由于本屌意外发现了篇不错的教程,基本上是自己想写的东西,既然已经有了就转载一下,不自己写了。
有*就何需再去造*?
好吧,其实是懒癌发作了。。。。。。。。
- Dalvik 孵化器 Zygote
(Android系统中,所有的应用程序进程以及系统服务进程SystemServer都是由Zygote进程孕育/fork出来的)进程对应的程序是/system/bin/app_process.
Xposed 框架中真正起作用的是对方法的 hook。 因为 Xposed 工作原理是在/system/bin 目录下替换文件,在
install 的时候需要 root 权限,但是运行时不需要 root 权限。 -
log 统一管理,tag 显示包名
Log.d(MYTAG+lpparam.packageName, "hello" + lpparam.packageName);
-
植入广播接收器,动态执行指令
findAndHookMethod("android.app.Application", lpparam.classLoader, "onCreate", new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
Context context = (Context) param.thisObject;
IntentFilter filter = new IntentFilter(myCast.myAction);
filter.addAction(myCast.myCmd);
context.registerReceiver(new myCast(), filter);
}
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
}
}); -
context 获取(关于
context可见http://www.codefrom.com/paper/Android.Context)fristApplication = (Application) param.thisObject;
-
注入点选择 application oncreate 程序真正启动函数 (该类有可能被重写,所以通过反射得到 oncreate 方法)
String appClassName = this.getAppInfo().className;
if (appClassName == null) {
Method hookOncreateMethod = null;
try {
hookOncreateMethod = Application.class.getDeclaredMethod("onCreate", new Class[] {});
} catch (NoSuchMethodException e) {
e.printStackTrace();
}
hookhelper.hookMethod(hookOncreateMethod, new ApplicationOnCreateHook()); -
排除系统 app,排除自身,确定主线程
if(lpparam.appInfo == null ||
(lpparam.appInfo.flags & (ApplicationInfo.FLAG_SYSTEM | ApplicationInfo.FLAG_UPDATED_SYSTEM_APP)) !=0){
return;
}else if(lpparam.isFirstApplication && !ZJDROID_PACKAGENAME.equals(lpparam.packageName)){ -
hook method
Only methods and constructors can be hooked,Cannot hook interfaces,Cannot hook abstract methods
只能 hook 方法和构造方法,不能 hook 接口和抽象方法
-
参数中有 自定义类
public void myMethod (String a, MyClass b)
通过反射得到自定义类…
-
注入后反射自定义类
Class<?> hookMessageListenerClass = null;
hookMessageListenerClass = lpparam.classLoader.loadClass("org.jivesoftware.smack.MessageListener");
findAndHookMethod("org.jivesoftware.smack.ChatManager", lpparam.classLoader, "createChat", String.class , hookMessageListenerClass ,new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
String sendTo = (String) param.args[0];
Log.i(tag , "sendTo : + " + sendTo );
}
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
}
}); hook 一个类的方法,该类是子类并且没有重写父类的方法,此时应该 hook 父类还是子类.(hook 父类方法后,子类若没重写,一样生效.子类重写方法需要另外 hook)
例如 java.net.HttpURLConnection extends URLConnection ,
方法在父类
public OutputStream getOutputStream() throws IOException {
throw new UnknownServiceException("protocol doesn't support output");
}
org.apache.http.impl.client.AbstractHttpClient extends CloseableHttpClient ,方法在父类(注意,android的继承的 AbstractHttpClient implements org.apache.http.client.HttpClient)
public CloseableHttpResponse execute(
final HttpHost target,
final HttpRequest request,
final HttpContext context) throws IOException, ClientProtocolException {
return doExecute(target, request, context);
}
android.async.http复写HttpGet导致zjdroid hook org.apache.http.impl.client.AbstractHttpClient execute 无法获取到请求 url和method
11. hook 构造方法
public static XC_MethodHook.Unhook findAndHookConstructor(String className, ClassLoader classLoader, Object... parameterTypesAndCallback) {
return findAndHookConstructor(findClass(className, classLoader), parameterTypesAndCallback);
}