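"Android Reverse Engineering" Part 8: Sorry, If You Can Hook You Really Can Do Whatever You Want - Xposed Quick Start (Part 2): Quick Hooking
Reposted from an article by 正已, a featured post on 52pojie (吾爱破解)
https://attach.52pojie.cn/forum/202302/19/204834aekwxl9ffseh9f7h.gif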
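I. Course objectives
1. Learn the commonly used Xposed APIs
2. Use LSPatch for root-free injection
3. Quick hooking with SimpleHook
II. Tools
1. Tutorial demo (updated)
2. MT Manager / NP Manager
3. 算法助手 (Algorithm Assistant)
4. jadx-gui
5. SimpleHook
6. Android Studio
III. Course content
How to connect to an emulator from a virtual machine
https://www.cnblogs.com/voyage1969/p/14876449.html
Commonly used Xposed APIs
1. Hooking variables
Static variables and instance variables: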
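[*]Static variable (static): initialized at the same time the class is initialized
[*]Non-static variable: initialized when the class is instantiated (when an object is created)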
Static variable:

// "类名" = class name, "变量名" = field name (placeholders)
final Class<?> clazz = XposedHelpers.findClass("类名", classLoader);
XposedHelpers.setStaticIntField(clazz, "变量名", 999);

Instance variable:

final Class<?> clazz = XposedHelpers.findClass("类名", classLoader);
XposedBridge.hookAllConstructors(clazz, new XC_MethodHook() {
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        super.afterHookedMethod(param);
        // param.thisObject is the object the hooked constructor belongs to
        Object ob = param.thisObject;
        XposedHelpers.setIntField(ob, "变量名", 9999);
    }
});

2. Hooking constructors
No-argument constructor:
XposedHelpers.findAndHookConstructor("com.zj.wuaipojie.Demo", classLoader, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        // runs before the constructor body
        super.beforeHookedMethod(param);
    }
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        // runs after the constructor body
        super.afterHookedMethod(param);
    }
});

Constructor with arguments:

// The parameter types (here String.class) go before the callback
XposedHelpers.findAndHookConstructor("com.zj.wuaipojie.Demo", classLoader, String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        super.beforeHookedMethod(param);
    }
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        super.afterHookedMethod(param);
    }
});

3. Hooking multidex apps
// Hook Application.attach(Context) and take the ClassLoader from the Context,
// so that classes living in secondary dex files can be found.
XposedHelpers.findAndHookMethod(Application.class, "attach", Context.class, new XC_MethodHook() {
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        ClassLoader cl = ((Context) param.args[0]).getClassLoader();
        Class<?> hookclass = null;
        try {
            hookclass = cl.loadClass("类名");   // "类名" = class name (placeholder)
        } catch (Exception e) {
            Log.e("zj2595", "未找到类", e);      // log message: "class not found"
            return;
        }
        // "方法名" = method name (placeholder)
        XposedHelpers.findAndHookMethod(hookclass, "方法名", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            }
        });
    }
});

4. Active invocation
Static method:
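Class<?> clazz = XposedHelpers.findClass("类名", lpparam.classLoader);
// Arguments after the method name are optional
XposedHelpers.callStaticMethod(clazz, "方法名" /*, args... */);

Instance method:

Class<?> clazz = XposedHelpers.findClass("类名", lpparam.classLoader);
// Arguments after the method name are optional
XposedHelpers.callMethod(clazz.newInstance(), "方法名" /*, args... */);

5. Hooking inner classes
Inner class: a class declared inside another class
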
// An inner class is addressed as Outer$Inner
XposedHelpers.findAndHookMethod("com.zj.wuaipojie.Demo$InnerClass", lpparam.classLoader, "innerFunc", String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        super.beforeHookedMethod(param);
    }
});

6. Reflection

// Uses java.lang.reflect.Method
Class<?> clazz = XposedHelpers.findClass("com.zj.wuaipojie.Demo", lpparam.classLoader);
XposedHelpers.findAndHookMethod("com.zj.wuaipojie.Demo$InnerClass", lpparam.classLoader, "innerFunc", String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        super.beforeHookedMethod(param);
        // Step 1: find the class
        // Step 2: find the method; if it is private, call setAccessible to grant access
        // Step 3: invoke to call it actively, or set to modify a value (field)
        Class<?> democlass = Class.forName("com.zj.wuaipojie.Demo", false, lpparam.classLoader);
        Method demomethod = democlass.getDeclaredMethod("refl");
        demomethod.setAccessible(true);
        demomethod.invoke(clazz.newInstance());
    }
});

7. Enumerating all methods of all classes
// Uses java.lang.reflect.Method and java.lang.reflect.Modifier
XposedHelpers.findAndHookMethod(ClassLoader.class, "loadClass", String.class, new XC_MethodHook() {
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        super.afterHookedMethod(param);
        // loadClass may have thrown (class not found); then there is no result to inspect
        if (param.hasThrowable() || param.getResult() == null) {
            return;
        }
        Class<?> clazz = (Class<?>) param.getResult();
        String clazzName = clazz.getName();
        // Skip classes outside the target package
        if (clazzName.contains("com.zj.wuaipojie")) {
            Method[] mds = clazz.getDeclaredMethods();
            for (int i = 0; i < mds.length; i++) {
                final Method md = mds[i];
                int mod = md.getModifiers();
                // Skip abstract, native and interface methods
                if (!Modifier.isAbstract(mod) && !Modifier.isNative(mod) && !Modifier.isInterface(mod)) {
                    XposedBridge.hookMethod(md, new XC_MethodHook() {
                        @Override
                        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                            super.beforeHookedMethod(param);
                            Log.d("zj2595", md.toString());
                        }
                    });
                }
            }
        }
    }
});

8. Xposed tricks
Locating code through string assignment:
XposedHelpers.findAndHookMethod("android.widget.TextView", lpparam.classLoader, "setText", CharSequence.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        super.beforeHookedMethod(param);
        // setText(null) is legal, so guard before calling toString()
        if (param.args[0] == null) {
            return;
        }
        String text = param.args[0].toString();
        Log.d("zj2595", text);
        // "已过期" = "expired"; compare as String so Spannable text also matches
        if ("已过期".equals(text)) {
            printStackTrace();
        }
    }
});

// Logs the current call stack to show which code set the text
private static void printStackTrace() {
    Throwable ex = new Throwable();
    StackTraceElement[] stackElements = ex.getStackTrace();
    for (int i = 0; i < stackElements.length; i++) {
        StackTraceElement element = stackElements[i];
        Log.d("zj2595", "at " + element.getClassName() + "." + element.getMethodName()
                + "(" + element.getFileName() + ":" + element.getLineNumber() + ")");
    }
}

Click event listening:

Class<?> clazz = XposedHelpers.findClass("android.view.View", lpparam.classLoader);
XposedBridge.hookAllMethods(clazz, "performClick", new XC_MethodHook() {
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        super.afterHookedMethod(param);
        // mListenerInfo is null for views that never had a listener set
        Object listenerInfoObject = XposedHelpers.getObjectField(param.thisObject, "mListenerInfo");
        if (listenerInfoObject == null) {
            return;
        }
        Object mOnClickListenerObject = XposedHelpers.getObjectField(listenerInfoObject, "mOnClickListener");
        if (mOnClickListenerObject == null) {
            return;
        }
        // The listener's class name shows where the click handler lives
        String callbackType = mOnClickListenerObject.getClass().getName();
        Log.d("zj2595", callbackType);
    }
});

Rewriting the layout:

XposedHelpers.findAndHookMethod("com.zj.wuaipojie.ui.ChallengeSixth", lpparam.classLoader, "onCreate", Bundle.class, new XC_MethodHook() {
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        super.afterHookedMethod(param);
        // Look the view up by its resource id and hide it
        View img = (View) XposedHelpers.callMethod(param.thisObject, "findViewById", 0x7f0800de);
        img.setVisibility(View.GONE);
    }
});

Xposed module patching: LSPatch
https://attach.52pojie.cn/forum/202302/19/204745jum97hejm7n23ukd.png
PS: Android 9 is the minimum supported version
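
The three reflection steps from section 6 and the method filter from section 7 can be tried on a plain JVM, without Android or the Xposed API. This is an added example, not code from the original post; `ReflectionWalkthrough`, `DemoImpl` and the members of the stand-in `Demo` class are constructed for illustration.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

public class ReflectionWalkthrough {
    // Constructed stand-in for the tutorial's com.zj.wuaipojie.Demo (hypothetical members)
    static abstract class Demo {
        private String refl() { return "private refl() reached"; }
        abstract void notImplemented();        // no body: must be skipped
        public native void nativeFunc();       // no Java body: must be skipped
        static class InnerClass {
            void innerFunc(String s) { }
        }
    }
    static class DemoImpl extends Demo {
        @Override void notImplemented() { }
    }

    // Section 7's filter: keep only methods that have a Java body to hook
    static List<String> hookableMethods(Class<?> clazz) {
        List<String> names = new ArrayList<>();
        for (Method m : clazz.getDeclaredMethods()) {
            int mod = m.getModifiers();
            if (!Modifier.isAbstract(mod) && !Modifier.isNative(mod)) {
                names.add(m.getName());
            }
        }
        return names;
    }

    // Section 6's steps: find the class, find the method, setAccessible, invoke
    static Object callPrivate(String className, Object target, String method) throws Exception {
        Class<?> c = Class.forName(className, false, ReflectionWalkthrough.class.getClassLoader());
        Method m = c.getDeclaredMethod(method);  // getMethod() only sees public methods
        m.setAccessible(true);                   // required because refl() is private
        return m.invoke(target);
    }

    public static void main(String[] args) throws Exception {
        // Nested classes are addressed with '$', as in "Demo$InnerClass" in the hooks above
        String demoName = ReflectionWalkthrough.class.getName() + "$Demo";
        System.out.println(hookableMethods(Demo.class));
        System.out.println(hookableMethods(Demo.InnerClass.class));
        System.out.println(callPrivate(demoName, new DemoImpl(), "refl"));
    }
}
```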
Xposed quick hooking
SimpleHook
https://attach.52pojie.cn/forum/202302/19/204748eo1yog0fg030f503.png
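jshook
Xposed source code
XPOSED modification, part 1: obtaining signatures
LSPosed: technical principles and basic installation and usage
[Original] Source compilation (2): Xposed source compilation explained
IV. Homework
Let me think about it
V. Q&A
One thing to mention: I expect someone will ask why my AS (Android Studio) looks different from theirs. That is because I use some plugins. Plugin entry: File->Settings->Plugins in the top-left corner, where you can search for and install the plugins you want. Below are the plugins I use: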
https://attach.52pojie.cn/forum/202302/19/204743lfh7fmzxsx9073o3.png
https://attach.52pojie.cn/forum/202302/19/204741yanep4p66upgivgf.png
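VI. Video and courseware links
Baidu Cloud
Alibaba Cloud
Bilibili
PS: The extraction password is 52pj in every case. Alibaba Cloud does not allow sharing compressed archives, so download the exe file there and double-click it to self-extract.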