xposed基础语法
# 类
# 元类
# class
类名.class
# 实例化后的对象
対象.getClass()
# 反射
Class.forName
# java api
java.lang.String
# 使用 xposed读取
XposedHelpers.findClass
# 读取 dex path、jar path
new DexClassLoader().loadClass
# smail语法
[[Ljava.lang.Strings
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# 普通类
# 直接使用下面的方式获取
Class<?> MSManager = XposedHelpers.findClass("com.bytedance.mobsec.metasec.ml.MSManager", lpparam.classLoader);
1
2
2
# 匿名类
# 从1开始
XposedHelpers.findClass( className: "com.xiaojianbang. xposeddemo. Demo$1", loadPackageParam. classLoader)
1
2
2
# 内部类
# 直接 $ 内部类 (支持直接的内部类中的方法调用)
XposedHelpers.findClass( className: "com.xiaojianbang. xposeddemo. Demo$InnerClass", loadPackageParam. classLoader)
1
2
2
# instance
获取实例的方式
1
# newInstance
Class<?> MSManager = XposedHelpers.findClass("com.bytedance.mobsec.metasec.ml.MSManager", lpparam.classLoader);
instance = MSManager.newInstance();
1
2
2
# param.thisObject
XposedHelpers.findAndHookMethod(MSManager, "setDeviceID", String.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
Log.i("hook_dy", "res:" + param.args[0]);
instance = param.thisObject;
}
});
1
2
3
4
5
6
7
2
3
4
5
6
7
# XposedHelpers
# 相关hook
# findAndHookConstructor
# 如果是无参构造,则不传入参数
(Class<?> clazz, Object... parameterTypesAndCallback)
1
2
3
4
2
3
4
# findAndHookMethod
# findAndHookMethod 即可以hook普通方法又可以hook私有方法
findAndHookMethod(Class<?> clazz, String methodName, Object... parameterTypesAndCallback)
1
2
2
# hook多dex
attch
# http://blog.minihu.top/2021/04/17/xposed-hook-%E5%A4%9Adex%E7%9A%84apk/
# https://www.cnblogs.com/c-x-a/p/12582487.html
//过滤一下不关注的包,排除影响
if(!loadPackageParam.packageName.equals("yourPkgName"))
return;
XposedHelpers.findAndHookMethod(Application.class, "attach",
Context.class, new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
ClassLoader cl = ((Context) param.args[0]).getClassLoader();
Class<?> hookclass = null;
try {
//查看dex有没有这个Class
hookclass = cl.loadClass("com.umeng.commonsdk.UMConfigure");
} catch (Exception e) {
XposedBridge.log("load class error"+e);
return;
}
//确定有这个Class再进行hook方法的操作
XposedBridge.log( "load success");
XposedHelpers.findAndHookMethod(hookclass, "init", Context.class,String.class,String.class,int.class,String.class,
new XC_MethodHook() {
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
XposedBridge.log( "has Hooked!");
}
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
//打印一下形参
XposedBridge.log("param.args[0] = "+param.args[0]);
XposedBridge.log("param.args[1] = "+param.args[1]);
XposedBridge.log("param.args[2] = "+param.args[2]);
XposedBridge.log("param.args[3] = "+param.args[3]);
XposedBridge.log("param.args[4] = "+param.args[4]);
}
});
}
});
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
# 可混合传入参数
# 相关call
# callMethod
Object result = XposedHelpers.callMethod(targetObject, "privateMethodName", arg1, arg2, ...);
1
# 相关回调
# XC_MethodReplacement
new XC_MethodReplacement
1
# 字段
# getIntField
XposedHelpers.getIntField(param.thisObject, fieldName: "innerPublicInt");
1
# 类操作
# 仅公有方法
democlazz.getMethod();
# 全部的声明方法
democlazz.getDeclaredMethod();
# 仅公有字段
democlazz.getField();
# 所有字段
democlazz.getDeclaredField();
1
2
3
4
5
6
7
8
9
2
3
4
5
6
7
8
9
# 流程
1、找到类
2、找到字段或方法 设定访问权限
3、修改字段或调用方法
1
2
3
2
3
# getField
String str = (String)reffield.get(obj):
1
# getDeclaredMethod
# 如果调用私有方法,需要声明一下操作权限
refmethod.setAccessible(true);
1
2
2
# getDeclaredFields
1
# getDeclaredClasses
# 获取声明的类
1
# classloader
# 安卓的所有class 底层都是通过 ClassLoader中的 loadClass 方法进行加载的
1
# 获取声明
reffield.getType //获取字段类型
reffield.getName //获取字段名称
reffield.getModifiers //获取访问修饰
1
2
3
2
3
# invoke
# 加载类
Class democlazz = Class.forName( name: "com.xiaojianbang xposeddemo.Demo", initialize: false, classloader)
# 获取声明的方法
Method refmethod = democlazz.getDeclaredMethod( name: "refl");
refmethod.setAccessible(true);
# invoke 调用
refmethod.invoke(obi);
1
2
3
4
5
6
7
2
3
4
5
6
7
# XposedBridge
XposedBridge.hookALLConstructors()
XposedBridge.hookAlLMethods
1
2
2
# hookAllMethods
hook 函数重载
1
# hookAllConstructors
可以根据 构造函数的参数进行判断
1
# 栈
# 堆栈输出
Log.e("逆向有你", "Stack:", new Throwable("stack dump"));
1
# 自吐
# 算法自吐
因为在java层 必然会调用java的相关函数 例如 javax和java.utils下的函数
可以直观的看到 iv key 偏移量 块填充 等相关信息
1
2
3
2
3
# md5
# RSA
上次更新: 2023-06-27 16:49:11