#include "pch.h"
// 调用DLL接口时的参数
struct executeParams {
struct executeParams
DWORD ptrDb;
DWORD ptrSql;
// 接收DLL的返回数据,包括动态数组首地址和数组长度
struct executeResult {
struct executeResult
DWORD SQLResultData;
DWORD length;
// 保存ReadProcessMemory读出的结构体
struct SQLResultAddrStruct {
struct SQLResultAddrStruct
DWORD ColName;
DWORD l_ColName;
DWORD content;
......@@ -22,7 +25,8 @@ struct SQLResultAddrStruct {
// vector的数据结构
struct VectorStruct {
struct VectorStruct
#ifdef _DEBUG
DWORD v_head;
......@@ -32,31 +36,38 @@ struct VectorStruct {
// 保存SQL查询结构的基础结构
struct SQLResultStruct {
wchar_t* ColName;
wchar_t* content;
unsigned char* BlobContent;
struct SQLResultStruct
wchar_t *ColName;
wchar_t *content;
unsigned char *BlobContent;
int BlobLength;
// 查询结果是一个二维数组
vector<vector<SQLResultStruct>> SQLResult;
// 每次查询前清空前一次查询到的结果
void ClearResultArray() {
void ClearResultArray()
if (SQLResult.size() == 0)
for (unsigned int i = 0; i < SQLResult.size(); i++) {
for (unsigned j = 0; j < SQLResult[i].size(); j++) {
SQLResultStruct* sr = (SQLResultStruct*)&SQLResult[i][j];
if (sr->ColName) {
for (unsigned int i = 0; i < SQLResult.size(); i++)
for (unsigned j = 0; j < SQLResult[i].size(); j++)
SQLResultStruct *sr = (SQLResultStruct *)&SQLResult[i][j];
if (sr->ColName)
delete sr->ColName;
sr->ColName = NULL;
if (sr->content) {
if (sr->content)
delete sr->content;
sr->content = NULL;
if (sr->BlobContent) {
if (sr->BlobContent)
delete sr->BlobContent;
sr->BlobContent = NULL;
......@@ -67,33 +78,39 @@ void ClearResultArray() {
// 遍历查询结果,构造SAFEARRAY
SAFEARRAY* CreateSQLResultSafeArray() {
SAFEARRAY *CreateSQLResultSafeArray()
if (SQLResult.size() == 0 || SQLResult[0].size() == 0)
return NULL;
SAFEARRAYBOUND rgsaBound[2] = { {SQLResult.size() + 1,0},{SQLResult[0].size(),0}};
SAFEARRAY* psaValue = SafeArrayCreate(VT_VARIANT, 2, rgsaBound);
SAFEARRAYBOUND rgsaBound[2] = {{SQLResult.size() + 1, 0}, {SQLResult[0].size(), 0}};
SAFEARRAY *psaValue = SafeArrayCreate(VT_VARIANT, 2, rgsaBound);
long Index[2] = { 0,0 };
for (unsigned int i = 0; i < SQLResult.size(); i++) {
for (unsigned int j = 0; j < SQLResult[i].size(); j++) {
SQLResultStruct* ptrResult = (SQLResultStruct*)&SQLResult[i][j];
long Index[2] = {0, 0};
for (unsigned int i = 0; i < SQLResult.size(); i++)
for (unsigned int j = 0; j < SQLResult[i].size(); j++)
SQLResultStruct *ptrResult = (SQLResultStruct *)&SQLResult[i][j];
if (i == 0)
Index[0] = 0; Index[1] = j;
Index[0] = 0;
Index[1] = j;
hr = SafeArrayPutElement(psaValue, Index, &(_variant_t)ptrResult->ColName);
Index[0] = i + 1; Index[1] = j;
Index[0] = i + 1;
Index[1] = j;
if (ptrResult->content)
hr = SafeArrayPutElement(psaValue, Index, &(_variant_t)ptrResult->content);
else {
VARIANT varChunk;
BYTE* pByte = NULL;
BYTE *pByte = NULL;
SAFEARRAYBOUND rgsabound[1];
rgsabound[0].cElements = ptrResult->BlobLength;
rgsabound[0].lLbound = 0;
bsa = SafeArrayCreate(VT_UI1, 1, rgsabound);
SafeArrayAccessData(bsa, (void**)&pByte);
SafeArrayAccessData(bsa, (void **)&pByte);
memcpy(pByte, ptrResult->BlobContent, ptrResult->BlobLength);
varChunk.vt = VT_ARRAY | VT_UI1;
......@@ -106,29 +123,34 @@ SAFEARRAY* CreateSQLResultSafeArray() {
// 读出查询结果
VOID ReadSQLResultFromWeChatProcess(HANDLE hProcess,DWORD dwHandle) {
executeResult result = { 0 };
VOID ReadSQLResultFromWeChatProcess(HANDLE hProcess, DWORD dwHandle)
executeResult result = {0};
ReadProcessMemory(hProcess, (LPCVOID)dwHandle, &result, sizeof(executeResult), 0);
for (unsigned int i = 0; i < result.length; i++) {
VectorStruct v_temp = { 0 };
for (unsigned int i = 0; i < result.length; i++)
VectorStruct v_temp = {0};
vector<SQLResultStruct> s_temp;
ReadProcessMemory(hProcess, (LPCVOID)result.SQLResultData, &v_temp, sizeof(VectorStruct), 0);
while (v_temp.v_data < v_temp.v_end1) {
SQLResultAddrStruct sqlresultAddr = { 0 };
