件 | 说明 | | 文件 | 说明 |
|------|------| |------|------|
| `main.py` | **一键启动入口** — 自动配置、提取密钥、启动服务 | | `main.py` | **一键启动入口** — 自动配置、提取密钥、启动服务 |
| `config.py` | 配置加载器(自动检测微信数据目录) | | `config.py` | 配置加载器(自动检测微信数据目录) |
| `find_all_keys.py` | 从微信进程内存提取所有数据库密钥 | | `find_all_keys.py` | 平台分发入口Windows / Linux |
| `find_all_keys_windows.py` | Windows 版内存扫描提 key |
| `find_all_keys_linux.py` | Linux 版内存扫描提 key |
| `decrypt_db.py` | 全量解密所有数据库 | | `decrypt_db.py` | 全量解密所有数据库 |
| `mcp_server.py` | MCP Server让 Claude AI 查询微信数据 | | `mcp_server.py` | MCP Server让 Claude AI 查询微信数据 |
| `monitor_web.py` | 实时消息监听 (Web UI + SSE + 图片预览) | | `monitor_web.py` | 实时消息监听 (Web UI + SSE + 图片预览) |
@ -169,8 +172,6 @@ sudo ./find_image_key
| `find_image_key_monitor.py` | 持续监控版密钥提取(推荐) | | `find_image_key_monitor.py` | 持续监控版密钥提取(推荐) |
| `latency_test.py` | 延迟测量诊断工具 | | `latency_test.py` | 延迟测量诊断工具 |
| `find_all_keys_macos.c` | macOS 版内存密钥扫描器 (C, Mach VM API) | | `find_all_keys_macos.c` | macOS 版内存密钥扫描器 (C, Mach VM API) |
| `find_image_key.c` | macOS 版图片密钥扫描器 (C, 持续监控模式) |
| `decrypt_images.c` | macOS 版批量图片解密器 (C, 多密钥支持) |
## 技术细节 ## 技术细节
@ -204,6 +205,7 @@ V2 文件结构: `[6B signature] [4B aes_size LE] [4B xor_size LE] [1B padding]`
## macOS 数据库密钥扫描 (WeChat 4.x) ## macOS 数据库密钥扫描 (WeChat 4.x)
macOS 版微信 4.x 使用 SQLCipher 4 加密本地数据库,密钥格式为 `x'<64hex_key><32hex_salt>'`。C 版扫描器通过 Mach VM API 扫描微信进程内存提取密钥。 macOS 版微信 4.x 使用 SQLCipher 4 加密本地数据库,密钥格式为 `x'<64hex_key><32hex_salt>'`。C 版扫描器通过 Mach VM API 扫描微信进程内存提取密钥。
### 前置条件 ### 前置条件

115
config.py
View File

@ -5,23 +5,54 @@
import glob import glob
import json import json
import os import os
import platform
import sys import sys
CONFIG_FILE = os.path.join(os.path.dirname(os.path.abspath(__file__)), "config.json") CONFIG_FILE = os.path.join(os.path.dirname(os.path.abspath(__file__)), "config.json")
_DEFAULT_TEMPLATE_DIR = r"D:\xwechat_files\your_wxid\db_storage" _SYSTEM = platform.system().lower()
_DEFAULT_TEMPLATE_DIR = (
os.path.expanduser("~/Documents/xwechat_files/your_wxid/db_storage")
if _SYSTEM == "linux"
else r"D:\xwechat_files\your_wxid\db_storage"
)
_DEFAULT = { _DEFAULT = {
"db_dir": _DEFAULT_TEMPLATE_DIR, "db_dir": _DEFAULT_TEMPLATE_DIR,
"keys_file": "all_keys.json", "keys_file": "all_keys.json",
"decrypted_dir": "decrypted", "decrypted_dir": "decrypted",
"decoded_image_dir": "decoded_images", "decoded_image_dir": "decoded_images",
"wechat_process": "Weixin.exe", "wechat_process": "wechat" if _SYSTEM == "linux" else "Weixin.exe",
} }
def auto_detect_db_dir(): def _choose_candidate(candidates):
"""从微信本地配置自动检测 db_storage 路径。 """在多个候选目录中选择一个。"""
if len(candidates) == 1:
return candidates[0]
if len(candidates) > 1:
if not sys.stdin.isatty():
return candidates[0]
print("[!] 检测到多个微信数据目录(请选择当前正在运行的微信账号):")
for i, c in enumerate(candidates, 1):
print(f" {i}. {c}")
print(" 0. 跳过,稍后手动配置")
try:
while True:
choice = input("请选择 [0-{}]: ".format(len(candidates))).strip()
if choice == "0":
return None
if choice.isdigit() and 1 <= int(choice) <= len(candidates):
return candidates[int(choice) - 1]
print(" 无效输入,请重新选择")
except (EOFError, KeyboardInterrupt):
print()
return None
return None
def _auto_detect_db_dir_windows():
"""从微信本地配置自动检测 Windows db_storage 路径。
读取 %APPDATA%\\Tencent\\xwechat\\config\\*.ini 读取 %APPDATA%\\Tencent\\xwechat\\config\\*.ini
找到数据存储根目录然后匹配 xwechat_files\\*\\db_storage 找到数据存储根目录然后匹配 xwechat_files\\*\\db_storage
@ -62,27 +93,55 @@ def auto_detect_db_dir():
seen.add(normalized) seen.add(normalized)
candidates.append(match) candidates.append(match)
if len(candidates) == 1: return _choose_candidate(candidates)
return candidates[0]
if len(candidates) > 1:
# 非交互环境MCP、无 stdin 管道等)直接取第一个 def _auto_detect_db_dir_linux():
if not sys.stdin.isatty(): """自动检测 Linux 微信 db_storage 路径。"""
return candidates[0] seen = set()
print("[!] 检测到多个微信数据目录(请选择当前正在运行的微信账号):") candidates = []
for i, c in enumerate(candidates, 1): search_roots = {
print(f" {i}. {c}") os.path.expanduser("~/Documents/xwechat_files"),
print(" 0. 跳过,稍后手动配置") }
if os.path.isdir("/home"):
for entry in os.listdir("/home"):
search_roots.add(os.path.join("/home", entry, "Documents", "xwechat_files"))
for root in search_roots:
if not os.path.isdir(root):
continue
pattern = os.path.join(root, "*", "db_storage")
for match in glob.glob(pattern):
normalized = os.path.normcase(os.path.normpath(match))
if os.path.isdir(match) and normalized not in seen:
seen.add(normalized)
candidates.append(match)
old_path = os.path.expanduser("~/.local/share/weixin/data/db_storage")
if os.path.isdir(old_path):
normalized = os.path.normcase(os.path.normpath(old_path))
if normalized not in seen:
candidates.append(old_path)
# Linux 优先使用最近活跃账号:按 message 目录 mtime 降序
def _mtime(path):
msg_dir = os.path.join(path, "message")
target = msg_dir if os.path.isdir(msg_dir) else path
try: try:
while True: return os.path.getmtime(target)
choice = input("请选择 [0-{}]: ".format(len(candidates))).strip() except OSError:
if choice == "0": return 0
return None
if choice.isdigit() and 1 <= int(choice) <= len(candidates): candidates.sort(key=_mtime, reverse=True)
return candidates[int(choice) - 1] return _choose_candidate(candidates)
print(" 无效输入,请重新选择")
except (EOFError, KeyboardInterrupt):
print() def auto_detect_db_dir():
return None if _SYSTEM == "windows":
return _auto_detect_db_dir_windows()
if _SYSTEM == "linux":
return _auto_detect_db_dir_linux()
return None return None
@ -95,6 +154,7 @@ def load_config():
except json.JSONDecodeError: except json.JSONDecodeError:
print(f"[!] {CONFIG_FILE} 格式损坏,将使用默认配置") print(f"[!] {CONFIG_FILE} 格式损坏,将使用默认配置")
cfg = {} cfg = {}
cfg = {**_DEFAULT, **cfg}
# db_dir 缺失或仍为模板值时,尝试自动检测 # db_dir 缺失或仍为模板值时,尝试自动检测
db_dir = cfg.get("db_dir", "") db_dir = cfg.get("db_dir", "")
@ -110,10 +170,13 @@ def load_config():
else: else:
if not os.path.exists(CONFIG_FILE): if not os.path.exists(CONFIG_FILE):
with open(CONFIG_FILE, "w") as f: with open(CONFIG_FILE, "w") as f:
json.dump(_DEFAULT, f, indent=4) json.dump(_DEFAULT, f, indent=4, ensure_ascii=False)
print(f"[!] 未能自动检测微信数据目录") print(f"[!] 未能自动检测微信数据目录")
print(f" 请手动编辑 {CONFIG_FILE} 中的 db_dir 字段") print(f" 请手动编辑 {CONFIG_FILE} 中的 db_dir 字段")
print(f" 路径可在 微信设置 → 文件管理 中找到") if _SYSTEM == "linux":
print(" Linux 默认路径类似: ~/Documents/xwechat_files/<wxid>/db_storage")
else:
print(f" 路径可在 微信设置 → 文件管理 中找到")
sys.exit(1) sys.exit(1)
# 将相对路径转为绝对路径 # 将相对路径转为绝对路径

