基础移步:http://www.codefrom.com/paper/Xposed%E6%8F%92%E4%BB%B6%E5%BC%80%E5%8F%...
-
Dalvik 孵化器 Zygote (Android系统中,所有的应用程序进程以及系统服务进程SystemServer都是由Zygote进程孕育/fork出来的)进程对应的程序是/system/bin/app_process. Xposed 框架中真正起作用的是对方法的 hook。
因为 Xposed 工作原理是在/system/bin 目录下替换文件,在 install 的时候需要 root 权限,但是运行时不需要 root 权限。
-
log 统一管理,tag 显示包名
Log.d(MYTAG+lpparam.packageName, "hello" + lpparam.packageName);
-
植入广播接收器,动态执行指令
findAndHookMethod("android.app.Application", lpparam.classLoader, "onCreate", new XC_MethodHook() { @Override protected void beforeHookedMethod(MethodHookParam param) throws Throwable { Context context = (Context) param.thisObject; IntentFilter filter = new IntentFilter(myCast.myAction); filter.addAction(myCast.myCmd); context.registerReceiver(new myCast(), filter); } @Override protected void afterHookedMethod(MethodHookParam param) throws Throwable { super.afterHookedMethod(param); } });
-
context 获取(关于 context可见http://www.codefrom.com/paper/Android.Context)
fristApplication = (Application) param.thisObject;
-
注入点选择 application oncreate 程序真正启动函数 (该类有可能被重写,所以通过反射得到 oncreate 方法)
String appClassName = this.getAppInfo().className; if (appClassName == null) { Method hookOncreateMethod = null; try { hookOncreateMethod = Application.class.getDeclaredMethod("onCreate", new Class[] {}); } catch (NoSuchMethodException e) { e.printStackTrace(); } hookhelper.hookMethod(hookOncreateMethod, new ApplicationOnCreateHook());
-
排除系统 app,排除自身,确定主线程
if(lpparam.appInfo == null || (lpparam.appInfo.flags & (ApplicationInfo.FLAG_SYSTEM | ApplicationInfo.FLAG_UPDATED_SYSTEM_APP)) !=0){ return; }else if(lpparam.isFirstApplication && !ZJDROID_PACKAGENAME.equals(lpparam.packageName)){
-
hook method
Only methods and constructors can be hooked,Cannot hook interfaces,Cannot hook abstract methods 只能 hook 方法和构造方法,不能 hook 接口和抽象方法
-
参数中有 自定义类
public void myMethod (String a, MyClass b)
通过反射得到自定义类...
-
注入后反射自定义类
Class<?> hookMessageListenerClass = null; hookMessageListenerClass = lpparam.classLoader.loadClass("org.jivesoftware.smack.MessageListener"); findAndHookMethod("org.jivesoftware.smack.ChatManager", lpparam.classLoader, "createChat", String.class , hookMessageListenerClass ,new XC_MethodHook() { @Override protected void beforeHookedMethod(MethodHookParam param) throws Throwable { String sendTo = (String) param.args[0]; Log.i(tag , "sendTo : + " + sendTo ); } @Override protected void afterHookedMethod(MethodHookParam param) throws Throwable { super.afterHookedMethod(param); } });
-
hook 一个类的方法,该类是子类并且没有重写父类的方法,此时应该 hook 父类还是子类.(hook 父类方法后,子类若没重写,一样生效.子类重写方法需要另外 hook)
例如
java.net.HttpURLConnection extends URLConnection ,方法在父类
java
public OutputStream getOutputStream() throws IOException { throw new UnknownServiceException("protocol doesn't support output"); }
org.apache.http.impl.client.AbstractHttpClient extends CloseableHttpClient ,方法在父类(注意,android的继承的 AbstractHttpClient implements org.apache.http.client.HttpClient)
java
public CloseableHttpResponse execute( final HttpHost target, final HttpRequest request, final HttpContext context) throws IOException, ClientProtocolException { return doExecute(target, request, context); }
android.async.http复写HttpGet导致zjdroid hook org.apache.http.impl.client.AbstractHttpClient execute 无法获取到请求 url和method
-
hook 构造方法
java
public static XC_MethodHook.Unhook findAndHookConstructor(String className, ClassLoader classLoader, Object... parameterTypesAndCallback) { return findAndHookConstructor(findClass(className, classLoader), parameterTypesAndCallback); }