- 浏览: 439051 次
- 性别:
- 来自: 深圳
文章分类
最新评论
-
su6838354:
我有点疑问啊,thread1中的i自增的慢的话,thread2 ...
浅析pthread_cond_wait -
zeronever:
请问pthread_cond_signal有解锁操纵吗?我在p ...
浅析pthread_cond_wait -
paladin1988:
你这帖子真心不错。。
浅谈bitmap算法 -
parabellum_sky:
昨天还有个姑娘让我去考我说会考虑
个人日志
XposedBridge是Xposed框架替代ZygoteInit的文件,其中main方式是其入口,分析main方法可以更好的理解Xposed的运行模式,下面就来分析一下此函数。
initNative()函数对一些JNI函数的注册和回调方法的注册,JNI层对应的方法为XposedBridge_initNative,此方法后续会进行分析。
initXbridgeZygote();对Zygote进行初始化,深入探讨一下此函数,由于比较复杂,耐心跟踪一下
findAndHookMethod是关键,如何hook method,继续往下看
findAndHookMethod(ActivityThread.class, "handleBindApplication", "android.app.ActivityThread.AppBindData", new XC_MethodHook() );
这里是要find ActivityThread对象中的AppBindData方法,AppBindData在ActivityThread中是一个内部类。
XposedBridge.hookMethod(m, callback);
这句就是把find的method和callback进行关联,用callback替代AppBindData,看一下原理:
1. sHookedMethodCallbacks寻找要hook的method,如果不存在,则新建一个callback和hookmethod进行关联,sHookedMethodCallbacks.put(hookMethod, callbacks);callbacks.add(callback);
2. 如果是新hookmethod,进行hookMethodNative,进入JNI层调用XposedBridge_hookMethodNative
private static void main(String[] args) { // the class the VM has been created for or null for the Zygote process String startClassName = getStartClassName(); // initialize the Xposed framework and modules try { // initialize log file try { logFile = new File(BASE_DIR + "log/error.log"); if (startClassName == null && logFile.length() > MAX_LOGFILE_SIZE_SOFT) logFile.renameTo(new File(BASE_DIR + "log/error.log.old")); logWriter = new PrintWriter(new FileWriter(logFile, true)); logFile.setReadable(true, false); logFile.setWritable(true, false); } catch (IOException ignored) {} String date = DateFormat.getDateTimeInstance().format(new Date()); determineXposedVersion(); log("-----------------\n" + date + " UTC\n" + "Loading Xposed v" + XPOSED_BRIDGE_VERSION + " (for " + (startClassName == null ? "Zygote" : startClassName) + ")..."); if (startClassName == null) { // Zygote log("Running ROM '" + Build.DISPLAY + "' with fingerprint '" + Build.FINGERPRINT + "'"); } if (initNative()) { if (startClassName == null) { // Initializations for Zygote initXbridgeZygote(); } loadModules(startClassName); } else { log("Errors during native Xposed initialization"); } } catch (Throwable t) { log("Errors during Xposed initialization"); log(t); disableHooks = true; } // call the original startup code if (startClassName == null) ZygoteInit.main(args); else RuntimeInit.main(args); }
initNative()函数对一些JNI函数的注册和回调方法的注册,JNI层对应的方法为XposedBridge_initNative,此方法后续会进行分析。
initXbridgeZygote();对Zygote进行初始化,深入探讨一下此函数,由于比较复杂,耐心跟踪一下
private static void initXbridgeZygote() throws Throwable { final HashSet<String> loadedPackagesInProcess = new HashSet<String>(1); // normal process initialization (for new Activity, Service, BroadcastReceiver etc.) findAndHookMethod(ActivityThread.class, "handleBindApplication", "android.app.ActivityThread.AppBindData", new XC_MethodHook() { protected void beforeHookedMethod(MethodHookParam param) throws Throwable { ActivityThread activityThread = (ActivityThread) param.thisObject; ApplicationInfo appInfo = (ApplicationInfo) getObjectField(param.args[0], "appInfo"); ComponentName instrumentationName = (ComponentName) getObjectField(param.args[0], "instrumentationName"); if (instrumentationName != null) { XposedBridge.log("Instrumentation detected, disabling framework for " + appInfo.packageName); disableHooks = true; return; } CompatibilityInfo compatInfo = (CompatibilityInfo) getObjectField(param.args[0], "compatInfo"); if (appInfo.sourceDir == null) return; setObjectField(activityThread, "mBoundApplication", param.args[0]); loadedPackagesInProcess.add(appInfo.packageName); LoadedApk loadedApk = activityThread.getPackageInfoNoCheck(appInfo, compatInfo); XResources.setPackageNameForResDir(appInfo.packageName, loadedApk.getResDir()); LoadPackageParam lpparam = new