xposed编写hook模块

113 阅读 0 评论 75 点赞

我是靠谱客的博主外向雨，这篇文章主要介绍xposed编写hook模块，现在分享给大家，希望可以做个参考。

参考

一.首先按照网上教程，编写最简单的load包名模块。

首先添加依赖，不用下载jar包，直接在app的build.gradle的dependence中添加
compileOnly 'de.robv.android.xposed:api:82'
compileOnly 'de.robv.android.xposed:api:82:sources'
然后同步一下，没有报错就可以了，之前一直下载jar包然后添加库，结果虽然没报错但xposed日志里一直是"can not load module"。
然后修改AndroidManifest，添加meta标签，结构应如下，添加了三个标签：

复制代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:theme="@style/AppTheme">
        
        <meta-data
        	android:name="xposedmodule"
        	android:value="true" />
        <meta-data
            android:name="xposeddescription"
            android:value="Easy example which makes the status bar clock red and adds a smiley" />
        <meta-data
            android:name="xposedminversion"
            android:value="53" />
    </application>

接着新建一个类aa，代码如下：

复制代码

1
2
3
4
5
6
public class aa implements IXposedHookLoadPackage {
    public void handleLoadPackage(final XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {
        XposedBridge.log("Loaded app: " + lpparam.packageName);
    }
}

接下来告诉xposed此模块的入口点，新建assets文件夹，在assets文件夹下创建一个名叫xposed_init的text文件。在该文件中写下我们hook类的全名。它是：包名.aa。
至此完成，但运行会提示找不到入口activity，修改run/debug configuration,将launch options改为nothing，运行，然后激活并重启模块。之后可以在日志中看到load的app名。
在这里插入图片描述

二.替换源程序的方法

编写一个简单app，单击按键会toast。我们想要替换toast的字符串为“22222”。

复制代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
//将替换的app。
package example.com.jnitest;

public class MainActivity extends Activity {

    Button button;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        button=findViewById(R.id.button);
        button.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                Toast.makeText(MainActivity.this, toastMessage(), Toast.LENGTH_SHORT).show();
            }
        });
    }

    public String toastMessage() {
        return "我未被劫持";
    }

在刚才的模块工程中新建一个类bb，

复制代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
public class bb implements IXposedHookLoadPackage {
    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {
        if (loadPackageParam.packageName.equals("example.com.jnitest")) {		//要hook的包名
        
            Class clazz = loadPackageParam.classLoader.loadClass(
                    "example.com.jnitest.MainActivity");			//要hook的函数所在的activity
                    
            XposedHelpers.findAndHookMethod(clazz, "toastMessage", new XC_MethodHook() {		//要hook的函数名
            
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                }
                
                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    param.setResult("你已被劫持");			//想替换的返回值
                }
            });
        }
    }
}

在xposed_init下新添加一行：包名.bb，运行激活重启。
在这里插入图片描述
除此之外可以将一些参数打印到控制台中，不用打印到xposed日志中，这样比较方便看。其他功能还没深入了解，待解决：native方法的hook。

###################
XC_MethodHook中定义了回调方法：

1.beforeHookedMethod(MethodHookParam param)：被hook方法调用前执行，调用param.setResult可以跳过被hook的方法。

2.afterHookedMethod(MethodHookParam param) ：被hook方法调用后执行，调用param.setResult更改被hook方法的执行结果。

复制代码

public class XposedHook implements IXposedHookLoadPackage {
    public void handleLoadPackage(final XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {	//包加载时会调用
        XposedBridge.log("Loaded app: " + lpparam.packageName);

if (!lpparam.packageName.equals("com.bingghost.simplehelloworld"))
        {
            return;
        }

findAndHookMethod("com.bingghost.simplehelloworld.MainActivity", lpparam.classLoader, "sayhello", int.class, int.class, new XC_MethodHook() {

protected void beforeHookedMethod(MethodHookParam param) {
                param.setResult("i am new result! before");  //
                Integer  para1 =  (Integer) param.args[0];   //获取参数1
                Integer para2 = (Integer) param.args[1];     //获取参数2
                String s1 = Integer.toString(para1);
                String s2 = Integer.toString(para2);
                Log.v("hook before param1:", s1);
                Log.v("hook before param2:", s2);

param.args[0] = 100;  //设置参数1
                param.args[1] = 200;  //设置参数2

Log.v("hook", "before hook!");
            }

protected void afterHookedMethod(MethodHookParam param) {
                String str = (String) param.getResult();
                Log.v("hook after result :", str);
                Integer  para1 =  (Integer) param.args[0];   //获取参数1
                Integer para2 = (Integer) param.args[1];     //获取参数2
                String s1 = Integer.toString(para1);
                String s2 = Integer.toString(para2);
                param.setResult("i am new result! after");   //设置返回值

Log.v("hook param1:", s1);
                Log.v("hook param2:", s2);
                Log.v("hook result:", "i am new result! after");
            }
        });
    }
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
public class XposedHook implements IXposedHookLoadPackage {
    public void handleLoadPackage(final XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {	//包加载时会调用
        XposedBridge.log("Loaded app: " + lpparam.packageName);

        if (!lpparam.packageName.equals("com.bingghost.simplehelloworld"))
        {
            return;
        }

        findAndHookMethod("com.bingghost.simplehelloworld.MainActivity", lpparam.classLoader, "sayhello", int.class, int.class, new XC_MethodHook() {

            protected void beforeHookedMethod(MethodHookParam param) {
                param.setResult("i am new result! before");  //
                Integer  para1 =  (Integer) param.args[0];   //获取参数1
                Integer para2 = (Integer) param.args[1];     //获取参数2
                String s1 = Integer.toString(para1);
                String s2 = Integer.toString(para2);
                Log.v("hook before param1:", s1);
                Log.v("hook before param2:", s2);

                param.args[0] = 100;  //设置参数1
                param.args[1] = 200;  //设置参数2

                Log.v("hook", "before hook!");
            }

			protected void afterHookedMethod(MethodHookParam param) {
                String str = (String) param.getResult();
                Log.v("hook after result :", str);
                Integer  para1 =  (Integer) param.args[0];   //获取参数1
                Integer para2 = (Integer) param.args[1];     //获取参数2
                String s1 = Integer.toString(para1);
                String s2 = Integer.toString(para2);
                param.setResult("i am new result! after");   //设置返回值

                Log.v("hook param1:", s1);
                Log.v("hook param2:", s2);
                Log.v("hook result:", "i am new result! after");
            }
        });
    }
}