12
decrypt_db.py
View File

@ -21,6 +21,7 @@ RESERVE_SZ = 80 # IV(16) + HMAC(64)
SQLITE_HDR = b'SQLite format 3\x00' SQLITE_HDR = b'SQLite format 3\x00'
from config import load_config from config import load_config
from key_utils import get_key_info, strip_key_metadata
_cfg = load_config() _cfg = load_config()
DB_DIR = _cfg["db_dir"] DB_DIR = _cfg["db_dir"]
OUT_DIR = _cfg["decrypted_dir"] OUT_DIR = _cfg["decrypted_dir"]
@ -118,7 +119,7 @@ def main():
with open(KEYS_FILE) as f: with open(KEYS_FILE) as f:
keys = json.load(f) keys = json.load(f)
keys.pop("_db_dir", None) keys = strip_key_metadata(keys)
print(f"\n加载 {len(keys)} 个数据库密钥") print(f"\n加载 {len(keys)} 个数据库密钥")
print(f"输出目录: {OUT_DIR}") print(f"输出目录: {OUT_DIR}")
os.makedirs(OUT_DIR, exist_ok=True) os.makedirs(OUT_DIR, exist_ok=True)
@ -129,7 +130,7 @@ def main():
for f in files: for f in files:
if f.endswith('.db') and not f.endswith('-wal') and not f.endswith('-shm'): if f.endswith('.db') and not f.endswith('-wal') and not f.endswith('-shm'):
path = os.path.join(root, f) path = os.path.join(root, f)
rel = os.path.relpath(path, DB_DIR).replace('\\', '/') rel = os.path.relpath(path, DB_DIR)
sz = os.path.getsize(path) sz = os.path.getsize(path)
db_files.append((rel, path, sz)) db_files.append((rel, path, sz))
@ -142,14 +143,13 @@ def main():
total_bytes = 0 total_bytes = 0
for rel, path, sz in db_files: for rel, path, sz in db_files:
# 统一用正斜杠查找key key_info = get_key_info(keys, rel)
rel_key = rel.replace('\\', '/') if not key_info:
if rel_key not in keys:
print(f"SKIP: {rel} (无密钥)") print(f"SKIP: {rel} (无密钥)")
failed += 1 failed += 1
continue continue
enc_key = bytes.fromhex(keys[rel_key]["enc_key"]) enc_key = bytes.fromhex(key_info["enc_key"])
out_path = os.path.join(OUT_DIR, rel) out_path = os.path.join(OUT_DIR, rel)
print(f"解密: {rel} ({sz/1024/1024:.1f}MB) ...", end=" ") print(f"解密: {rel} ({sz/1024/1024:.1f}MB) ...", end=" ")

