广州免费设计网站建设,想做网站哪个公司比较好,营销网站建设哪家好,seo概念文章目录 xpose插件开发步骤清单文件新建一个类#xff08;插件入口点#xff09;设置入口点 Hook第一个实例zhuceji.apk一些常用的HOOKHookH5PluginHookProxyPluginHookSystem 资料Xposed原理初探 xpose插件开发步骤 magisk安装与配置 Xpose Framework API LSPosed magisk … 文章目录 xpose插件开发步骤清单文件新建一个类插件入口点设置入口点 Hook第一个实例zhuceji.apk一些常用的HOOKHookH5PluginHookProxyPluginHookSystem 资料Xposed原理初探 xpose插件开发步骤 magisk安装与配置 Xpose Framework API LSPosed magisk 一键集成环境再也不用每次刷完机繁琐得配置环境了 Xposed 插件开发之一: Xposed入门 Xposed模块开发
清单文件 新建一个类插件入口点
## 引入模块
设置入口点 Hook第一个实例zhuceji.apk
package com.kika.testxposed;import android.widget.EditText;import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.security.MessageDigest;public class HookZhuCeJi implements IHook {final String packageName com.qianyu.zhuceji;Overridepublic boolean isThisPackageName(XC_LoadPackage.LoadPackageParam lpparam) {return packageName.equals(lpparam.packageName);}Overridepublic void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {XposedBridge.log(编写Xposed插件模板, 开启Hook之路!);XposedBridge.log(找到我们要hook的应用程序);XposedHelpers.findAndHookMethod(com.qianyu.zhuceji.MainActivity,lpparam.classLoader, // 类加载器checkSN, // 方法名String.class, String.class, // 参数列表new XC_MethodHook() {// HOOK之前,打印参数信息,修改参数Overrideprotected void beforeHookedMethod(MethodHookParam param) throws Throwable {super.beforeHookedMethod(param);// 打印参数信息XposedBridge.log(username param.args[0]);XposedBridge.log(sn param.args[1]);// 打印方法调用堆栈信息StackTraceElement[] wodelogs new Throwable(wodelog).getStackTrace();for (StackTraceElement wodelog : wodelogs) {XposedBridge.log(查看堆栈: wodelog.toString());}}/*** private Button btn;* private EditText edit_sn;* private EditText edit_username;* param param param* throws Throwable Throwable*/Overrideprotected void afterHookedMethod(MethodHookParam param) throws Throwable {super.afterHookedMethod(param);// 打印返回值信息XposedBridge.log(返回值: param.getResult());// 修改返回值// param.setResult(true);Class? clazz param.thisObject.getClass();XposedBridge.log(参数: clazz);// 获取用户名字段Field edit_username clazz.getDeclaredField(edit_username);// 设置可以访问edit_username.setAccessible(true);// 获取组件EditText et_user (EditText) edit_username.get(param.thisObject);// 获取内容String name et_user.getText().toString().trim();// 获取注册码字段Field edit_sn clazz.getDeclaredField(edit_sn);edit_sn.setAccessible(true);EditText et_sn (EditText) edit_sn.get(param.thisObject);String sn et_sn.getText().toString().trim();XposedBridge.log(用户名: name);XposedBridge.log(注册码: name);// 指定算法MD5MessageDigest digest MessageDigest.getInstance(MD5);// 初始化digest.reset();// 更新digest.update(3192850648qq.com.getBytes());// 获取方法String methodName toHexString;Class?[] parameterTypes new Class[]{byte[].class, String.class};Method method clazz.getDeclaredMethod(methodName, parameterTypes);// 设置可见method.setAccessible(true);// 主动调用方法String hexstr (String)method.invoke(param.thisObject, new Object[]{digest.digest(), sn});// 字符串拼接StringBuilder sb new StringBuilder();for (int i 0; i hexstr.length(); i) {sb.append(hexstr.charAt(i));}// 设置编辑框的值et_user.setText(3192850648qq.com);et_sn.setText(sb.toString());}});}
}
一些常用的HOOK
HookH5Plugin
package com.kika.testxposed;import android.util.Log;
