Xposed Learning (2): hook_test

The target to hook

This is a simple APK from a Frida tutorial.

URL: https://11x256.github.io/Frida-hooking-android-part-1/

The source code of the APK is as follows:

package com.example.a11x256.frida_test;

import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;
import android.util.Log;
import android.util.Base64;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Random;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class my_activity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_my_activity);
        // Call fun(50, 30) once per second, forever.
        while (true) {

            try {
                Thread.sleep(1000);
            } catch (InterruptedException e) {
                e.printStackTrace();
            }

            fun(50, 30);
        }
    }

    // Logs the sum of its two arguments under the tag "Sum".
    void fun(int x, int y) {
        Log.d("Sum", String.valueOf(x + y));
    }

}

We want to hook the method fun.

Create a new class


package com.example.michael.xposed_1;

import de.robv.android.xposed.IXposedHookLoadPackage;
import static de.robv.android.xposed.XposedHelpers.findAndHookMethod;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;
import android.util.Log;

public class test implements IXposedHookLoadPackage {
    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        // Called for every package that is loaded; only act on the target app.
        if (lpparam.packageName.equals("com.example.a11x256.frida_test")) {
            // Hook my_activity.fun(int, int) using the target app's class loader.
            findAndHookMethod("com.example.a11x256.frida_test.my_activity", lpparam.classLoader, "fun", int.class, int.class, new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                    // Runs before each call to fun.
                    Log.e("Xposed", "Xposed Hooked");
                }
            });
        }
    }
}

Configure Xposed

In the directory below, create the folder and file shown in the figure.


The content of xposed_init is the fully qualified name of the class that implements the hook (the package name comes first):

com.example.michael.xposed_1.test 

Build APK

Install and run frida-test (the APK to be hooked), then check logcat.

12-04 17:48:55.688 24664 24664 E Xposed  : Xposed Hooked
12-04 17:48:55.688 24664 24664 D Sum : 80
12-04 17:48:56.503 21811 21827 D PhoneInterfaceManager: [PhoneIntfMgr] getDataEnabled: subId=2 phoneId=0
12-04 17:48:56.504 21811 21827 D PhoneInterfaceManager: [PhoneIntfMgr] getDataEnabled: subId=2 retVal=false
12-04 17:48:56.504 24040 24040 D TelephonyManager: getDataEnabled: retVal=false
12-04 17:48:56.689 24664 24664 E Xposed : Xposed Hooked
12-04 17:48:56.690 24664 24664 D Sum : 80
12-04 17:48:56.854 22435 22840 I CheckinRequestBuilder: Classify the device as Phone.
12-04 17:48:57.636 21811 22233 D PhoneInterfaceManager: [PhoneIntfMgr] getDataEnabled: subId=2 phoneId=0
12-04 17:48:57.637 21811 22233 D PhoneInterfaceManager: [PhoneIntfMgr] getDataEnabled: subId=2 retVal=false
12-04 17:48:57.640 24040 24040 D TelephonyManager: getDataEnabled: retVal=false
12-04 17:48:57.690 24664 24664 E Xposed : Xposed Hooked
12-04 17:48:57.691 24664 24664 D Sum : 80
12-04 17:48:58.692 24664 24664 E Xposed : Xposed Hooked
12-04 17:48:58.694 24664 24664 D Sum : 80
12-04 17:48:58.768 21811 22246 D PhoneInterfaceManager: [PhoneIntfMgr] getDataEnabled: subId=2 phoneId=0
12-04 17:48:58.770 21811 22246 D PhoneInterfaceManager: [PhoneIntfMgr] getDataEnabled: subId=2 retVal=false
12-04 17:48:58.771 24040 24040 D TelephonyManager: getDataEnabled: retVal=false
12-04 17:48:59.695 24664 24664 E Xposed : Xposed Hooked
12-04 17:48:59.696 24664 24664 D Sum : 80
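
An added example (not code from the original post or from the Frida tutorial): a variant of the module above that also logs the arguments passed to fun and reports a failed hook installation instead of letting the error escape handleLoadPackage. The class name TestWithArgs is hypothetical and would have to be the name listed in xposed_init; messages are written with XposedBridge.log instead of Log.e.

```java
package com.example.michael.xposed_1;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

// Hypothetical class name; to use it, list it in xposed_init instead of "test".
public class TestWithArgs implements IXposedHookLoadPackage {
    private static final String TARGET_PKG = "com.example.a11x256.frida_test";
    private static final String TARGET_CLASS = TARGET_PKG + ".my_activity";

    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        // handleLoadPackage runs for every app that loads; ignore all but the target.
        if (!TARGET_PKG.equals(lpparam.packageName)) {
            return;
        }
        try {
            XposedHelpers.findAndHookMethod(TARGET_CLASS, lpparam.classLoader,
                    "fun", int.class, int.class, new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) {
                    // param.args holds the boxed arguments in declaration order.
                    int x = (Integer) param.args[0];
                    int y = (Integer) param.args[1];
                    XposedBridge.log("fun(" + x + ", " + y + ") called on " + param.thisObject);
                }

                @Override
                protected void afterHookedMethod(MethodHookParam param) {
                    // fun returns void, so only an exception is worth reporting here.
                    if (param.hasThrowable()) {
                        XposedBridge.log(param.getThrowable());
                    }
                }
            });
        } catch (XposedHelpers.ClassNotFoundError | NoSuchMethodError e) {
            // Thrown when the class name or parameter types do not match the APK,
            // for example after the target app is updated or obfuscated.
            XposedBridge.log("hook not installed: " + e);
        }
    }
}
```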

References

https://www.cnblogs.com/yhjoker/p/8653020.html