-
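The Dalvik incubator process, Zygote, corresponds to the program /system/bin/app_process (on Android, every application process, as well as the system service process SystemServer, is forked from the Zygote process). What actually does the work in the Xposed framework is the hooking of methods.
Because Xposed works by replacing files under the /system/bin directory, root privileges are required at install time, but not at run time.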
-
Unified log management, with the package name shown in the tag
    Log.d(MYTAG + lpparam.packageName, "hello" + lpparam.packageName);
-
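Plant a broadcast receiver to execute commands dynamically
    findAndHookMethod("android.app.Application", lpparam.classLoader, "onCreate", new XC_MethodHook() {
        @Override
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            // param.thisObject is the Application instance, which is itself a Context
            Context context = (Context) param.thisObject;
            // Listen for both custom actions defined on the receiver class
            IntentFilter filter = new IntentFilter(myCast.myAction);
            filter.addAction(myCast.myCmd);
            // No sender permission is set here, so any app that knows the action strings can reach this receiver
            context.registerReceiver(new myCast(), filter);
        }

        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            super.afterHookedMethod(param);
        }
    });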
-
Obtaining the context (for more on context, see http://www.codefrom.com/paper/Android.Context)
    fristApplication = (Application) param.thisObject;
-
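Choice of injection point: Application onCreate, the function where the program really starts (this class may be overridden, so the onCreate method is obtained through reflection)
    String appClassName = this.getAppInfo().className;
    if (appClassName == null) {
        // The app declares no Application subclass, so hook android.app.Application.onCreate itself
        Method hookOncreateMethod = null;
        try {
            hookOncreateMethod = Application.class.getDeclaredMethod("onCreate", new Class[] {});
        } catch (NoSuchMethodException e) {
            e.printStackTrace();
        }
        hookhelper.hookMethod(hookOncreateMethod, new ApplicationOnCreateHook());
    }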
-
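Exclude system apps, exclude the module itself, and determine the main thread
    if (lpparam.appInfo == null
            || (lpparam.appInfo.flags & (ApplicationInfo.FLAG_SYSTEM | ApplicationInfo.FLAG_UPDATED_SYSTEM_APP)) != 0) {
        // Skip packages without ApplicationInfo and all (updated) system apps
        return;
    } else if (lpparam.isFirstApplication && !ZJDROID_PACKAGENAME.equals(lpparam.packageName)) {
        // ...
    }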
-
hook method
Only methods and constructors can be hooked. Interfaces and abstract methods cannot be hooked.
-
The parameters include a custom class
    public void myMethod(String a, MyClass b)
Obtain the custom class through reflection...
-
Reflecting the custom class after injection
    // Load the app's own class through the hooked app's class loader
    Class<?> hookMessageListenerClass = null;
    hookMessageListenerClass = lpparam.classLoader.loadClass("org.jivesoftware.smack.MessageListener");
    findAndHookMethod("org.jivesoftware.smack.ChatManager", lpparam.classLoader, "createChat",
            String.class, hookMessageListenerClass, new XC_MethodHook() {
        @Override
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            // First argument of createChat is the recipient
            String sendTo = (String) param.args[0];
            Log.i(tag, "sendTo : " + sendTo);
        }

        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            super.afterHookedMethod(param);
        }
    });
-
Hooking a method of a class that is a subclass and does not override the parent's method: should the parent or the subclass be hooked? (After the parent's method is hooked, the hook also takes effect for a subclass that does not override it. A method that the subclass overrides has to be hooked separately.)
For example:
java.net.HttpURLConnection extends URLConnection; the method is in the parent class
    public OutputStream getOutputStream() throws IOException {
        throw new UnknownServiceException("protocol doesn't support output");
    }
org.apache.http.impl.client.AbstractHttpClient extends CloseableHttpClient; the method is in the parent class (note that the AbstractHttpClient inherited on Android implements org.apache.http.client.HttpClient)
    public CloseableHttpResponse execute(
            final HttpHost target,
            final HttpRequest request,
            final HttpContext context) throws IOException, ClientProtocolException {
        return doExecute(target, request, context);
    }
android.async.http overrides HttpGet, so the zjdroid hook on org.apache.http.impl.client.AbstractHttpClient execute cannot obtain the request URL and method
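The parent-versus-subclass question above can be settled with plain reflection before any hook is installed. The following is an added example, not code from the original page or from Xposed or ZjDroid: the class HookTargetResolver, its helper declaringClass and the Base/Inheriting/Overriding hierarchy are constructed for illustration, and it runs on a plain JDK without Android.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.net.HttpURLConnection;

public class HookTargetResolver {
    // Constructed sample hierarchy (not from the page)
    static class Base { public String send(String msg) { return "base:" + msg; } }
    static class Inheriting extends Base { }
    static class Overriding extends Base {
        @Override public String send(String msg) { return "override:" + msg; }
    }

    /**
     * Walk up from cls and return the first class that declares the method.
     * That class owns the method body that actually runs for instances of cls,
     * so it is the class whose method has to be hooked.
     */
    static Class<?> declaringClass(Class<?> cls, String name, Class<?>... paramTypes) {
        for (Class<?> c = cls; c != null; c = c.getSuperclass()) {
            try {
                Method m = c.getDeclaredMethod(name, paramTypes);
                if (Modifier.isAbstract(m.getModifiers())) {
                    // Abstract methods have no body, so there is nothing to hook
                    throw new IllegalArgumentException(
                            c.getName() + "." + name + " is abstract and cannot be hooked");
                }
                return c;
            } catch (NoSuchMethodException ignored) {
                // Not declared on this class, keep walking up the hierarchy
            }
        }
        throw new IllegalArgumentException(
                name + " not found in " + cls.getName() + " or its superclasses");
    }

    public static void main(String[] args) {
        // Subclass that inherits send(): resolves to the parent class
        System.out.println(declaringClass(Inheriting.class, "send", String.class).getName());
        // Subclass that overrides send(): resolves to itself and needs its own hook
        System.out.println(declaringClass(Overriding.class, "send", String.class).getName());
        // The page's case: getOutputStream() lives in the parent of HttpURLConnection
        System.out.println(declaringClass(HttpURLConnection.class, "getOutputStream").getName());
    }
}
```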
-
Hooking a constructor
    public static XC_MethodHook.Unhook findAndHookConstructor(String className, ClassLoader classLoader,
            Object... parameterTypesAndCallback) {
        return findAndHookConstructor(findClass(className, classLoader), parameterTypesAndCallback);
    }
Reposted from: http://www.codefrom.com/p/Xposed