1. 反射工具
/**
 * Reflectively invokes a public static method of the named class.
 *
 * <p>The class is resolved with {@link Class#forName(String)} and the method with
 * {@code getMethod}, so only public methods (including inherited ones) are found.
 * Every exception is caught, its stack trace is printed, and {@code null} is returned;
 * a failed call therefore cannot be told apart from a method that returned {@code null}.
 *
 * <p>Security note: the class and method names select arbitrary code to run, so they
 * should be constants chosen by the developer, never values taken from untrusted input.
 *
 * @param class_name  fully qualified name of the class that declares the method
 * @param method_name name of the static method
 * @param pareTyple   parameter types used to select the overload
 * @param pareVaules  arguments passed to the method
 * @return the method's return value, or {@code null} if the lookup or the call failed
 */
public static Object invokeStaticMethod(String class_name, String method_name, Class[] pareTyple, Object[] pareVaules){
    Object result = null;
    try {
        // getMethod reports a missing method by throwing, never by returning null.
        final Method target = Class.forName(class_name).getMethod(method_name, pareTyple);
        // A null receiver is what marks this as a static invocation.
        result = target.invoke(null, pareVaules);
    } catch (Exception failure) {
        failure.printStackTrace();
    }
    return result;
}
/**
 * Reflectively invokes a static method declared directly on the named class,
 * whatever its visibility.
 *
 * <p>The method is looked up with {@code getDeclaredMethod} and then made accessible
 * with {@code setAccessible(true)}, which bypasses the Java access checks. Every
 * exception is caught, its stack trace is printed, and {@code null} is returned.
 *
 * <p>Security note: keep the class and method names constant; passing values derived
 * from untrusted input would let that input pick non-public code to execute.
 *
 * @param class_name  fully qualified name of the class that declares the method
 * @param method_name name of the static method
 * @param pareTyple   parameter types used to select the overload
 * @param pareVaules  arguments passed to the method
 * @return the method's return value, or {@code null} if the lookup or the call failed
 */
public static Object invokeDeclaredStaticMethod(String class_name, String method_name, Class[] pareTyple, Object[] pareVaules){
    try {
        final Class<?> owner = Class.forName(class_name);
        final Method target = owner.getDeclaredMethod(method_name, pareTyple);
        target.setAccessible(true);
        return target.invoke(null, pareVaules);
    } catch (Exception failure) {
        failure.printStackTrace();
        return null;
    }
}
/**
 * Reflectively invokes a public instance method on {@code obj}.
 *
 * <p>The method is resolved on the class named by {@code class_name}, not on
 * {@code obj.getClass()}. A {@code null} receiver returns {@code null} immediately.
 * Every exception is caught, its stack trace is printed, and {@code null} is returned.
 *
 * @param class_name  fully qualified name of the class used for the method lookup
 * @param method_name name of the method
 * @param obj         receiver of the call
 * @param pareTyple   parameter types used to select the overload
 * @param pareVaules  arguments passed to the method
 * @return the method's return value, or {@code null} if {@code obj} is {@code null}
 *         or the lookup or the call failed
 */
public static Object invokeMethod(String class_name, String method_name, Object obj ,Class[] pareTyple, Object[] pareVaules){
    Object result = null;
    if (obj != null) {
        try {
            final Class<?> owner = Class.forName(class_name);
            result = owner.getMethod(method_name, pareTyple).invoke(obj, pareVaules);
        } catch (Exception failure) {
            failure.printStackTrace();
        }
    }
    return result;
}
/**
 * Reads an instance field of {@code obj} by reflection, including private and
 * protected fields.
 *
 * <p>The field is looked up with {@code getDeclaredField}, so it must be declared
 * directly on the class named by {@code class_name}; superclass fields are not
 * searched. {@code setAccessible(true)} bypasses the Java access checks. Every
 * exception is caught, its stack trace is printed, and {@code null} is returned.
 *
 * @param class_name fully qualified name of the class that declares the field
 * @param obj        instance whose field is read
 * @param filedName  name of the field
 * @return the field's value, or {@code null} if the lookup or the read failed
 */
public static Object getFieldOjbect(String class_name,Object obj, String filedName){
    try {
        // getDeclaredField reports a missing field by throwing, never by returning null.
        final Field target = Class.forName(class_name).getDeclaredField(filedName);
        target.setAccessible(true);
        return target.get(obj);
    } catch (Exception failure) {
        failure.printStackTrace();
        return null;
    }
}
/**
 * Reads a static field by reflection, including private and protected fields.
 *
 * <p>The field must be declared directly on the class named by {@code class_name}.
 * {@code setAccessible(true)} bypasses the Java access checks. Every exception is
 * caught, its stack trace is printed, and {@code null} is returned.
 *
 * @param class_name fully qualified name of the class that declares the field
 * @param filedName  name of the static field
 * @return the field's value, or {@code null} if the lookup or the read failed
 */
public static Object getStaticFieldOjbect(String class_name, String filedName){
    Object value = null;
    try {
        final Class<?> owner = Class.forName(class_name);
        final Field target = owner.getDeclaredField(filedName);
        target.setAccessible(true);
        // A null receiver reads the static value.
        value = target.get(null);
    } catch (Exception failure) {
        failure.printStackTrace();
    }
    return value;
}
/**
 * Writes an instance field of {@code obj} by reflection, including private and
 * protected fields.
 *
 * <p>Does nothing when {@code obj} is {@code null}. The field must be declared
 * directly on the class named by {@code classname}. {@code setAccessible(true)}
 * bypasses the Java access checks. Every exception is caught and only its stack
 * trace is printed, so the caller gets no signal that the write failed.
 *
 * @param classname  fully qualified name of the class that declares the field
 * @param filedName  name of the field
 * @param obj        instance whose field is written
 * @param filedVaule value to store
 */
public static void setFieldOjbect(String classname, String filedName, Object obj, Object filedVaule){
    if (obj != null) {
        try {
            final Field target = Class.forName(classname).getDeclaredField(filedName);
            target.setAccessible(true);
            target.set(obj, filedVaule);
        } catch (Exception failure) {
            failure.printStackTrace();
        }
    }
}
/**
 * Writes a static field by reflection, including private and protected fields.
 *
 * <p>The field must be declared directly on the class named by {@code class_name}.
 * {@code setAccessible(true)} bypasses the Java access checks. Every exception is
 * caught and only its stack trace is printed, so the caller gets no signal that
 * the write failed.
 *
 * @param class_name fully qualified name of the class that declares the field
 * @param filedName  name of the static field
 * @param filedVaule value to store
 */
public static void setStaticOjbect(String class_name, String filedName, Object filedVaule){
    try {
        final Class<?> owner = Class.forName(class_name);
        // getDeclaredField reports a missing field by throwing, never by returning null.
        final Field target = owner.getDeclaredField(filedName);
        target.setAccessible(true);
        // A null receiver writes the static value.
        target.set(null, filedVaule);
    } catch (Exception failure) {
        failure.printStackTrace();
    }
}
2. hook 实现
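/**
 * {@link Handler.Callback} meant to be installed on the main thread's
 * {@code ActivityThread.mH} handler (see {@link #inject()}).
 *
 * <p>{@code Handler} consults its callback before its own {@code handleMessage};
 * this implementation always returns {@code false}, so normal framework handling
 * continues after it has logged the message.
 *
 * <p>Everything here relies on private framework internals reached by reflection
 * ({@code ActivityThread}, {@code ActivityThread$ReceiverData}, {@code Handler.mCallback}).
 * NOTE(review): on Android 9 and later the non-SDK interface restrictions may block
 * these lookups, and the names are not guaranteed to be stable across releases —
 * confirm on every targeted version.
 */
public class HandlerCallback implements Handler.Callback {
    private static final String TAG = "Wooo";

    // NOTE(review): presumably mirrors the private ActivityThread.H.RECEIVER message
    // code; it is not a public constant — confirm for each targeted Android version.
    private static final int RECEIVER = 113;

    // Only referenced by the disabled dispatch code in handleMessage.
    private final Application mApplication;
    private final ClassLoader mClassLoader;

    /**
     * @param application application whose base context the disabled dispatch code would use
     * @param classLoader class loader the disabled dispatch code would load receivers from
     */
    public HandlerCallback(Application application, ClassLoader classLoader) {
        mApplication = application;
        mClassLoader = classLoader;
    }

    /**
     * Logs every message and, for {@code RECEIVER} messages, reads the broadcast's
     * {@code intent} and {@code info} fields from the {@code ReceiverData} payload.
     *
     * @param message message about to be handled by the hooked handler
     * @return always {@code false}, so the handler's own {@code handleMessage} still runs
     */
    @Override
    public boolean handleMessage(Message message) {
        // NOTE(review): this logs every message code seen by the callback, and below
        // the payload's string form; gate behind a debug flag or strip from release
        // builds so broadcast details do not end up in logcat.
        Log.i(TAG, "handleMessage : " + message.what);
        if (message.what == RECEIVER) {
            Log.i(TAG, "handleMessage receiver : " + message.obj);
            Object obj = message.obj;
            // Both values are null when the reflective read fails; they are currently
            // unused because the dispatch code below is disabled.
            Intent intent = (Intent) RefInvoke.getFieldOjbect("android.app.ActivityThread$ReceiverData", obj, "intent");
            ActivityInfo activityInfo = (ActivityInfo) RefInvoke.getFieldOjbect("android.app.ActivityThread$ReceiverData", obj, "info");
            // Disabled draft of manual receiver dispatch, kept as in the original.
            // NOTE(review): if this is ever re-enabled, check intent and
            // intent.getComponent() for null, and verify that the component names an
            // expected BroadcastReceiver before loading and instantiating it.
            // if (activityInfo != null) {
            // }
            // BroadcastReceiver receiver;
            // try {
            // String component = intent.getComponent().getClassName();
            // intent.setExtrasClassLoader(mClassLoader);
            // receiver = (BroadcastReceiver) mClassLoader.loadClass(component).newInstance();
            // }catch (Exception e) {
            // e.printStackTrace();
            // return false;
            // }
            // try {
            // Object currentActivityThread = RefInvoke.invokeStaticMethod("android.app.ActivityThread", "currentActivityThread", new Class[] {}, new Object[] {});
            // ThreadLocal sCurrentBroadcastIntent = (ThreadLocal)RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "sCurrentBroadcastIntent");
            // sCurrentBroadcastIntent.set(intent);
            // Log.i("Wooo", "handleMessage sCurrentBroadcastIntent " + sCurrentBroadcastIntent);
            // RefInvoke.setFieldOjbect("android.app.ActivityThread", "sCurrentBroadcastIntent", currentActivityThread, sCurrentBroadcastIntent);
            // receiver.onReceive(mApplication.getBaseContext(), intent);
            // } catch (Exception e) {
            // e.printStackTrace();
            // return false;
            // }
            // return true;
        }
        return false;
    }

    /**
     * Installs this object as {@code mCallback} of the current {@code ActivityThread}'s
     * {@code mH} handler.
     *
     * <p>If either reflective lookup fails, a warning is logged and nothing is
     * installed. NOTE(review): a callback that is already set on {@code mH} is
     * overwritten, not chained.
     */
    public void inject() {
        Object currentActivityThread = RefInvoke.invokeStaticMethod("android.app.ActivityThread", "currentActivityThread", new Class[]{}, new Object[]{});
        if (currentActivityThread == null) {
            // Without this guard the failure would only surface as a stack trace from the helper.
            Log.w(TAG, "inject: ActivityThread.currentActivityThread() unavailable, callback not installed");
            return;
        }
        Object mH = RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "mH");
        if (mH == null) {
            // setFieldOjbect ignores a null target, so report the failure here.
            Log.w(TAG, "inject: ActivityThread.mH unavailable, callback not installed");
            return;
        }
        RefInvoke.setFieldOjbect("android.os.Handler", "mCallback", mH, this);
    }
}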
3. 初始化
// Install the callback. `this` has to be an Application, because that is what the
// HandlerCallback constructor takes; mainClassLoader is defined outside this snippet.
// inject() returns void, so this call site cannot tell whether the callback was
// actually installed.
HandlerCallback hc = new HandlerCallback(this, mainClassLoader);
hc.inject();