Xposed插件开发进阶篇

  1. Dalvik 孵化器 Zygote (Android系统中,所有的应用程序进程以及系统服务进程SystemServer都是由Zygote进程孕育/fork出来的)进程对应的程序是/system/bin/app_process. Xposed 框架中真正起作用的是对方法的 hook。

    因为 Xposed 工作原理是在/system/bin 目录下替换文件,在 install 的时候需要 root 权限,但是运行时不需要 root 权限。

  2. log 统一管理,tag 显示包名

     Log.d(MYTAG+lpparam.packageName, "hello" + lpparam.packageName);
    
  3. 植入广播接收器,动态执行指令

         findAndHookMethod("android.app.Application", lpparam.classLoader, "onCreate", new XC_MethodHook() {
             @Override
             protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
    
                 Context context = (Context) param.thisObject;
                 IntentFilter filter = new IntentFilter(myCast.myAction);
                 filter.addAction(myCast.myCmd);
                 context.registerReceiver(new myCast(), filter);
    
             }
    
             @Override
             protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                 super.afterHookedMethod(param);
             }
         });
    
  4. context 获取(关于 context可见http://www.codefrom.com/paper/Android.Context)

     fristApplication = (Application) param.thisObject;
    
  5. 注入点选择 application oncreate 程序真正启动函数 (该类有可能被重写,所以通过反射得到 oncreate 方法)

     String appClassName = this.getAppInfo().className;
             if (appClassName == null) {
                 Method hookOncreateMethod = null;
                 try {
                     hookOncreateMethod = Application.class.getDeclaredMethod("onCreate", new Class[] {});
                 } catch (NoSuchMethodException e) {
                     e.printStackTrace();
                 }
                 hookhelper.hookMethod(hookOncreateMethod, new ApplicationOnCreateHook());
    
  6. 排除系统 app,排除自身,确定主线程

     if(lpparam.appInfo == null || 
                     (lpparam.appInfo.flags & (ApplicationInfo.FLAG_SYSTEM | ApplicationInfo.FLAG_UPDATED_SYSTEM_APP)) !=0){
                 return;
             }else if(lpparam.isFirstApplication && !ZJDROID_PACKAGENAME.equals(lpparam.packageName)){
    
  1. hook method

     Only methods and constructors can be hooked,Cannot hook interfaces,Cannot hook abstract methods
     只能 hook 方法和构造方法,不能 hook 接口和抽象方法
    
  2. 参数中有 自定义类

     public void myMethod (String a, MyClass b) 
    

    通过反射得到自定义类...

  3. 注入后反射自定义类

     Class hookMessageListenerClass = null;
    
     hookMessageListenerClass = lpparam.classLoader.loadClass("org.jivesoftware.smack.MessageListener");
    
     findAndHookMethod("org.jivesoftware.smack.ChatManager", lpparam.classLoader, "createChat", String.class , hookMessageListenerClass ,new XC_MethodHook() {
         @Override
         protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
    
             String sendTo = (String) param.args[0];
             Log.i(tag , "sendTo : + " + sendTo );
    
         }
    
         @Override
         protected void afterHookedMethod(MethodHookParam param) throws Throwable {
             super.afterHookedMethod(param);
         }
     });
    
  4. hook 一个类的方法,该类是子类并且没有重写父类的方法,此时应该 hook 父类还是子类.(hook 父类方法后,子类若没重写,一样生效.子类重写方法需要另外 hook)

    例如
    java.net.HttpURLConnection extends URLConnection ,

    方法在父类

    public OutputStream getOutputStream() throws IOException {
         throw new UnknownServiceException("protocol doesn't support output");
    }
    

    org.apache.http.impl.client.AbstractHttpClient extends CloseableHttpClient ,方法在父类(注意,android的继承的 AbstractHttpClient implements org.apache.http.client.HttpClient)

    public CloseableHttpResponse execute(
         final HttpHost target,
         final HttpRequest request,
         final HttpContext context) throws IOException, ClientProtocolException {
                 return doExecute(target, request, context);
    }
    

    android.async.http复写HttpGet导致zjdroid hook org.apache.http.impl.client.AbstractHttpClient execute 无法获取到请求 url和method

  5. hook 构造方法

    public static XC_MethodHook.Unhook findAndHookConstructor(String className, ClassLoader classLoader, Object... parameterTypesAndCallback) {
            return findAndHookConstructor(findClass(className, classLoader), parameterTypesAndCallback);
    }
    

转自:http://www.codefrom.com/p/Xposed

你可能感兴趣的:(Android,Hook,Android)