?

轉載：看雪論壇 堂前燕：https://bbs.pediy.com/thread-252153.htm

Xposed 模塊編寫的那些事：https://www.freebuf.com/articles/terminal/114910.html

?

?

看了很多 xposed的教程，自以為掌握了個大概，直到今天整理，練習時才發現自己不過是眼高手低，有太多的東西需要學習了。路漫漫，還需腳踏實地！

沒有找到合適樣本，自己寫了個簡單的類練手。

abstract class person{public int age=0;public void eat(String food){}; }public class HookGoal {private static String TAG="HookGoal:";private int hookGoalNumber;public HookGoal(int number){hookGoalNumber=number;Log.i(TAG,"HookGoal hookGoalNumber:"+hookGoalNumber);}public void func0(){Log.i(TAG,"welcome");}private void func1(){new person(){@Overridepublic void eat(String food) {Log.i(TAG,"eat "+food);}}.eat("apple");}private static void func2(String s){Log.i(TAG,"func2 "+s);}private void func3(DiyClass[] arry){for(int i=0;i<arry.length;i++)Log.i(TAG,"DiyClass["+i+"].getData:"+arry[i].getData());}private class InnerClass{private int innerNumber;public InnerClass(String s){innerNumber=0;Log.i(TAG,"InnerClass 構造函數 "+s);Log.i(TAG,"InnerClass innerNumber:"+innerNumber);}private void innerFunc(String s){Log.i(TAG,"InnerClass innerFunc "+s);}}public void show(){func1();func2("私有靜態方法");DiyClass[] arry={new DiyClass(0),new DiyClass(0),new DiyClass(0)};func3(arry);InnerClass inner=new InnerClass("私有內部類");inner.innerFunc("內部類方法調用");}}public class DiyClass{private int data;public DiyClass(int data){this.data=data;}public int getData() {return data;}public void setData(int data) {this.data = data;} }

要干下面幾件事：

• hook HookGoal類的構造函數，修改靜態屬性TAG
• hook 私有成員方法func1內的匿名內部類的eat()方法 ，修改匿名內部類的age值
• hook 私有靜態方法func2 ，調用成員方法func0()、調用DiyClass類的成員方法getData()
• hook 私有成員方法func3 參數為自定義類型數組，修改參數、 調用成員方法func0()?
• hook 內部類InnerClass的構造函數（經論壇大哥指點已經可以），hook內部類innerFunc方法

public class HookMain implements IXposedHookLoadPackage {Context context;@Overridepublic void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {XposedBridge.log("HookMain begain");if (!lpparam.packageName.equals("com.example.goal")) {Log.i("失敗", "未找到包");XposedBridge.log("未找到包" );return;}Log.i("begin","hook is begaining");//hook context 后面可使用ToastXposedHelpers.findAndHookMethod(ContextThemeWrapper.class, "attachBaseContext",Context.class, new XC_MethodHook() {@Overrideprotected void beforeHookedMethod(MethodHookParam param) throws Throwable {context=(Context) param.args[0];}});final Class<?> clazz=findClass("com.example.goal.HookGoal",lpparam.classLoader);//hook 有參構造函數XposedHelpers.findAndHookConstructor(clazz,int.class,new XC_MethodHook() {@Overrideprotected void beforeHookedMethod(MethodHookParam param) throws Throwable {//修改構造函數參數param.args[0]=666;//設置 TAG為hookingsetStaticObjectField(clazz,"TAG","hooking");}});Class nminner=findClass("com.example.goal.HookGoal$1",clazz.getClassLoader());//hook 匿名內部類的eat()方法findAndHookMethod(nminner, "eat",String.class, new XC_MethodHook() {@Overrideprotected void beforeHookedMethod(MethodHookParam param) throws Throwable {param.args[0]="is hooking";//修改匿名內部類的age屬性Log.i("nminner","修改前age值："+getIntField(param.thisObject,"age"));setIntField(param.thisObject,"age",666);Log.i("nminner","修改后age值："+getIntField(param.thisObject,"age"));}});final Class diy=findClass("com.example.goal.DiyClass",lpparam.classLoader);final Constructor init=diy.getConstructor(int.class);findAndHookMethod(clazz, "func2",String.class, new XC_MethodHook() {@Overrideprotected void beforeHookedMethod(MethodHookParam param) throws Throwable {//hook 靜態方法參數param.args[0]="is hooking";//調用func0方法XposedHelpers.callMethod(clazz.getConstructor(int.class).newInstance(666),"func0");Log.i("hooking","way1 （靜態方法中）創建新對象調用func0");//調用外部 DiyClass的getData()int data=(int)callMethod(init.newInstance(666),"getData");Log.i("hooking","調用DiyClass中getData() 返回值："+data);}});//hook 自定義類型數組參數Class diyClassArray= Array.newInstance(diy,3).getClass();findAndHookMethod(clazz, "func3", diyClassArray, new XC_MethodHook() {@Overrideprotected void beforeHookedMethod(MethodHookParam param) throws Throwable {//調用func0方法XposedHelpers.callMethod(param.thisObject,"func0");Log.i("hooking","way2 （成員方法中）當前對象調用func0");//自定義類型數組Object a=Array.newInstance(diy,3);for(int i=0;i<3;i++)Array.set(a,i,init.newInstance(666));param.args[0]=diyClassArray.cast(a);Log.i("func3",param.args[0].toString());Log.i("hooking","func3修改參數");}});Class inner=findClass("com.example.goal.HookGoal$InnerClass",clazz.getClassLoader());findAndHookConstructor(inner,clazz, String.class, new XC_MethodHook() {@Overrideprotected void beforeHookedMethod(MethodHookParam param) throws Throwable {//修改內部類構造函數中的參數param.args[1]="is hooking";Log.i("inner Constructor",""+param.args[1]);}@Overrideprotected void afterHookedMethod(MethodHookParam param) throws Throwable {//在內部類構造函數中修改innerNumber值Log.i("inner Constructor","修改前的innerNumber："+getIntField(param.thisObject,"innerNumber"));// Log.i("inner Constructor",""+param.thisObject);setIntField(param.thisObject,"innerNumber",6);Log.i("inner Constructor","修改后的innerNumber："+getIntField(param.thisObject,"innerNumber"));}});findAndHookMethod(inner, "innerFunc", String.class, new XC_MethodHook() {@Overrideprotected void beforeHookedMethod(MethodHookParam param) throws Throwable {param.args[0]="is hooking";Log.i("innerFunc","修改前的innerNumber："+getIntField(param.thisObject,"innerNumber"));setIntField(param.thisObject,"innerNumber",666);Log.i("innerFunc","修改后的innerNumber："+getIntField(param.thisObject,"innerNumber"));Log.i("innerFunc",""+param.args[0]);}});} }