LoadPackageParam(sLoadedPackageCallbacks); lpparam.packageName = appInfo.packageName; lpparam.processName = (String) getObjectField(param.args[0], "processName"); lpparam.classLoader = loadedApk.getClassLoader(); lpparam.appInfo = appInfo; lpparam.isFirstApplication = true; XC_LoadPackage.callAll(lpparam); if (appInfo.packageName.equals(INSTALLER_PACKAGE_NAME)) hookXposedInstaller(lpparam.classLoader); } }); // system thread initialization findAndHookMethod("com.android.server.ServerThread", null, Build.VERSION.SDK_INT < 19 ? "run" : "initAndLoop", new XC_MethodHook() { @Override protected void beforeHookedMethod(MethodHookParam param) throws Throwable { loadedPackagesInProcess.add("android"); LoadPackageParam lpparam = new LoadPackageParam(sLoadedPackageCallbacks); lpparam.packageName = "android"; lpparam.processName = "android"; // it's actually system_server, but other functions return this as well lpparam.classLoader = BOOTCLASSLOADER; lpparam.appInfo = null; lpparam.isFirstApplication = true; XC_LoadPackage.callAll(lpparam); } }); // when a package is loaded for an existing process, trigger the callbacks as well hookAllConstructors(LoadedApk.class, new XC_MethodHook() { @Override protected void afterHookedMethod(MethodHookParam param) throws Throwable { LoadedApk loadedApk = (LoadedApk) param.thisObject; String packageName = loadedApk.getPackageName(); XResources.setPackageNameForResDir(packageName, loadedApk.getResDir()); if (packageName.equals("android") || !loadedPackagesInProcess.add(packageName)) return; if ((Boolean) getBooleanField(loadedApk, "mIncludeCode") == false) return; LoadPackageParam lpparam = new LoadPackageParam(sLoadedPackageCallbacks); lpparam.packageName = packageName; lpparam.processName = AndroidAppHelper.currentProcessName(); lpparam.classLoader = loadedApk.getClassLoader(); lpparam.appInfo = loadedApk.getApplicationInfo(); lpparam.isFirstApplication = false; XC_LoadPackage.callAll(lpparam); } }); findAndHookMethod("android.app.ApplicationPackageManager", null, "getResourcesForApplication", ApplicationInfo.class, new XC_MethodHook() { @Override protected void beforeHookedMethod(MethodHookParam param) throws Throwable { ApplicationInfo app = (ApplicationInfo) param.args[0]; XResources.setPackageNameForResDir(app.packageName, app.uid == Process.myUid() ? app.sourceDir : app.publicSourceDir); } }); if (!new File(BASE_DIR + "conf/disable_resources").exists()) { hookResources(); } else { disableResources = true; } }
findAndHookMethod是关键,如何hook method,继续往下看
public static XC_MethodHook.Unhook findAndHookMethod(Class<?> clazz, String methodName, Object... parameterTypesAndCallback) { if (parameterTypesAndCallback.length == 0 || !(parameterTypesAndCallback[parameterTypesAndCallback.length-1] instanceof XC_MethodHook)) throw new IllegalArgumentException("no callback defined"); XC_MethodHook callback = (XC_MethodHook) parameterTypesAndCallback[parameterTypesAndCallback.length-1]; Method m = findMethodExact(clazz, methodName, getParameterClasses(clazz.getClassLoader(), parameterTypesAndCallback)); return XposedBridge.hookMethod(m, callback); }
findAndHookMethod(ActivityThread.class, "handleBindApplication", "android.app.ActivityThread.AppBindData", new XC_MethodHook() );
这里是要find ActivityThread对象中的AppBindData方法,AppBindData在ActivityThread中是一个内部类。
XposedBridge.hookMethod(m, callback);
这句就是把find的method和callback进行关联,用callback替代AppBindData,看一下原理:
