Xposed系列之Demo上手指南及源码解析(一)

先附上Demo代码地址:https://github.com/xbdcc/CXposed/tree/master/demo

Xposed简介

百度百科介绍:

Xposed框架(Xposed Framework)是一套开源的、在Android高权限模式下运行的框架服务,可以在不修改APK文件的情况下影响程序运行(修改系统)的框架服务,基于它可以制作出许多功能强大的模块,且在功能不冲突的情况下同时运作。`

Xposed相关工具

  • Xposed Installer:为安装在手机上的Xposed的主体运行框架,
    手机需要Root权限安装Xposed框架,可以管理Xposed模块
  • VirtualXposed:一个简单的应用程序,无需root用户即可使用Xposed,解锁引导程序或修改系统映像等
  • 太极:一个带有或不带有Root/BL锁的Xposed模块框架,支持Android 5.0〜10

三个工具首页分别长这样:

Xposed Installer VirtualXposed 太极
image

image
image

image
image

image

Xposed Demo

新建项目配置Xposed环境

  • 首先创建创建一个Android Studio项目,然后New一个Module,我们要使用Xposed就需要引入Xposed库,在build.gradle加入
    compileOnly 'de.robv.android.xposed:api:82'
  • 然后在AndroidManifest.xmlapplication节点下加入如下配置
       <meta-data
                android:name="xposedmodule"
                android:value="true" />
        <meta-data
                android:name="xposeddescription"
                android:value="A Xposed demo." />
        <meta-data
                android:name="xposedminversion"
                android:value="89" />

编写Hook代码

  • 新建一个类,里面写一些方法和变量后面使用,如DemoClass
class DemoClass {

    private val name = "carlos"

    fun printlnName() {
        log("name is:$name")
    }

    companion object {

        @JvmStatic
        fun printlnHelloWorld() {
            log("hello world!")
        }

    }

}
  • 接下来新建一个继承自IXposedHookLoadPackage的类,如:
class MainHook : IXposedHookLoadPackage {

    override fun handleLoadPackage(lpparam: XC_LoadPackage.LoadPackageParam?) {
    }

}

  • 使用XposedHelpers调用APP的方法,使用到的就是反射,Java反射也能实现该功能
    private fun hookDemoClass(lpparam: XC_LoadPackage.LoadPackageParam) {
        // 通过类加载器加载DemoClass类
        val hookClass = lpparam.classLoader.loadClass("com.carlos.cxposed.demo.DemoClass") ?: return
        // 通过XposedHelpers调用静态方法printlnHelloWorld
        XposedHelpers.callStaticMethod(hookClass, "printlnHelloWorld")
        // 获取DemoClass的类对象
        val demoClass = hookClass.newInstance()
        // 获取私有字段name
        val field = hookClass.getDeclaredField("name")
        // 私有字段name访问属性改为公有
        field.isAccessible = true
        // 给字段name赋值为"xbd"
        field.set(demoClass, "xbd")
        // 通过XposedHelpers调用非静态方法printlnName
        XposedHelpers.callMethod(hookClass.newInstance(), "printlnName")
    }
  • 然后在MainActivity中增加方法被Hook,如:
class MainActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_main)
        log(getLog())
    }

    private fun getLog() : String {
        return "hello world"
    }

    fun click(view: View) {
        log("click")
    }

}
  • MainHook中增加如下代码对MainActivitygetLogclick方法进行Hook:
    private fun hookMainActivity(lpparam: XC_LoadPackage.LoadPackageParam) {
        val hookClass = lpparam.classLoader.loadClass("com.carlos.cxposed.demo.MainActivity")

        XposedHelpers.findAndHookMethod(hookClass, "getLog", object : XC_MethodHook() {
            override fun beforeHookedMethod(param: MethodHookParam?) {
                xlog("hook before getLog")
                // 修改方法返回值
                param?.result = "this is a hook message."
            }

            override fun afterHookedMethod(param: MethodHookParam?) {
                xlog("hook after getLog")
            }
        })

