Xposed hook大全
Xposed常用HOOK方法
不讲废话
hook修改静态方法
XposedHelpers.setBooleanField("对象", "名称", false);
XposedHelpers.setIntField("对象", "名称", 1);
XposedHelpers.setObjectField("对象", "名称", "值");
hook 构造函数
// 找到类名方法
Class<?> clazz = XposedHelpers.findClass("xxx.xxx.类名", lpparam.classLoader);
XposedHelpers.findAndHookConstructor(clazz, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
}
});
XposedHelpers.findAndHookConstructor(clazz, String.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
}
});
hook 普通方法
// 找到类名方法
Class<?> clazz = XposedHelpers.findClass("xxx.xxx.类名", lpparam.classLoader);
XposedHelpers.findAndHookMethod(clazz, "方法名", new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
}
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
}
});
hook 复杂函数
// 找到类名方法
Class<?> clazz = XposedHelpers.findClass("xxx.xxx.类名", lpparam.classLoader);
XposedHelpers.findAndHookMethod(clazz, "方法名",
String[][].class,
String.class,
Map.class,
ArrayList.class,
new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
}
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
}
}
);
或者
// 找到类名方法
XposedHelpers.findAndHookMethod(clazz, "方法名",
"[[Ljava.lang.String",
"java.lang.String",
Class.forName("java.utils.Map"),
Class.forName("java.util.ArrayList"),
new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
}
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
}
}
);
hook 自定义类参数
获取类的方式
- 类名.class
- 对象.getClass()
- class.forName()
- xposedHelpers.findClass("","")
- new DexClassLoader("","","","").loadClass() .// 加载类 用于脱壳加固
// 类名.class 对象.getClass() class.forName() xposedHelpers.findClass("","")
Class<?> JiaZaiClazz = lpparam.classLoader.loadClass("xxxx.xxx.xxx.类名");
Class<?> clazz = XposedHelpers.findClass("xxx.xxx.类名", lpparam.classLoader);
XposedHelpers.findAndHookMethod(clazz, "方法名",
"[[Ljava.lang.String",
"java.lang.String",
JiaZaiClazz,// 加载的自定义类
Class.forName("java.utils.Map"),
Class.forName("java.util.ArrayList"),
new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
}
}
);
或者用上面的前四种的方法。
简单示例
Class<?> JiaZaiClazz = Class.forName("xxxx.xxx.xxx.类名", // 路径类名
false,// 是否初始化,一般都是false
lpparam.classLoader// 这个意思是用哪个加载器加载这个类
);
Class<?> JiaZaiClazz = XposedHelpers.findClass("xxxx.xxx.xxx.类名","lpparam.classLoader");
还有一种特殊的
"xxxx.xxx.xxx.类名" // 直接输入即可
hook 替换函数
即改掉整个函数,不在提前或者之后hook
Class<?> clazz = XposedHelpers.findClass("xxx.xxx.类名", lpparam.classLoader);
XposedHelpers.findAndHookMethod(clazz, "方法名", new XC_MethodReplacement() {
@Override
protected Object replaceHookedMethod(MethodHookParam param) throws Throwable {
Log.d(TAG, "替换的函数输出");
return null;
}
});
hook内部类
XposedHelpers.findAndHookMethod(XposedHelpers.findClass("xxx.xxx.xxx.类名$内部类名", lpparam.classLoader),
"内部类的方法名",
String.class,
new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
}
}
);
主动调用
final Class<?> clazz = XposedHelpers.findClass("xxx.xxx.类名", lpparam.classLoader);
XposedHelpers.findAndHookMethod(XposedHelpers.findClass("xxx.xxx.xxx.类名$内部类名", lpparam.classLoader),
"内部类的方法名",
String.class,
new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
XposedHelpers.callMethod(clazz.newInstance(),"具体方法","值");
super.beforeHookedMethod(param);
}
}
);
打印堆栈
log.e("标签","打印的数据",,new Throwable("打印的堆栈"));
Java 反射大法
反射调用方法
- 找到类
- 找到字段和方法
- 修改字段或者调用方法
Class.forName("com.xxx.xxx",false,ClassLoader);
Class.forName("com.xxx.xxx")
类名.class
对象.getClass()
Xposed中的findClass
classLoader中的LoadClass
Class clazz = lpparam.classLoader.loadClass("");
XposedHelpers.findClass("",lpparam.classLoader);
