Android Studio Xposed模块编写(二)
阅读本文前,假设读者已经看过Android Studio Xposed模块编写(一) 相关环境已经搭建完成。本文演示案例与上文环境一致,不在赘述。
1、概述
Xposed是非常牛叉的一款hook框架,本人也是刚刚接触,在网上搜索一些资料,发现写的都不是太全面,于是搜集该框架的用法,总结出该文。如有纰漏,还请轻拍,主要内容包括
1、如何Hook静态变量
2、如何Hook构造方法
3、如何Hook复杂参数的方法
4、如何替换函数执行内容
5、如何Hook内部类中的函数
6、如何Hook匿名类的函数
7、如何获取调用对象去调用函数,或者新建新建示例去调用方法
学会这些方法,在结合逆向smail的一些知识,应该可以满足大多数java层的hook了。话不多说,上代码!
2、Hook目标程序源码
HookDemo.java
abstract class Animal{
int anonymoutInt = 500;
public abstract void eatFunc(String value);
}
public class HookDemo {
private String Tag = "HookDemo";
private static int staticInt = 100;
public int publicInt = 200;
private int privateInt = 300;
public HookDemo(){
this("NOHook");
Log.d(Tag, "HookDemo() was called|||");
}
private HookDemo(String str){
Log.d(Tag, "HookDemo(String str) was called|||" + str);
}
public void hookDemoTest(){
Log.d(Tag, "staticInt = " + staticInt);
Log.d(Tag, "PublicInt = " + publicInt);
Log.d(Tag, "privateInt = " + privateInt);
publicFunc("NOHook");
Log.d(Tag, "PublicInt = " + publicInt);
Log.d(Tag, "privateInt = " + privateInt);
privateFunc("NOHook");
staticPrivateFunc("NOHook");
String[][] str = new String[1][2];
Map map = new HashMap<String, String>();
map.put("key", "value");
ArrayList arrayList = new ArrayList();
arrayList.add("listValue");
complexParameterFunc("NOHook", str, map, arrayList);
repleaceFunc();
anonymousInner(new Animal() {
@Override
public void eatFunc(String value) {
Log.d(Tag, "eatFunc(String value) was called|||" + value);
Log.d(Tag, "anonymoutInt = " + anonymoutInt);
}
}, "NOHook");
InnerClass innerClass = new InnerClass();
innerClass.InnerFunc("NOHook");
}
public void publicFunc(String value){
Log.d(Tag, "publicFunc(String value) was called|||" + value);
}
private void privateFunc(String value){
Log.d(Tag, "privateFunc(String value) was called|||" + value);
}
static private void staticPrivateFunc(String value){
Log.d("HookDemo", "staticPrivateFunc(Strin value) was called|||" + value);
}
private void complexParameterFunc(String value, String[][] str, Map<String,String> map, ArrayList arrayList)
{
Log.d("HookDemo", "complexParameter(Strin value) was called|||" + value);
}
private void repleaceFunc(){
Log.d(Tag, "repleaceFunc will be replace|||");
}
public void anonymousInner(Animal dog, String value){
Log.d(Tag, "anonymousInner was called|||" + value);
dog.eatFunc("NOHook");
}
private void hideFunc(String value){
Log.d(Tag, "hideFunc was called|||" + value);
}
class InnerClass{
public int innerPublicInt = 10;
private int innerPrivateInt = 20;
public InnerClass(){
Log.d(Tag, "InnerClass constructed func was called");
}
public void InnerFunc(String value){
Log.d(Tag, "InnerFunc(String value) was called|||" + value);
Log.d(Tag, "innerPublicInt = " + innerPublicInt);
Log.d(Tag, "innerPrivateInt = " + innerPrivateInt);
}
}
}
3、XposedHook程序源码
public class XposedHook implements IXposedHookLoadPackage {
@Override
public void handleLoadPackage(XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {
if (loadPackageParam.packageName.equals("com.example.xposedhooktarget")) {
final Class<?> clazz = XposedHelpers.findClass("com.example.xposedhooktarget.HookDemo", loadPackageParam.classLoader);
//getClassInfo(clazz);
//不需要获取类对象,即可直接修改类中的私有静态变量staticInt
XposedHelpers.setStaticIntField(clazz, "staticInt", 99);
//Hook无参构造函数,啥也不干。。。。
XposedHelpers.findAndHookConstructor(clazz, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
XposedBridge.log("Haha, HookDemo constructed was hooked" );