        XposedHelpers.findAndHookMethod(hookClass, "click", View::class.java,
            object : XC_MethodReplacement() {
                override fun replaceHookedMethod(param: MethodHookParam?): Any {
                    xlog("hook replace click")
                    val thisObject = param?.thisObject ?: return ""
                    // 修改textView的显示内容
                    val activity = thisObject as Activity
                    val textView = activity.findViewById<TextView>(R.id.textview)
                    textView.text = "carlos"
                    return ""
                }
            })

    }
  • 最后在main下新建assets目录,在里面创建xposed_init文件(文件名必须是这个,后面介绍为什么必须为这个),文件里面就可以添加我们刚刚的类了,如:
com.carlos.cxposed.demo.MainHook
  • 模拟器安装好Xposed Installer后,运行项目,可以看出来弹出框:
    image

    image

    点击重启或软重启生效,然后执行操作可以看到打印日志如下,Hook成功:

07-06 22:28:43.470 3965-3965/? I/Xposed: MainHook->MainHook->hook an app start:com.carlos.cxposed.demo
07-06 22:28:43.472 3965-3965/? D/MainHook->: hello world!
07-06 22:28:43.472 3965-3965/? D/MainHook->: name is:xbd
07-06 22:28:45.352 3965-3965/com.carlos.cxposed.demo I/Xposed: MainHook->hook before getLog
07-06 22:28:45.352 3965-3965/com.carlos.cxposed.demo I/Xposed: MainHook->hook after getLog
07-06 22:28:45.352 3965-3965/com.carlos.cxposed.demo D/MainHook->: this is a hook message.
07-06 22:28:51.193 3965-3965/com.carlos.cxposed.demo I/Xposed: MainHook->hook replace click

Xposed原理

Xposed还有C库,我们这里简单分析下我们引用的他的Java层de.robv.android.xposed:api:82,看下我们用到的两个类XposedHelpersXposedBridge的源码

XposedBridge解析

  • 首先找个入口,就从我们Hook类实现的IXposedHookLoadPackage接口开始吧,我们查看到该接口被Xposed自己的jar包调用的有如下几个地方:
    image

    image
  • 跟进去new出这个接口的地方,调用到的代码块如下:
    hookLoadPackage(new IXposedHookLoadPackage.Wrapper((IXposedHookLoadPackage) moduleInstance));
  • 跟进hookLoadPackage方法,可以看到这里将该接口添加到集合里存起来了
    public static void hookLoadPackage(XC_LoadPackage callback) {
        synchronized (sLoadedPackageCallbacks) {
            sLoadedPackageCallbacks.add(callback);
        }
    }
  • 继续回来看hookLoadPackage方法,可以看到他是被XposedBridgeloadModule方法调用:
    /**
     * Load a module from an APK by calling the init(String) method for all classes defined
     * in <code>assets/xposed_init</code>.
     */
    private static void loadModule(String apk) {
        log("Loading modules from " + apk);

        if (!new File(apk).exists()) {
            log("  File does not exist");
            return;
        }

        ClassLoader mcl = new PathClassLoader(apk, BOOTCLASSLOADER);
        InputStream is = mcl.getResourceAsStream("assets/xposed_init");
        if (is == null) {
            log("assets/xposed_init not found in the APK");
            return;
        }

