I. How the Xposed framework implements hooking
Zygote is the core of Android: every time an app is launched, Zygote forks a virtual-machine instance to run it. The Xposed Framework reaches into this core mechanism and implements some very powerful features by modifying Zygote. Zygote's startup is configured in the init.rc script; the system starts this process at boot, and the corresponding executable is /system/bin/app_process, which loads the class libraries and performs a number of function calls. Once the Xposed Framework is installed, it extends app_process; that is, Xposed Framework overwrites the app_process file shipped with Android with its own implementation, so when the system boots it loads the process file that Xposed has replaced. In addition, the Xposed Framework defines a jar that is also loaded at system startup: /data/data/de.robv.android.xposed.installer/bin/XposedBridge.jar
II. Common detection methods
```java
import java.io.BufferedReader;
import java.io.File;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Arrays;

import android.annotation.SuppressLint;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class Module implements IXposedHookLoadPackage {
    // Global variable shared between the getModifiers hook and the isNative hook
    private int modify;

    @Override
    public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
        // Detection: load XposedHelpers through ClassLoader.loadClass and alter some of its
        // variable values to block hooks
        // Countermeasure: hook class loading and rewrite the requested class name
        // XposedHelpers.findAndHookMethod(ClassLoader.class, "loadClass", String.class, new XC_MethodHook() {
        //     @Override
        //     protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        //         super.beforeHookedMethod(param);
        //         if (param.args != null && param.args[0] != null &&
        //                 param.args[0].toString().startsWith("de.robv.android.xposed.")) {
        //             // Replace the name with a class that does not exist
        //             param.args[0] = "de.robv.android.xposed.ThTest";
        //         }
        //     }
        // });

        // Detection: throw an exception and search the stack trace for Xposed-related frames
        // Countermeasure: hook the stack-trace class-name getter and replace the names
        XposedHelpers.findAndHookMethod(StackTraceElement.class, "getClassName", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                String result = (String) param.getResult();
                if (result != null) {
                    if (result.contains("de.robv.android.xposed.")) {
                        param.setResult("");
                    } else if (result.contains("com.android.internal.os.ZygoteInit")) {
                        param.setResult("");
                    }
                }
                super.afterHookedMethod(param);
            }
        });

        // Detection: read /proc/<pid>/maps (pid = the app's process id) to list the .so and .jar
        // files mapped into the process and look for Xposed-related entries
        // Countermeasure: the file is read through BufferedReader, so filter out the XposedBridge.jar line
        XposedHelpers.findAndHookMethod(BufferedReader.class, "readLine", new XC_MethodHook() {
            @SuppressLint("SdCardPath")
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                String result = (String) param.getResult();
                if (result != null) {
                    if (result.contains("/data/data/de.robv.android.xposed.installer/bin/XposedBridge.jar")) {
                        param.setResult("");
                        new File("").lastModified(); // kept from the original; has no effect on the result
                    }
                }
                super.afterHookedMethod(param);
            }
        });

        // Other: Xposed implements a hook by having its .so turn the hooked method into a native
        // method, so a detector can also check whether a method has become native
        // Countermeasure: return normal modifier values for the chosen methods to mask this;
        // getDeviceId is used as the example
        XposedHelpers.findAndHookMethod(Method.class, "getModifiers", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                Method method = (Method) param.thisObject;
                String[] array = new String[]{"getDeviceId"};
                String method_name = method.getName();
                if (Arrays.asList(array).contains(method_name)) {
                    modify = 0;
                } else {
                    modify = (Integer) param.getResult();
                }
                super.afterHookedMethod(param);
            }
        });
        XposedHelpers.findAndHookMethod(Modifier.class, "isNative", int.class, new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                param.args[0] = modify;
                super.beforeHookedMethod(param);
            }
        });
    }
}
```
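The module above is written from the hiding side; seen from the app-protection side, the four detection techniques named in its comments look like the class below. This is an added example and not code from the blog post: the class name `XposedDetector`, its method names, and the use of `/proc/self/maps` (the current process's own maps file, equivalent to `/proc/<pid>/maps` for the app's pid) are assumptions; the `de.robv.android.xposed.` package prefix and the `XposedBridge.jar` path come from the page.

```java
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.io.StringReader;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

/**
 * Illustrative Xposed detection checks (added example; XposedDetector is a hypothetical name).
 * Each check mirrors one technique from the module's comments, so it is clear which
 * Java API a hiding module has to hook to defeat it.
 */
public final class XposedDetector {
    // Markers taken from the page: the Xposed package prefix and the bridge jar path.
    private static final String XPOSED_PKG = "de.robv.android.xposed.";
    private static final String XPOSED_BRIDGE =
            "/data/data/de.robv.android.xposed.installer/bin/XposedBridge.jar";

    private XposedDetector() {}

    /** 1. Class presence: with Xposed installed, XposedHelpers is loadable in every app process. */
    public static boolean xposedClassesLoadable() {
        try {
            Class.forName(XPOSED_PKG + "XposedHelpers");
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    /** 2. Stack-trace inspection: throw, then look for Xposed frames in the call stack. */
    public static List<String> xposedFramesInStack() {
        List<String> hits = new ArrayList<>();
        for (StackTraceElement frame : new Throwable().getStackTrace()) {
            String cls = frame.getClassName();
            if (cls.startsWith(XPOSED_PKG)) {
                hits.add(cls + "." + frame.getMethodName());
            }
        }
        return hits;
    }

    /** 3. Memory-map inspection: XposedBridge.jar is mapped into the hooked process. */
    public static List<String> xposedEntriesInMaps() throws IOException {
        return xposedEntriesIn(new BufferedReader(new FileReader("/proc/self/maps")));
    }

    /** Core of check 3, separated so it can be exercised on constructed maps text. */
    public static List<String> xposedEntriesIn(BufferedReader reader) throws IOException {
        List<String> hits = new ArrayList<>();
        try {
            String line;
            while ((line = reader.readLine()) != null) {
                if (line.contains(XPOSED_BRIDGE) || line.contains(XPOSED_PKG)) {
                    hits.add(line.trim());
                }
            }
        } finally {
            reader.close();
        }
        return hits;
    }

    /** 4. Native flag: a Java method Xposed has hooked carries the native modifier afterwards. */
    public static boolean unexpectedlyNative(Method m) {
        return Modifier.isNative(m.getModifiers());
    }

    /** Stand-alone demonstration on a constructed maps excerpt (not a real capture). */
    public static void main(String[] args) throws Exception {
        String constructedMaps =
                "7f1a2000-7f1a3000 r--p 00000000 fd:00 1234 /system/lib64/libc.so\n"
              + "7f1b0000-7f1b8000 r--p 00000000 fd:00 5678 "
              + "/data/data/de.robv.android.xposed.installer/bin/XposedBridge.jar\n";
        List<String> hits = xposedEntriesIn(new BufferedReader(new StringReader(constructedMaps)));
        System.out.println("maps hits: " + hits);            // one line, the XposedBridge.jar mapping
        System.out.println("class loadable: " + xposedClassesLoadable());
        System.out.println("stack hits: " + xposedFramesInStack());
        Method self = XposedDetector.class.getMethod("xposedClassesLoadable");
        System.out.println("native: " + unexpectedlyNative(self));
    }
}
```

On a device, check 4 is run against the method the page uses as its example, e.g. `unexpectedlyNative(TelephonyManager.class.getMethod("getDeviceId"))`. Read together with the module above, the design point is that every one of these checks goes through a single Java API (`StackTraceElement.getClassName`, `BufferedReader.readLine`, `Method.getModifiers` / `Modifier.isNative`) that a module in the same process can hook, so a check is only as trustworthy as the API it relies on; performing the maps read in native code and cross-checking independent signals makes the result harder to falsify from the Java layer.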
Source: https://blog.csdn.net/qq_41369057/article/details/131242951