improvement(media): 优化媒体密钥提取与解密体验

- 微信进程 AES 密钥提取：支持多 PID/更多进程名，尝试启用 SeDebugPrivilege，并扩展扫描范围与可读页过滤提升成功率 - AES key 内存匹配支持 16/32 位候选，校验覆盖 JPEG/PNG/GIF/WEBP/MP4 等常见资源头 - 解密页新增 XOR/AES 密钥一键复制与反馈提示，并补充管理员运行提示 - README 更新徽章与界面预览表格，新增/更新截图资源
2026-02-02 22:10:50 +08:00 · 2025-12-22 17:05:32 +08:00
parent 6c04aee6ea
commit a4d652230f
9 changed files with 323 additions and 108 deletions
--- a/README.md
+++ b/README.md
@@ -1,44 +1,56 @@
+<p align="center">
+    <img src="frontend/public/logo.png" alt="微信数据库解密工具" width="200" />
+</p>
+
 <div align="center">
-  <img src="frontend/public/logo.png" alt="微信数据库解密工具" width="200">
+    <h1>WeChatDataAnalysis - 微信数据库解密与分析工具</h1>
+    <p>一个专门用于微信4.x版本数据库解密的工具</p>
+    <img src="https://img.shields.io/github/v/tag/LifeArchiveProject/WeChatDataAnalysis" alt="Version" />
+    <img src="https://img.shields.io/github/stars/LifeArchiveProject/WeChatDataAnalysis" alt="Stars" />
+    <img src="https://img.shields.io/github/forks/LifeArchiveProject/WeChatDataAnalysis" alt="Forks" />
+    <img src="https://img.shields.io/github/license/LifeArchiveProject/WeChatDataAnalysis" alt="License" />
+    <img src="https://img.shields.io/badge/Python-3776AB?logo=Python&logoColor=white" alt="Python" />
+    <img src="https://img.shields.io/badge/FastAPI-009688?logo=FastAPI&logoColor=white" alt="FastAPI" />
+    <img src="https://img.shields.io/badge/Vue.js-4FC08D?logo=Vue.js&logoColor=white" alt="Vue.js" />
+    <img src="https://img.shields.io/badge/SQLite-003B57?logo=SQLite&logoColor=white" alt="SQLite" />
 </div>

-# 微信数据库解密工具
-
-一个专门用于微信4.x版本数据库解密的工具
-
 ## 界面预览

-### 检测页面
+<table>
+  <tr>
+    <td align="center"><b>首页</b></td>
+    <td align="center"><b>检测页面</b></td>
+  </tr>
+  <tr>
+    <td><img src="frontend/public/home.png" alt="首页" width="400"/></td>
+    <td><img src="frontend/public/detection.png" alt="微信检测页面" width="400"/></td>
+  </tr>
+  <tr>
+    <td align="center"><b>解密页面</b></td>
+    <td align="center"><b>图片密钥页面</b></td>
+  </tr>
+  <tr>
+    <td><img src="frontend/public/decrypt.png" alt="数据库解密页面" width="400"/></td>
+    <td><img src="frontend/public/imageAES.png" alt="图片密钥页面" width="400"/></td>
+  </tr>
+  <tr>
+    <td align="center"><b>图片解密页面</b></td>
+    <td align="center"><b>解密成功页面</b></td>
+  </tr>
+  <tr>
+    <td><img src="frontend/public/imageSucces.png" alt="图片解密页面" width="400"/></td>
+    <td><img src="frontend/public/success.png" alt="解密成功页面" width="400"/></td>
+  </tr>
+  <tr>
+    <td align="center" colspan="2"><b>聊天记录页面</b></td>
+  </tr>
+  <tr>
+    <td colspan="2" align="center"><img src="frontend/public/message.png" alt="聊天记录页面" width="800"/></td>
+  </tr>
+</table>

-<div align="center">
-  <img src="frontend/public/detection.png" alt="微信检测页面" width="800">
-</div>
-
-自动检测微信安装路径和数据库文件位置，支持多账户识别。
-
-### 解密页面
-
-<div align="center">
-  <img src="frontend/public/decrypt.png" alt="数据库解密页面" width="800">
-</div>
-
-输入解密密钥，选择数据库文件进行批量解密操作。
-
-### 解密成功页面
-
-<div align="center">
-  <img src="frontend/public/success.png" alt="解密成功页面" width="800">
-</div>
-
-解密完成后显示统计信息，可直接跳转查看聊天记录。
-
-### 聊天记录页面
-
-<div align="center">
-  <img src="frontend/public/message.png" alt="聊天记录页面" width="800">
-</div>
-
-> **注意**: 聊天记录页面目前仅完成了基础展示功能，包括消息列表、文本/图片/语音等基本消息类型的显示。更多功能（如搜索、导出、高级筛选等）尚在开发中，当前界面不代表最终成品。
+> **Note**: 聊天记录页面目前仅完成了基础展示功能，更多功能（搜索、导出、高级筛选等）尚在开发中。

 ## 功能特性

@@ -164,7 +176,7 @@ uv run analyze_wechat_databases.py
 #### 1. 获取图片解密密钥

 ```bash
-# GET请求获取密钥（需要微信正在运行以提取AES密钥）
+# GET请求获取密钥（需要微信正在运行；部分版本需以管理员身份运行后端才能提取AES密钥）