        BufferedReader moduleClassesReader = new BufferedReader(new InputStreamReader(is));
        try {
            String moduleClassName;
            while ((moduleClassName = moduleClassesReader.readLine()) != null) {
                moduleClassName = moduleClassName.trim();
                if (moduleClassName.isEmpty() || moduleClassName.startsWith("#"))
                    continue;

                try {
                    log ("  Loading class " + moduleClassName);
                    Class<?> moduleClass = mcl.loadClass(moduleClassName);

                    if (!IXposedMod.class.isAssignableFrom(moduleClass)) {
                        log ("    This class doesn't implement any sub-interface of IXposedMod, skipping it");
                        continue;
                    } else if (disableResources && IXposedHookInitPackageResources.class.isAssignableFrom(moduleClass)) {
                        log ("    This class requires resource-related hooks (which are disabled), skipping it.");
                        continue;
                    }

                    final Object moduleInstance = moduleClass.newInstance();
                    if (isZygote) {
                        if (moduleInstance instanceof IXposedHookZygoteInit) {
                            IXposedHookZygoteInit.StartupParam param = new IXposedHookZygoteInit.StartupParam();
                            param.modulePath = apk;
                            param.startsSystemServer = startsSystemServer;
                            ((IXposedHookZygoteInit) moduleInstance).initZygote(param);
                        }

                        if (moduleInstance instanceof IXposedHookLoadPackage)
                            hookLoadPackage(new IXposedHookLoadPackage.Wrapper((IXposedHookLoadPackage) moduleInstance));

                        if (moduleInstance instanceof IXposedHookInitPackageResources)
                            hookInitPackageResources(new IXposedHookInitPackageResources.Wrapper((IXposedHookInitPackageResources) moduleInstance));
                    } else {
                        if (moduleInstance instanceof IXposedHookCmdInit) {
                            IXposedHookCmdInit.StartupParam param = new IXposedHookCmdInit.StartupParam();
                            param.modulePath = apk;
                            param.startClassName = startClassName;
                            ((IXposedHookCmdInit) moduleInstance).initCmdApp(param);
                        }
                    }
                } catch (Throwable t) {
                    log(t);
                }
            }
        } catch (IOException e) {
            log(e);
        } finally {
            try {
                is.close();
            } catch (IOException ignored) {}
        }
    }
  • 通过这里可以得知,他是会找APK下assets/xposed_init是否存在,如果不存在则会打印日志并且return返回不往下执行了,所以前面说的文件名必须为xposed_init是因为这里做了判断,如果不按规则来则Hook都会无效
        InputStream is = mcl.getResourceAsStream("assets/xposed_init");
        if (is == null) {
            log("assets/xposed_init not found in the APK");
            return;
        }
  • 继续往上跟会发现loadModule方法被loadModules调用,而loadModulesmain函数调用,也就是Java的主函数入口,代码如下:
    protected static void main(String[] args) {
        // Initialize the Xposed framework and modules
        try {
            SELinuxHelper.initOnce();
            SELinuxHelper.initForProcess(null);

            runtime = getRuntime();
            if (initNative()) {
                XPOSED_BRIDGE_VERSION = getXposedVersion();
                if (isZygote) {
                    startsSystemServer = startsSystemServer();
                    initForZygote();
                }

                loadModules();
            } else {
                log("Errors during native Xposed initialization");
            }
        } catch (Throwable t) {
            log("Errors during Xposed initialization");
            log(t);
            disableHooks = true;
        }

        // Call the original startup code
        if (isZygote)
            ZygoteInit.main(args);
        else
            RuntimeInit.main(args);
    }
  • 接下来我们看MainHook里我们用到的XposedHelpers.callStaticMethodXposedHelpers.callMethod
    可以看到他们调用到的方法都是callMethod,而在其内部调用了findMethodBestMatch方法,
    最终通过invoke(obj, args)反射来执行Hook的方法:
    public static Object callMethod(Object obj, String methodName, Object... args) {
        try {
            return findMethodBestMatch(obj.getClass(), methodName, args).invoke(obj, args);
        } catch (IllegalAccessException e) {
            // should not happen
            XposedBridge.log(e);
            throw new IllegalAccessError(e.getMessage());
        } catch (IllegalArgumentException e) {
            throw e;
        } catch (InvocationTargetException e) {
            throw new InvocationTargetError(e.getCause());
        }
    }
  • 我们继续看XposedHelpers.findAndHookMethod,可以看到调用的是XposedHelpers的findAndHookMethod方法,将方法传入的最后一个对象转为XC_MethodHook
    接着通过findMethodExact方法传入最后一个参数前的所有参数,在findMethodExact方法内部又通过反射clazz.getDeclaredMethod找出具体的方法,
    并且设置该方法访问权限为公有,所有XposedHelpers.findAndHookMethod公有私有方法都能Hook
    public static XC_MethodHook.Unhook findAndHookMethod(Class<?> clazz, String methodName, Object... parameterTypesAndCallback) {
        if (parameterTypesAndCallback.length == 0 || !(parameterTypesAndCallback[parameterTypesAndCallback.length-1] instanceof XC_MethodHook))
            throw new IllegalArgumentException("no callback defined");

