Most people have heard of the WeChat red-envelope grabbing plugins, but few have thought about how they work. I used to assume they listened for a message broadcast or something similar. A few days ago I read an article on testerhome, "Testing with a hacker's mindset: an introduction to the Xposed framework", and realised that this is probably how the red-envelope plugins are implemented. Around the same time a colleague told me about a WeChat step-counter cheat (sadly, that is what the internet uses this for), so I started studying the now well-known Xposed framework. I think it has a lot of potential.

References: "Testing with a hacker's mindset: an introduction to the Xposed framework"; "Android Hook: getting started with Xposed and a login-hijacking demo"; the Xposed home page.

About Xposed

The Xposed framework is a framework service that changes how a program (or the system itself) behaves without modifying its APK. Many powerful modules are built on it, and several modules can change the same part of the system or an app at the same time, which is impossible with patched APKs, where you would have to pick one.

The basic principle

The Zygote process is the core of Android: every application process and every system service process is forked from it. Xposed hooks into this core mechanism by modifying Zygote itself. Zygote is started from the /init.rc script at boot; the executable behind it is /system/bin/app_process, which loads the required libraries and runs some initialisation code. When the Xposed framework is installed it replaces this app_process with its own build, so that during startup app_process also loads the XposedBridge.jar package. Because every app process is forked from a Zygote that already has XposedBridge loaded, every Dalvik virtual machine it creates is under Xposed's control. Replacing a file under /system is also why the installation needs root and a reboot.

Installation

Android 5.0 and above use a different package; see repo.xposed.info/module/de.r… for details.

For convenience I used a phone running Android 4.4, where a single APK is all that has to be installed. The phone must be rooted, because installing Xposed requires root; once the installation has succeeded, root is no longer needed. Reboot after installing.

Tap Install as the app instructs; if all goes well, reboot and Xposed is ready to use.

Writing and using a hook module

The Xposed site hosts many modules written by others that can be downloaded and installed directly, but you can also write your own. A module is just an APK built according to a few rules; when it is installed, Xposed recognises it. Let's write a small demo, using the time-hooking example from the testerhome article.

First, write the test APK

```java
package com.example.showtimer;

import java.util.Calendar;

import android.app.Activity;
import android.os.Bundle;
import android.view.View;
import android.view.View.OnClickListener;
import android.view.Window;
import android.widget.Button;
import android.widget.TextView;

public class MainActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        requestWindowFeature(Window.FEATURE_NO_TITLE);
        setContentView(R.layout.activity_main);
        final TextView tv = (TextView) findViewById(R.id.tv);
        Button show = (Button) findViewById(R.id.showTimer);
        show.setOnClickListener(new OnClickListener() {
            public void onClick(View v) {
                // Read the current date and time field by field
                Calendar c = Calendar.getInstance();
                int year = c.get(Calendar.YEAR);
                int month = c.get(Calendar.MONTH) + 1;  // MONTH is zero-based
                int day = c.get(Calendar.DAY_OF_MONTH);
                int hour = c.get(Calendar.HOUR_OF_DAY); // 24-hour clock; HOUR is 12-hour
                int min = c.get(Calendar.MINUTE);
                String time = year + "-" + month + "-" + day + " " + hour + ":" + min;
                tv.setText(time);
            }
        });
    }
}
```

This APK is very simple: when the button is tapped, the current date and time are displayed.

Hook module

The hook works by intercepting the get() method of the system class java.util.Calendar and changing its return value.

Create a new Android project named hookTest and add XposedBridgeApi-54.jar to the project's build path.

API download address: forum.xda-developers.com/xposed/xpos…

Create a new lib directory in the project, put the JAR there and add it to the build path. Do not use the libs directory: JARs in libs are bundled into the APK, and XposedBridge must not be packaged into the module because the framework already provides it.

Create a new class Hook that implements the IXposedHookLoadPackage interface

and implement its handleLoadPackage method:

```java
public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
    if (!lpparam.packageName.equals("com.example.showtimer")) return;
    XposedBridge.log("Loaded app name : " + lpparam.packageName);
}
```

The code above restricts the hook to the app whose packageName is com.example.showtimer; handleLoadPackage is called for every process Zygote starts, and for every other process it returns immediately.

findAndHookMethod(), a static method of XposedHelpers, finds a method and hooks it. The first parameter is the fully qualified name of the class to hook; for a class inside the target APK that is its package name plus the class name, e.g. com.example.showtimer.MainActivity. The second argument is always lpparam.classLoader, the target app's class loader. The third is the name of the method to hook, and the arguments after it are the parameter types of that method, in order, which is how overloads are told apart. The last argument is an XC_MethodHook object whose beforeHookedMethod and afterHookedMethod methods you override.

```java
findAndHookMethod("java.util.Calendar", lpparam.classLoader, "get", int.class,
        new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        // called before the original Calendar.get() runs
        XposedBridge.log("Enter->beforeHookedMethod:Calendar.get");
    }

    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        // called after the original Calendar.get() has returned
        XposedBridge.log("Enter->afterHookedMethod:Calendar.get");
        param.setResult(11);
    }
});
```

beforeHookedMethod and afterHookedMethod are the two callbacks of XC_MethodHook that we override. As the names suggest, before runs before the original method and can read (or change) its arguments through param.args; after runs once the original has returned and can read or replace its return value through param.getResult() and param.setResult(). Here the after hook sets the result to 11, so every Calendar.get() call in the target app returns 11, whatever field is requested. Two things worth knowing: calling param.setResult() inside beforeHookedMethod skips the original method entirely, whereas here it is called in the after hook, so the original still runs and only its return value is overwritten; and because the hook is installed from handleLoadPackage, it only affects the hooked app's process, even though java.util.Calendar is a framework class shared by all apps.
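Forcing every Calendar.get() to return 11 is enough to prove the hook fires, but it is not how you would use it in testing. The following is an added example (not code from the original post) that inspects the requested field in afterHookedMethod and only freezes the date, leaving the clock fields alone, which is what you want when testing expiry or "valid until" logic. The target package is the one used on this page; the frozen date and the class name FreezeDateHook are assumptions. It uses the XposedHelpers.findAndHookMethod overload that takes a Class object, which is equivalent to passing the class name and lpparam.classLoader for a framework class.

```java
package com.example.xposedtest;

import java.util.Calendar;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

/**
 * Freezes the date (but not the time of day) that com.example.showtimer sees.
 * Unlike the hook on this page, which turns every Calendar.get() into 11, it
 * looks at which field was requested and only overrides YEAR, MONTH and
 * DAY_OF_MONTH; HOUR, MINUTE and the rest keep their real values.
 */
public class FreezeDateHook implements IXposedHookLoadPackage {
    // Assumed target package and frozen date; adjust for the app under test.
    private static final String TARGET = "com.example.showtimer";
    private static final int FROZEN_YEAR = 2020;
    private static final int FROZEN_MONTH = Calendar.FEBRUARY; // zero-based, like Calendar
    private static final int FROZEN_DAY = 29;                  // leap day: a useful edge case

    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        if (!TARGET.equals(lpparam.packageName)) return;

        XposedHelpers.findAndHookMethod(Calendar.class, "get", int.class, new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                int field = (Integer) param.args[0];        // the Calendar.XXX constant requested
                int original = (Integer) param.getResult(); // what the real Calendar returned
                Integer replacement = frozenValue(field);
                if (replacement == null) return;            // not a date field: keep the real value
                XposedBridge.log("Calendar.get(" + field + "): " + original + " -> " + replacement);
                param.setResult(replacement);
            }
        });
    }

    /** Value to report for a Calendar field, or null to leave the real value untouched. */
    static Integer frozenValue(int field) {
        switch (field) {
            case Calendar.YEAR:         return FROZEN_YEAR;
            case Calendar.MONTH:        return FROZEN_MONTH;
            case Calendar.DAY_OF_MONTH: return FROZEN_DAY;
            default:                    return null;
        }
    }
}
```

With this module enabled, the showTimer button shows 2020-2-29 followed by the real time of day. The decision is kept in the pure frozenValue() helper so it can be unit-tested on the desktop without Xposed; only the thin afterHookedMethod wrapper depends on the framework.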

The full code of Hook.java is

```java
package com.example.xposedtest;

import static de.robv.android.xposed.XposedHelpers.findAndHookMethod;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class Hook implements IXposedHookLoadPackage {
    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        // Only hook the showtimer app; ignore every other process
        if (!lpparam.packageName.equals("com.example.showtimer")) return;
        XposedBridge.log("Loaded app name : " + lpparam.packageName);

        findAndHookMethod("java.util.Calendar", lpparam.classLoader, "get", int.class,
                new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                // called before the original Calendar.get() runs
                XposedBridge.log("Enter->beforeHookedMethod:Calendar.get");
            }

            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                // called after the original returned; overwrite its result
                XposedBridge.log("Enter->afterHookedMethod:Calendar.get");
                param.setResult(11);
            }
        });
    }
}
```

Declare the module entry point

Create a file named xposed_init in the assets folder and put the fully qualified name of the entry class in it, one class per line. Here that is com.example.xposedtest.Hook.

Declare the module and the API version it needs in AndroidManifest.xml, using meta-data entries inside the application element.

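The manifest itself did not survive on this page, so the following is an added example (not the original post's file) of the three meta-data entries an Xposed module declares, following the standard module convention. The package name com.example.xposedtest comes from the Hook class above; the label, description and SDK levels are assumptions, and xposedminversion 54 matches the XposedBridgeApi-54.jar on the build path.

```xml
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.xposedtest"
    android:versionCode="1"
    android:versionName="1.0">

    <!-- Assumed SDK levels for an Android 4.4 test phone -->
    <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="19" />

    <application android:label="hookTest">
        <!-- Marks this APK as an Xposed module so the installer lists it -->
        <meta-data android:name="xposedmodule" android:value="true" />
        <!-- Description shown in the installer's Modules tab (assumed text) -->
        <meta-data android:name="xposeddescription"
            android:value="Hooks Calendar.get() in com.example.showtimer" />
        <!-- Minimum Xposed API version; must not exceed the installed framework's -->
        <meta-data android:name="xposedminversion" android:value="54" />
    </application>
</manifest>
```

Without xposedmodule="true" the installer ignores the APK entirely, and without assets/xposed_init naming the entry class the module is listed but never loaded; those two are the first things to check when the Xposed log stays empty.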

Compile and install the APK

Xposed recognises the APK as a module: open the Modules tab of the Xposed installer, enable the module you just installed, and reboot so that the hook is loaded into the target process.

Open the showTimer app written earlier and tap the button to see the effect.

Messages written with XposedBridge.log() appear in the Xposed installer's log view, and also in logcat under the Xposed tag.

Hooking a custom function

Next, extend the showTimer app with a simple login form whose check is done by a custom validate() method, and hook that method.

```java
package com.example.showtimer;

import java.util.Calendar;

import android.app.Activity;
import android.os.Bundle;
import android.view.View;
import android.view.View.OnClickListener;
import android.view.Window;
import android.widget.Button;
import android.widget.EditText;
import android.widget.TextView;
import android.widget.Toast;

public class MainActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        requestWindowFeature(Window.FEATURE_NO_TITLE);
        setContentView(R.layout.activity_main);
        final EditText username = (EditText) findViewById(R.id.username);
        final EditText password = (EditText) findViewById(R.id.password);
        Button login = (Button) findViewById(R.id.button1);
        final TextView tv = (TextView) findViewById(R.id.tv);
        Button show = (Button) findViewById(R.id.showTimer);

        show.setOnClickListener(new OnClickListener() {
            public void onClick(View v) {
                Calendar c = Calendar.getInstance();
                int year = c.get(Calendar.YEAR);
                int month = c.get(Calendar.MONTH) + 1;  // MONTH is zero-based
                int day = c.get(Calendar.DAY_OF_MONTH);
                int hour = c.get(Calendar.HOUR_OF_DAY); // 24-hour clock
                int min = c.get(Calendar.MINUTE);
                String time = year + "-" + month + "-" + day + " " + hour + ":" + min;
                tv.setText(time);
            }
        });

        login.setOnClickListener(new OnClickListener() {
            public void onClick(View v) {
                String user = username.getText().toString();
                String pass = password.getText().toString();
                if (validate(user, pass)) {
                    Toast.makeText(MainActivity.this, "login succeeded", Toast.LENGTH_LONG).show();
                } else {
                    Toast.makeText(MainActivity.this, "login failed", Toast.LENGTH_LONG).show();
                }
            }
        });
    }

    // The custom check we are going to hook: hard-coded credentials for the demo
    private boolean validate(String user, String pass) {
        return user.equals("yang") && pass.equals("123");
    }
}
```

validate() returns true only when the user is "yang" and the password is "123"; a Toast reports whether the login succeeded or failed.

Then add a second hook for validate() to the Hook class:

```java
package com.example.xposedtest;

import static de.robv.android.xposed.XposedHelpers.findAndHookMethod;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class Hook implements IXposedHookLoadPackage {
    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        if (!lpparam.packageName.equals("com.example.showtimer")) return;
        XposedBridge.log("Loaded app name : " + lpparam.packageName);
        XposedBridge.log("Loaded app process: " + lpparam.processName);
        XposedBridge.log("Loaded app appInfo: " + lpparam.appInfo);

        // Hook 1: make every Calendar.get() in the target app return 11
        findAndHookMethod("java.util.Calendar", lpparam.classLoader, "get", int.class,
                new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                // called before the original Calendar.get() runs
                XposedBridge.log("Enter->beforeHookedMethod:Calendar.get");
            }

            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                // called after the original returned; overwrite its result
                XposedBridge.log("Enter->afterHookedMethod:Calendar.get");
                param.setResult(11);
            }
        });

        // Hook 2: force MainActivity.validate(String, String) to return true
        findAndHookMethod("com.example.showtimer.MainActivity", lpparam.classLoader,
                "validate", String.class, String.class, new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                XposedBridge.log("Enter->beforeHookedMethod:validate");
                XposedBridge.log("beforeHookedMethod userName:" + param.args[0]);
                XposedBridge.log("beforeHookedMethod pass:" + param.args[1]);
                // the original has not run yet, so the result is still null here
                XposedBridge.log("beforeHookedMethod result:" + param.getResult());
            }

            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                XposedBridge.log("Enter->afterHookedMethod:validate");
                param.setResult(true);
                XposedBridge.log("afterHookedMethod userName:" + param.args[0]);
                XposedBridge.log("afterHookedMethod pass:" + param.args[1]);
                XposedBridge.log("afterHookedMethod result:" + param.getResult());
            }
        });
    }
}
```

param.setResult(true) in afterHookedMethod makes validate() return true whatever was entered, so the "login succeeded" Toast appears in every case. Note that in the before hook param.getResult() is still null, because the original method has not run yet, while the password is already visible in plain text in param.args[1]. That is the login-hijacking scenario from the reference article: any module loaded into the process can read what the user typed before the app's own check ever sees it.
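The hook above lets the real validate() run and then overrides its answer. There are two other ways to tamper with it that the post does not show, and they behave differently with respect to the app's own code: rewriting the arguments in beforeHookedMethod (the real check still runs, with input of your choosing) or replacing the method body with XC_MethodReplacement (the real check never runs, so none of its side effects such as logging or lockout counters happen). The following is an added example, not code from the original post. The package, class and method names and the "yang"/"123" credentials are the ones used on this page; the master password, the REPLACE_BODY switch and the class name LoginHook are assumptions. It also resolves the class with XposedHelpers.findClass() first, so a wrong or obfuscated name is logged instead of crashing the target.

```java
package com.example.xposedtest;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XC_MethodReplacement;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

/**
 * Tampers with MainActivity.validate(String, String) either by rewriting its
 * arguments before it runs (variant 1) or by replacing its body (variant 2).
 */
public class LoginHook implements IXposedHookLoadPackage {
    private static final String TARGET = "com.example.showtimer";
    // On an obfuscated build these become e.g. "com.example.showtimer.a" and "a";
    // take them from the build's ProGuard mapping.txt or a decompiled APK.
    private static final String ACTIVITY = "com.example.showtimer.MainActivity";
    private static final String METHOD = "validate";
    // Assumed "master password" for the test environment, and the credentials
    // the page's validate() accepts.
    private static final String MASTER_PASS = "letmein";
    private static final String[] KNOWN_GOOD = {"yang", "123"};
    // false: rewrite the arguments (variant 1); true: replace the body (variant 2)
    private static final boolean REPLACE_BODY = false;

    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        if (!TARGET.equals(lpparam.packageName)) return;

        Class<?> activity;
        try {
            activity = XposedHelpers.findClass(ACTIVITY, lpparam.classLoader);
        } catch (XposedHelpers.ClassNotFoundError e) {
            // Wrong (or obfuscated) class name: log it instead of crashing the target
            XposedBridge.log("class not found in " + TARGET + ": " + ACTIVITY);
            return;
        }

        XposedHelpers.findAndHookMethod(activity, METHOD, String.class, String.class,
                REPLACE_BODY ? bodyReplacement() : argumentRewrite());
    }

    /** Variant 1: the real validate() still runs, but sees rewritten arguments. */
    static XC_MethodHook argumentRewrite() {
        return new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                // param.getResult() is still null here: the original has not run yet.
                String[] creds = rewriteCredentials((String) param.args[0], (String) param.args[1]);
                param.args[0] = creds[0];
                param.args[1] = creds[1];
            }

            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                // Log the user but never the password: the Xposed log is world-readable on the device
                XposedBridge.log("validate(" + param.args[0] + ", ***) -> " + param.getResult());
            }
        };
    }

    /** Variant 2: the real validate() is never called, so none of its side effects happen. */
    static XC_MethodHook bodyReplacement() {
        return new XC_MethodReplacement() {
            @Override
            protected Object replaceHookedMethod(MethodHookParam param) throws Throwable {
                XposedBridge.log("validate() bypassed for user " + param.args[0]);
                return Boolean.TRUE;
            }
        };
    }

    /** Swap in the known-good pair when the master password is typed; otherwise pass through. */
    static String[] rewriteCredentials(String user, String pass) {
        if (MASTER_PASS.equals(pass)) {
            return KNOWN_GOOD.clone();
        }
        return new String[] {user, pass};
    }
}
```

Calling param.setResult() inside beforeHookedMethod has the same effect as variant 2 (the original is skipped); XC_MethodReplacement is just that pattern packaged with a single replaceHookedMethod() callback. Pick variant 1 when the test should exercise the app's real code path, and variant 2 when you want to cut it out entirely.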

Postscript: if the test APK is obfuscated, the hook must use the obfuscated class and method names instead, taken from the build's ProGuard mapping file or from the decompiled APK. Xposed can do a lot: in testing it can be used to construct simulated environments that would otherwise be very hard to reproduce, and the many plugins built on it are impressive too.