import android.webkit.WebView;import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XC_MethodReplacement;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;public class HookH5Plugin implements IHook{Overridepublic boolean isThisPackageName(XC_LoadPackage.LoadPackageParam lpparam) {return true;}Overridepublic void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {// 强制H5调试插件开发XposedBridge.hookAllConstructors(WebView.class,new XC_MethodHook() {Overrideprotected void beforeHookedMethod(MethodHookParam param) throws Throwable {super.beforeHookedMethod(param);// 主动调用静态方法call 第一参数传的是类final Object[] params {true};XposedHelpers.callStaticMethod(WebView.class, setWebContentsDebuggingEnabled, params);Log.d(HookH5Plugin.class.getSimpleName(), package: lpparam.packageName);}});// 方法重载XposedBridge.hookAllMethods(WebView.class,setWebContentsDebuggingEnabled,new XC_MethodHook() {Overrideprotected void beforeHookedMethod(MethodHookParam param) throws Throwable {super.beforeHookedMethod(param);param.args[0] true;Log.d(HookH5Plugin.class.getSimpleName(), package: lpparam.packageName);}});// 拦截替换直接方法逻辑XposedHelpers.findAndHookMethod(io.dcloud.common.adapter.ui.WebViewImpl,lpparam.classLoader,setWebViewData,new XC_MethodReplacement() {Overrideprotected Object replaceHookedMethod(MethodHookParam methodHookParam) throws Throwable {Log.d(HookH5Plugin.class.getSimpleName(), setWebViewData is replace);return null;}});}
}
HookProxyPlugin
package com.kika.testxposed;import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;public class HookProxyPlugin implements IHook{Overridepublic boolean isThisPackageName(XC_LoadPackage.LoadPackageParam lpparam) {return true;}Overridepublic void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {XposedHelpers.findAndHookMethod(System.class,getProperty,String.class,new XC_MethodHook() {Overrideprotected void afterHookedMethod(MethodHookParam param) throws Throwable {super.afterHookedMethod(param);XposedBridge.log(绕过代理检测);String str (String) param.args[0];if (str.equals(https.proxyHost) || str.equals(http.proxyHost)|| str.equals(https.proxyPort) || str.equals(http.proxyPort)) {param.setResult(null);}}});XposedHelpers.findAndHookMethod(URL.class,openConnection,new XC_MethodHook() {Overrideprotected void beforeHookedMethod(MethodHookParam param) throws Throwable {super.beforeHookedMethod(param);XposedBridge.log(强制代理);param.args[0] new Proxy(Proxy.Type.HTTP, new InetSocketAddress(192.168.99.13, 8888));}});}
}
HookSystem
package com.kika.testxposed;import android.net.wifi.WifiInfo;import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;
import java.net.InetAddress;/*** Hook 系统的一些方法*/
public class HookSystem implements IHook {public static long isToLong(String strIp) {long[] ip new long[4];int position1 strIp.indexOf(.);int position2 strIp.indexOf(., position1 1);int position3 strIp.indexOf(., position2 1);// 将每个.之间的字符串转换成整形ip[0] Long.parseLong(strIp.substring(0, position1));ip[1] Long.parseLong(strIp.substring(position1 1, position2));ip[2] Long.parseLong(strIp.substring(position2 1, position3));ip[3] Long.parseLong(strIp.substring(position3 1));return (ip[0] 24) (ip[1] 16) (ip[2] 8) ip[3];}Overridepublic boolean isThisPackageName(XC_LoadPackage.LoadPackageParam lpparam) {return true;}Overridepublic void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {// 拦截系统方法,篡改IMEI设备号XposedHelpers.findAndHookMethod(android.telephony.TelephonyManager,lpparam.classLoader,getDeviceId,new XC_MethodHook() {Overrideprotected void afterHookedMethod(MethodHookParam param) throws Throwable {//param.setResult(HookSystem.isToLong(param.getResult().toString()));XposedBridge.log(imei: param.getResult());}});// HOOK构造方法,拦截IP地址XposedHelpers.findAndHookConstructor(java.net.InetSocketAddress,lpparam.classLoader,String.class,int.class,new