278
find_all_keys.py
View File

@ -1,275 +1,29 @@
""" import platform
从微信进程内存中提取所有数据库的缓存raw key import sys
WCDB为每个DB缓存: x'<64hex_enc_key><32hex_salt>'
salt嵌在hex字符串中可以直接匹配DB文件的salt
"""
import ctypes
import ctypes.wintypes as wt
import struct, os, sys, hashlib, time, re, json
import hmac as hmac_mod
from Crypto.Cipher import AES
import functools def _load_impl():
print = functools.partial(print, flush=True) system = platform.system().lower()
if system == "windows":
import find_all_keys_windows as impl
return impl
if system == "linux":
import find_all_keys_linux as impl
return impl
raise RuntimeError(f"当前平台暂不支持通过 find_all_keys.py 提取密钥: {platform.system()}")
kernel32 = ctypes.windll.kernel32
MEM_COMMIT = 0x1000
READABLE = {0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80}
PAGE_SZ = 4096
KEY_SZ = 32
SALT_SZ = 16
from config import load_config
_cfg = load_config()
DB_DIR = _cfg["db_dir"]
OUT_FILE = _cfg["keys_file"]
class MBI(ctypes.Structure):
_fields_ = [
("BaseAddress", ctypes.c_uint64), ("AllocationBase", ctypes.c_uint64),
("AllocationProtect", wt.DWORD), ("_pad1", wt.DWORD),
("RegionSize", ctypes.c_uint64), ("State", wt.DWORD),
("Protect", wt.DWORD), ("Type", wt.DWORD), ("_pad2", wt.DWORD),
]
def get_pids(): def get_pids():
"""返回所有 Weixin.exe 进程的 (pid, mem_kb) 列表,按内存降序""" return _load_impl().get_pids()
import subprocess
r = subprocess.run(["tasklist","/FI","IMAGENAME eq Weixin.exe","/FO","CSV","/NH"],
capture_output=True, text=True)
pids = []
for line in r.stdout.strip().split('\n'):
if not line.strip(): continue
p = line.strip('"').split('","')
if len(p)>=5:
pid=int(p[1]); mem=int(p[4].replace(',','').replace(' K','').strip() or '0')
pids.append((pid, mem))
if not pids: raise RuntimeError("Weixin.exe 未运行")
pids.sort(key=lambda x: x[1], reverse=True)
for pid, mem in pids:
print(f"[+] Weixin.exe PID={pid} ({mem//1024}MB)")
return pids
def read_mem(h, addr, sz):
buf = ctypes.create_string_buffer(sz)
n = ctypes.c_size_t(0)
if kernel32.ReadProcessMemory(h, ctypes.c_uint64(addr), buf, sz, ctypes.byref(n)):
return buf.raw[:n.value]
return None
def enum_regions(h):
regs = []
addr = 0
mbi = MBI()
while addr < 0x7FFFFFFFFFFF:
if kernel32.VirtualQueryEx(h, ctypes.c_uint64(addr), ctypes.byref(mbi), ctypes.sizeof(mbi))==0: break
if mbi.State==MEM_COMMIT and mbi.Protect in READABLE and 0<mbi.RegionSize<500*1024*1024:
regs.append((mbi.BaseAddress, mbi.RegionSize))
nxt = mbi.BaseAddress + mbi.RegionSize
if nxt<=addr: break
addr = nxt
return regs
def verify_key_for_db(enc_key, db_page1):
"""验证enc_key是否能解密这个DB的page 1"""
salt = db_page1[:SALT_SZ]
iv = db_page1[PAGE_SZ - 80 : PAGE_SZ - 64]
encrypted = db_page1[SALT_SZ : PAGE_SZ - 80]
# HMAC验证 (最可靠)
mac_salt = bytes(b ^ 0x3a for b in salt)
mac_key = hashlib.pbkdf2_hmac("sha512", enc_key, mac_salt, 2, dklen=KEY_SZ)
hmac_data = db_page1[SALT_SZ : PAGE_SZ - 80 + 16]
stored_hmac = db_page1[PAGE_SZ - 64 : PAGE_SZ]
h = hmac_mod.new(mac_key, hmac_data, hashlib.sha512)
h.update(struct.pack('<I', 1))
return h.digest() == stored_hmac
def main(): def main():
print("=" * 60) return _load_impl().main()
print(" 提取所有微信数据库密钥")
print("=" * 60)
# 1. 收集所有DB文件及其salt
db_files = []
salt_to_dbs = {} # salt_hex -> [(rel_path, db_page1), ...]
for root, dirs, files in os.walk(DB_DIR):
for f in files:
if f.endswith('.db') and not f.endswith('-wal') and not f.endswith('-shm'):
path = os.path.join(root, f)
rel = os.path.relpath(path, DB_DIR).replace('\\', '/')
sz = os.path.getsize(path)
if sz < PAGE_SZ:
continue
with open(path, 'rb') as fh:
page1 = fh.read(PAGE_SZ)
salt = page1[:SALT_SZ].hex()
db_files.append((rel, path, sz, salt, page1))
if salt not in salt_to_dbs:
salt_to_dbs[salt] = []
salt_to_dbs[salt].append(rel)
print(f"\n找到 {len(db_files)} 个数据库, {len(salt_to_dbs)} 个不同的salt")
for salt_hex, dbs in sorted(salt_to_dbs.items(), key=lambda x: len(x[1]), reverse=True):
print(f" salt {salt_hex}: {', '.join(dbs)}")
# 2. 打开所有微信进程
pids = get_pids()
hex_re = re.compile(b"x'([0-9a-fA-F]{64,192})'")
key_map = {} # salt_hex -> enc_key_hex
remaining_salts = set(salt_to_dbs.keys())
all_hex_matches = 0
t0 = time.time()
