1. 反射工具

    /**
     * 反射执行类的静态函数(public)
     * @param class_name    类名
     * @param method_name   函数名
     * @param pareTyple     函数的参数类型
     * @param pareVaules    调用函数时传入的参数
     * @return
     */
    public static  Object invokeStaticMethod(String class_name, String method_name, Class[] pareTyple, Object[] pareVaules){
        try {
            Class obj_class = Class.forName(class_name);
            Method method = obj_class.getMethod(method_name,pareTyple);
            if (method == null) return null;
            return method.invoke(null, pareVaules);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }

    public static  Object invokeDeclaredStaticMethod(String class_name, String method_name, Class[] pareTyple, Object[] pareVaules){
        try {
            Class obj_class = Class.forName(class_name);
            Method method = obj_class.getDeclaredMethod(method_name,pareTyple);
            method.setAccessible(true);
            return method.invoke(null, pareVaules);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;

    }

    /**
     * 反射执行类的函数（public）
     * @param class_name
     * @param method_name
     * @param obj
     * @param pareTyple
     * @param pareVaules
     * @return
     */
    public static  Object invokeMethod(String class_name, String method_name, Object obj ,Class[] pareTyple, Object[] pareVaules){
        if (obj == null) return null;
        try {
            Class obj_class = Class.forName(class_name);
            Method method = obj_class.getMethod(method_name,pareTyple);
            return method.invoke(obj, pareVaules);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;

    }

    /**
     * 反射得到类的属性（包括私有和保护）
     * @param class_name
     * @param obj
     * @param filedName
     * @return
     */
    public static Object getFieldOjbect(String class_name,Object obj, String filedName){
        try {
            Class obj_class = Class.forName(class_name);
            Field field = obj_class.getDeclaredField(filedName);
            if (field == null) return null;
            field.setAccessible(true);
            return field.get(obj);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;

    }

    /**
     * 反射得到类的静态属性（包括私有和保护）
     * @param class_name
     * @param filedName
     * @return
     */
    public static Object getStaticFieldOjbect(String class_name, String filedName){
        try {
            Class obj_class = Class.forName(class_name);
            Field field = obj_class.getDeclaredField(filedName);
            if (field == null) return null;
            field.setAccessible(true);
            return field.get(null);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;

    }

    /**
     * 设置类的属性（包括私有和保护）
     * @param classname
     * @param filedName
     * @param obj
     * @param filedVaule
     */
    public static void setFieldOjbect(String classname, String filedName, Object obj, Object filedVaule){
        if (obj == null) return;
        try {
            Class obj_class = Class.forName(classname);
            Field field = obj_class.getDeclaredField(filedName);
            field.setAccessible(true);
            field.set(obj, filedVaule);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * 设置类的静态属性（包括私有和保护）
     * @param class_name
     * @param filedName
     * @param filedVaule
     */
    public static void setStaticOjbect(String class_name, String filedName, Object filedVaule){
        try {
            Class obj_class = Class.forName(class_name);
            Field field = obj_class.getDeclaredField(filedName);
            if (field == null) return;
            field.setAccessible(true);
            field.set(null, filedVaule);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

2. hook 实现

public class HandlerCallback implements Handler.Callback {
    private static final int RECEIVER = 113;
    private Application mApplication;
    private ClassLoader mClassLoader;

    public HandlerCallback(Application application, ClassLoader classLoader) {
        mApplication = application;
        mClassLoader = classLoader;
    }

    @Override
    public boolean handleMessage(Message message) {
        Log.i("Wooo", "handleMessage : " + message.what);

        if (message.what == RECEIVER) {
            Log.i("Wooo", "handleMessage receiver : " + message.obj);
            Object obj = message.obj;
            Intent intent = (Intent) RefInvoke.getFieldOjbect("android.app.ActivityThread$ReceiverData", obj, "intent");
            ActivityInfo activityInfo = (ActivityInfo) RefInvoke.getFieldOjbect("android.app.ActivityThread$ReceiverData", obj, "info");
//            if (activityInfo != null) {
//            }
//            BroadcastReceiver receiver;
//            try {
//                String component = intent.getComponent().getClassName();
//                intent.setExtrasClassLoader(mClassLoader);
//                receiver = (BroadcastReceiver) mClassLoader.loadClass(component).newInstance();
//            }catch (Exception e) {
//                e.printStackTrace();
//                return false;
//            }
//            try {
//                Object currentActivityThread = RefInvoke.invokeStaticMethod("android.app.ActivityThread", "currentActivityThread", new Class[] {}, new Object[] {});
//                ThreadLocal sCurrentBroadcastIntent = (ThreadLocal)RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "sCurrentBroadcastIntent");
//                sCurrentBroadcastIntent.set(intent);
//                Log.i("Wooo", "handleMessage sCurrentBroadcastIntent " + sCurrentBroadcastIntent);
//                RefInvoke.setFieldOjbect("android.app.ActivityThread", "sCurrentBroadcastIntent", currentActivityThread, sCurrentBroadcastIntent);
//                receiver.onReceive(mApplication.getBaseContext(), intent);
//            } catch (Exception e) {
//                e.printStackTrace();
//                return false;
//            }
//            return true;
        }
        return false;
    }

    public void inject() {
        Object currentActivityThread = RefInvoke.invokeStaticMethod("android.app.ActivityThread", "currentActivityThread", new Class[]{}, new Object[]{});
        Object mH = RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "mH");
        RefInvoke.setFieldOjbect("android.os.Handler", "mCallback", mH, this);
    }

}

3. 初始化

                    HandlerCallback hc = new HandlerCallback(this, mainClassLoader);
                    hc.inject();

hook 掉 Handler.Callback 的消息回调

1. 反射工具

2. hook 实现

3. 初始化

你可能感兴趣的:(hook 掉 Handler.Callback 的消息回调)