clazz.getClass();
String.class;
调用
Class clazz = lpparam.classLoader.loadClass("");
Class DemoClazz = Class.forName("xxx.xxx.xxx");
// DemoClazz.getMethod("");
Method DeclareMethodName = DemoClazz.getDeclaredMethod("方法名称");
DeclareMethodName.setAccessible(true); // 给权限
DeclareMethodName.invoke(clazz.newInstance());
反射调用属性
Class clazz = lpparam.classLoader.loadClass("");
Class DemoClazz = Class.forName("xxx.xxx.xxx");
// 获取
Field DeclaredFieldName = DemoClazz.getDeclaredField("对象");
DeclaredFieldName.getType();// 获取字段类型
DeclaredFieldName.getName(); // 获取字段名称
DeclaredFieldName.getModifiers();// 获取访问修饰符
DeclaredFieldName.setAccessible(true);// 给权限
Object insClass = clazz.newInstance();
Object GD = DeclaredFieldName.get(insClass);
Log.d("标签", "取值 MSG:" + (String) GD);
DeclaredFieldName.set(insClass, "值");
Object SD = DeclaredFieldName.get(insClass);
Log.d("标签", "设置 MSG:" + (String) SD);
遍历所有的方法和字段
if (!lpparam.processName.equals("com.xxx.xxx"))return;
Class<?> clazz = XposedHelpers.findClass("com.xiaojianbang.XposedDemo.demo", lpparam.classLoader);
Method[] md = clazz.getDeclaredMethods(); // 获取方法
for(int i =0;i < md.length;i++){
Log.d("遍历",md[i].toString());
}
Field[] fd = clazz.getDeclaredFields(); // 获取字段
for(int i =0;i < fd.length;i++){
Log.d("遍历",fd[i].toString());
}
遍历所有内部类
clazz.getDeclaredClasses(); // 遍历所有类
clazz.getDeclaredConstructors();// 遍历所有构造函数
Class<?>[] cls = clazz.getDeclaredClasses();
for (int i = 0; i < cls.length; i++) {
Log.d(TAG, "正在遍历内部类");
Method[] innerMDs = clazz.getDeclaredMethods(); // 获取方法
for (Method innerMD : innerMDs) {
Log.d("遍历", innerMD.toString());
}
Field[] innerFDs = clazz.getDeclaredFields(); // 获取字段
for (Field innerFD : innerFDs) {
Log.d("遍历", innerFD.toString());
}
}
遍历所有类
XposedHelpers.findAndHookMethod(
ClassLoader.class,
"com.xxx.xx",
String.class,
new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
Class clazz = (Class) param.getResult();
Log.d(TAG, "loadClass" + clazz.getName());
}
});
hook所有类中的所有方法
XposedBridge.hookAllConstructors(); // hook所有构造函数
XposedBridge.hookAllMethods(); // hook单个类所有函数
XposedBridge.hookMethod(); // hook 所有函数
XposedHelpers.findAndHookMethod(
ClassLoader.class,
"com.xxx.xx",
String.class,
new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
Class clazz = (Class) param.getResult();
String className = clazz.getName();
Log.d(TAG, "loadClass" + clazz.getName());
if (className.equals("xxx")) {
for (Method md : clazz.getDeclaredMethods()) {
XposedBridge.hookMethod(md, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
Log.d(TAG, "Hook_Method:" + md.toString());
}
});
}
}
}
});
得到了一个方法 如何判断呢?
for (Method md : clazz.getDeclaredMethods())
XposedHelpers.findAndHookMethod(
ClassLoader.class,
"com.xxx.xx",
String.class,
new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
Class clazz = (Class) param.getResult();
String className = clazz.getName();
Log.d(TAG, "loadClass" + clazz.getName());
if (className.equals("xxx")) {
for (Method md : clazz.getDeclaredMethods()) {
int mod = md.getModifiers();
if (!Modifier.isAbstract(mod) // 是不是一个抽象类 判断
&& !Modifier.isNative(mod) // 是不是一个Native方法 判断
&& !Modifier.isInterface(mod)) // 是不是一个Interface接口
{
XposedBridge.hookMethod(md, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
Log.d(TAG, "Hook_Method:" + md.toString());
}
});
}
}
}
}
});
获取参数
if (md.getName().contains("xxxx")) {
for (int i = 0; i < param.args.length; i++) {
Log.d(TAG, param.args[i].getClass().getName());
}
}
自吐算法模块开发
浙公网安备 33010602011771号