 curl http://localhost:8000/api/media/keys

 # 强制重新提取密钥
--- a/frontend/pages/decrypt.vue
+++ b/frontend/pages/decrypt.vue
@@ -133,15 +133,27 @@
            <div class="bg-gray-50 rounded-lg p-4">
              <div class="flex justify-between items-center mb-2">
                <span class="text-sm font-medium text-[#000000e6]">XOR 密钥</span>
-                <span class="font-mono text-sm px-3 py-1 bg-white rounded border border-[#EDEDED]">
+                <button
+                  type="button"
+                  class="font-mono text-sm px-3 py-1 bg-white rounded border border-[#EDEDED] transition-colors"
+                  :class="mediaKeys.xor_key ? 'cursor-pointer hover:bg-gray-50' : 'cursor-not-allowed opacity-60'"
+                  :title="mediaKeys.xor_key ? '点击复制' : ''"
+                  @click="copyKey('XOR 密钥', mediaKeys.xor_key)"
+                >
                  {{ mediaKeys.xor_key || '未获取' }}
-                </span>
+                </button>
              </div>
              <div class="flex justify-between items-center">
                <span class="text-sm font-medium text-[#000000e6]">AES 密钥</span>
-                <span class="font-mono text-sm px-3 py-1 bg-white rounded border border-[#EDEDED]">
-                  {{ mediaKeys.aes_key ? mediaKeys.aes_key.substring(0, 8) + '...' : '未获取' }}
-                </span>
+                <button
+                  type="button"
+                  class="font-mono text-sm px-3 py-1 bg-white rounded border border-[#EDEDED] transition-colors"
+                  :class="mediaKeys.aes_key ? 'cursor-pointer hover:bg-gray-50' : 'cursor-not-allowed opacity-60'"
+                  :title="mediaKeys.aes_key ? '点击复制' : ''"
+                  @click="copyKey('AES 密钥', mediaKeys.aes_key)"
+                >
+                  {{ mediaKeys.aes_key || '未获取' }}
+                </button>
              </div>
            </div>

@@ -151,6 +163,13 @@
              </svg>
              {{ mediaKeys.message }}
            </div>
+
+            <div v-if="copyMessage" class="text-sm text-[#07C160] flex items-start">
+              <svg class="w-4 h-4 mr-2 mt-0.5 flex-shrink-0" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+              </svg>
+              {{ copyMessage }}
+            </div>
          </div>

          <!-- 操作按钮 -->
@@ -300,7 +319,7 @@
                <p class="mb-2">可能的失败原因：</p>
                <ul class="list-disc list-inside space-y-1">
                  <li><strong>解密后非有效图片</strong>：文件不是图片格式(如视频缩略图损坏)</li>
-                  <li><strong>V4-V2版本需要AES密钥</strong>：需要微信运行时才能提取AES密钥</li>
+                  <li><strong>V4-V2版本需要AES密钥</strong>：需要微信运行，且部分环境需以管理员身份运行后端才能提取</li>
                  <li><strong>未知加密版本</strong>：新版微信使用了不支持的加密方式</li>
                  <li><strong>文件为空</strong>：原始文件损坏或为空文件</li>
                </ul>
@@ -411,6 +430,8 @@ const mediaKeys = reactive({
  message: ''
 })
 const mediaLoading = ref(false)
+const copyMessage = ref('')
+let copyMessageTimer = null

 // 图片解密相关
 const mediaDecryptResult = ref(null)
@@ -527,6 +548,53 @@ const fetchMediaKeys = async (forceExtract = false) => {
  }
 }

+const _copyToClipboard = async (text) => {
+  if (!process.client || typeof window === 'undefined') return false
+  if (!text) return false
+
+  try {
+    if (navigator?.clipboard?.writeText) {
+      await navigator.clipboard.writeText(text)
+      return true
+    }
+  } catch (e) {
+    // Ignore and fallback below
+  }
+
