一、hook方法
在方法调用前HOOK (beforeHookedMethod)
//下方参数依次是 (包名, classLoader,方法名,参数1的class,参数2的class等等)
XposedHelpers.findAndHookMethod("com.app.da.ff",loadPackageParam.classLoader,"LIZ",String.class,new XC_MethodHook() {
@Override
protected void beforeHookedMethod(XC_MethodHook.MethodHookParam param) throws Throwable {
XposedBridge.log("before hook-------");
//当前实例对象
param.thisObject
//参数1
String arg1 = (String) param.args[0];
//参数2
String arg2 = (String) param.args[1];
//修改参数1
param.args[0] = 1;
//设置方法返回值
param.setResult("修改后的返回值");
}
});
在方法调用后HOOK (afterHookedMethod)
//下方参数依次是 (包名, classLoader,方法名,参数1的class,参数2的class等等)
XposedHelpers.findAndHookMethod("com.app.da.ff",loadPackageParam.classLoader,"LIZ",String.class,new XC_MethodHook() {
@Override
protected void afterHookedMethod(XC_MethodHook.MethodHookParam param) throws Throwable {
XposedBridge.log("before hook-------");
//当前实例对象
param.thisObject
//参数1
String arg1 = (String) param.args[0];
//参数2
String arg2 = (String) param.args[1];
//修改参数1
param.args[0] = 1;
//因为在方法调用后hook的所以此时可以拿到返回值
param.getResult();
//获取实力对象上面的属性V0的值(int类型)
Field fd = param.thisObject.getClass().getDeclaredField("V0");
fd.setAccessible(true);
//强转int类型
int V0 = (int) fd.get(param.thisObject);
//多层对象属性获取
//获取实力对象上的对象类型的属性, 也就是this.c.c的情况
Field fd = param.thisObject.getClass().getDeclaredField("c");
fd.setAccessible(true);
Object ccObject = (Object) fd.get(param.thisObject);
Field ccfd = ccObject.getClass().getDeclaredField("c");
ccfd.setAccessible(true);
int successNum = (int) ccfd.get(ccObject);
}
});
查找应用内class
//hook方法或者调用方法的时候会用到
Class clazz = XposedHelpers.findClass("ms.bd.o.p1$a", loadPackageParam.classLoader);
实力对象方法主动调用
//调用实例对象上面的方法,可以和param.thisObject结合使用,
Map __map = (Map) XposedHelpers.callMethod(param.thisObject, "LIZ", url, _map);
类静态方法主动调用
Class clazz = XposedHelpers.findClass("ms.bd.o.p1$a", loadPackageParam.classLoader);
(Map) XposedHelpers.callStaticMethod(clazz, "LIZ", url, _map);
获取一个类已经实例化的对象
这个我没测试过
Class clazz = XposedHelpers.findClass("ms.bd.o.p1$a", loadPackageParam.classLoader);
#获取到了一个数组 随便取一个用
Object[] enumConstants = clazz.getEnumConstants();
主动实例化一个对象
Class clazz = XposedHelpers.findClass("ms.bd.o.p1$a", loadPackageParam.classLoader);
Object classObj = XposedHelpers.newInstance(clazz,arg1,arg2);
修改类静态属性
//设置ms.bd.o.p1$a的静态属性name值为张三
Class clazz = XposedHelpers.findClass("ms.bd.o.p1$a", loadPackageParam.classLoader);
XposedHelpers.findField(clazz, "name").set(null, "张三");
修改实例对象上属性
Class D2Class = param.thisObject.getClass();
Field name = D2Class.getDeclaredField("name");
name.setAccessible(true);
name.set(param.thisObject, "张三");
获取 applicationContext
try {
Class ContextClass = XposedHelpers.findClass("android.content.ContextWrapper", loadPackageParam.classLoader);
XposedHelpers.findAndHookMethod(ContextClass, "getApplicationContext", new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
if (applicationContext != null) {
return;
}
//全局保存 为了方便后面使用
applicationContext = (Context) param.getResult();
XposedBridge.log("得到上下文");
}
});
} catch (Throwable t) {
XposedBridge.log("获取上下文出错");
}
hook onCreateView实现按钮主动点击
XposedHelpers.findAndHookMethod("com.find.diff.a",loadPackageParam.classLoader,"onCreateView", LayoutInflater.class,ViewGroup.class, Bundle.class, new XC_MethodHook() {
@Override
protected void afterHookedMethod(final MethodHookParam param) throws Throwable {
XposedBridge.log("hook-onCreateView-------------------------------");
comFindDiffA = param.thisObject;
//hook返回值 保存起来后面用
inflate = (View) param.getResult();
}
});
需要运行在UI线程的方法 runOnUiThread
//comFindDiffA为 param.thisObject 可提前全局保存下来
Object activityObj =(Object) XposedHelpers.callMethod(comFindDiffA, "getActivity");
if(activityObj!=null){
XposedBridge.log("--------------------------------activityObj有值");
XposedHelpers.callMethod(activityObj, "runOnUiThread",new Runnable() {
public void run() {
//applicationContext 也是全局保存的
Resources res = applicationContext.getResources();
//找到id的game_over_next的id编号
int idNum = res.getIdentifier("game_over_next", "id",
applicationContext.getPackageName());
// inflate 是hook onCreateView得来的
ViewGroup vg = (ViewGroup) inflate.findViewById(idNum);
XposedBridge.log("--------------------------------runOnUiThread click");
//主动点击触发
vg.performClick();
}
});
}