Xposed插件開發進階篇

時間 2019-11-16

標籤 xposed 插件開發進階简体版

原文原文鏈接

基礎移步:http://www.codefrom.com/paper/Xposed%E6%8F%92%E4%BB%B6%E5%BC%80%E5%8F%...java

Dalvik 孵化器 Zygote (Android系統中，全部的應用程序進程以及系統服務進程SystemServer都是由Zygote進程孕育/fork出來的)進程對應的程序是/system/bin/app_process. Xposed 框架中真正起做用的是對方法的 hook。android

由於 Xposed 工做原理是在/system/bin 目錄下替換文件,在 install 的時候須要 root 權限,可是運行時不須要 root 權限。apache

log 統一管理,tag 顯示包名app

Log.d(MYTAG+lpparam.packageName, "hello" + lpparam.packageName);

植入廣播接收器,動態執行指令框架

findAndHookMethod("android.app.Application", lpparam.classLoader, "onCreate", new XC_MethodHook() {
        @Override
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {

            Context context = (Context) param.thisObject;
            IntentFilter filter = new IntentFilter(myCast.myAction);
            filter.addAction(myCast.myCmd);
            context.registerReceiver(new myCast(), filter);

        }

        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            super.afterHookedMethod(param);
        }
    });

context 獲取(關於 context可見http://www.codefrom.com/paper/Android.Context)async
```
fristApplication = (Application) param.thisObject;
```

注入點選擇 application oncreate 程序真正啓動函數 (該類有可能被重寫,因此經過反射獲得 oncreate 方法)ide

String appClassName = this.getAppInfo().className;
        if (appClassName == null) {
            Method hookOncreateMethod = null;
            try {
                hookOncreateMethod = Application.class.getDeclaredMethod("onCreate", new Class[] {});
            } catch (NoSuchMethodException e) {
                e.printStackTrace();
            }
            hookhelper.hookMethod(hookOncreateMethod, new ApplicationOnCreateHook());

排除系統 app,排除自身,肯定主線程函數

if(lpparam.appInfo == null || 
                (lpparam.appInfo.flags & (ApplicationInfo.FLAG_SYSTEM | ApplicationInfo.FLAG_UPDATED_SYSTEM_APP)) !=0){
            return;
        }else if(lpparam.isFirstApplication && !ZJDROID_PACKAGENAME.equals(lpparam.packageName)){

hook methodthis

Only methods and constructors can be hooked,Cannot hook interfaces,Cannot hook abstract methods
只能 hook 方法和構造方法,不能 hook 接口和抽象方法

參數中有自定義類url
```
public void myMethod (String a, MyClass b)
```
經過反射獲得自定義類...

注入後反射自定義類

Class<?> hookMessageListenerClass = null;

hookMessageListenerClass = lpparam.classLoader.loadClass("org.jivesoftware.smack.MessageListener");

findAndHookMethod("org.jivesoftware.smack.ChatManager", lpparam.classLoader, "createChat", String.class , hookMessageListenerClass ,new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {

        String sendTo = (String) param.args[0];
        Log.i(tag , "sendTo : + " + sendTo );

    }

    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        super.afterHookedMethod(param);
    }
});

hook 一個類的方法,該類是子類而且沒有重寫父類的方法,此時應該 hook 父類仍是子類.(hook 父類方法後,子類若沒重寫,同樣生效.子類重寫方法須要另外 hook)

例如
java.net.HttpURLConnection extends URLConnection ,

方法在父類
```
javapublic OutputStream getOutputStream() throws IOException {
        throw new UnknownServiceException("protocol doesn't support output");
 }
```
org.apache.http.impl.client.AbstractHttpClient extends CloseableHttpClient ,方法在父類(注意,android的繼承的 AbstractHttpClient implements org.apache.http.client.HttpClient)
```
javapublic CloseableHttpResponse execute(
        final HttpHost target,
        final HttpRequest request,
        final HttpContext context) throws IOException, ClientProtocolException {
                return doExecute(target, request, context);
}
```
android.async.http複寫HttpGet致使zjdroid hook org.apache.http.impl.client.AbstractHttpClient execute 沒法獲取到請求 url和method

hook 構造方法

javapublic static XC_MethodHook.Unhook findAndHookConstructor(String className, ClassLoader classLoader, Object... parameterTypesAndCallback) {
            return findAndHookConstructor(findClass(className, classLoader), parameterTypesAndCallback);
}

相關標籤/搜索

每日一句

每一个你不满意的现在，都有一个你没有努力的曾经。