xposed hook学习笔记

发表于 2022-11-28  431 次阅读


大多数app都设置不能调试外加签名验证或者安装包完整性验证,hook掉就完了

再偷懒点破解核心,参考https://it.cha138.com/nginx/show-280257.html

快速定位目标Activity

adb shell "dumpsys window | grep mCurrentFocus"

对于没加壳的

if (loadPackageParam.packageName.equals("com.immomo.momo")) {
    Log.e(TAG,"发现目标com.immomo.momo");

    Class clazz = loadPackageParam.classLoader.loadClass("com.immomo.momo.message.activity.ChatActivity");
    XposedHelpers.findAndHookMethod(clazz, "d",Boolean.class, new XC_MethodHook() {
        //会在调用原方法前执行,如果使用setResult则跳过原方法,并返回setResult参数中的值
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            Log.e(TAG,"发现目标传入值"+(String) param.args[0]);
            super.beforeHookedMethod(param);
            param.setResult("你已被劫持1");
        }
        //会在调用原方法后执行,setResult可改变返回值
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            Log.e(TAG,"发现目标返回值"+param.getResult());
            //param.setResult("你已被劫持2");
        }

        //会完全替换原方法,即原方法不执行,且返回值可以直接return,setResult不生效。
        //protected Object replaceHookedMethod(MethodHookParam param) throws Throwable {
        //   return null;
        //}
    });
}

对于加壳的先获取壳classloader再hook

if (loadPackageParam.packageName.equals("com.bfire.da.zdj")) {
    Log.e("HOOKTEST","发现目标3");
    XposedHelpers.findAndHookMethod("com.stub.StubApp", loadPackageParam.classLoader,
            "getAppContext", Context.class, new XC_MethodHook() {
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            super.beforeHookedMethod(param);
        }
        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            Log.e("HOOKTEST","发现目标");
            super.afterHookedMethod(param);
            //获取到360的Context对象,通过这个对象来获取classloader
            Context context = (Context) param.args[0];
            //获取360的classloader,之后hook加固后的就使用这个classloader
            ClassLoader classLoader =context.getClassLoader();
            //下面就是强classloader修改成360的classloader就可以成功的hook了
            //shuanq.cn.jni.ShuanQActivity
            XposedHelpers.findAndHookMethod("com.aimakeji.shuanq.library.ShuanQUtil", classLoader, "responseDataSignatureVerification", String.class, String.class, String.class, new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                    super.beforeHookedMethod(param);
                    param.setResult(true);
                }
                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    Log.e(TAG, "responseDataSignatureVerification返回值: " + param.getResult());
                    //param.setResult(null);
                }
            });

获取Context

try {
    Class<?> ContextClass = XposedHelpers.findClass("android.content.ContextWrapper", loadPackageParam.classLoader);
    XposedHelpers.findAndHookMethod(ContextClass, "getApplicationContext", new XC_MethodHook() {
        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            //全局保存 为了方便后面使用
            if (applicationContext[0] != null) {
                return;
            }
            applicationContext[0] = (Context) param.getResult();
            Toast.makeText(applicationContext[0],"得到上下文",Toast.LENGTH_SHORT).show();
            XposedBridge.log("得到上下文");
        }
    });
} catch (Throwable t) {
    XposedBridge.log("获取上下文出错");
}

主动调用方法

//主动调用函数
Class<?> methodClass = XposedHelpers.findClass("com.aimakeji.shuanq.library.ShuanQUtil",classLoader);
Method methodBestMatch = XposedHelpers.findMethodBestMatch(methodClass,"test");
methodBestMatch.invoke(methodClass.newInstance());
//另一种
Class clazz = XposedHelpers.findClass("ms.bd.o.p1$a", loadPackageParam.classLoader);
(Map<String, String>) XposedHelpers.callStaticMethod(clazz, "LIZ", url, _map);

hook onCreateView实现按钮主动点击

XposedHelpers.findAndHookMethod("com.find.diff.a",loadPackageParam.classLoader,"onCreateView", LayoutInflater.class,ViewGroup.class, Bundle.class, new XC_MethodHook() {
                @Override
                protected void afterHookedMethod(final MethodHookParam param) throws Throwable {
                    XposedBridge.log("hook-onCreateView-------------------------------");
                    comFindDiffA = param.thisObject;
                    //hook返回值 保存起来后面用
                    inflate = (View) param.getResult();
                }
});

需要运行在UI线程的方法 runOnUiThread

//comFindDiffA为 param.thisObject 可提前全局保存下来
Object activityObj =(Object) XposedHelpers.callMethod(comFindDiffA, "getActivity");
if(activityObj!=null){
    XposedBridge.log("--------------------------------activityObj有值");
    XposedHelpers.callMethod(activityObj, "runOnUiThread",new Runnable() {
        public void run() {
            //applicationContext 也是全局保存的
            Resources res = applicationContext.getResources();
            //找到id的game_over_next的id编号
            int idNum = res.getIdentifier("game_over_next", "id", 
            applicationContext.getPackageName());
            // inflate 是hook onCreateView得来的
            ViewGroup vg = (ViewGroup) inflate.findViewById(idNum);
            XposedBridge.log("--------------------------------runOnUiThread click");
            //主动点击触发
            vg.performClick();
        }
     });
}

修改类静态属性

//设置ms.bd.o.p1$a的静态属性name值为张三
Class clazz = XposedHelpers.findClass("ms.bd.o.p1$a", loadPackageParam.classLoader);
XposedHelpers.findField(clazz, "name").set(null, "张三");

修改实例对象上属性

Class D2Class = param.thisObject.getClass();
Field name = D2Class.getDeclaredField("name");
name.setAccessible(true);
name.set(param.thisObject, "张三");
本站文章基于国际协议BY-NA-SA 4.0协议共享;
如未特殊说明,本站文章皆为原创文章,请规范转载。

0

心虽在此,逐梦繁星