XC_MethodHook() {Overrideprotected void beforeHookedMethod(MethodHookParam param) throws Throwable {super.beforeHookedMethod(param);XposedBridge.log(IP地址: param.args[0]);}Overrideprotected void afterHookedMethod(MethodHookParam param) throws Throwable {super.afterHookedMethod(param);}});// 拦截流量上网IP地址XposedHelpers.findAndHookMethod(InetAddress.class,getHostAddress,new XC_MethodHook() {Overrideprotected void beforeHookedMethod(MethodHookParam param) throws Throwable {super.beforeHookedMethod(param);}Overrideprotected void afterHookedMethod(MethodHookParam param) throws Throwable {super.afterHookedMethod(param);XposedBridge.log(IP地址: param.getResult());}});// 拦截WIFI上网IP地址XposedHelpers.findAndHookMethod(WifiInfo.class,getIpAddress,new XC_MethodHook() {Overrideprotected void beforeHookedMethod(MethodHookParam param) throws Throwable {super.beforeHookedMethod(param);}Overrideprotected void afterHookedMethod(MethodHookParam param) throws Throwable {super.afterHookedMethod(param);XposedBridge.log(IP地址: param.getResult());// 分割字符串String[] str 192.168.1.99.split(\\.);// 定义一个字符串,用来存储反转后的IP地址String ipAddress ;// for循环控制IP地址反转for (int i 3; i 0; i--) {ipAddress ipAddress str[i] .;}// 去除最后一位的.ipAddress ipAddress.substring(0, ipAddress.length() - 1);// 返回新的整形IP地址param.setResult((int) isToLong(ipAddress));}});}
}
资料
Xposed原理初探
一、Xposed 框架实现 Hook 的原理介绍 Zygote是Android的核心每运行一个appZygote就会fork一个虚拟机实例来运行app Xposed Framework深入到了Android核心机制中通过改造Zygote来实现一些很牛逼的 功能。Zygote的启动配置在init.rc 脚本中由系统启动的时候开启此进程对应的 执行文件是/system/bin/app_process这个文件完成类库加载及一些函数调用的工作。 当系统中安装了Xposed Framework之后会对app_process进行扩展也就是说Xposed Framework 会拿自己实现的app_process覆盖掉Android原生提供的app_process文件 当系统启动的时候就会加载由 Xposed Framework 替换过的进程文件并且Xposed Framework 还定义了一个 jar 包系统启动的时候也会加载这个包 /data/data/de.robv.android.xposed.installer/bin/XposedBridge.jar
二、Xposed框架运行的条件 1.Rooted Device / Emulator 已root的手机或者模拟器 2.Xposed Installer (Xposed安装程序下载) 3.Hooking Android App 要被Hook的目标 App
Xposed Framework就是一个apk包也就是上面下载的Xposed安装程序下载后用下面 的命令安装到手机上或者模拟器 adb install de.robv.android.xposed.installer_v32_de4f0d.apk
app framework C linux内核
linux内核 -- init -- app_process -- Zygote
Zygote进程在启动过程中除了创建一个Dalvik虚拟机实例之外还会将Java运行时库 加载到进程中来同时还会注册一些Android核心类的JNI方法到前面创建的Dalvik虚拟 机实例中去。
一个应用程序被孵化出来的时候其不仅会获得Zygote进程中的Dalvik虚拟机实例还 会与Zygote一起共享Java运行时库这也是可以将XposedBridge.jar这个jar包加载到 每一个Android应用中的原因。
Xposed_zygote进程启动后会初始化一些so文件/system/lib、/system/lib64然后 进入XposedBridge.jar中的XposedBridge.main中加载模块初始化jar包完成对一些关键 Android系统函数的hook。
Hook则是利用修改过的虚拟机将函数注册为native函数。 然后再返回zygote中完成原本zygote需要做的工作。
META-INF/ 里面有文件配置脚本 flash-script.sh 配置各个文件安装位置。 system/bin/ 替换zygote进程等文件 system/framework/XposedBridge.jar jar包位置 system/lib system/lib64 一些so文件所在位置 xposed.prop xposed版本说明文件
Android https://developer.android.google.cn/
SDK刷机包下载 x86https://dl-xda.xposed.info/framework/ x86_64https://github.com/youling257/XposedTools/files/1931996/xposed-x86_64.zip
VirtualApp https://github.com/asLody/VirtualApp
Android Hook技术防范漫谈 https://tech.meituan.com/android_anti_hooking.html
XPOSED魔改一 https://bbs.pediy.com/thread-258639.htm
企业壳反调试及hook检测分析 https://mp.weixin.qq.com/s/StnqWtZMFCu09snIEGi1RQ
破解某支付软件防Xposed等框架Hook功能检测机制 https://mp.weixin.qq.com/s/Je1kRksxHTTYb4l9x3bTmQ
阿里系产品Xposed Hook检测机制原理分析 https://bbs.pediy.com/thread-218848.htm
抖音短视频检测 Xposed 分析一 https://www.52pojie.cn/thread-684757-1-1.html
抖音短视频检测 Xposed 分析二 https://www.52pojie.cn/thread-691584-1-1.html