//大坑,此时对象还没有建立,即不能获取对象,也不能修改非静态变量的值
//XposedHelpers.setIntField(param.thisObject, "publicInt", 199);
//XposedHelpers.setIntField(param.thisObject, "privateInt", 299);
}
});
//Hook有参构造函数,修改参数
XposedHelpers.findAndHookConstructor(clazz, String.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
param.args[0] = "Haha, HookDemo(str) are hooked";
}
});
//Hook有参构造函数,修改参数------不能使用XC_MethodReplacement()替换构造函数内容,
//XposedHelpers.findAndHookConstructor(clazz, String.class, new XC_MethodReplacement() {
// @Override
// protected Object replaceHookedMethod(MethodHookParam methodHookParam) throws Throwable {
// Log.d("HookDemo" , "HookDemo(str) was replace");
// }
//});
//Hook公有方法publicFunc,
// 1、修改参数
// 2、修改下publicInt和privateInt的值
// 3、再顺便调用一下隐藏函数hideFunc
//XposedHelpers.findAndHookMethod("com.example.xposedhooktarget.HookDemo", clazz.getClassLoader(), "publicFunc", String.class, new XC_MethodHook()
XposedHelpers.findAndHookMethod(clazz, "publicFunc", String.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
param.args[0] = "Haha, publicFunc are hooked";
XposedHelpers.setIntField(param.thisObject, "publicInt", 199);
XposedHelpers.setIntField(param.thisObject, "privateInt", 299);
// 让hook的对象本身去执行流程
Method md = clazz.getDeclaredMethod("hideFunc", String.class);
md.setAccessible(true);
//md.invoke(param.thisObject, "Haha, hideFunc was hooked");
XposedHelpers.callMethod(param.thisObject, "hideFunc", "Haha, hideFunc was hooked");
//实例化对象,然后再调用HideFunc方法
//Constructor constructor = clazz.getConstructor();
//XposedHelpers.callMethod(constructor.newInstance(), "hideFunc", "Haha, hideFunc was hooked");
}
});
//Hook私有方法privateFunc,修改参数
//XposedHelpers.findAndHookMethod("com.example.xposedhooktarget.HookDemo", clazz.getClassLoader(), "privateFunc", String.class, new XC_MethodHook()
XposedHelpers.findAndHookMethod(clazz, "privateFunc", String.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
param.args[0] = "Haha, privateFunc are hooked";
}
});
//Hook私有静态方法staticPrivateFunc, 修改参数
XposedHelpers.findAndHookMethod(clazz, "staticPrivateFunc", String.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
param.args[0] = "Haha, staticPrivateFunc are hooked";
}
});
//Hook复杂参数函数complexParameterFunc
Class fclass1 = XposedHelpers.findClass("java.util.Map", loadPackageParam.classLoader);
Class fclass2 = XposedHelpers.findClass("java.util.ArrayList", loadPackageParam.classLoader);
XposedHelpers.findAndHookMethod(clazz, "complexParameterFunc", String.class,
"[[Ljava.lang.String;", fclass1, fclass2, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
param.args[0] = "Haha, complexParameterFunc are hooked";
}
});
//Hook私有方法repleaceFunc, 替换打印内容
XposedHelpers.findAndHookMethod(clazz, "repleaceFunc", new XC_MethodReplacement() {
@Override
protected Object replaceHookedMethod(MethodHookParam methodHookParam) throws Throwable {
Log.d("HookDemo", "Haha, repleaceFunc are replaced");
return null;
}
});
//Hook方法, anonymousInner, 参数是抽象类,先加载所需要的类即可
Class animalClazz = loadPackageParam.classLoader.loadClass("com.example.xposedhooktarget.Animal");
XposedHelpers.findAndHookMethod(clazz, "anonymousInner", animalClazz, String.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
XposedBridge.log("HookDemo This is test");
param.args[1] = "Haha, anonymousInner are hooked";
}
});
//Hook匿名类的eatFunc方法,修改参数,顺便修改类中的anonymoutInt变量
XposedHelpers.findAndHookMethod("com.example.xposedhooktarget.HookDemo$1", clazz.getClassLoader(),
"eatFunc", String.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