for proc_idx, (pid, mem) in enumerate(pids):
h = kernel32.OpenProcess(0x0010 | 0x0400, False, pid)
if not h:
print(f"[WARN] 无法打开进程 PID={pid},跳过")
continue
try:
regions = enum_regions(h)
total_bytes = sum(s for _,s in regions)
total_mb = total_bytes/1024/1024
print(f"\n[*] 扫描 PID={pid} ({total_mb:.0f}MB, {len(regions)} 区域)")
scanned_bytes = 0
for reg_idx, (base, size) in enumerate(regions):
data = read_mem(h, base, size)
scanned_bytes += size
if not data: continue
for m in hex_re.finditer(data):
hex_str = m.group(1).decode()
addr = base + m.start()
all_hex_matches += 1
hex_len = len(hex_str)
if hex_len == 96:
enc_key_hex = hex_str[:64]
salt_hex = hex_str[64:]
if salt_hex in remaining_salts:
enc_key = bytes.fromhex(enc_key_hex)
for rel, path, sz, s, page1 in db_files:
if s == salt_hex:
if verify_key_for_db(enc_key, page1):
key_map[salt_hex] = enc_key_hex
remaining_salts.discard(salt_hex)
dbs = salt_to_dbs[salt_hex]
print(f"\n [FOUND] salt={salt_hex}")
print(f" enc_key={enc_key_hex}")
print(f" PID={pid} 地址: 0x{addr:016X}")
print(f" 数据库: {', '.join(dbs)}")
break
elif hex_len == 64:
if not remaining_salts:
continue
enc_key_hex = hex_str
enc_key = bytes.fromhex(enc_key_hex)
for rel, path, sz, salt_hex_db, page1 in db_files:
if salt_hex_db in remaining_salts:
if verify_key_for_db(enc_key, page1):
key_map[salt_hex_db] = enc_key_hex
remaining_salts.discard(salt_hex_db)
dbs = salt_to_dbs[salt_hex_db]
print(f"\n [FOUND] salt={salt_hex_db}")
print(f" enc_key={enc_key_hex}")
print(f" PID={pid} 地址: 0x{addr:016X}")
print(f" 数据库: {', '.join(dbs)}")
break
elif hex_len > 96 and hex_len % 2 == 0:
enc_key_hex = hex_str[:64]
salt_hex = hex_str[-32:]
if salt_hex in remaining_salts:
enc_key = bytes.fromhex(enc_key_hex)
for rel, path, sz, s, page1 in db_files:
if s == salt_hex:
if verify_key_for_db(enc_key, page1):
key_map[salt_hex] = enc_key_hex
remaining_salts.discard(salt_hex)
dbs = salt_to_dbs[salt_hex]
print(f"\n [FOUND] salt={salt_hex} (long hex {hex_len})")
print(f" enc_key={enc_key_hex}")
print(f" PID={pid} 地址: 0x{addr:016X}")
print(f" 数据库: {', '.join(dbs)}")
break
if (reg_idx + 1) % 200 == 0:
elapsed = time.time() - t0
progress = scanned_bytes / total_bytes * 100 if total_bytes else 100
print(f" [{progress:.1f}%] {len(key_map)}/{len(salt_to_dbs)} salts matched, "
f"{all_hex_matches} hex patterns, {elapsed:.1f}s")
finally:
kernel32.CloseHandle(h)
# 所有 salt 都找到了就提前退出
if not remaining_salts:
print(f"\n[+] 所有密钥已找到,跳过剩余进程")
break
elapsed = time.time() - t0
print(f"\n扫描完成: {elapsed:.1f}s, {len(pids)} 个进程, {all_hex_matches} hex模式")
# 4. 如果有未找到的salt用已找到的key做交叉验证
# (WCDB有时对同一passphrase的不同DB用同一enc_key如果salt相同)
missing_salts = set(salt_to_dbs.keys()) - set(key_map.keys())
if missing_salts and key_map:
print(f"\n还有 {len(missing_salts)} 个salt未匹配尝试交叉验证...")
for salt_hex in list(missing_salts):
for rel, path, sz, s, page1 in db_files:
if s == salt_hex:
for known_salt, known_key_hex in key_map.items():
enc_key = bytes.fromhex(known_key_hex)
if verify_key_for_db(enc_key, page1):
key_map[salt_hex] = known_key_hex
print(f" [CROSS] salt={salt_hex} 可用 key from salt={known_salt}")
missing_salts.discard(salt_hex)
break
# 5. 输出结果
print(f"\n{'='*60}")
print(f"结果: {len(key_map)}/{len(salt_to_dbs)} salts 找到密钥")
result = {}
for rel, path, sz, salt_hex, page1 in db_files:
if salt_hex in key_map:
result[rel] = {
"enc_key": key_map[salt_hex],
"salt": salt_hex,
"size_mb": round(sz/1024/1024, 1)
}
print(f" OK: {rel} ({sz/1024/1024:.1f}MB)")
else:
print(f" MISSING: {rel} (salt={salt_hex})")
if not result:
print(f"\n[!] 未提取到任何密钥,保留已有的 {OUT_FILE}(如存在)")
raise RuntimeError("未能从任何微信进程中提取到密钥")
# 写入密钥并记录对应的 db_dir防止切换账号后误复用
result["_db_dir"] = DB_DIR
with open(OUT_FILE, 'w') as f:
json.dump(result, f, indent=2)
print(f"\n密钥保存到: {OUT_FILE}")
missing = [rel for rel, path, sz, salt_hex, page1 in db_files if salt_hex not in key_map]
if missing:
print(f"\n未找到密钥的数据库:")
for rel in missing:
print(f" {rel}")
if __name__ == '__main__': if __name__ == "__main__":
try: try:
main() main()
except RuntimeError as e: except RuntimeError as exc:
print(f"\n[ERROR] {e}") print(f"\n[ERROR] {exc}")
sys.exit(1) sys.exit(1)