        XC_MethodHook callback = (XC_MethodHook) parameterTypesAndCallback[parameterTypesAndCallback.length-1];
        Method m = findMethodExact(clazz, methodName, getParameterClasses(clazz.getClassLoader(), parameterTypesAndCallback));

        return XposedBridge.hookMethod(m, callback);
    }
  • 接着来看看刚刚的XposedBridge.hookMethod,可以看到该方法内部最终通过hookMethodNative调用了Native层的Hook方法。
    继续跟XposedBridge.hookMethod,会发现他又是被hookResources方法调用,而hookResources是被initForZygote方法调用,
    而刚刚我们知道在main函数里调用了initForZygote方法,接下来我们就再看下initForZygote方法
  • 首先我们看到该类中有一个main方法入口,主要看其中的initForZygoteloadModules方法,我们看下其中这段代码,
    可以看到他主要是Hook了ActivityThread类的handleBindApplication这个方法,
    而我们看下ActivityThread的源码就会发现handleBindApplication里面调用了mInstrumentation.callApplicationOnCreate(app)
    其实就是ApplicationonCreate,所以在ApplicationonCreate方法前Xposed就做了Hook拦截执行自己的方法
    // normal process initialization (for new Activity, Service, BroadcastReceiver etc.)
        findAndHookMethod(ActivityThread.class, "handleBindApplication", "android.app.ActivityThread.AppBindData", new XC_MethodHook() {
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                ActivityThread activityThread = (ActivityThread) param.thisObject;
                ApplicationInfo appInfo = (ApplicationInfo) getObjectField(param.args[0], "appInfo");
                String reportedPackageName = appInfo.packageName.equals("android") ? "system" : appInfo.packageName;
                SELinuxHelper.initForProcess(reportedPackageName);
                ComponentName instrumentationName = (ComponentName) getObjectField(param.args[0], "instrumentationName");
                if (instrumentationName != null) {
                    XposedBridge.log("Instrumentation detected, disabling framework for " + reportedPackageName);
                    disableHooks = true;
                    return;
                }
                CompatibilityInfo compatInfo = (CompatibilityInfo) getObjectField(param.args[0], "compatInfo");
                if (appInfo.sourceDir == null)
                    return;

                setObjectField(activityThread, "mBoundApplication", param.args[0]);
                loadedPackagesInProcess.add(reportedPackageName);
                LoadedApk loadedApk = activityThread.getPackageInfoNoCheck(appInfo, compatInfo);
                XResources.setPackageNameForResDir(appInfo.packageName, loadedApk.getResDir());

                LoadPackageParam lpparam = new LoadPackageParam(sLoadedPackageCallbacks);
                lpparam.packageName = reportedPackageName;
                lpparam.processName = (String) getObjectField(param.args[0], "processName");
                lpparam.classLoader = loadedApk.getClassLoader();
                lpparam.appInfo = appInfo;
                lpparam.isFirstApplication = true;
                XC_LoadPackage.callAll(lpparam);

                if (reportedPackageName.equals(INSTALLER_PACKAGE_NAME))
                    hookXposedInstaller(lpparam.classLoader);
            }
        });
点赞

发表评论

电子邮件地址不会被公开。 必填项已用*标注