public static XC_MethodHook.Unhook hookMethod(Member hookMethod, XC_MethodHook callback) { if (!(hookMethod instanceof Method) && !(hookMethod instanceof Constructor<?>)) { throw new IllegalArgumentException("Only methods and constructors can be hooked: " + hookMethod.toString()); } else if (hookMethod.getDeclaringClass().isInterface()) { throw new IllegalArgumentException("Cannot hook interfaces: " + hookMethod.toString()); } else if (Modifier.isAbstract(hookMethod.getModifiers())) { throw new IllegalArgumentException("Cannot hook abstract methods: " + hookMethod.toString()); } boolean newMethod = false; CopyOnWriteSortedSet<XC_MethodHook> callbacks; synchronized (sHookedMethodCallbacks) { callbacks = sHookedMethodCallbacks.get(hookMethod); if (callbacks == null) { callbacks = new CopyOnWriteSortedSet<XC_MethodHook>(); sHookedMethodCallbacks.put(hookMethod, callbacks); newMethod = true; } } callbacks.add(callback); if (newMethod) { Class<?> declaringClass = hookMethod.getDeclaringClass(); int slot = (int) getIntField(hookMethod, "slot"); Class<?>[] parameterTypes; Class<?> returnType; if (hookMethod instanceof Method) { parameterTypes = ((Method) hookMethod).getParameterTypes(); returnType = ((Method) hookMethod).getReturnType(); } else { parameterTypes = ((Constructor<?>) hookMethod).getParameterTypes(); returnType = null; } AdditionalHookInfo additionalInfo = new AdditionalHookInfo(callbacks, parameterTypes, returnType); hookMethodNative(hookMethod, declaringClass, slot, additionalInfo); } return callback.new Unhook(hookMethod); }
1. sHookedMethodCallbacks寻找要hook的method,如果不存在,则新建一个callback和hookmethod进行关联,sHookedMethodCallbacks.put(hookMethod, callbacks);callbacks.add(callback);
2. 如果是新hookmethod,进行hookMethodNative,进入JNI层调用XposedBridge_hookMethodNative
/** @function hookMethodNative 将输入的Class中的Method方法的nativeFunc替换为xposedCallHandler @para declaredClassIndirect 类对象 @para slot Method在类中的偏移位置 */ void XposedBridge_hookMethodNative(JNIEnv* env, jclass clazz, jobject reflectedMethodIndirect, jobject declaredClassIndirect, jint slot, jobject additionalInfoIndirect) { // Usage errors? if (declaredClassIndirect == NULL || reflectedMethodIndirect == NULL) { dvmThrowIllegalArgumentException("method and declaredClass must not be null"); return; } // Find the internal representation of the method ClassObject* declaredClass = (ClassObject*) dvmDecodeIndirectRef(dvmThreadSelf(), declaredClassIndirect); Method* method = dvmSlotToMethod(declaredClass, slot); if (method == NULL) { dvmThrowNoSuchMethodError("Could not get internal representation for method"); return; } if (isMethodHooked(method)) { // already hooked return; } // Save a copy of the original method and other hook info XposedHookInfo* hookInfo = (XposedHookInfo*) calloc(1, sizeof(XposedHookInfo)); memcpy(hookInfo, method, sizeof(hookInfo->originalMethodStruct)); hookInfo->reflectedMethod = dvmDecodeIndirectRef(dvmThreadSelf(), env->NewGlobalRef(reflectedMethodIndirect)); hookInfo->additionalInfo = dvmDecodeIndirectRef(dvmThreadSelf(), env->NewGlobalRef(additionalInfoIndirect)); // Replace method with our own code SET_METHOD_FLAG(method, ACC_NATIVE); method->nativeFunc = &hookedMethodCallback; method->insns = (const u2*) hookInfo; method->registersSize = method->insSize; method->outsSize = 0; if (PTR_gDvmJit != NULL) { // reset JIT cache char currentValue = *((char*)PTR_gDvmJit + MEMBER_OFFSET_VAR(DvmJitGlobals,codeCacheFull)); if (currentValue == 0 || currentValue == 1) { MEMBER_VAL(PTR_gDvmJit, DvmJitGlobals, codeCacheFull) = true; } else { ALOGE("Unexpected current value for codeCacheFull: %d", currentValue); } } }
发表评论
-
Java NIO
2015-08-09 14:58 1077java 网络编程中,不可避免的要谈论NIO,这篇文章就来谈谈 ... -
jni方法的注册和调用流程
2015-07-07 17:20 3235JNI在android中起重要作用,是连接java层和dalv ... -
MethodHooker--Hook分析
2015-07-03 17:58 2779Hook的原理是修改java层 ... -
XPosed解析--callback_XposedBridge_initNative分析
2015-07-02 10:41 2864callback_XposedBridge_initNativ ... -
ViewGroup onInterceptTouchEvent and OnTouchEvent
2014-09-16 15:46 887ViewGroup 继承View,实现了View各个方法,同时 ... -
libdgx之gdx-vectorpinball分析--整体篇
2013-09-17 09:47 1033gdx-vectorpinball分析--整体篇 gdx-v ... -
Android 归来
2011-10-21 09:09 77时隔半年,重新拾起android开发,相信自己能走下去。
相关推荐
《Xposed框架详解:深入理解xposed-v89-sdk25-x86.zip》 Xposed框架是一款在Android系统上广泛使用的模块化开发工具,它允许开发者通过编写特定的模块来改变系统的功能或应用的行为,而无需修改APK文件。在本文中,...