297
find_all_keys_linux.py 100644
View File

@ -0,0 +1,297 @@
"""
Linux 版微信数据库密钥提取
原理: Windows/macOS 相同 扫描微信进程内存查找
WCDB 缓存的 x'<64hex_enc_key><32hex_salt>' 模式
通过匹配数据库 salt + HMAC 校验确认密钥
读取方式: /proc/<pid>/maps + /proc/<pid>/mem
权限要求: root CAP_SYS_PTRACE
"""
import functools
import hashlib
import hmac as hmac_mod
import json
import os
import re
import struct
import sys
import time
print = functools.partial(print, flush=True)
PAGE_SZ = 4096
KEY_SZ = 32
SALT_SZ = 16
from config import load_config
_cfg = load_config()
DB_DIR = _cfg["db_dir"]
OUT_FILE = _cfg["keys_file"]
def _safe_readlink(path):
try:
return os.path.realpath(os.readlink(path))
except OSError:
return ""
def get_pids():
"""返回所有疑似微信主进程的 (pid, rss_kb) 列表,按内存降序。"""
pids = []
for pid_str in os.listdir("/proc"):
if not pid_str.isdigit():
continue
pid = int(pid_str)
try:
with open(f"/proc/{pid}/comm") as f:
comm = f.read().strip()
with open(f"/proc/{pid}/statm") as f:
rss_pages = int(f.read().split()[1])
rss_kb = rss_pages * 4
exe_name = os.path.basename(_safe_readlink(f"/proc/{pid}/exe")) or comm
haystack = " ".join((comm, exe_name)).lower()
if "wechat" not in haystack and "weixin" not in haystack:
continue
pids.append((pid, rss_kb))
except (PermissionError, FileNotFoundError, ProcessLookupError):
continue
if not pids:
raise RuntimeError("未检测到 Linux 微信进程")
pids.sort(key=lambda item: item[1], reverse=True)
for pid, rss_kb in pids:
exe_path = _safe_readlink(f"/proc/{pid}/exe")
print(f"[+] WeChat PID={pid} ({rss_kb // 1024}MB) {exe_path}")
return pids
def _get_readable_regions(pid):
"""解析 /proc/<pid>/maps返回可读内存区域列表。"""
regions = []
with open(f"/proc/{pid}/maps") as f:
for line in f:
parts = line.split()
if len(parts) < 2:
continue
if "r" not in parts[1]:
continue
start_s, end_s = parts[0].split("-")
start = int(start_s, 16)
size = int(end_s, 16) - start
if 0 < size < 500 * 1024 * 1024:
regions.append((start, size))
return regions
def _collect_db_files():
db_files = []
salt_to_dbs = {}
for root, dirs, files in os.walk(DB_DIR):
for name in files:
if not name.endswith(".db") or name.endswith("-wal") or name.endswith("-shm"):
continue
path = os.path.join(root, name)
size = os.path.getsize(path)
if size < PAGE_SZ:
continue
with open(path, "rb") as f:
page1 = f.read(PAGE_SZ)
rel = os.path.relpath(path, DB_DIR)
salt = page1[:SALT_SZ].hex()
db_files.append((rel, path, size, salt, page1))
salt_to_dbs.setdefault(salt, []).append(rel)
return db_files, salt_to_dbs
def _verify_enc_key(enc_key, db_page1):
salt = db_page1[:SALT_SZ]
mac_salt = bytes(b ^ 0x3A for b in salt)
mac_key = hashlib.pbkdf2_hmac("sha512", enc_key, mac_salt, 2, dklen=KEY_SZ)
hmac_data = db_page1[SALT_SZ: PAGE_SZ - 80 + 16]
stored_hmac = db_page1[PAGE_SZ - 64: PAGE_SZ]
hm = hmac_mod.new(mac_key, hmac_data, hashlib.sha512)
hm.update(struct.pack("<I", 1))
return hm.digest() == stored_hmac
def main():
print("=" * 60)
print(" 提取 Linux 微信数据库密钥(内存扫描)")
print("=" * 60)
# 1. 收集 DB 文件和 salt
db_files, salt_to_dbs = _collect_db_files()
if not db_files:
raise RuntimeError(f"{DB_DIR} 未找到可解密的 .db 文件")
print(f"\n找到 {len(db_files)} 个数据库, {len(salt_to_dbs)} 个不同的 salt")
for salt_hex, dbs in sorted(salt_to_dbs.items(), key=lambda x: len(x[1]), reverse=True):
print(f" salt {salt_hex}: {', '.join(dbs)}")
# 2. 找到微信进程
pids = get_pids()
hex_re = re.compile(rb"x'([0-9a-fA-F]{64,192})'")
key_map = {} # salt_hex -> enc_key_hex
remaining_salts = set(salt_to_dbs.keys())
all_hex_matches = 0
t0 = time.time()
for pid, rss_kb in pids:
try:
regions = _get_readable_regions(pid)
except PermissionError:
print(f"[WARN] 无法读取 /proc/{pid}/maps权限不足跳过")
continue
total_bytes = sum(s for _, s in regions)
total_mb = total_bytes / 1024 / 1024
print(f"\n[*] 扫描 PID={pid} ({total_mb:.0f}MB, {len(regions)} 区域)")
scanned_bytes = 0
try:
mem = open(f"/proc/{pid}/mem", "rb")
except PermissionError:
print(f"[WARN] 无法打开 /proc/{pid}/mem权限不足跳过")
continue
try:
for reg_idx, (base, size) in enumerate(regions):
try:
mem.seek(base)
data = mem.read(size)
except (OSError, ValueError):
continue
scanned_bytes += len(data)
for m in hex_re.finditer(data):
hex_str = m.group(1).decode()
addr = base + m.start()
all_hex_matches += 1
hex_len = len(hex_str)
if hex_len == 96:
enc_key_hex = hex_str[:64]
salt_hex = hex_str[64:]
if salt_hex in remaining_salts:
enc_key = bytes.fromhex(enc_key_hex)
for rel, path, sz, s, page1 in db_files:
if s == salt_hex and _verify_enc_key(enc_key, page1):
key_map[salt_hex] = enc_key_hex
remaining_salts.discard(salt_hex)
dbs = salt_to_dbs[salt_hex]
print(f"\n [FOUND] salt={salt_hex}")
print(f" enc_key={enc_key_hex}")
print(f" PID={pid} 地址: 0x{addr:016X}")
print(f" 数据库: {', '.join(dbs)}")
break
elif hex_len == 64:
if not remaining_salts:
continue
enc_key_hex = hex_str
enc_key = bytes.fromhex(enc_key_hex)
for rel, path, sz, salt_hex_db, page1 in db_files:
if salt_hex_db in remaining_salts and _verify_enc_key(enc_key, page1):
key_map[salt_hex_db] = enc_key_hex
remaining_salts.discard(salt_hex_db)
dbs = salt_to_dbs[salt_hex_db]
print(f"\n [FOUND] salt={salt_hex_db}")
print(f" enc_key={enc_key_hex}")
print(f" PID={pid} 地址: 0x{addr:016X}")
print(f" 数据库: {', '.join(dbs)}")
break
elif hex_len > 96 and hex_len % 2 == 0:
enc_key_hex = hex_str[:64]
salt_hex = hex_str[-32:]
if salt_hex in remaining_salts:
enc_key = bytes.fromhex(enc_key_hex)
for rel, path, sz, s, page1 in db_files:
if s == salt_hex and _verify_enc_key(enc_key, page1):
key_map[salt_hex] = enc_key_hex
remaining_salts.discard(salt_hex)
dbs = salt_to_dbs[salt_hex]
print(f"\n [FOUND] salt={salt_hex} (long hex {hex_len})")
print(f" enc_key={enc_key_hex}")
print(f" PID={pid} 地址: 0x{addr:016X}")
print(f" 数据库: {', '.join(dbs)}")
break
if (reg_idx + 1) % 200 == 0:
elapsed = time.time() - t0
progress = scanned_bytes / total_bytes * 100 if total_bytes else 100
print(
f" [{progress:.1f}%] {len(key_map)}/{len(salt_to_dbs)} salts matched, "
f"{all_hex_matches} hex patterns, {elapsed:.1f}s"
)
finally:
mem.close()
if not remaining_salts:
print(f"\n[+] 所有密钥已找到,跳过剩余进程")
break
elapsed = time.time() - t0
print(f"\n扫描完成: {elapsed:.1f}s, {len(pids)} 个进程, {all_hex_matches} hex 模式")
# 交叉验证:用已找到的 key 尝试未匹配的 salt
missing_salts = set(salt_to_dbs.keys()) - set(key_map.keys())
if missing_salts and key_map:
print(f"\n还有 {len(missing_salts)} 个 salt 未匹配,尝试交叉验证...")
for salt_hex in list(missing_salts):
for rel, path, sz, s, page1 in db_files:
if s == salt_hex:
for known_salt, known_key_hex in key_map.items():
enc_key = bytes.fromhex(known_key_hex)
if _verify_enc_key(enc_key, page1):
key_map[salt_hex] = known_key_hex
print(f" [CROSS] salt={salt_hex} 可用 key from salt={known_salt}")
missing_salts.discard(salt_hex)
break
# 输出结果
print(f"\n{'=' * 60}")
print(f"结果: {len(key_map)}/{len(salt_to_dbs)} salts 找到密钥")
result = {}
for rel, path, sz, salt_hex, page1 in db_files:
if salt_hex in key_map:
result[rel] = {
"enc_key": key_map[salt_hex],
"salt": salt_hex,
"size_mb": round(sz / 1024 / 1024, 1)
}
print(f" OK: {rel} ({sz / 1024 / 1024:.1f}MB)")
else:
print(f" MISSING: {rel} (salt={salt_hex})")
if not result:
print(f"\n[!] 未提取到任何密钥,保留已有的 {OUT_FILE}(如存在)")
raise RuntimeError("未能从任何微信进程中提取到密钥")
result["_db_dir"] = DB_DIR
result["_platform"] = "linux"
result["_key_source"] = "memory_scan"
with open(OUT_FILE, 'w', encoding='utf-8') as f:
json.dump(result, f, indent=2, ensure_ascii=False)
print(f"\n密钥保存到: {OUT_FILE}")
missing = [rel for rel, path, sz, salt_hex, page1 in db_files if salt_hex not in key_map]
if missing:
print(f"\n未找到密钥的数据库:")
for rel in missing:
print(f" {rel}")
if __name__ == "__main__":
try:
main()
except RuntimeError as exc:
print(f"\n[ERROR] {exc}")
sys.exit(1)