SQLResultStruct sqlresult = { 0 };
while (v_temp.v_data < v_temp.v_end1)
SQLResultAddrStruct sqlresultAddr = {0};
SQLResultStruct sqlresult = {0};
ReadProcessMemory(hProcess, (LPCVOID)v_temp.v_data, &sqlresultAddr, sizeof(SQLResultAddrStruct), 0);
char* ColName = new char[sqlresultAddr.l_ColName + 1];
char *ColName = new char[sqlresultAddr.l_ColName + 1];
sqlresult.ColName = new wchar_t[sqlresultAddr.l_ColName + 1];
ReadProcessMemory(hProcess, (LPCVOID)sqlresultAddr.ColName, ColName, sqlresultAddr.l_ColName + 1, 0);
MultiByteToWideChar(CP_ACP,0,ColName,-1,sqlresult.ColName,strlen(ColName) + 1);
char* content = new char[sqlresultAddr.l_content + 1];
if (!sqlresultAddr.isblob) {
MultiByteToWideChar(CP_ACP, 0, ColName, -1, sqlresult.ColName, strlen(ColName) + 1);
char *content = new char[sqlresultAddr.l_content + 1];
if (!sqlresultAddr.isblob)
sqlresult.content = new wchar_t[sqlresultAddr.l_content + 1];
ReadProcessMemory(hProcess, (LPCVOID)sqlresultAddr.content, content, sqlresultAddr.l_content + 1, 0);
MultiByteToWideChar(CP_UTF8, 0, content, -1, sqlresult.content, strlen(content) + 1);
sqlresult.BlobContent = NULL;
else {
sqlresult.BlobContent = new unsigned char[sqlresultAddr.l_content];
ReadProcessMemory(hProcess, (LPCVOID)sqlresultAddr.content, sqlresult.BlobContent, sqlresultAddr.l_content, 0);
sqlresult.BlobLength = sqlresultAddr.l_content;
......@@ -146,24 +168,26 @@ VOID ReadSQLResultFromWeChatProcess(HANDLE hProcess,DWORD dwHandle) {
SAFEARRAY* ExecuteSQL(DWORD pid,DWORD DbHandle,BSTR sql) {
SAFEARRAY *ExecuteSQL(DWORD pid, DWORD DbHandle, BSTR sql)
WeChatProcess hp(pid);
if (!hp.m_init) return NULL;
if (!hp.m_init)
return NULL;
// DWORD ExecuteSQLRemoteAddr = hp.GetProcAddr(ExecuteSQLRemote);
DWORD ExecuteSQLRemoteAddr = hp.GetProcAddr(SelectDataRemote);
if (ExecuteSQLRemoteAddr == 0)
return NULL;
char* a_sql = _com_util::ConvertBSTRToString(sql);
WeChatData<char*> r_sql(hp.GetHandle(), a_sql, TEXTLENGTHA(a_sql));
executeParams params = { 0 };
string s_sql = unicode_to_utf8(sql);
WeChatData<char *> r_sql(hp.GetHandle(), (char *)s_sql.c_str(), s_sql.size());
executeParams params = {0};
params.ptrDb = DbHandle;
params.ptrSql = (DWORD)r_sql.GetAddr();
WeChatData<executeParams*> r_params(hp.GetHandle(), &params, sizeof(params));
WeChatData<executeParams *> r_params(hp.GetHandle(), &params, sizeof(params));
if (r_sql.GetAddr() == 0 || r_params.GetAddr() == 0)
return NULL;
DWORD ret = CallRemoteFunction(hp.GetHandle(), ExecuteSQLRemoteAddr, r_params.GetAddr());
SAFEARRAY* psaValue = CreateSQLResultSafeArray();
ReadSQLResultFromWeChatProcess(hp.GetHandle(), ret);
SAFEARRAY *psaValue = CreateSQLResultSafeArray();
return psaValue;
......@@ -11,6 +11,18 @@ map<DWORD, short> ServiceCount;
// 当使用预编译的头时,需要使用此源文件,编译才能成功。
string unicode_to_utf8(wchar_t *wstr)
int c_size = WideCharToMultiByte(CP_UTF8, 0, wstr, -1, NULL, 0, NULL, false);
char *buffer = new char[c_size + 1];
WideCharToMultiByte(CP_UTF8, 0, wstr, -1, buffer, c_size, NULL, false);
buffer[c_size] = '\0';
string str(buffer);
delete[] buffer;
buffer = NULL;
return str;
BOOL isFileExists_stat(string &name)
struct stat buffer;
......@@ -43,12 +43,13 @@ using namespace std;
BOOL isFileExists_stat(string& name);
BOOL isFileExists_stat(string &name);
DWORD GetWeChatRobotBase(DWORD pid);
DWORD GetWeChatWinBase(DWORD pid);
DWORD GetWeChatPid();
DWORD StartRobotService(DWORD pid);
DWORD StopRobotService(DWORD pid);
string unicode_to_utf8(wchar_t *wstr);
BOOL CreateConsole();
wstring GetComWorkPath();
......@@ -57,5 +58,5 @@ tstring GetWeChatInstallDir();
DWORD GetWeChatVerInt();
tstring GetWeChatVerStr();
DWORD StartWeChat();
BOOL CloseProcessHandle(DWORD pid, wchar_t* handlename);
BOOL CloseProcessHandle(DWORD pid, wchar_t *handlename);
DWORD GetRemoteProcAddr(DWORD pid, LPWSTR modulename, LPSTR procname);
