本文主要是介绍xposed 03 - hook字段与一般方法,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
本文主要讨论一下如何hook字段与方法
hook字段有两种方式:
-
使用反射
-
使用 xposed api
由于xposed 模块也运行在 app 进程中,所以我们可以将 app 的代码当作自己的,直接反射访问。
Hook静态字段与成员字段
测试代码:
package com.example.hooktargeclass HookTarget2 {private var str: String = "hello"companion object {@JvmStaticprivate val id: Int = 10}override fun toString(): String {return "HookTarget2(str='$str')"}}
使用 java 反射来更改静态字段:
@Override
public void handleLoadPackage(XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {if (loadPackageParam.packageName.equals("com.example.hooktarge")) {Class<?> aClass = loadPackageParam.classLoader.loadClass("com.example.hooktarge.HookTarget2");Field id = aClass.getDeclaredField("id");id.setAccessible(true);XposedBridge.log("HookTarget2 id = " + id.get(null));id.set(null, 42);XposedBridge.log("HookTarget2 id = " + id.get(null) + ", change by field set");}
}
输出结果:
HookTarget2 id = 10
HookTarget2 id = 42, change by field set
使用java反射来更改成员字段:
XposedHelpers.findAndHookConstructor("com.example.hooktarge.HookTarget2", loadPackageParam.classLoader, new XC_MethodHook() {@Overrideprotected void beforeHookedMethod(MethodHookParam param) throws Throwable {super.beforeHookedMethod(param);}@Overrideprotected void afterHookedMethod(MethodHookParam param) throws Throwable {super.afterHookedMethod(param);Object thisObject = param.thisObject;Field str = aClass.getDeclaredField("str");str.setAccessible(true);str.set(thisObject, "ass");XposedBridge.log(param.thisObject.toString());}
});
输出结果:
HookTarget2(str='ass')
从上面的测试可以看到使用反射可以成功的更改字段。
但是反射使用起来比较麻烦,所以Xposed也提供了对应的api.
int id1 = XposedHelpers.getStaticIntField(aClass, "id");
XposedBridge.log("HookTarget2 id = " + id1 + " get by api");
XposedHelpers.setStaticIntField(aClass, "id", 100);
XposedBridge.log("HookTarget2 id = " + XposedHelpers.getStaticIntField(aClass, "id") + " set by api");
Object str1 = XposedHelpers.getObjectField(thisObject, "str");
XposedBridge.log(str1 + " get by api");
XposedHelpers.setObjectField(thisObject, "str", "hhhhh");
XposedBridge.log(param.thisObject.toString() + "change by api");
使用内置的 api 就显得简洁多了。
Hook一般方法
java中有这样4种方法:
-
普通类方法
-
内部类方法
-
匿名内部类方法
-
JNI方法
由于Android Art 虚拟机中,一个方法的表示都是 ArtMethod,只不过其执行的函数入口可以选择 jni 入口或者函数体入口,所以JNI方法与普通方法的 hook 是一样的。
内部类/匿名内部类这两个的不同之处在于类名要麻烦点,不过我们可以使用反编译工具拿到其类名。Java的中匿名内部类其实也是有名字的,在开发阶段确实看不到,但是在编译后会分配一个带数字的名字,所以其实内部类与匿名内部类的hook也是一样的。
看一个例子:
package com.example.hooktarge;import android.util.Log;public class HookTarget3 {public void test() {String s = test1();Log.e("HookTarget3", s);String s1 = test2();Log.e("HookTarget3", s1);test3();test4();}class AbsClass {private String test1() {return "test1";}public int run() {return 1;}}private String test1() {return "test1";}private static String test2() {return "test2";}private void test3() {AbsClass absClass = new AbsClass();Log.e("HookTarget3", absClass.test1());}private void test4() {AbsClass absClass = new AbsClass() {@Overridepublic int run() {return 2;}};int run = absClass.run();Log.e("HookTarget3", run + "");}}
对普通方法与静态方法的 hook 是一样的:
XposedHelpers.findAndHookMethod("com.example.hooktarge.HookTarget3",loadPackageParam.classLoader,"test1",new XC_MethodHook() {@Overrideprotected void afterHookedMethod(MethodHookParam param) throws Throwable {super.afterHookedMethod(param);param.setResult("test11111111");}
});XposedHelpers.findAndHookMethod("com.example.hooktarge.HookTarget3",loadPackageParam.classLoader,"test2",new XC_MethodHook() {@Overrideprotected void afterHookedMethod(MethodHookParam param) throws Throwable {super.afterHookedMethod(param);param.setResult("test222222222");}});
但是对于内部类与匿名内部类方法,需要先确定其类名,我们使用 jadx 打开apk,发现它显示的很像源码,是看不出内部类的真正名字的:
package com.example.hooktarge;import android.util.Log;/* loaded from: classes3.dex */
public class HookTarget3 {public void test() {String s = test1();Log.e("HookTarget3", s);String s1 = test2();Log.e("HookTarget3", s1);test3();test4();}/* JADX INFO: Access modifiers changed from: package-private *//* loaded from: classes3.dex */public class AbsClass {AbsClass() {}/* JADX INFO: Access modifiers changed from: private */public String test1() {return "test1";}public int run() {return 1;}}private String test1() {return "test1";}private static String test2() {return "test2";}private void test3() {AbsClass absClass = new AbsClass();Log.e("HookTarget3", absClass.test1());}private void test4() {AbsClass absClass = new AbsClass() { // from class: com.example.hooktarge.HookTarget3.1@Override // com.example.hooktarge.HookTarget3.AbsClasspublic int run() {return 2;}};int run = absClass.run();Log.e("HookTarget3", run + "");}
}
不过常做开发的也能自己拼出内部类的名字,就是使用 $ 连接符。我们切换到 smali 界面:
new-instance v0, Lcom/example/hooktarge/HookTarget3$AbsClass;new-instance v0, Lcom/example/hooktarge/HookTarget3$1;
这里就看到了,内部类的名字是 HookTarget3$AbsClass。
匿名内部类的名字是:HookTarget3$1,可以看到该匿名内部类分配的数字是 1,有兴趣的可以多写几个匿名内部类看看规律。
hook代码如下:
XposedHelpers.findAndHookMethod("com.example.hooktarge.HookTarget3$AbsClass",loadPackageParam.classLoader,"test1",new XC_MethodHook() {@Overrideprotected void afterHookedMethod(MethodHookParam param) throws Throwable {super.afterHookedMethod(param);param.setResult("test11111111");}});XposedHelpers.findAndHookMethod("com.example.hooktarge.HookTarget3$1",loadPackageParam.classLoader,"run",new XC_MethodHook() {@Overrideprotected void afterHookedMethod(MethodHookParam param) throws Throwable {super.afterHookedMethod(param);param.setResult(100);}});
输出log如下:
test11111111
test222222222
test11111111
100
总结:
方法hook一律使用 XposedHelpers.findAndHookMethod(xxx) api,虽然文中并没有演示 jni 的hook(比较懒),但是实际上也是一样的。对于内部类与匿名内部类需要找准其类名后再 hook。
这篇关于xposed 03 - hook字段与一般方法的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
