环境
| 名称 | 值 |
|---|---|
| 硬件 | LG Nexus 5X |
| OS | android 8.1.0 |
| 是否Root | 是 |
| Root工具 | Magisk-v20.4 |
安装 LSPosed
bash
wget https://github.com/LSPosed/LSPosed/releases/download/v1.9.2/LSPosed-v1.9.2-7024-zygisk-release.zip
adb push LSPosed-v1.9.2-7024-zygisk-release.zip /sdcard - 安装时会提示 要求Magisk 24+
- 用Magisk 升级到最新版本即可。
- 要求打开zygisk,在magisk设置里边打开即可
被hook 工程
java
package com.example.demo2;
import android.os.Bundle;
import android.util.Log;
import androidx.activity.EdgeToEdge;
import androidx.appcompat.app.AppCompatActivity;
import androidx.core.graphics.Insets;
import androidx.core.view.ViewCompat;
import androidx.core.view.WindowInsetsCompat;
public class MainActivity extends AppCompatActivity {
private String total = "hello";
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
EdgeToEdge.enable(this);
setContentView(R.layout.activity_main);
ViewCompat.setOnApplyWindowInsetsListener(findViewById(R.id.main), (v, insets) -> {
Insets systemBars = insets.getInsets(WindowInsetsCompat.Type.systemBars());
v.setPadding(systemBars.left, systemBars.top, systemBars.right, systemBars.bottom);
return insets;
});
while(true)
{
try{
Thread.sleep(1000);
}catch (InterruptedException e)
{
e.printStackTrace();
}
fun(50,30);
Log.d("r0ysue.string",fun("LoWeRcAsE Me !!!!"));
}
}
void fun(int x,int y)
{
Log.d("r0ysue.sum",String.valueOf(x + y));
}
String fun(String x) {
return x.toLowerCase();
}
void secret()
{
total += " secretFunc";
Log.d("r0ysue.secret","this is secret func");
}
static void staticSecret()
{
Log.d("r0ysue.secret","this is static secret func");
}
}XposedDemo android studio 工程
- settings.gradle.kts
bash
dependencyResolutionManagement {
repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
repositories {
google()
mavenCentral()
maven("https://jitpack.io")
maven("https://api.xposed.info/")
}
}- build.gradle.kts
bash
dependencies {
compileOnly("de.robv.android.xposed:api:82")
compileOnly("de.robv.android.xposed:api:82:sources")
}- AndroidManifest.xml
xml
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:tools="http://schemas.android.com/tools">
<application
android:allowBackup="true"
android:dataExtractionRules="@xml/data_extraction_rules"
android:fullBackupContent="@xml/backup_rules"
android:icon="@mipmap/ic_launcher"
android:label="@string/app_name"
android:roundIcon="@mipmap/ic_launcher_round"
android:supportsRtl="true"
android:theme="@style/Theme.XposedDemo">
<meta-data
android:name="xposedmodule"
android:value="true" />
<meta-data
android:name="xposeddescription"
android:value="LSPosed示例模块" />
<meta-data
android:name="xposedminversion"
android:value="93" />
<activity
android:name=".MainActivity"
android:exported="true">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
</application>
</manifest>- MainActivity
java
package com.example.xposeddemo;
import android.os.Bundle;
import androidx.activity.EdgeToEdge;
import androidx.appcompat.app.AppCompatActivity;
import androidx.core.graphics.Insets;
import androidx.core.view.ViewCompat;
import androidx.core.view.WindowInsetsCompat;
public class MainActivity extends AppCompatActivity {
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
EdgeToEdge.enable(this);
setContentView(R.layout.activity_main);
ViewCompat.setOnApplyWindowInsetsListener(findViewById(R.id.main), (v, insets) -> {
Insets systemBars = insets.getInsets(WindowInsetsCompat.Type.systemBars());
v.setPadding(systemBars.left, systemBars.top, systemBars.right, systemBars.bottom);
return insets;
});
}
}- XposedModule.java
java
package com.example.xposeddemo;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.callbacks.XC_LoadPackage;
public class XposedModule implements IXposedHookLoadPackage{
public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {
if(lpparam.packageName.equals("com.example.demo2")){
XposedBridge.log(lpparam.packageName + " has Hooked!");
Class clazz = lpparam.classLoader.loadClass("com.example.demo2.MainActivity");
XposedHelpers.findAndHookMethod(clazz,"fun",String.class,new XC_MethodHook(){
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
XposedBridge.log("input: " + param.args[0]);
}
protected void afterHookedMethod(MethodHookParam param) throws Throwable{
param.setResult("You has been hijacked");
}
});
}
}
}- File->New->Folder->Assets Fold, 在assets下建立文件xposed_init,写入内容如下:
bash
com.example.xposeddemo.XposedModule- 安装 com.example.xposeddemo 到手机,点击通知栏。
- 开启模块 XposedDemo
- 重启手机,启动demo2.查看Logcat,判断hook是否成功。
文章示例来源于 <<安卓Frida逆向与抓包实践>>