本文主要讨论一下如何hook字段与方法
hook字段有两种方式:
-
使用反射
-
使用 xposed api
由于xposed 模块也运行在 app 进程中,所以我们可以将 app 的代码当作自己的,直接反射访问。
Hook静态字段与成员字段
测试代码:
package com.example.hooktarge
class HookTarget2 {
private var str: String = "hello"
companion object {
@JvmStatic
private val id: Int = 10
}
override fun toString(): String {
return "HookTarget2(str='$str')"
}
}
使用 java 反射来更改静态字段:
@Override
public void handleLoadPackage(XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {
if (loadPackageParam.packageName.equals("com.example.hooktarge")) {
Class<?> aClass = loadPackageParam.classLoader.loadClass("com.example.hooktarge.HookTarget2");
Field id = aClass.getDeclaredField("id");
id.setAccessible(true);
XposedBridge.log("HookTarget2 id = " + id.get(null));
id.set(null, 42);
XposedBridge.log("HookTarget2 id = " + id.get(null) + ", change by field set");
}
}
输出结果:
HookTarget2 id = 10
HookTarget2 id = 42, change by field set
使用java反射来更改成员字段:
XposedHelpers.findAndHookConstructor("com.example.hooktarge.HookTarget2", loadPackageParam.classLoader, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
}
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
Object thisObject = param.thisObject;
Field str = aClass.getDeclaredField("str");
str.setAccessible(true);
str.set(thisObject, "ass");
XposedBridge.log(param.thisObject.toString());
}
});
输出结果:
HookTarget2(str='ass')
从上面的测试可以看到使用反射可以成功的更改字段。
但是反射使用起来比较麻烦,所以Xposed也提供了对应的api.
int id1 = XposedHelpers.getStaticIntField(aClass, "id");
XposedBridge.log("HookTarget2 id = " + id1 + " get by api");
XposedHelpers.setStaticIntField(aClass, "id", 100);
XposedBridge.log("HookTarget2 id = " + XposedHelpers.getStaticIntField(aClass, "id") + " set by api");
Object str1 = XposedHelpers.getObjectField(thisObject, "str");
XposedBridge.log(str1 + " get by api");
XposedHelpers.setObjectField(thisObject, "str", "hhhhh");
XposedBridge.log(param.thisObject.toString() + "change by api");
使用内置的 api 就显得简洁多了。
Hook一般方法
java中有这样4种方法:
-
普通类方法
-
内部类方法
-
匿名内部类方法
-
JNI方法
由于Android Art 虚拟机中,一个方法的表示都是 ArtMethod,只不过其执行的函数入口可以选择 jni 入口或者函数体入口,所以JNI方法与普通方法的 hook 是一样的。
内部类/匿名内部类这两个的不同之处在于类名要麻烦点,不过我们可以使用反编译工具拿到其类名。Java的中匿名内部类其实也是有名字的,在开发阶段确实看不到,但是在编译后会分配一个带数字的名字,所以其实内部类与匿名内部类的hook也是一样的。
看一个例子:
package com.example.hooktarge;
import android.util.Log;
public class HookTarget3 {
public void test() {
String s = test1();
Log.e("HookTarget3", s);
String s1 = test2();
Log.e("HookTarget3", s1);
test3();
test4();
}
class AbsClass {
private String test1() {
return "test1";
}
public int run() {
return 1;
}
}
private String test1() {
return "test1";
}
private static String test2() {
return "test2";
}
private void test3() {
AbsClass absClass = new AbsClass();
Log.e("HookTarget3", absClass.test1());
}
private void test4() {
AbsClass absClass = new AbsClass() {
@Override
public int run() {
return 2;
}
};
int run = absClass.run();
Log.e("HookTarget3", run + "");
}
}
对普通方法与静态方法的 hook 是一样的:
XposedHelpers.findAndHookMethod(
"com.example.hooktarge.HookTarget3",
loadPackageParam.classLoader,
"test1",
new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
param.setResult("test11111111");
}
});
XposedHelpers.findAndHookMethod(
"com.example.hooktarge.HookTarget3",
loadPackageParam.classLoader,
"test2",
new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
param.setResult("test222222222");
}
});
但是对于内部类与匿名内部类方法,需要先确定其类名,我们使用 jadx 打开apk,发现它显示的很像源码,是看不出内部类的真正名字的:
package com.example.hooktarge;
import android.util.Log;
/* loaded from: classes3.dex */
public class HookTarget3 {
public void test() {
String s = test1();
Log.e("HookTarget3", s);
String s1 = test2();
Log.e("HookTarget3", s1);
test3();
test4();
}
/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes3.dex */
public class AbsClass {
AbsClass() {
}
/* JADX INFO: Access modifiers changed from: private */
public String test1() {
return "test1";
}
public int run() {
return 1;
}
}
private String test1() {
return "test1";
}
private static String test2() {
return "test2";
}
private void test3() {
AbsClass absClass = new AbsClass();
Log.e("HookTarget3", absClass.test1());
}
private void test4() {
AbsClass absClass = new AbsClass() { // from class: com.example.hooktarge.HookTarget3.1
@Override // com.example.hooktarge.HookTarget3.AbsClass
public int run() {
return 2;
}
};
int run = absClass.run();
Log.e("HookTarget3", run + "");
}
}
不过常做开发的也能自己拼出内部类的名字,就是使用 $ 连接符。我们切换到 smali 界面:
new-instance v0, Lcom/example/hooktarge/HookTarget3$AbsClass;
new-instance v0, Lcom/example/hooktarge/HookTarget3$1;
这里就看到了,内部类的名字是 HookTarget3$AbsClass。
匿名内部类的名字是:HookTarget3$1,可以看到该匿名内部类分配的数字是 1,有兴趣的可以多写几个匿名内部类看看规律。
hook代码如下:
XposedHelpers.findAndHookMethod(
"com.example.hooktarge.HookTarget3$AbsClass",
loadPackageParam.classLoader,
"test1",
new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
param.setResult("test11111111");
}
});
XposedHelpers.findAndHookMethod(
"com.example.hooktarge.HookTarget3$1",
loadPackageParam.classLoader,
"run",
new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
param.setResult(100);
}
});
输出log如下:
test11111111
test222222222
test11111111
100
总结:
方法hook一律使用 XposedHelpers.findAndHookMethod(xxx) api,虽然文中并没有演示 jni 的hook(比较懒),但是实际上也是一样的。对于内部类与匿名内部类需要找准其类名后再 hook。