276
find_all_keys_windows.py 100644
View File

@ -0,0 +1,276 @@
"""
从微信进程内存中提取所有数据库的缓存raw key
WCDB为每个DB缓存: x'<64hex_enc_key><32hex_salt>'
salt嵌在hex字符串中可以直接匹配DB文件的salt
"""
import ctypes
import ctypes.wintypes as wt
import struct, os, sys, hashlib, time, re, json
import hmac as hmac_mod
from Crypto.Cipher import AES
import functools
print = functools.partial(print, flush=True)
kernel32 = ctypes.windll.kernel32
MEM_COMMIT = 0x1000
READABLE = {0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80}
PAGE_SZ = 4096
KEY_SZ = 32
SALT_SZ = 16
from config import load_config
_cfg = load_config()
DB_DIR = _cfg["db_dir"]
OUT_FILE = _cfg["keys_file"]
class MBI(ctypes.Structure):
_fields_ = [
("BaseAddress", ctypes.c_uint64), ("AllocationBase", ctypes.c_uint64),
("AllocationProtect", wt.DWORD), ("_pad1", wt.DWORD),
("RegionSize", ctypes.c_uint64), ("State", wt.DWORD),
("Protect", wt.DWORD), ("Type", wt.DWORD), ("_pad2", wt.DWORD),
]
def get_pids():
"""返回所有 Weixin.exe 进程的 (pid, mem_kb) 列表,按内存降序"""
import subprocess
r = subprocess.run(["tasklist", "/FI", "IMAGENAME eq Weixin.exe", "/FO", "CSV", "/NH"],
capture_output=True, text=True)
pids = []
for line in r.stdout.strip().split('\n'):
if not line.strip():
continue
p = line.strip('"').split('","')
if len(p) >= 5:
pid = int(p[1])
mem = int(p[4].replace(',', '').replace(' K', '').strip() or '0')
pids.append((pid, mem))
if not pids:
raise RuntimeError("Weixin.exe 未运行")
pids.sort(key=lambda x: x[1], reverse=True)
for pid, mem in pids:
print(f"[+] Weixin.exe PID={pid} ({mem // 1024}MB)")
return pids
def read_mem(h, addr, sz):
buf = ctypes.create_string_buffer(sz)
n = ctypes.c_size_t(0)
if kernel32.ReadProcessMemory(h, ctypes.c_uint64(addr), buf, sz, ctypes.byref(n)):
return buf.raw[:n.value]
return None
def enum_regions(h):
regs = []
addr = 0
mbi = MBI()
while addr < 0x7FFFFFFFFFFF:
if kernel32.VirtualQueryEx(h, ctypes.c_uint64(addr), ctypes.byref(mbi), ctypes.sizeof(mbi)) == 0:
break
if mbi.State == MEM_COMMIT and mbi.Protect in READABLE and 0 < mbi.RegionSize < 500 * 1024 * 1024:
regs.append((mbi.BaseAddress, mbi.RegionSize))
nxt = mbi.BaseAddress + mbi.RegionSize
if nxt <= addr:
break
addr = nxt
return regs
def verify_key_for_db(enc_key, db_page1):
"""验证enc_key是否能解密这个DB的page 1"""
salt = db_page1[:SALT_SZ]
# HMAC验证 (最可靠)
mac_salt = bytes(b ^ 0x3a for b in salt)
mac_key = hashlib.pbkdf2_hmac("sha512", enc_key, mac_salt, 2, dklen=KEY_SZ)
hmac_data = db_page1[SALT_SZ: PAGE_SZ - 80 + 16]
stored_hmac = db_page1[PAGE_SZ - 64: PAGE_SZ]
h = hmac_mod.new(mac_key, hmac_data, hashlib.sha512)
h.update(struct.pack('<I', 1))
return h.digest() == stored_hmac
def main():
print("=" * 60)
print(" 提取所有微信数据库密钥")
print("=" * 60)
# 1. 收集所有DB文件及其salt
db_files = []
salt_to_dbs = {}
for root, dirs, files in os.walk(DB_DIR):
for f in files:
if f.endswith('.db') and not f.endswith('-wal') and not f.endswith('-shm'):
path = os.path.join(root, f)
rel = os.path.relpath(path, DB_DIR)
sz = os.path.getsize(path)
if sz < PAGE_SZ:
continue
with open(path, 'rb') as fh:
page1 = fh.read(PAGE_SZ)
salt = page1[:SALT_SZ].hex()
db_files.append((rel, path, sz, salt, page1))
salt_to_dbs.setdefault(salt, []).append(rel)
print(f"\n找到 {len(db_files)} 个数据库, {len(salt_to_dbs)} 个不同的salt")
for salt_hex, dbs in sorted(salt_to_dbs.items(), key=lambda x: len(x[1]), reverse=True):
print(f" salt {salt_hex}: {', '.join(dbs)}")
# 2. 打开所有微信进程
pids = get_pids()
hex_re = re.compile(b"x'([0-9a-fA-F]{64,192})'")
key_map = {}
remaining_salts = set(salt_to_dbs.keys())
all_hex_matches = 0
t0 = time.time()
for pid, mem in pids:
h = kernel32.OpenProcess(0x0010 | 0x0400, False, pid)
if not h:
print(f"[WARN] 无法打开进程 PID={pid},跳过")
continue
try:
regions = enum_regions(h)
total_bytes = sum(s for _, s in regions)
total_mb = total_bytes / 1024 / 1024
print(f"\n[*] 扫描 PID={pid} ({total_mb:.0f}MB, {len(regions)} 区域)")
scanned_bytes = 0
for reg_idx, (base, size) in enumerate(regions):
data = read_mem(h, base, size)
scanned_bytes += size
if not data:
continue
for m in hex_re.finditer(data):
hex_str = m.group(1).decode()
addr = base + m.start()
all_hex_matches += 1
hex_len = len(hex_str)
if hex_len == 96:
enc_key_hex = hex_str[:64]
salt_hex = hex_str[64:]
if salt_hex in remaining_salts:
enc_key = bytes.fromhex(enc_key_hex)
for rel, path, sz, s, page1 in db_files:
if s == salt_hex and verify_key_for_db(enc_key, page1):
key_map[salt_hex] = enc_key_hex
remaining_salts.discard(salt_hex)
dbs = salt_to_dbs[salt_hex]
print(f"\n [FOUND] salt={salt_hex}")
print(f" enc_key={enc_key_hex}")
print(f" PID={pid} 地址: 0x{addr:016X}")
print(f" 数据库: {', '.join(dbs)}")
break
elif hex_len == 64:
if not remaining_salts:
continue
enc_key_hex = hex_str
enc_key = bytes.fromhex(enc_key_hex)
for rel, path, sz, salt_hex_db, page1 in db_files:
if salt_hex_db in remaining_salts and verify_key_for_db(enc_key, page1):
key_map[salt_hex_db] = enc_key_hex
remaining_salts.discard(salt_hex_db)
dbs = salt_to_dbs[salt_hex_db]
print(f"\n [FOUND] salt={salt_hex_db}")
print(f" enc_key={enc_key_hex}")
print(f" PID={pid} 地址: 0x{addr:016X}")
print(f" 数据库: {', '.join(dbs)}")
break
elif hex_len > 96 and hex_len % 2 == 0:
enc_key_hex = hex_str[:64]
salt_hex = hex_str[-32:]
if salt_hex in remaining_salts:
enc_key = bytes.fromhex(enc_key_hex)
for rel, path, sz, s, page1 in db_files:
if s == salt_hex and verify_key_for_db(enc_key, page1):
key_map[salt_hex] = enc_key_hex
remaining_salts.discard(salt_hex)
dbs = salt_to_dbs[salt_hex]
print(f"\n [FOUND] salt={salt_hex} (long hex {hex_len})")
print(f" enc_key={enc_key_hex}")
print(f" PID={pid} 地址: 0x{addr:016X}")
print(f" 数据库: {', '.join(dbs)}")
break
if (reg_idx + 1) % 200 == 0:
elapsed = time.time() - t0
progress = scanned_bytes / total_bytes * 100 if total_bytes else 100
print(
f" [{progress:.1f}%] {len(key_map)}/{len(salt_to_dbs)} salts matched, "
f"{all_hex_matches} hex patterns, {elapsed:.1f}s"
)
finally:
kernel32.CloseHandle(h)
if not remaining_salts:
print(f"\n[+] 所有密钥已找到,跳过剩余进程")
break
elapsed = time.time() - t0
print(f"\n扫描完成: {elapsed:.1f}s, {len(pids)} 个进程, {all_hex_matches} hex模式")
missing_salts = set(salt_to_dbs.keys()) - set(key_map.keys())
if missing_salts and key_map:
print(f"\n还有 {len(missing_salts)} 个salt未匹配尝试交叉验证...")
for salt_hex in list(missing_salts):
for rel, path, sz, s, page1 in db_files:
if s == salt_hex:
for known_salt, known_key_hex in key_map.items():
enc_key = bytes.fromhex(known_key_hex)
if verify_key_for_db(enc_key, page1):
key_map[salt_hex] = known_key_hex
print(f" [CROSS] salt={salt_hex} 可用 key from salt={known_salt}")
missing_salts.discard(salt_hex)
break
print(f"\n{'=' * 60}")
print(f"结果: {len(key_map)}/{len(salt_to_dbs)} salts 找到密钥")
result = {}
for rel, path, sz, salt_hex, page1 in db_files:
if salt_hex in key_map:
result[rel] = {
"enc_key": key_map[salt_hex],
"salt": salt_hex,
"size_mb": round(sz / 1024 / 1024, 1)
}
print(f" OK: {rel} ({sz / 1024 / 1024:.1f}MB)")
else:
print(f" MISSING: {rel} (salt={salt_hex})")
if not result:
print(f"\n[!] 未提取到任何密钥,保留已有的 {OUT_FILE}(如存在)")
raise RuntimeError("未能从任何微信进程中提取到密钥")
result["_db_dir"] = DB_DIR
with open(OUT_FILE, 'w') as f:
json.dump(result, f, indent=2)
print(f"\n密钥保存到: {OUT_FILE}")
missing = [rel for rel, path, sz, salt_hex, page1 in db_files if salt_hex not in key_map]
if missing:
print(f"\n未找到密钥的数据库:")
for rel in missing:
print(f" {rel}")
if __name__ == '__main__':
try:
main()
except RuntimeError as e:
print(f"\n[ERROR] {e}")
sys.exit(1)

29
key_utils.py 100644
View File

@ -0,0 +1,29 @@
import os
def strip_key_metadata(keys):
"""移除 all_keys.json 中以下划线开头的元数据字段。"""
return {k: v for k, v in keys.items() if not k.startswith("_")}
def key_path_variants(rel_path):
"""生成同一路径的多种分隔符表示,兼容 Windows/Linux JSON key。"""
normalized = rel_path.replace("\\", "/")
variants = []
for candidate in (
rel_path,
normalized,
normalized.replace("/", "\\"),
normalized.replace("/", os.sep),
):
if candidate not in variants:
variants.append(candidate)
return variants
def get_key_info(keys, rel_path):
"""按相对路径查找数据库密钥,自动兼容不同平台分隔符。"""
for candidate in key_path_variants(rel_path):
if candidate in keys and not candidate.startswith("_"):
return keys[candidate]
return None