+  try {
+    const textarea = document.createElement('textarea')
+    textarea.value = text
+    textarea.setAttribute('readonly', '')
+    textarea.style.position = 'fixed'
+    textarea.style.opacity = '0'
+    textarea.style.left = '-9999px'
+    textarea.style.top = '0'
+    document.body.appendChild(textarea)
+    textarea.select()
+    textarea.setSelectionRange(0, textarea.value.length)
+    const ok = document.execCommand('copy')
+    document.body.removeChild(textarea)
+    return ok
+  } catch (e) {
+    return false
+  }
+}
+
+const _setCopyMessage = (message) => {
+  copyMessage.value = message
+  if (copyMessageTimer) clearTimeout(copyMessageTimer)
+  copyMessageTimer = setTimeout(() => {
+    copyMessage.value = ''
+    copyMessageTimer = null
+  }, 2000)
+}
+
+const copyKey = async (label, value) => {
+  if (!value) return
+  const ok = await _copyToClipboard(value)
+  _setCopyMessage(ok ? `${label}已复制` : `${label}复制失败，请手动复制`)
+}
+
 // 批量解密所有图片（使用SSE实时进度）
 const decryptAllImages = async () => {
  mediaDecrypting.value = true
--- a/frontend/public/home.png
+++ b/frontend/public/home.png
--- a/frontend/public/imageAES.png
+++ b/frontend/public/imageAES.png
--- a/frontend/public/imageSucces.png
+++ b/frontend/public/imageSucces.png
--- a/frontend/public/message.png
+++ b/frontend/public/message.png
--- a/src/wechat_decrypt_tool/media_helpers.py
+++ b/src/wechat_decrypt_tool/media_helpers.py
@@ -13,6 +13,7 @@ from concurrent.futures import ThreadPoolExecutor
 from functools import lru_cache
 from pathlib import Path
 from typing import Any, Optional
+from ctypes import wintypes

 from fastapi import HTTPException

@@ -999,6 +1000,14 @@ def _verify_wechat_aes_key(ciphertext: bytes, key16: bytes) -> bool:
            return True
        if plain.startswith(b"\x89PNG\r\n\x1a\n"):
            return True
+        if plain.startswith(b"GIF87a") or plain.startswith(b"GIF89a"):
+            return True
+        if plain.startswith(b"wxgf"):
+            return True
+        if len(plain) >= 12 and plain.startswith(b"RIFF") and plain[8:12] == b"WEBP":
+            return True
+        if len(plain) >= 8 and plain[4:8] == b"ftyp":
+            return True
        return False
    except Exception:
        return False
@@ -1016,28 +1025,112 @@ class _MEMORY_BASIC_INFORMATION(ctypes.Structure):
    ]


-def _find_weixin_pid() -> Optional[int]:
+def _find_weixin_pids() -> list[int]:
    if psutil is None:
-        return None
-    for p in psutil.process_iter(["name"]):
+        return []
+
+    preferred = ["weixin.exe", "wechat.exe", "wechatappex.exe", "wechatapp.exe"]
+    preferred_set = set(preferred)
+    pids_by_name: dict[str, list[int]] = {n: [] for n in preferred}
+    extra: list[int] = []
+
+    for p in psutil.process_iter(["pid", "name"]):
        try:
            name = (p.info.get("name") or "").lower()
-            if name in {"weixin.exe", "wechat.exe"}:
-                return int(p.pid)
+            pid = int(p.info.get("pid") or 0)
        except Exception:
            continue
-    return None
+        if pid <= 0:
+            continue
+
+        if name in preferred_set:
+            pids_by_name[name].append(pid)
+            continue
+
+        if name.startswith("wechat") or name.startswith("weixin"):
+            extra.append(pid)
+
+    ordered: list[int] = []
+    for n in preferred:
+        ordered.extend(pids_by_name.get(n, []))
+    ordered.extend(extra)
+
+    seen: set[int] = set()
+    out: list[int] = []