param.args[0] = "Haha, eatFunc are hooked";
XposedHelpers.setIntField(param.thisObject, "anonymoutInt", 499);
}
});
//hook内部类的构造方法失败,且会导致hook内部类的InnerFunc方法也失败,原因不明
// XposedHelpers.findAndHookConstructor(clazz1, new XC_MethodHook() {
// @Override
// protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
// XposedBridge.log("Haha, InnerClass constructed was hooked" );
// }
// });
//Hook内部类InnerClass的InnerFunc方法,修改参数,顺便修改类中的innerPublicInt和innerPrivateInt变量
final Class<?> clazz1 = XposedHelpers.findClass("com.example.xposedhooktarget.HookDemo$InnerClass", loadPackageParam.classLoader);
XposedHelpers.findAndHookMethod(clazz1, "InnerFunc", String.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
param.args[0] = "Haha, InnerFunc was hooked";
XposedHelpers.setIntField(param.thisObject, "innerPublicInt", 9);
XposedHelpers.setIntField(param.thisObject, "innerPrivateInt", 19);
}
});
}
}
private void getClassInfo(Class clazz) {
//getFields()与getDeclaredFields()区别:getFields()只能访问类中声明为公有的字段,私有的字段它无法访问,
//能访问从其它类继承来的公有方法.getDeclaredFields()能访问类中所有的字段,与public,private,protect无关,
//不能访问从其它类继承来的方法
//getMethods()与getDeclaredMethods()区别:getMethods()只能访问类中声明为公有的方法,私有的方法它无法访问,
//能访问从其它类继承来的公有方法.getDeclaredFields()能访问类中所有的字段,与public,private,protect无关,
//不能访问从其它类继承来的方法
//getConstructors()与getDeclaredConstructors()区别:getConstructors()只能访问类中声明为public的构造函数
//getDeclaredConstructors()能访问类中所有的构造函数,与public,private,protect无关
//XposedHelpers.setStaticObjectField(clazz,"sMoney",110);
//Field sMoney = clazz.getDeclaredField("sMoney");
//sMoney.setAccessible(true);
Field[] fs;
Method[] md;
Constructor[] cl;
fs = clazz.getFields();
for (int i = 0; i < fs.length; i++) {
XposedBridge.log("HookDemo getFiled: " + Modifier.toString(fs[i].getModifiers()) + " " +
fs[i].getType().getName() + " " + fs[i].getName());
}
fs = clazz.getDeclaredFields();
for (int i = 0; i < fs.length; i++) {
XposedBridge.log("HookDemo getDeclaredFields: " + Modifier.toString(fs[i].getModifiers()) + " " +
fs[i].getType().getName() + " " + fs[i].getName());
}
md = clazz.getMethods();
for (int i = 0; i < md.length; i++) {
Class<?> returnType = md[i].getReturnType();
XposedBridge.log("HookDemo getMethods: " + Modifier.toString(md[i].getModifiers()) + " " +
returnType.getName() + " " + md[i].getName());
//获取参数
//Class<?> para[] = md[i].getParameterTypes();
//for (int j = 0; j < para.length; ++j) {
//System.out.print(para[j].getName() + " " + "arg" + j);
//if (j < para.length - 1) {
// System.out.print(",");
//}
//}
}
md = clazz.getDeclaredMethods();
for (int i = 0; i < md.length; i++) {
Class<?> returnType = md[i].getReturnType();
XposedBridge.log("HookDemo getDeclaredMethods: " + Modifier.toString(md[i].getModifiers()) + " " +
returnType.getName() + " " + md[i].getName());
}
cl = clazz.getConstructors();
for (int i = 0; i < cl.length; i++) {
XposedBridge.log("HookDemo getConstructors: " + Modifier.toString(cl[i].getModifiers()) + " " +
md[i].getName());
}
cl = clazz.getDeclaredConstructors();
for (int i = 0; i < cl.length; i++) {
XposedBridge.log("HookDemo getDeclaredConstructors: " + Modifier.toString(cl[i].getModifiers()) + " " +
md[i].getName());
}
}
}
4、Hook运行结果
5、源码地址
Hook目标程序源码https://github.com/Gordon0918/XposedHookTarget
Hook程序源码https://github.com/Gordon0918/XposedHook
Android Studio Xposed模块编写(二)的更多相关文章
- Android Studio Xposed模块编写(一)
1.环境说明 本文主要参考https://my.oschina.net/wisedream/blog/471292?fromerr=rNPFQidG的内容,自己实现了一遍,侵权请告知 已经安装xpos ...