hook 前 Log

com.example.goal I/HookGoal:: HookGoal hookGoalNumber:0 com.example.goal I/HookGoal:: eat apple com.example.goal I/HookGoal:: func2 私有靜態方法 com.example.goal I/HookGoal:: DiyClass[0].getData:0 com.example.goal I/HookGoal:: DiyClass[1].getData:0 com.example.goal I/HookGoal:: DiyClass[2].getData:0 com.example.goal I/HookGoal:: InnerClass 構造函數 私有內部類 com.example.goal I/HookGoal:: InnerClass innerNumber:0 com.example.goal I/HookGoal:: InnerClass innerFunc 內部類方法調用

hook 后 Log

com.example.goal I/hooking: HookGoal hookGoalNumber:666 com.example.goal I/hooking: eat is hooking com.example.goal I/hooking: HookGoal hookGoalNumber:666 com.example.goal I/hooking: welcome com.example.goal I/hooking: 調用DiyClass中getData() 返回值：666 com.example.goal I/hooking: func2 is hooking com.example.goal I/func3: [Lcom.example.goal.DiyClass;@4a89752c com.example.goal I/hooking: func3修改參數 com.example.goal I/hooking: DiyClass[0].getData:666 com.example.goal I/hooking: DiyClass[1].getData:666 com.example.goal I/hooking: DiyClass[2].getData:666 com.example.goal I/inner Constructor: is hooking com.example.goal I/hooking: InnerClass 構造函數 is hooking com.example.goal I/hooking: InnerClass innerNumber:0 com.example.goal I/inner Constructor: 修改前的innerNumber：0 com.example.goal I/inner Constructor: 修改后的innerNumber：6 com.example.goal I/innerFunc: 修改前的innerNumber：6 com.example.goal I/innerFunc: 修改后的innerNumber：666 com.example.goal I/innerFunc: is hooking com.example.goal I/hooking: InnerClass innerFunc is hooking

錯誤之處，還請不吝賜教，十分感謝！

同時也希望有疑惑的同學留下你的問題，大家多多交流。

?

實踐是檢驗真理的唯一標準，今后還要勤加練習，多多實戰。

計劃：

• 掌握Java層xposed hook及原理
• 掌握native層frida hook及原理
• 自己實現hook框架

?

學如逆水行舟，不進則退。與君共勉！

?

?

?

總結

以上是生活随笔為你收集整理的安卓逆向_22（ 二 ） --- Xposed 学习记录的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。