+    for pid in ordered:
+        if pid in seen:
+            continue
+        seen.add(pid)
+        out.append(pid)
+    return out
+
+
+def _try_enable_windows_debug_privilege() -> None:
+    if os.name != "nt":
+        return
+
+    try:
+        advapi32 = ctypes.windll.advapi32
+        kernel32 = ctypes.windll.kernel32
+
+        TOKEN_ADJUST_PRIVILEGES = 0x0020
+        TOKEN_QUERY = 0x0008
+        SE_PRIVILEGE_ENABLED = 0x0002
+
+        class _LUID(ctypes.Structure):
+            _fields_ = [("LowPart", wintypes.DWORD), ("HighPart", wintypes.LONG)]
+
+        class _LUID_AND_ATTRIBUTES(ctypes.Structure):
+            _fields_ = [("Luid", _LUID), ("Attributes", wintypes.DWORD)]
+
+        class _TOKEN_PRIVILEGES(ctypes.Structure):
+            _fields_ = [("PrivilegeCount", wintypes.DWORD), ("Privileges", _LUID_AND_ATTRIBUTES * 1)]
+
+        token = wintypes.HANDLE()
+        if not advapi32.OpenProcessToken(
+            kernel32.GetCurrentProcess(),
+            TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
+            ctypes.byref(token),
+        ):
+            return
+
+        try:
+            luid = _LUID()
+            if not advapi32.LookupPrivilegeValueW(None, "SeDebugPrivilege", ctypes.byref(luid)):
+                return
+
+            tp = _TOKEN_PRIVILEGES()
+            tp.PrivilegeCount = 1
+            tp.Privileges[0].Luid = luid
+            tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED
+            advapi32.AdjustTokenPrivileges(token, False, ctypes.byref(tp), 0, None, None)
+        finally:
+            kernel32.CloseHandle(token)
+    except Exception:
+        return


 def _extract_wechat_aes_key_from_process(ciphertext: bytes) -> Optional[bytes]:
-    pid = _find_weixin_pid()
-    if not pid:
+    _try_enable_windows_debug_privilege()
+    pids = _find_weixin_pids()
+    if not pids:
        return None

    PROCESS_VM_READ = 0x0010
    PROCESS_QUERY_INFORMATION = 0x0400
    MEM_COMMIT = 0x1000
    MEM_PRIVATE = 0x20000
+    MEM_MAPPED = 0x40000
+    MEM_IMAGE = 0x1000000
+
+    PAGE_NOACCESS = 0x01
+    PAGE_READONLY = 0x02
+    PAGE_READWRITE = 0x04
+    PAGE_WRITECOPY = 0x08
+    PAGE_EXECUTE_READ = 0x20
+    PAGE_EXECUTE_READWRITE = 0x40
+    PAGE_EXECUTE_WRITECOPY = 0x80
+    PAGE_GUARD = 0x100

    kernel32 = ctypes.windll.kernel32

@@ -1063,13 +1156,31 @@ def _extract_wechat_aes_key_from_process(ciphertext: bytes) -> Optional[bytes]:
    CloseHandle.argtypes = [ctypes.c_void_p]
    CloseHandle.restype = ctypes.c_bool

+    readable_mask = (
+        PAGE_READONLY
+        | PAGE_READWRITE
+        | PAGE_WRITECOPY
+        | PAGE_EXECUTE_READ
+        | PAGE_EXECUTE_READWRITE
+        | PAGE_EXECUTE_WRITECOPY
+    )
+
+    def is_readable(protect: int) -> bool:
+        if protect & PAGE_GUARD:
+            return False
+        if protect & PAGE_NOACCESS:
+            return False
+        return bool(protect & readable_mask)
+
+    pattern = re.compile(rb"(?i)(?<![0-9a-z])([0-9a-z]{16}|[0-9a-z]{32})(?![0-9a-z])")
+
+    def scan_pid(pid: int) -> Optional[bytes]:
        handle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
        if not handle:
            return None

        stop = threading.Event()
        result: list[Optional[bytes]] = [None]
-    pattern = re.compile(rb"[^a-z0-9]([a-z0-9]{32})[^a-z0-9]", flags=re.IGNORECASE)

        def read_mem(addr: int, size: int) -> Optional[bytes]:
            buf = ctypes.create_string_buffer(size)
