由於本屌意外發現了篇不錯的教程,基本上是自己想寫的東西,既然已經有了就轉載一下,不自己寫了。
有輪子就何需再去造輪子?
好吧,其實是懶癌發作了。。。。。。。。
- Dalvik 孵化器 Zygote
(Android系統中,所有的應用程序進程以及系統服務進程SystemServer都是由Zygote進程孕育/fork出來的)進程對應的程序是/system/bin/app_process.
Xposed 框架中真正起作用的是對方法的 hook。 因爲 Xposed 工作原理是在/system/bin 目錄下替換文件,在
install 的時候需要 root 權限,但是運行時不需要 root 權限。 log 統一管理,tag 顯示包名
Log.d(MYTAG+lpparam.packageName, "hello" + lpparam.packageName);植入廣播接收器,動態執行指令
findAndHookMethod("android.app.Application", lpparam.classLoader, "onCreate", new XC_MethodHook() { @Override protected void beforeHookedMethod(MethodHookParam param) throws Throwable { Context context = (Context) param.thisObject; IntentFilter filter = new IntentFilter(myCast.myAction); filter.addAction(myCast.myCmd); context.registerReceiver(new myCast(), filter); } @Override protected void afterHookedMethod(MethodHookParam param) throws Throwable { super.afterHookedMethod(param); } });context 獲取(關於
context可見http://www.codefrom.com/paper/Android.Context)fristApplication = (Application) param.thisObject;注入點選擇 application oncreate 程序真正啓動函數 (該類有可能被重寫,所以通過反射得到 oncreate 方法)
String appClassName = this.getAppInfo().className; if (appClassName == null) { Method hookOncreateMethod = null; try { hookOncreateMethod = Application.class.getDeclaredMethod("onCreate", new Class[] {}); } catch (NoSuchMethodException e) { e.printStackTrace(); } hookhelper.hookMethod(hookOncreateMethod, new ApplicationOnCreateHook());排除系統 app,排除自身,確定主線程
if(lpparam.appInfo == null || (lpparam.appInfo.flags & (ApplicationInfo.FLAG_SYSTEM | ApplicationInfo.FLAG_UPDATED_SYSTEM_APP)) !=0){ return; }else if(lpparam.isFirstApplication && !ZJDROID_PACKAGENAME.equals(lpparam.packageName)){hook method
Only methods and constructors can be hooked,Cannot hook interfaces,Cannot hook abstract methods只能 hook 方法和構造方法,不能 hook 接口和抽象方法
參數中有 自定義類
public void myMethod (String a, MyClass b)通過反射得到自定義類…
注入後反射自定義類
Class<?> hookMessageListenerClass = null; hookMessageListenerClass = lpparam.classLoader.loadClass("org.jivesoftware.smack.MessageListener"); findAndHookMethod("org.jivesoftware.smack.ChatManager", lpparam.classLoader, "createChat", String.class , hookMessageListenerClass ,new XC_MethodHook() { @Override protected void beforeHookedMethod(MethodHookParam param) throws Throwable { String sendTo = (String) param.args[0]; Log.i(tag , "sendTo : + " + sendTo ); } @Override protected void afterHookedMethod(MethodHookParam param) throws Throwable { super.afterHookedMethod(param); } });hook 一個類的方法,該類是子類並且沒有重寫父類的方法,此時應該 hook 父類還是子類.(hook 父類方法後,子類若沒重寫,一樣生效.子類重寫方法需要另外 hook)
例如 java.net.HttpURLConnection extends URLConnection ,
方法在父類
public OutputStream getOutputStream() throws IOException {
throw new UnknownServiceException("protocol doesn't support output");
}org.apache.http.impl.client.AbstractHttpClient extends CloseableHttpClient ,方法在父類(注意,android的繼承的 AbstractHttpClient implements org.apache.http.client.HttpClient)
public CloseableHttpResponse execute(
final HttpHost target,
final HttpRequest request,
final HttpContext context) throws IOException, ClientProtocolException {
return doExecute(target, request, context);
}android.async.http複寫HttpGet導致zjdroid hook org.apache.http.impl.client.AbstractHttpClient execute 無法獲取到請求 url和method
11. hook 構造方法
public static XC_MethodHook.Unhook findAndHookConstructor(String className, ClassLoader classLoader, Object... parameterTypesAndCallback) {
return findAndHookConstructor(findClass(className, classLoader), parameterTypesAndCallback);
}
