安卓Hook系列教程(二):Xposed插件开发进阶篇

时间:2022-08-05 17:46:44

由于本屌意外发现了篇不错的教程,基本上是自己想写的东西,既然已经有了就转载一下,不自己写了。
有*就何需再去造*?
好吧,其实是懒癌发作了。。。。。。。。


  1. Dalvik 孵化器 Zygote
    (Android系统中,所有的应用程序进程以及系统服务进程SystemServer都是由Zygote进程孕育/fork出来的)进程对应的程序是/system/bin/app_process.
    Xposed 框架中真正起作用的是对方法的 hook。 因为 Xposed 工作原理是在/system/bin 目录下替换文件,在
    install 的时候需要 root 权限,但是运行时不需要 root 权限。
  2. log 统一管理,tag 显示包名

    Log.d(MYTAG+lpparam.packageName, "hello" + lpparam.packageName);
  3. 植入广播接收器,动态执行指令

    findAndHookMethod("android.app.Application", lpparam.classLoader, "onCreate", new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {

    Context context = (Context) param.thisObject;
    IntentFilter filter = new IntentFilter(myCast.myAction);
    filter.addAction(myCast.myCmd);
    context.registerReceiver(new myCast(), filter);

    }

    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
    super.afterHookedMethod(param);
    }
    });
  4. context 获取(关于
    context可见http://www.codefrom.com/paper/Android.Context)

    fristApplication = (Application) param.thisObject;
  5. 注入点选择 application oncreate 程序真正启动函数 (该类有可能被重写,所以通过反射得到 oncreate 方法)

    String appClassName = this.getAppInfo().className;
    if (appClassName == null) {
    Method hookOncreateMethod = null;
    try {
    hookOncreateMethod = Application.class.getDeclaredMethod("onCreate", new Class[] {});
    } catch (NoSuchMethodException e) {
    e.printStackTrace();
    }
    hookhelper.hookMethod(hookOncreateMethod, new ApplicationOnCreateHook());
  6. 排除系统 app,排除自身,确定主线程

     if(lpparam.appInfo == null || 
    (lpparam.appInfo.flags & (ApplicationInfo.FLAG_SYSTEM | ApplicationInfo.FLAG_UPDATED_SYSTEM_APP)) !=0){
    return;
    }else if(lpparam.isFirstApplication && !ZJDROID_PACKAGENAME.equals(lpparam.packageName)){
  7. hook method

    Only methods and constructors can be hooked,Cannot hook interfaces,Cannot hook abstract methods

    只能 hook 方法和构造方法,不能 hook 接口和抽象方法

  8. 参数中有 自定义类

    public void myMethod (String a, MyClass b) 

    通过反射得到自定义类…

  9. 注入后反射自定义类

     Class<?> hookMessageListenerClass = null;

    hookMessageListenerClass = lpparam.classLoader.loadClass("org.jivesoftware.smack.MessageListener");

    findAndHookMethod("org.jivesoftware.smack.ChatManager", lpparam.classLoader, "createChat", String.class , hookMessageListenerClass ,new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {

    String sendTo = (String) param.args[0];
    Log.i(tag , "sendTo : + " + sendTo );

    }

    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
    super.afterHookedMethod(param);
    }
    });
  10. hook 一个类的方法,该类是子类并且没有重写父类的方法,此时应该 hook 父类还是子类.(hook 父类方法后,子类若没重写,一样生效.子类重写方法需要另外 hook)
    例如 java.net.HttpURLConnection extends URLConnection ,
    方法在父类

public OutputStream getOutputStream() throws IOException {
throw new UnknownServiceException("protocol doesn't support output");
}

org.apache.http.impl.client.AbstractHttpClient extends CloseableHttpClient ,方法在父类(注意,android的继承的 AbstractHttpClient implements org.apache.http.client.HttpClient)

public CloseableHttpResponse execute(
final HttpHost target,
final HttpRequest request,
final HttpContext context) throws IOException, ClientProtocolException {
return doExecute(target, request, context);
}

android.async.http复写HttpGet导致zjdroid hook org.apache.http.impl.client.AbstractHttpClient execute 无法获取到请求 url和method
11. hook 构造方法

 public static XC_MethodHook.Unhook findAndHookConstructor(String className, ClassLoader classLoader, Object... parameterTypesAndCallback) {
return findAndHookConstructor(findClass(className, classLoader), parameterTypesAndCallback);
}

转自:http://www.codefrom.com/p/Xposed