@@ -1090,8 +1201,12 @@ def _extract_wechat_aes_key_from_process(ciphertext: bytes) -> Optional[bytes]:
                    return None
                data = tail + b
                for m in pattern.finditer(data):
-                cand32 = m.group(1)
-                cand16 = cand32[:16]
+                    cand = m.group(1)
+                    if len(cand) == 16:
+                        candidates = [cand]
+                    else:
+                        candidates = [cand[:16], cand[16:]]
+                    for cand16 in candidates:
                        if _verify_wechat_aes_key(ciphertext, cand16):
                            return cand16
                tail = data[-64:] if len(data) > 64 else data
@@ -1104,7 +1219,9 @@ def _extract_wechat_aes_key_from_process(ciphertext: bytes) -> Optional[bytes]:
        try:
            while VirtualQueryEx(handle, ctypes.c_void_p(addr), ctypes.byref(mbi), ctypes.sizeof(mbi)):
                try:
-                if int(mbi.State) == MEM_COMMIT and int(mbi.Type) == MEM_PRIVATE:
+                    if int(mbi.State) == MEM_COMMIT and int(mbi.Type) in {MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE}:
+                        protect = int(mbi.Protect)
+                        if is_readable(protect):
                            base = int(mbi.BaseAddress)
                            size = int(mbi.RegionSize)
                            if size > 0:
@@ -1126,6 +1243,12 @@ def _extract_wechat_aes_key_from_process(ciphertext: bytes) -> Optional[bytes]:

        return result[0]

+    for pid in pids:
+        found = scan_pid(pid)
+        if found:
+            return found
+    return None
+

 def _save_media_keys(account_dir: Path, xor_key: int, aes_key16: bytes) -> None:
    try:
--- a/src/wechat_decrypt_tool/media_key_finder.py
+++ b/src/wechat_decrypt_tool/media_key_finder.py
@@ -73,7 +73,19 @@ def _verify(encrypted: bytes, key: bytes) -> bool:
    aes_key = key[:16]
    cipher = AES.new(aes_key, AES.MODE_ECB)
    text = cipher.decrypt(encrypted)
-    return bool(text.startswith(b"\xff\xd8\xff"))
+    if text.startswith(b"\xff\xd8\xff"):
+        return True
+    if text.startswith(b"\x89PNG\r\n\x1a\n"):
+        return True
+    if text.startswith(b"GIF87a") or text.startswith(b"GIF89a"):
+        return True
+    if text.startswith(b"wxgf"):
+        return True
+    if len(text) >= 12 and text.startswith(b"RIFF") and text[8:12] == b"WEBP":
+        return True
+    if len(text) >= 8 and text[4:8] == b"ftyp":
+        return True
+    return False


 def _search_memory_chunk(process_handle, base_address: int, region_size: int, encrypted: bytes, rules):
@@ -101,7 +113,7 @@ def _get_aes_key(encrypted: bytes, pid: int) -> Any:
    rules_key = r"""
    rule AesKey {
        strings:
-            $pattern = /[^a-z0-9][a-z0-9]{32}[^a-z0-9]/
+            $pattern = /[^0-9a-z]([0-9a-z]{16}|[0-9a-z]{32})[^0-9a-z]/ nocase
        condition:
            $pattern
    }
--- a/src/wechat_decrypt_tool/routers/media.py
+++ b/src/wechat_decrypt_tool/routers/media.py
@@ -98,7 +98,7 @@ async def get_media_keys(account: Optional[str] = None, force_extract: bool = Fa
                # 保存密钥到缓存
                _save_media_keys(account_dir, xor_key, aes_key16)
            else:
-                aes_message = "无法从微信进程提取AES密钥（微信是否正在运行？）"
+                aes_message = "无法从微信进程提取AES密钥（请确认微信正在运行，并尝试以管理员身份运行后端；部分新版微信可能暂不兼容）"
        else:
            aes_message = "未找到V2加密模板文件"
    else: