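Before reading this article, readers are assumed to have read "Android Studio Xposed Module Writing (Part 1)" and to have the environment already set up. The demo in this article uses the same environment as that article, so it is not described again here.

1. Overview

Xposed is a very impressive hook framework. I have only just started using it myself; searching online, I found that the available material is not very complete, so I collected the framework's usage and summarized it in this article. If there are any mistakes, please go easy on me. The main contents are:

1. How to hook a static variable
2. How to hook a constructor
3. How to hook a method with complex parameters
4. How to replace the body of a function
5. How to hook a function in an inner class
6. How to hook a function in an anonymous class
7. How to get the calling object and call a function on it, or create a new instance and call a method on that

Master these methods, combine them with some knowledge of reverse engineering smali, and you should be able to handle most Java-layer hooks. Enough talk, on to the code!

2. Hook target program source

HookDemo.java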

package com.example.xposedhooktarget;

import android.util.Log;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;

abstract class Animal {
    int anonymoutInt = 500;

    public abstract void eatFunc(String value);
}

public class HookDemo {
    private String Tag = "HookDemo";
    private static int staticInt = 100;
    public int publicInt = 200;
    private int privateInt = 300;

    public HookDemo() {
        this("NOHook");
        Log.d(Tag, "HookDemo() was called|||");
    }

    private HookDemo(String str) {
        Log.d(Tag, "HookDemo(String str) was called|||" + str);
    }

    public void hookDemoTest() {
        Log.d(Tag, "staticInt = " + staticInt);
        Log.d(Tag, "PublicInt = " + publicInt);
        Log.d(Tag, "privateInt = " + privateInt);
        publicFunc("NOHook");
        Log.d(Tag, "PublicInt = " + publicInt);
        Log.d(Tag, "privateInt = " + privateInt);

        privateFunc("NOHook");
        staticPrivateFunc("NOHook");

        String[][] str = new String[1][2];
        Map map = new HashMap<String, String>();
        map.put("key", "value");
        ArrayList arrayList = new ArrayList();
        arrayList.add("listValue");
        complexParameterFunc("NOHook", str, map, arrayList);

        repleaceFunc();

        anonymousInner(new Animal() {
            @Override
            public void eatFunc(String value) {
                Log.d(Tag, "eatFunc(String value)  was called|||" + value);
                Log.d(Tag, "anonymoutInt =  " + anonymoutInt);
            }
        }, "NOHook");

        InnerClass innerClass = new InnerClass();
        innerClass.InnerFunc("NOHook");
    }

    public void publicFunc(String value) {
        Log.d(Tag, "publicFunc(String value) was called|||" + value);
    }

    private void privateFunc(String value) {
        Log.d(Tag, "privateFunc(String value) was called|||" + value);
    }

    static private void staticPrivateFunc(String value) {
        Log.d("HookDemo", "staticPrivateFunc(Strin value) was called|||" + value);
    }

    private void complexParameterFunc(String value, String[][] str, Map<String, String> map, ArrayList arrayList) {
        Log.d("HookDemo", "complexParameter(Strin value) was called|||" + value);
    }

    private void repleaceFunc() {
        Log.d(Tag, "repleaceFunc will be replace|||");
    }

    public void anonymousInner(Animal dog, String value) {
        Log.d(Tag, "anonymousInner was called|||" + value);
        dog.eatFunc("NOHook");
    }

    private void hideFunc(String value) {
        Log.d(Tag, "hideFunc was called|||" + value);
    }

    class InnerClass {
        public int innerPublicInt = 10;
        private int innerPrivateInt = 20;

        public InnerClass() {
            Log.d(Tag, "InnerClass constructed func was called");
        }

        public void InnerFunc(String value) {
            Log.d(Tag, "InnerFunc(String value) was called|||" + value);
            Log.d(Tag, "innerPublicInt = " + innerPublicInt);
            Log.d(Tag, "innerPrivateInt = " + innerPrivateInt);
        }
    }
}

3. XposedHook program source

import android.util.Log;

import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XC_MethodReplacement;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

public class XposedHook implements IXposedHookLoadPackage {

    @Override
    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {
        if (loadPackageParam.packageName.equals("com.example.xposedhooktarget")) {
            final Class<?> clazz = XposedHelpers.findClass("com.example.xposedhooktarget.HookDemo", loadPackageParam.classLoader);
            //getClassInfo(clazz);

            // The private static field staticInt can be modified directly, without obtaining an instance of the class
            XposedHelpers.setStaticIntField(clazz, "staticInt", 99);

            // Hook the no-argument constructor; it does nothing...
            XposedHelpers.findAndHookConstructor(clazz, new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                    XposedBridge.log("Haha, HookDemo constructed was hooked");
                    // Big pitfall: the object has not been built yet at this point, so you can
                    // neither get the object nor modify the values of non-static fields
                    //XposedHelpers.setIntField(param.thisObject, "publicInt", 199);
                    //XposedHelpers.setIntField(param.thisObject, "privateInt", 299);
                }
            });

            // Hook the constructor that takes a parameter and modify the argument
            XposedHelpers.findAndHookConstructor(clazz, String.class, new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                    param.args[0] = "Haha, HookDemo(str) are hooked";
                }
            });

            // Hook the constructor that takes a parameter and modify the argument:
            // XC_MethodReplacement() cannot be used to replace the body of a constructor
            //XposedHelpers.findAndHookConstructor(clazz, String.class, new XC_MethodReplacement() {
            //    @Override
            //    protected Object replaceHookedMethod(MethodHookParam methodHookParam) throws Throwable {
            //        Log.d("HookDemo" , "HookDemo(str) was replace");
            //    }
            //});

            // Hook the public method publicFunc:
            // 1. modify the argument
            // 2. change the values of publicInt and privateInt
            // 3. while we are at it, call the hidden function hideFunc
            //XposedHelpers.findAndHookMethod("com.example.xposedhooktarget.HookDemo", clazz.getClassLoader(), "publicFunc", String.class, new XC_MethodHook()
            XposedHelpers.findAndHookMethod(clazz, "publicFunc", String.class, new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                    param.args[0] = "Haha, publicFunc are hooked";
                    XposedHelpers.setIntField(param.thisObject, "publicInt", 199);
                    XposedHelpers.setIntField(param.thisObject, "privateInt", 299);

                    // Let the hooked object itself run the call
                    Method md = clazz.getDeclaredMethod("hideFunc", String.class);
                    md.setAccessible(true);
                    //md.invoke(param.thisObject, "Haha, hideFunc was hooked");
                    XposedHelpers.callMethod(param.thisObject, "hideFunc", "Haha, hideFunc was hooked");

                    // Instantiate a new object, then call hideFunc on it
                    //Constructor constructor = clazz.getConstructor();
                    //XposedHelpers.callMethod(constructor.newInstance(), "hideFunc", "Haha, hideFunc was hooked");
                }
            });

            // Hook the private method privateFunc and modify the argument
            //XposedHelpers.findAndHookMethod("com.example.xposedhooktarget.HookDemo", clazz.getClassLoader(), "privateFunc", String.class, new XC_MethodHook()
            XposedHelpers.findAndHookMethod(clazz, "privateFunc", String.class, new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                    param.args[0] = "Haha, privateFunc are hooked";
                }
            });

            // Hook the private static method staticPrivateFunc and modify the argument
            XposedHelpers.findAndHookMethod(clazz, "staticPrivateFunc", String.class, new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                    param.args[0] = "Haha, staticPrivateFunc are hooked";
                }
            });

            // Hook complexParameterFunc, a function with complex parameters
            Class<?> fclass1 = XposedHelpers.findClass("java.util.Map", loadPackageParam.classLoader);
            Class<?> fclass2 = XposedHelpers.findClass("java.util.ArrayList", loadPackageParam.classLoader);
            XposedHelpers.findAndHookMethod(clazz, "complexParameterFunc", String.class,
                    "[[Ljava.lang.String;", fclass1, fclass2, new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                    param.args[0] = "Haha, complexParameterFunc are hooked";
                }
            });

            // Hook the private method repleaceFunc and replace what it prints
            XposedHelpers.findAndHookMethod(clazz, "repleaceFunc", new XC_MethodReplacement() {
                @Override
                protected Object replaceHookedMethod(MethodHookParam methodHookParam) throws Throwable {
                    Log.d("HookDemo", "Haha, repleaceFunc are replaced");
                    return null;
                }
            });

            // Hook anonymousInner, whose parameter is an abstract class: just load the required class first
            Class<?> animalClazz = loadPackageParam.classLoader.loadClass("com.example.xposedhooktarget.Animal");
            XposedHelpers.findAndHookMethod(clazz, "anonymousInner", animalClazz, String.class, new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                    XposedBridge.log("HookDemo This is test");
                    param.args[1] = "Haha, anonymousInner are hooked";
                }
            });

            // Hook eatFunc of the anonymous class: modify the argument and also the anonymoutInt field of the class
            XposedHelpers.findAndHookMethod("com.example.xposedhooktarget.HookDemo$1", clazz.getClassLoader(),
                    "eatFunc", String.class, new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                    param.args[0] = "Haha, eatFunc are hooked";
                    XposedHelpers.setIntField(param.thisObject, "anonymoutInt", 499);
                }
            });

            // Hooking the inner class constructor fails, and it also makes the hook on the
            // inner class's InnerFunc method fail; reason unknown
            //XposedHelpers.findAndHookConstructor(clazz1, new XC_MethodHook() {
            //    @Override
            //    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            //        XposedBridge.log("Haha, InnerClass constructed was hooked" );
            //    }
            //});

            // Hook InnerFunc of the inner class InnerClass: modify the argument and also
            // the innerPublicInt and innerPrivateInt fields of the class
            final Class<?> clazz1 = XposedHelpers.findClass("com.example.xposedhooktarget.HookDemo$InnerClass", loadPackageParam.classLoader);
            XposedHelpers.findAndHookMethod(clazz1, "InnerFunc", String.class, new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                    param.args[0] = "Haha, InnerFunc was hooked";
                    XposedHelpers.setIntField(param.thisObject, "innerPublicInt", 9);
                    XposedHelpers.setIntField(param.thisObject, "innerPrivateInt", 19);
                }
            });
        }
    }

    private void getClassInfo(Class clazz) {
        // getFields() vs getDeclaredFields(): getFields() only returns fields declared public
        // (private fields are not accessible), including public fields inherited from other classes.
        // getDeclaredFields() returns every field declared in the class, regardless of
        // public/private/protected, but not fields inherited from other classes.
        // getMethods() vs getDeclaredMethods(): getMethods() only returns methods declared public
        // (private methods are not accessible), including public methods inherited from other classes.
        // getDeclaredMethods() returns every method declared in the class, regardless of
        // public/private/protected, but not methods inherited from other classes.
        // getConstructors() vs getDeclaredConstructors(): getConstructors() only returns constructors
        // declared public; getDeclaredConstructors() returns every constructor of the class,
        // regardless of public/private/protected.

        //XposedHelpers.setStaticObjectField(clazz,"sMoney",110);
        //Field sMoney = clazz.getDeclaredField("sMoney");
        //sMoney.setAccessible(true);
        Field[] fs;
        Method[] md;
        Constructor[] cl;

        fs = clazz.getFields();
        for (int i = 0; i < fs.length; i++) {
            XposedBridge.log("HookDemo getFiled: " + Modifier.toString(fs[i].getModifiers()) + " " +
                    fs[i].getType().getName() + " " + fs[i].getName());
        }

        fs = clazz.getDeclaredFields();
        for (int i = 0; i < fs.length; i++) {
            XposedBridge.log("HookDemo getDeclaredFields: " + Modifier.toString(fs[i].getModifiers()) + " " +
                    fs[i].getType().getName() + " " + fs[i].getName());
        }

        md = clazz.getMethods();
        for (int i = 0; i < md.length; i++) {
            Class<?> returnType = md[i].getReturnType();
            XposedBridge.log("HookDemo getMethods: " + Modifier.toString(md[i].getModifiers()) + " " +
                    returnType.getName() + " " + md[i].getName());
            // Get the parameters
            //Class<?> para[] = md[i].getParameterTypes();
            //for (int j = 0; j < para.length; ++j) {
            //    System.out.print(para[j].getName() + " " + "arg" + j);
            //    if (j < para.length - 1) {
            //        System.out.print(",");
            //    }
            //}
        }

        md = clazz.getDeclaredMethods();
        for (int i = 0; i < md.length; i++) {
            Class<?> returnType = md[i].getReturnType();
            XposedBridge.log("HookDemo getDeclaredMethods: " + Modifier.toString(md[i].getModifiers()) + " " +
                    returnType.getName() + " " + md[i].getName());
        }

        // Use cl[i] here: indexing md[] with the constructor index prints the wrong name
        // and can run past the end of the method array
        cl = clazz.getConstructors();
        for (int i = 0; i < cl.length; i++) {
            XposedBridge.log("HookDemo getConstructors: " + Modifier.toString(cl[i].getModifiers()) + " " +
                    cl[i].getName());
        }

        cl = clazz.getDeclaredConstructors();
        for (int i = 0; i < cl.length; i++) {
            XposedBridge.log("HookDemo getDeclaredConstructors: " + Modifier.toString(cl[i].getModifiers()) + " " +
                    cl[i].getName());
        }
    }
}
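
An added example, not code from the original post or from the Xposed project: plain Java reflection showing one likely cause of the inner-class constructor hook failure noted in the comments above. A non-static inner class has no zero-argument constructor, because the compiler adds the enclosing instance as a hidden first parameter. The class InnerCtorDemo and the stand-in classes nested in it are constructed for illustration and run on any JVM without Xposed or Android.

```java
import java.lang.reflect.Constructor;
import java.util.Arrays;

// Constructed stand-ins for the target app's classes (assumption: same shape as HookDemo.java).
public class InnerCtorDemo {
    abstract static class Animal {
        public abstract void eatFunc(String value);
    }

    static class HookDemo {
        class InnerClass {               // non-static inner class, as in HookDemo.java
            public InnerClass() { }
        }

        Animal makeAnonymous() {
            return new Animal() {        // first anonymous class in HookDemo: HookDemo$1
                @Override
                public void eatFunc(String value) { }
            };
        }
    }

    // List every declared constructor of a class with its real parameter types.
    static String describeConstructors(Class<?> c) {
        StringBuilder sb = new StringBuilder();
        for (Constructor<?> ctor : c.getDeclaredConstructors()) {
            sb.append(c.getName()).append(Arrays.toString(ctor.getParameterTypes())).append('\n');
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        Class<?> inner = HookDemo.InnerClass.class;
        System.out.print(describeConstructors(inner));

        // Lookup with no parameter types, which is what a zero-argument constructor hook asks for.
        try {
            inner.getDeclaredConstructor();
            System.out.println("no-arg constructor found");
        } catch (NoSuchMethodException e) {
            System.out.println("no-arg lookup failed: " + e);
        }

        // Lookup that names the enclosing class as the first parameter succeeds.
        Constructor<?> ok = inner.getDeclaredConstructor(HookDemo.class);
        System.out.println("constructed " + ok.newInstance(new HookDemo()).getClass().getName());

        // Anonymous classes get compiler-assigned numeric names in declaration order.
        System.out.println(new HookDemo().makeAnonymous().getClass().getName());
    }
}
```

In the module, passing the outer class as the parameter type, as in findAndHookConstructor(clazz1, clazz, callback), should match this signature. An uncaught lookup error thrown inside handleLoadPackage also prevents the hooks registered after it from being installed, which would explain why the InnerFunc hook failed as well.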

4. Hook results

5. Source code

Hook target program source: https://github.com/Gordon0918/XposedHookTarget

Hook program source: https://github.com/Gordon0918/XposedHook

Reposted from: https://www.cnblogs.com/gordon0918/p/6732100.html
