[Original] Universal code used in Xposed module development
2020-11-30 10:12 4608

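1. The problem: in day-to-day Xposed module development you run into all kinds of packers (shells), and hooking them is a bit difficult, for example Legu (乐加固), 360 Jiagu (360加固), and so on.
2. The solution: hook ClassLoader.class, which lets you find the class you need. But note that once you have found it, do not keep searching further; just return, otherwise you get a recursive call.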

import android.content.Context;

import java.util.Set;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

// LogUtil, PayHelperUtils and NXESHook are the author's own classes; they are not shown in the post.
public class Main implements IXposedHookLoadPackage {

    public static String xxx_PACKAGE = "com.xxx";

    // Set to true once the real hooks have been installed.
    public static boolean xxx_PACKAGE_ISHOOK = false;

    @Override
    public void handleLoadPackage(final XC_LoadPackage.LoadPackageParam lpparam)
            throws Throwable {

        final String packageName = lpparam.packageName;
        XposedBridge.log("pkgname:" + packageName);
        final String processName = lpparam.processName;

        try {
            // Observe every loadClass overload so that classes loaded by the shell's own loader are seen too.
            final Set<XC_MethodHook.Unhook> unhooks = XposedBridge.hookAllMethods(ClassLoader.class, "loadClass", new XC_MethodHook() {

                @Override
                protected void beforeHookedMethod(XC_MethodHook.MethodHookParam param) throws Throwable {
                    // Already hooked: nothing left to do. An exception thrown from a callback
                    // is only caught and logged by XposedBridge, so a plain return is enough.
                    if (xxx_PACKAGE_ISHOOK) {
                        return;
                    }
                }

                @Override
                protected void afterHookedMethod(XC_MethodHook.MethodHookParam param) throws Throwable {
                    super.afterHookedMethod(param);

                    try {
                        if (param.hasThrowable()) {
                            return;
                        }
                        // Only handle loadClass(String).
                        if (param.args.length != 1) {
                            return;
                        }
                        if (xxx_PACKAGE_ISHOOK) {
                            return;
                        }

                        Class<?> cls = (Class<?>) param.getResult();
                        String name = cls.getName();
                        XposedBridge.log("className1:" + name);

                        // Skip classes that belong to the epic hooking framework itself.
                        if ("me.weishu.epic.art.entry.Entry".equals(name)) {
                            return;
                        }
                        if ("me.weishu.epic.art.method.ArtMethod".equals(name)) {
                            return;
                        }

                        // The shell's entry class has been loaded: hook its attachBaseContext.
                        if ("s.h.e.l.l.S".equals(name)) {
                            LogUtil.printLog("s.h.e.l.l.S-------hooked");

                            XposedHelpers.findAndHookMethod("s.h.e.l.l.S", (ClassLoader) param.thisObject, "attachBaseContext",
                                    Context.class,
                                    new XC_MethodHook() {
                                        @Override
                                        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                                            super.afterHookedMethod(param);
                                            LogUtil.printLog("afterHookedMethod s.h.e.l.l.S.attachBaseContext ...");
                                            Context context = (Context) param.args[0];
                                            // After attachBaseContext the context carries the app's ClassLoader.
                                            ClassLoader appClassLoader = context.getClassLoader();
                                            LogUtil.printLog("--->processName:" + processName + " isHooked :" + xxx_PACKAGE_ISHOOK);
                                            if (xxx_PACKAGE.equals(processName) && !xxx_PACKAGE_ISHOOK) {
                                                xxx_PACKAGE_ISHOOK = true;

                                                PayHelperUtils.sendmsg(context, "xxx hook成功,当前xxx 版本:" + PayHelperUtils.getVerName(context));
                                                new NXESHook().hook(appClassLoader, context);
                                            }
                                        }
                                    }
                            );
                        }
                    } catch (Exception exp) {
                        LogUtil.printLog(exp.toString());
                    }
                }
            });
        } catch (Throwable e) {
            XposedBridge.log(e);
        }
    }
}
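The recursion the post warns about, as an added example that is not part of the original post: a plain-JVM model in which a callback that runs after every loadClass call looks the class up again through the same loader, with and without a guard. ObservedLoader, TARGET, LIMIT and the other names are hypothetical, and no Xposed API is used.

```java
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.BiConsumer;

// Added example: plain-JVM model of a loadClass hook; no Xposed API is used.
public class LoadClassGuardDemo {
    static final String TARGET = "java.util.ArrayList"; // constructed stand-in for the class being waited for
    static final int LIMIT = 100; // demo cut-off; without it the unguarded run ends in StackOverflowError

    // Hypothetical stand-in for the hooked ClassLoader: runs a callback after every load.
    static class ObservedLoader extends ClassLoader {
        BiConsumer<ClassLoader, Class<?>> afterLoad = (cl, c) -> { };
        int depth, maxDepth;
        @Override
        public Class<?> loadClass(String name) throws ClassNotFoundException {
            Class<?> c = super.loadClass(name);
            if (depth >= LIMIT) throw new IllegalStateException("runaway re-entry");
            maxDepth = Math.max(maxDepth, ++depth);
            try { afterLoad.accept(this, c); } finally { depth--; }
            return c;
        }
    }

    // Resolving a class by name goes back through loadClass, i.e. back into the callback.
    static void resolve(ClassLoader cl) {
        try { cl.loadClass(TARGET); }
        catch (ClassNotFoundException e) { throw new IllegalStateException(e); }
    }

    // Returns the deepest callback nesting reached while loading TARGET once.
    static int run(boolean guarded) throws ClassNotFoundException {
        ObservedLoader loader = new ObservedLoader();
        AtomicBoolean installed = new AtomicBoolean();   // one-shot: the work is already done
        ThreadLocal<Boolean> busy = ThreadLocal.withInitial(() -> false); // inside the callback now
        loader.afterLoad = (cl, c) -> {
            if (!TARGET.equals(c.getName())) return;
            if (guarded && (busy.get() || installed.get())) return; // found: stop, just return
            busy.set(true);
            try { resolve(cl); installed.set(true); } finally { busy.set(false); }
        };
        try { loader.loadClass(TARGET); }
        catch (IllegalStateException e) { /* unguarded run hit LIMIT */ }
        return loader.maxDepth;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unguarded nesting depth: " + run(false));
        System.out.println("guarded nesting depth:   " + run(true));
    }
}
```

Run it with `java LoadClassGuardDemo.java`: the unguarded callback nests until the demo cut-off, while the guarded one nests only for its own single lookup.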

Latest replies (18)
roysue 2020-11-30 10:36 #2

This isn't universal at all; it still depends on whether the packer's class is S.H.E.L.L

Here's a truly universal one ~~

if (loadPackageParam.packageName.equals("com.cz.babySister")) {
    XposedBridge.log(" has Hooked!");
    XposedBridge.log("inner  => " + loadPackageParam.processName);
    Class ActivityThread = XposedHelpers.findClass("android.app.ActivityThread", loadPackageParam.classLoader);
    // By the time an activity is launched the Application object exists;
    // read its ClassLoader from ActivityThread.mInitialApplication.
    XposedBridge.hookAllMethods(ActivityThread, "performLaunchActivity", new XC_MethodHook() {
        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            super.afterHookedMethod(param);
            Object mInitialApplication = (Application) XposedHelpers.getObjectField(param.thisObject, "mInitialApplication");
            ClassLoader finalCL = (ClassLoader) XposedHelpers.callMethod(mInitialApplication, "getClassLoader");
            XposedBridge.log("found classload is => " + finalCL.toString());
            Class BabyMain = (Class) XposedHelpers.callMethod(finalCL, "findClass", "com.cz.babySister.activity.MainActivity");
            XposedBridge.log("found final class is => " + BabyMain.getName().toString());
            // fart(...) is the poster's own helper; its body is not shown in the thread.
            fart(finalCL);
        }
    });
}

鸭子咯咯哒 2020-11-30 11:58 #3
How do I go about learning this?

caicaihui 2020-11-30 13:31 #4
roysue wrote: This isn't universal at all; it still depends on whether the packer's class is S.H.E.L.L. Here's a truly universal one ~~ if (loadPackageParam.packageName.equals("c ...
The moderator is going a bit too far, only posting such good code now.

virjar 2020-11-30 15:40 #5
https://gitee.com/virjar/xposed-extention/blob/master/src/main/java/com/virjar/xposed_extention/ClassLoadMonitor.java#L216

The so-called "universal" approach from many years ago.

PS: hooking the ClassLoader directly has problems on some phones; some phones load classes implicitly, and some classes never go through the ClassLoader.

小黄鸭爱学习 2020-12-4 10:08 #6
roysue wrote: This isn't universal at all; it still depends on whether the packer's class is S.H.E.L.L. Here's a truly universal one ~~ if (loadPackageParam.packageName.equals("c ...
Wow, good stuff like this isn't even posted on the Planet (星球).

gamehack 2020-12-4 10:29 #7
Looks like good stuff; bookmarking it first!

kakasasa 2021-6-11 17:37 #8

mark

if (loadPackageParam.packageName.equals("com.cz.babySister")) {
    XposedBridge.log(" has Hooked!");
    XposedBridge.log("inner  => " + loadPackageParam.processName);
    Class ActivityThread = XposedHelpers.findClass("android.app.ActivityThread", loadPackageParam.classLoader);
    XposedBridge.hookAllMethods(ActivityThread, "performLaunchActivity", new XC_MethodHook() {
        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            super.afterHookedMethod(param);
            Object mInitialApplication = (Application) XposedHelpers.getObjectField(param.thisObject, "mInitialApplication");
            ClassLoader finalCL = (ClassLoader) XposedHelpers.callMethod(mInitialApplication, "getClassLoader");
            XposedBridge.log("found classload is => " + finalCL.toString());
            Class BabyMain = (Class) XposedHelpers.callMethod(finalCL, "findClass", "com.cz.babySister.activity.MainActivity");
            XposedBridge.log("found final class is => " + BabyMain.getName().toString());
            fart(finalCL);
        }
    });
}

wx_快到手里来 2021-6-11 18:06 #9
roysue wrote: This isn't universal at all; it still depends on whether the packer's class is S.H.E.L.L. Here's a truly universal one ~~ if (loadPackageParam.packageName.equals("c ...
The lower the level, the more universal it is!

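不吃早饭 2021-6-12 18:38 #10

And the ones above deserve to be called universal? They fall flat as soon as they meet a packer that merges dexElements manually.

Hook ART's class initialization function directly: every time a class finishes initializing, a callback is invoked automatically and is passed the class that was just initialized, and you operate on it right inside the callback, regardless of whatever tricks are being played.

Last edited by 不吃早饭 on 2021-6-12 18:44.
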
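疯子Tear 2021-6-13 10:38 #11
不吃早饭 wrote: And the ones above deserve to be called universal? They fall flat as soon as they meet a packer that merges dexElements manually. Hook ART's class initialization function directly: every time a class finishes initializing, a callback is invoked automatically and is passed the class that was just initialized, and you operate on it right inside the callback, regardless of whatever tricks are being played.
Could you post it? A link would do too.
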
不吃早饭 2021-6-13 16:57 #12
疯子Tear wrote: Could you post it? A link would do too.

Just call PendingHookHandler.addClassInitCallBack to add the class whose initialization you want to wait for, together with the corresponding callback function.

https://github.com/necuil/SandHook_with_x86/blob/4a0c1aa7f7e4d5f29e1a20b5d0e2b6a505161902/sandhook/src/main/cpp/utils/hide_api.cpp#L352

Last edited by 不吃早饭 on 2021-6-13 17:02.

你瞒我瞒 2021-6-14 16:20 #13
Terrifying stuff~~ showing off code in style

万里星河 2021-6-17 11:23 #14

koflfy 2021-6-17 11:51 #15
mark

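virjar 2021-6-17 18:25 #16
不吃早饭 wrote: And the ones above deserve to be called universal? They fall flat as soon as they meet a packer that merges dexElements manually. Hook ART's class initialization function directly: every time a class finishes initializing, a callback is invoked automatically and is passed the class that was just initialized, and you operate on it right inside the callback, regardless of whatever tricks are being played.
I spotted the code comment I wrote back when I fixed an issue in SandHook.
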
不吃早饭 2021-6-17 22:06 #17

脑残龙 2021-7-11 14:26 #18
Nothing left to say except to bow in admiration.

脑残龙 2021-7-11 15:04 #19
https://github.com/asLody/SandHook The source code from boss 不吃早饭 is here.