7
main.py
View File

@ -11,6 +11,8 @@ import sys
import functools import functools
print = functools.partial(print, flush=True) print = functools.partial(print, flush=True)
from key_utils import strip_key_metadata
def check_wechat_running(): def check_wechat_running():
"""检查微信是否在运行,返回 True/False""" """检查微信是否在运行,返回 True/False"""
@ -37,6 +39,7 @@ def ensure_keys(keys_file, db_dir):
print(f" 旧: {saved_dir}") print(f" 旧: {saved_dir}")
print(f" 新: {db_dir}") print(f" 新: {db_dir}")
keys = {} keys = {}
keys = strip_key_metadata(keys)
if keys: if keys:
print(f"[+] 已有 {len(keys)} 个数据库密钥") print(f"[+] 已有 {len(keys)} 个数据库密钥")
return return
@ -60,7 +63,7 @@ def ensure_keys(keys_file, db_dir):
keys = json.load(f) keys = json.load(f)
except (json.JSONDecodeError, ValueError): except (json.JSONDecodeError, ValueError):
keys = {} keys = {}
if not keys: if not strip_key_metadata(keys):
print("[!] 未能提取到任何密钥") print("[!] 未能提取到任何密钥")
print(" 可能原因:选择了错误的微信数据目录,或微信需要重启") print(" 可能原因:选择了错误的微信数据目录,或微信需要重启")
print(" 请检查 config.json 中的 db_dir 是否与当前登录的微信账号匹配") print(" 请检查 config.json 中的 db_dir 是否与当前登录的微信账号匹配")
@ -79,7 +82,7 @@ def main():
# 2. 检查微信进程 # 2. 检查微信进程
if not check_wechat_running(): if not check_wechat_running():
print("[!] 未检测到微信进程 (Weixin.exe)") print(f"[!] 未检测到微信进程 ({cfg.get('wechat_process', 'WeChat')})")
print(" 请先启动微信并登录,然后重新运行") print(" 请先启动微信并登录,然后重新运行")
sys.exit(1) sys.exit(1)
print("[+] 微信进程运行中") print("[+] 微信进程运行中")

21
mcp_server.py
View File

@ -12,6 +12,7 @@ from Crypto.Cipher import AES
from mcp.server.fastmcp import FastMCP from mcp.server.fastmcp import FastMCP
import zstandard as zstd import zstandard as zstd
from decode_image import ImageResolver from decode_image import ImageResolver
from key_utils import get_key_info, key_path_variants, strip_key_metadata
# ============ 加密常量 ============ # ============ 加密常量 ============
PAGE_SZ = 4096 PAGE_SZ = 4096
@ -50,7 +51,7 @@ elif not os.path.isabs(DECODED_IMAGE_DIR):
DECODED_IMAGE_DIR = os.path.join(SCRIPT_DIR, DECODED_IMAGE_DIR) DECODED_IMAGE_DIR = os.path.join(SCRIPT_DIR, DECODED_IMAGE_DIR)
with open(KEYS_FILE) as f: with open(KEYS_FILE) as f:
ALL_KEYS = json.load(f) ALL_KEYS = strip_key_metadata(json.load(f))
# ============ 解密函数 ============ # ============ 解密函数 ============
@ -149,7 +150,7 @@ class DBCache:
tmp_path = info["path"] tmp_path = info["path"]
if not os.path.exists(tmp_path): if not os.path.exists(tmp_path):
continue continue
rel_path = rel_key.replace('/', os.sep) rel_path = rel_key.replace('\\', os.sep)
db_path = os.path.join(DB_DIR, rel_path) db_path = os.path.join(DB_DIR, rel_path)
wal_path = db_path + "-wal" wal_path = db_path + "-wal"
try: try:
@ -175,9 +176,10 @@ class DBCache:
pass pass
def get(self, rel_key): def get(self, rel_key):
if rel_key not in ALL_KEYS: key_info = get_key_info(ALL_KEYS, rel_key)
if not key_info:
return None return None
rel_path = rel_key.replace('/', os.sep) rel_path = rel_key.replace('\\', '/').replace('/', os.sep)
db_path = os.path.join(DB_DIR, rel_path) db_path = os.path.join(DB_DIR, rel_path)
wal_path = db_path + "-wal" wal_path = db_path + "-wal"
if not os.path.exists(db_path): if not os.path.exists(db_path):
@ -195,7 +197,7 @@ class DBCache:
return c_path return c_path
tmp_path = self._cache_path(rel_key) tmp_path = self._cache_path(rel_key)
enc_key = bytes.fromhex(ALL_KEYS[rel_key]["enc_key"]) enc_key = bytes.fromhex(key_info["enc_key"])
full_decrypt(db_path, tmp_path, enc_key) full_decrypt(db_path, tmp_path, enc_key)
if os.path.exists(wal_path): if os.path.exists(wal_path):
decrypt_wal(wal_path, tmp_path, enc_key) decrypt_wal(wal_path, tmp_path, enc_key)
@ -248,7 +250,7 @@ def get_contact_names():
pass pass
# 实时解密 # 实时解密
path = _cache.get("contact/contact.db") path = _cache.get("contact\\contact.db")
if path: if path:
try: try:
_contact_names, _contact_full = _load_contacts_from(path) _contact_names, _contact_full = _load_contacts_from(path)
@ -332,7 +334,8 @@ def _parse_message_content(content, local_type, is_group):
# 消息 DB 的 rel_keys排除 fts/resource/media/biz # 消息 DB 的 rel_keys排除 fts/resource/media/biz
MSG_DB_KEYS = sorted([ MSG_DB_KEYS = sorted([
k for k in ALL_KEYS k for k in ALL_KEYS
if k.startswith("message/message_") and k.endswith(".db") if any(v.startswith("message/") for v in key_path_variants(k))
and any(v.endswith(".db") for v in key_path_variants(k))
and "fts" not in k and "resource" not in k and "fts" not in k and "resource" not in k
]) ])
@ -379,7 +382,7 @@ def get_recent_sessions(limit: int = 20) -> str:
Args: Args:
limit: 返回的会话数量默认20 limit: 返回的会话数量默认20
""" """
path = _cache.get("session/session.db") path = _cache.get("session\\session.db")
if not path: if not path:
return "错误: 无法解密 session.db" return "错误: 无法解密 session.db"
@ -635,7 +638,7 @@ def get_new_messages() -> str:
"""获取自上次调用以来的新消息。首次调用返回最近的会话状态。""" """获取自上次调用以来的新消息。首次调用返回最近的会话状态。"""
global _last_check_state global _last_check_state
path = _cache.get("session/session.db") path = _cache.get("session\\session.db")
if not path: if not path:
return "错误: 无法解密 session.db" return "错误: 无法解密 session.db"

5
monitor.py
View File

@ -9,6 +9,7 @@ import hmac as hmac_mod
from datetime import datetime from datetime import datetime
from Crypto.Cipher import AES from Crypto.Cipher import AES
import zstandard as zstd import zstandard as zstd
from key_utils import get_key_info, strip_key_metadata
_zstd_dctx = zstd.ZstdDecompressor() _zstd_dctx = zstd.ZstdDecompressor()
@ -149,9 +150,9 @@ def main():
# 加载密钥 # 加载密钥
with open(KEYS_FILE) as f: with open(KEYS_FILE) as f:
keys = json.load(f) keys = strip_key_metadata(json.load(f))
session_key_info = keys.get("session/session.db") session_key_info = get_key_info(keys, os.path.join("session", "session.db"))
if not session_key_info: if not session_key_info:
print("[ERROR] 找不到session.db的密钥") print("[ERROR] 找不到session.db的密钥")
sys.exit(1) sys.exit(1)