- Android Studio 入门级教程(二):新建一个属于自己的工程并安装Genymotion模拟器
声明 生命壹号:http://www.cnblogs.com/smyhvae/ 文章来源:http://www.cnblogs.com/smyhvae/p/4392611.html [系列] Andr ...
- Android Studio使用教程(二)
以下是本次Google I/O大会发布的IDE Android Studio使用教程第二篇: 在Android Studio使用教程(一)中简要介绍了Android Studio的基本使用,包括安装. ...
- 5.1、Android Studio用Logcat编写和查看日志
Android Studio在Android Monitor中包含了一个logcat的tab,可以打印系统事件,比如垃圾回收发生时,实时打印应用消息. 为了显示需要的信息,你可以创建过滤器,更改需要显 ...
- Android的硬件抽象层模块编写规范
硬件抽象层模块编写规范 Android系统的硬件抽象层以模块的形式来管理各个硬件訪问接口.每个硬件模块都相应有一个动态链接库文件.这些动态链接库文件的命令须要符合一定的规范.同一时候,在系统内部. ...
- [Android Studio] Android Studio使用教程(二)
以下是本次Google I/O大会发布的IDE Android Studio使用教程第二篇: 在Android Studio使用教程(一)中简要介绍了Android Studio的基本使用,包括安装. ...
- Android Studio安卓学习笔记(二)Android项目结构
上一篇代码,我们学习了Android的功能以及如何用Android Studio开发第一个安卓程序.下面就要介绍Android项目结构.为日后学习打基础. 一:Android项目结构 打开MyFris ...
- Android Studio的使用(二)--Debug调试
使用Android Studio进行Debug调试,这里有一篇比较详细的介绍 http://www.2cto.com/kf/201506/408358.html 故不再重复介绍.
- Android Studio 插件开发详解二:工具类
转载请标明出处:http://blog.csdn.net/zhaoyanjun6/article/details/78112856 本文出自[赵彦军的博客] 在插件开发过程中,我们按照开发一个正式的项 ...
随机推荐
- Oracle EBS 银行账户API
创建银行 -- Create Bank DECLARE p_init_msg_list VARCHAR2(200); p_country_code VARCHAR2(200); p_bank_nam ...
- cookie 组成结构
1.用抓包工具 fidller 只能看到 cookie 的 name 和 value 两个参数,实际上 cookie 还有其 它参数 2.以下是一个完整的 cookie 组成结构 cookie ={u ...
- IIS日志导致磁盘被占满
某服务器只部署了个IIS,应用目录都在D盘,可C盘97.5GB空间却被占满了. 将系统文件,隐藏文件全部显示,再选中所有的C盘文件及文件夹查看容量只有19GB. 既然只部署了IIS,那自然就怀疑到了I ...
- MySQL查询计划 key_len计算方法
本文首先介绍了MySQL的查询计划中ken_len的含义:然后介绍了key_len的计算方法:最后通过一个伪造的例子,来说明如何通过key_len来查看联合索引有多少列被使用. key_len的含义 ...
- python基础学习14----正则表达式
正则表达式是对字符串操作的一种逻辑公式,就是用事先定义好的一些特定字符.及这些特定字符的组合,组成一个“规则字符串”,这个“规则字符串”用来表达对字符串的一种过滤逻辑. 在python中正则表达式被封 ...
- 记录一次优化mysql查询语句的方法
今天在数据库中导入大量的数据,大概有25万条,结果在查询的时候优化没有做好,因此导致查询意外停止或者是直接查询程序中止,很是苦恼.所以才有了优化查询的方法总结 1.首先是查看一下数据量 2.接下来按照 ...
- T-SQL应用实例
实验一:实验案例一(附加“练习用的可以附加的数据库--class”) 1.在products表中查询出厂日期晚于2014年4月的水果信息. select * from products where ...
- COM动态添加删除成员,类似JavaScript中调用的对象
在JavaScript中调用对象时,可动态添加删除成员如: var obj=new Object; obj.member1='aaaaa'; obj.fun1=function() { alert(' ...
- IE 8 下sharepoint 2013 难看的字体的解决方案
将 corev15.css 中的有关"Segoe UI","Segoe",Tahoma,移除即可. 一共二处 C:\Program Files\Common F ...
- VS 代码整理插件推荐:CodeMaid
一直在用,觉得很不错,其他插件基本上不用了,所以拿来记录并分享一下.CodeMaid 说明文档CodeMaid 下载安装不用说明了,使用看说明文档就好. CodeMaid和ReSharp类似,开源且免 ...