安卓逆向之LSposed开发（一）

环境

名称	值
硬件	LG Nexus 5X
OS	android 8.1.0
是否Root	是
Root工具	Magisk-v20.4

安装 LSPosed

bash 复制代码

wget https://github.com/LSPosed/LSPosed/releases/download/v1.9.2/LSPosed-v1.9.2-7024-zygisk-release.zip 
adb push LSPosed-v1.9.2-7024-zygisk-release.zip /sdcard

安装时会提示要求Magisk 24+
用Magisk 升级到最新版本即可。
要求打开zygisk，在magisk设置里边打开即可

被hook 工程

java 复制代码

package com.example.demo2;

import android.os.Bundle;
import android.util.Log;

import androidx.activity.EdgeToEdge;
import androidx.appcompat.app.AppCompatActivity;
import androidx.core.graphics.Insets;
import androidx.core.view.ViewCompat;
import androidx.core.view.WindowInsetsCompat;

public class MainActivity extends AppCompatActivity {

    private String total = "hello";
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        EdgeToEdge.enable(this);
        setContentView(R.layout.activity_main);
        ViewCompat.setOnApplyWindowInsetsListener(findViewById(R.id.main), (v, insets) -> {
            Insets systemBars = insets.getInsets(WindowInsetsCompat.Type.systemBars());
            v.setPadding(systemBars.left, systemBars.top, systemBars.right, systemBars.bottom);
            return insets;
        });
        while(true)
        {
            try{
                Thread.sleep(1000);

            }catch (InterruptedException e)
            {
                e.printStackTrace();
            }
            fun(50,30);
            Log.d("r0ysue.string",fun("LoWeRcAsE Me !!!!"));
        }
    }
    void fun(int x,int y)
    {
        Log.d("r0ysue.sum",String.valueOf(x + y));
    }
    String fun(String x) {
        return x.toLowerCase();
    }
    void secret()
    {
         total += " secretFunc";
         Log.d("r0ysue.secret","this is secret func");
    }
    static void staticSecret()
    {
        Log.d("r0ysue.secret","this is static secret func");
    }

}

XposedDemo android studio 工程

settings.gradle.kts

bash 复制代码

dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        google()
        mavenCentral()
        maven("https://jitpack.io")
        maven("https://api.xposed.info/")
    }
}

build.gradle.kts

bash 复制代码

dependencies {
    compileOnly("de.robv.android.xposed:api:82")
    compileOnly("de.robv.android.xposed:api:82:sources")
    }

AndroidManifest.xml

xml 复制代码

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools">

    <application
        android:allowBackup="true"
        android:dataExtractionRules="@xml/data_extraction_rules"
        android:fullBackupContent="@xml/backup_rules"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:theme="@style/Theme.XposedDemo">
        <meta-data
            android:name="xposedmodule"
            android:value="true" />
        <meta-data
            android:name="xposeddescription"
            android:value="LSPosed示例模块" />
        <meta-data
            android:name="xposedminversion"
            android:value="93" />
        <activity
            android:name=".MainActivity"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>

MainActivity

java 复制代码

package com.example.xposeddemo;

import android.os.Bundle;

import androidx.activity.EdgeToEdge;
import androidx.appcompat.app.AppCompatActivity;
import androidx.core.graphics.Insets;
import androidx.core.view.ViewCompat;
import androidx.core.view.WindowInsetsCompat;

public class MainActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        EdgeToEdge.enable(this);
        setContentView(R.layout.activity_main);
        ViewCompat.setOnApplyWindowInsetsListener(findViewById(R.id.main), (v, insets) -> {
            Insets systemBars = insets.getInsets(WindowInsetsCompat.Type.systemBars());
            v.setPadding(systemBars.left, systemBars.top, systemBars.right, systemBars.bottom);
            return insets;
        });
    }
}

XposedModule.java

java 复制代码

package com.example.xposeddemo;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.callbacks.XC_LoadPackage;
public class XposedModule implements IXposedHookLoadPackage{

    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {
        if(lpparam.packageName.equals("com.example.demo2")){
            XposedBridge.log(lpparam.packageName + " has Hooked!");
            Class clazz = lpparam.classLoader.loadClass("com.example.demo2.MainActivity");
            XposedHelpers.findAndHookMethod(clazz,"fun",String.class,new XC_MethodHook(){
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                    super.beforeHookedMethod(param);
                    XposedBridge.log("input: " + param.args[0]);
                }
                    protected void afterHookedMethod(MethodHookParam param) throws Throwable{
                        param.setResult("You has been hijacked");
                    }

            });

        }
    }
}

File->New->Folder->Assets Fold, 在assets下建立文件xposed_init，写入内容如下：

bash 复制代码

com.example.xposeddemo.XposedModule

安装 com.example.xposeddemo 到手机，点击通知栏。

开启模块 XposedDemo
重启手机，启动demo2.查看Logcat，判断hook是否成功。

文章示例来源于 <<安卓Frida逆向与抓包实践>>