Xposed是一个适用于Android的框架。基于这个框架开发的模块可以改变系统和app应用的行为,而不需要修改APK。
Android基于Linux,第一个启动的进程自然是init进程,该进程会
启动所有Android进程的父进程——Zygote(孵化)进程,该进程的启动配置在
/init.rc脚本中,而Zygote进程对应的执行文件是/system/bin/app_process,
该文件完成类库的加载以及一些函数的调用工作。在Zygote进程创建后,
再fork出SystemServer进程和其他进程。
而Xposed Framework呢,就是用自己实现的app_process替换掉了系统原本
提供的app_process,加载一个额外的jar包,然后入口从原来的:
com.android.internal.osZygoteInit.main()被替换成了:
de.robv.android.xposed.XposedBridge.main(),
然后创建的Zygote进程就变成Hook的Zygote进程了,而后面Fork出来的进程
也是被Hook过的。这个Jar包在:
/data/data/de.rbov.android.xposed.installer/bin/XposedBridge.jar
compileOnly 'de.robv.android.xposed:api:82'
<meta-data
android:name="xposedmodule"
android:value="true" />
<meta-data
android:name="xposeddescription"
android:value="xposeddemo" />
<meta-data
android:name="xposedminversion"
android:value="82" />
package com.hym.myhookdemo;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.callbacks.XC_LoadPackage;
public class XposedInit implements IXposedHookLoadPackage {
@Override
public void handleLoadPackage(final XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {
XposedBridge.log("=========Loaded app: " + lpparam.packageName);
}
}
另外创建一个app,MainActivity里声明并bind TextView tv。这段代码可以更改tv的text。
@Override
public void handleLoadPackage(final XC_LoadPackage.LoadPackageParam lpparam) {
XposedBridge.log("===========Loaded app:" + lpparam.packageName);
if (lpparam.packageName.equals("com.hym.myhookapp")) {
XposedHelpers.findAndHookMethod("com.hym.myhookapp.MainActivity",
lpparam.classLoader, "onCreate", Bundle.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
}
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
// super.afterHookedMethod(param);
Class c = lpparam.classLoader.loadClass("com.hym.myhookapp.MainActivity");
Field field = c.getDeclaredField("tv");
field.setAccessible(true);
TextView tv = (TextView) field.get(param.thisObject);
tv.setText("123");
}
});
}
}
XposedHelpers.findAndHookMethod 第四个参数methodName后,若function有参数需传参数类型,例如上述的onCreate(Bundle savedInstanceState),则要传(…, “onCreate”, Bundle.class, …)。若参数类型为自定义类型,仍可使用反射传递如"xxx.xxx.xx.msg"。
现在大一点的app都有多个dex文件,如果用xposed去hook非默认dex文件的类就会发生ClassNotFoundError,要解决这个问题,我们需要拿到对应dex文件的上下文环境。
Android在加载dex文件后会创建一个application类,然后会调用attach方法,attach方法的参数就是上下文context,而且attach方法是final方法,不会因为被覆盖而hook不到,拿到这个context就可以获取对应的classload,然后可以顺利hook到multidex的类
XposedHelpers.findAndHookMethod(Application.class, "attach", Context.class, new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
ClassLoader cl = ((Context)param.args[0]).getClassLoader();
Class<?> hookclass = null;
try {
hookclass = cl.loadClass("xxx.xxx.xxx");
} catch (Exception e) {
Log.e("jyy", "寻找xxx.xxx.xxx报错", e);
return;
}
Log.i("jyy", "寻找xxx.xxx.xxx成功");
XposedHelpers.findAndHookMethod(hookclass, "xxx", new XC_MethodHook(){
//进行hook操作
});
}
});
findAndHookMethod("android.app.Application", lpparam.classLoader, "onCreate", new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
Context context = (Context) param.thisObject;
//find class ...
}
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
}
});
https://www.jianshu.com/p/275a45b8095b
https://blog.csdn.net/coder_pig/article/details/80031285
http://bestmk.cn/thread-511.htm
https://segmentfault.com/a/1190000002883122