Xposed提供`XposedBridge.log()`方法用于调试,帮助开发者查看被Hook的方法何时被调用以及传递的参数。 2. **ClassLoader Hook**:这种方法涉及到类加载过程的修改,可以控制哪些类会被加载,或者在类加载后立即...
- **XposedBridge API**:这是Xposed框架的核心接口,包括`IXposedHookLoadPackage`、`IXposedHookZygoteInit`等,它们定义了如何在系统启动或加载应用时执行自定义逻辑。 - **Hook技术**:理解Java反射和Method ...
由于这两种架构的不同,Xposed框架也需要为每个架构提供相应的版本,即“xposed-x86”和“xposed-x86_64”。这确保了框架在不同硬件平台上能够正常运行。 安装Xposed框架的步骤通常包括以下几步: 1. 获取对应架构...
标题 "xposed-v88-sdk25-x86.zip" 提供了关于这个压缩包的重要信息,它是一个针对特定环境的 Xposed 框架版本。Xposed 是一个在 Android 系统上运行的框架,允许用户通过安装模块来修改系统行为,无需root权限。这里...
而“xposed-uninstaller-20180117-arm.zip”则是专门为Xposed框架提供的卸载工具,适用于基于ARM架构的Android 5.0系统。 在深入探讨Xposed框架之前,我们需要理解Android系统的运行机制。Android系统基于Linux内核...
xposed-v89-sdk25-arm86与xposed-v89-sdk25-arm64两个版本对应的系统是安卓5.0以上的
"framework-xposed-v89-sdk25-x86"这个标题表明这是Xposed框架的一个版本,针对的是Android SDK Level 25(即Android 7.1.1 Nougat)的x86架构设备。下面我们将深入探讨Xposed框架的基本概念、工作原理以及与SDK 25...
"xposed-v89-sdk25-x86.zip" 文件名表明这是一款针对Android SDK 25(即Android 7.1 Nougat)的Xposed框架版本,适用于x86架构的设备。"script.sh" 文件则可能是一个脚本,用于帮助用户安装或配置Xposed框架。 1. *...
《Xposed框架与XposedBridgeApi-89.jar详解》 在Android开发领域,Xposed框架是一个极具影响力的神器,它允许开发者通过修改系统的运行时行为,实现对系统和应用的深度定制,而无需修改APK文件。XposedBridgeApi-89...
"xposed-v89-sdk22-x86.zip"是针对Android SDK 22(即Android 5.1)的Xposed框架的特定版本,适用于x86架构的设备。 首先,我们来详细了解一下Xposed框架的核心功能和工作原理。Xposed框架通过hooking技术在系统层...
XposedBridgeApi是一个用于Android系统的库,它允许开发者在不修改应用程序源代码的情况下,通过使用Xposed框架来实现对应用程序的修改和增强。XposedBridgeApi-54提供了一组API,使得开发者可以在运行时动态地修改...
xposed-v88-sdk23-x86.zip
xposed api 82 AndroidManifest.xml <meta-data android:name="xposedmodule" android:value="true" /> <meta-data android:name="xposeddescription" android:value="..." /> <meta-data ...
在本例中,我们有两个版本的Xposed框架:xposed-v90-sdk26-arm64-beta3.zip和xposed-v90-sdk26-arm-beta3.zip。它们分别适用于基于ARM64架构和ARM架构的Android 8.0设备。选择适合自己设备架构的版本至关重要,因为...
xposed-api-82-sources resources 资源文件 和xposed-api-82放到同一个文件夹下
标题中的"xposed-v78-sdk22-arm64.zip"指的是Xposed框架的一个特定版本,适用于基于Android SDK 22(Android 5.1 Lollipop)的arm64架构设备,比如MeiZu(魅族)手机。 在Android生态系统中,Xposed框架由Rovo89...
XposedBridgeApi是Xposed框架的核心API库,它为开发者提供了与系统底层交互的接口,使得开发者能够实现各种高级功能,如系统级别的Hook、应用程序的定制化修改等。 XposedBridgeApi-54.jar和XposedBridgeApi-87.jar...
内有XposedBridgeApi-82.jar XposedBridgeApi-82-source.jar两个文件 api-82.jar SHA-1:35866b507b360d4789ff389ad7386b6e8bbf6cc4 api-82-source.jar SHA-1:2030f71764b06b2f39fa1a85660690aa834cfd84