41
monitor_web.py
View File

@ -17,6 +17,7 @@ import urllib.parse
import glob as glob_mod import glob as glob_mod
import zstandard as zstd import zstandard as zstd
from decode_image import extract_md5_from_packed_info, decrypt_dat_file, is_v2_format from decode_image import extract_md5_from_packed_info, decrypt_dat_file, is_v2_format
from key_utils import get_key_info, strip_key_metadata
_zstd_dctx = zstd.ZstdDecompressor() _zstd_dctx = zstd.ZstdDecompressor()
@ -62,7 +63,7 @@ def _build_emoji_lookup(keys_dict):
"""从 emoticon.db 构建 emoji md5 → URL 映射(直接解密,不走 cache""" """从 emoticon.db 构建 emoji md5 → URL 映射(直接解密,不走 cache"""
global _emoji_lookup, _emoji_keys_dict, _emoji_last_refresh global _emoji_lookup, _emoji_keys_dict, _emoji_last_refresh
_emoji_keys_dict = keys_dict _emoji_keys_dict = keys_dict
key_info = keys_dict.get("emoticon/emoticon.db") key_info = get_key_info(keys_dict, os.path.join("emoticon", "emoticon.db"))
if not key_info: if not key_info:
print("[emoji] 无 emoticon.db key跳过", flush=True) print("[emoji] 无 emoticon.db key跳过", flush=True)
return return
@ -254,13 +255,14 @@ class MonitorDBCache:
def get(self, rel_key): def get(self, rel_key):
"""返回解密后的临时文件路径mtime 变化时自动重新解密""" """返回解密后的临时文件路径mtime 变化时自动重新解密"""
if rel_key not in self.keys: key_info = get_key_info(self.keys, rel_key)
if not key_info:
return None return None
lock = self._get_lock(rel_key) lock = self._get_lock(rel_key)
with lock: with lock:
enc_key = bytes.fromhex(self.keys[rel_key]["enc_key"]) enc_key = bytes.fromhex(key_info["enc_key"])
rel_path = rel_key.replace('/', os.sep) rel_path = rel_key.replace('\\', '/').replace('/', os.sep)
db_path = os.path.join(DB_DIR, rel_path) db_path = os.path.join(DB_DIR, rel_path)
wal_path = db_path + "-wal" wal_path = db_path + "-wal"
@ -273,7 +275,7 @@ class MonitorDBCache:
except OSError: except OSError:
return None return None
out_name = rel_key.replace('/', '_') out_name = rel_key.replace('\\', '_').replace('/', '_')
out_path = os.path.join(self.tmp_dir, out_name) out_path = os.path.join(self.tmp_dir, out_name)
prev = self._state.get(rel_key) prev = self._state.get(rel_key)
@ -313,7 +315,7 @@ def build_username_db_map():
# 先获取每个 DB 的 mtime 用于排序 # 先获取每个 DB 的 mtime 用于排序
db_mtimes = {} db_mtimes = {}
for i in range(5): for i in range(5):
rel_key = f"message/message_{i}.db" rel_key = f"message\\message_{i}.db"
db_path = os.path.join(DB_DIR, "message", f"message_{i}.db") db_path = os.path.join(DB_DIR, "message", f"message_{i}.db")
try: try:
db_mtimes[rel_key] = os.path.getmtime(db_path) db_mtimes[rel_key] = os.path.getmtime(db_path)
@ -326,7 +328,7 @@ def build_username_db_map():
db_path = os.path.join(decrypted_msg_dir, f"message_{i}.db") db_path = os.path.join(decrypted_msg_dir, f"message_{i}.db")
if not os.path.exists(db_path): if not os.path.exists(db_path):
continue continue
rel_key = f"message/message_{i}.db" rel_key = f"message\\message_{i}.db"
try: try:
conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True) conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
for row in conn.execute("SELECT user_name FROM Name2Id").fetchall(): for row in conn.execute("SELECT user_name FROM Name2Id").fetchall():
@ -595,7 +597,7 @@ class SessionMonitor:
# local_id 不全局唯一,需要同时匹配 create_time # local_id 不全局唯一,需要同时匹配 create_time
file_md5 = None file_md5 = None
for _try in range(2): for _try in range(2):
res_path = self.db_cache.get("message/message_resource.db") res_path = self.db_cache.get("message\\message_resource.db")
if not res_path: if not res_path:
return None return None
try: try:
@ -620,7 +622,7 @@ class SessionMonitor:
except Exception as e: except Exception as e:
if 'malformed' in str(e) and _try == 0: if 'malformed' in str(e) and _try == 0:
print(f" [img] resource DB malformed, 强制刷新...", flush=True) print(f" [img] resource DB malformed, 强制刷新...", flush=True)
self.db_cache.invalidate("message/message_resource.db") self.db_cache.invalidate("message\\message_resource.db")
continue continue
print(f" [img] 查询 message_resource 失败: {e}", flush=True) print(f" [img] 查询 message_resource 失败: {e}", flush=True)
return None return None
@ -753,10 +755,11 @@ class SessionMonitor:
def _fresh_decrypt_query(self, db_key, table_name, prev_ts, curr_ts): def _fresh_decrypt_query(self, db_key, table_name, prev_ts, curr_ts):
"""独立解密 message DB 到临时文件并查询,避免共享缓存竞态""" """独立解密 message DB 到临时文件并查询,避免共享缓存竞态"""
if db_key not in self.db_cache.keys: key_info = get_key_info(self.db_cache.keys, db_key)
if not key_info:
return [] return []
enc_key = bytes.fromhex(self.db_cache.keys[db_key]["enc_key"]) enc_key = bytes.fromhex(key_info["enc_key"])
rel_path = db_key.replace('/', os.sep) rel_path = db_key.replace('\\', '/').replace('/', os.sep)
db_path = os.path.join(DB_DIR, rel_path) db_path = os.path.join(DB_DIR, rel_path)
wal_path = db_path + "-wal" wal_path = db_path + "-wal"
if not os.path.exists(db_path): if not os.path.exists(db_path):
@ -1875,9 +1878,13 @@ def main():
print("=" * 60, flush=True) print("=" * 60, flush=True)
with open(KEYS_FILE) as f: with open(KEYS_FILE) as f:
keys = json.load(f) keys = strip_key_metadata(json.load(f))
enc_key = bytes.fromhex(keys["session/session.db"]["enc_key"]) session_key_info = get_key_info(keys, os.path.join("session", "session.db"))
if not session_key_info:
print("[ERROR] 找不到 session.db 的密钥", flush=True)
sys.exit(1)
enc_key = bytes.fromhex(session_key_info["enc_key"])
session_db = os.path.join(DB_DIR, "session", "session.db") session_db = os.path.join(DB_DIR, "session", "session.db")
print("加载联系人...", flush=True) print("加载联系人...", flush=True)
@ -1910,10 +1917,10 @@ def main():
def _warmup(): def _warmup():
try: try:
t0 = time.perf_counter() t0 = time.perf_counter()
warmup_keys = ["message/message_resource.db"] warmup_keys = ["message\\message_resource.db"]
for i in range(5): for i in range(5):
k = f"message/message_{i}.db" k = f"message\\message_{i}.db"
if k in keys: if get_key_info(keys, k):
warmup_keys.append(k) warmup_keys.append(k)
for k in warmup_keys: for k in warmup_keys:
t1 = time.perf_counter() t1 = time.perf_counter()