Xposed 使用教程

2018-05-21  本文已影响1457人  咻咻ing

Xposed作为Android开发中的神器,功能强大之处就不做过多介绍了,本文主要讲解一些常用的API,基本包含常用的Hook操作。

Hook静态变量
Class cla = XposedHelpers.findClass(claName, loadPackageParam.classLoader);
XposedHelpers.setStaticBooleanField(cla, fieldName, val);

XposedHelpers下包含有各种变量类型的api:

image.png
Hook 修改方法返回值
 XposedHelpers.findAndHookMethod(clazz, method, new Object[]{new XC_MethodHook() {
      protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    param.setResult(result);  // 设置返回值
                }
            }});
Hook 获取方法返回值
XposedHelpers.findAndHookMethod(clazz, method, new Object[]{new XC_MethodHook() {
      protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    Object result = param.getResult(); //获取返回值
                }
            }});
Hook 获取方法传入的参数值
XposedHelpers.findAndHookMethod(claName, cl, "i", String.class, String.class, Object[].class, new XC_MethodHook() {
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
         // 数组param.args存储的参数列表里的值
         XposedBridge.log(TAG + param.args[0]);
         XposedBridge.log(TAG + param.args[1]);
         XposedBridge.log(TAG + param.args[2]);
          }
  });
Hook 给方法传值
Class cla = XposedHelpers.findClass(className, loadPackageParam.classLoader);
Object com = XposedHelpers.callStaticMethod(cla, "getInstance");
XposedHelpers.callMethod(com, "setDebug", true); // 传入指定值
Hook 获取Intent的值
    private void hookGetIntent(XC_LoadPackage.LoadPackageParam loadPackageParam) {
        try {
            XposedHelpers.findAndHookMethod("android.app.Activity", loadPackageParam.classLoader, "getIntent", new XC_MethodHook() {
                @Override
                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    Intent sou = (Intent) param.getResult();
                    KLog.d("hookGetIntent:" + sou.toURI().toString());
                }
            });
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
Hook 广播发送的Intent信息
    private void hookSendBroadcast(XC_LoadPackage.LoadPackageParam loadPackageParam) {
        try {
            XposedHelpers.findAndHookMethod("android.content.ContextWrapper", loadPackageParam.classLoader, "sendBroadcast", Intent.class, new XC_MethodHook() {
                @Override
                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    Intent sou = (Intent) param.args[0];
                    KLog.d("sendBroadcast:" + sou.toURI().toString());
                }
            });
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

Xposed一般Hook的是默认的dex文件,但是现在很多的APP都有多个Dex文件,所以使用Xposed时,经常遇到类名路径正确却出现ClassNotFoundError找不到类的错误。要解决这个问题,需要获取对应Dex文件的上下文环境。

Android在加载dex文件后会创建一个Application类,然后会调用attach方法,attach方法的参数就是上下文context,而且attach方法是final方法,不会因为被覆盖而hook不到,拿到这个context就可以获取对应的classload,然后就可以顺利hook到multidex的类了。

XposedHelpers.findAndHookMethod(Application.class, "attach", Context.class, new XC_MethodHook() {
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        ClassLoader cl = ((Context) param.args[0]).getClassLoader(); // 获取ClassLoader
        Class<?> hookClass = null;
        try {
            hookClass = cl.loadClass(claName); // 获取Class
            // 使用cl 和 hookClass 完成hook
            XposedHelpers.setStaticIntField(hookClass, fieldName, val);
            XposedHelpers.findAndHookMethod(claName, cl, "i", String.class, String.class, Object[].class, new XC_MethodHook() {
                @Override
                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    XposedBridge.log(TAG + param.args[0]);
                    XposedBridge.log(TAG + param.args[1]);
                    XposedBridge.log(TAG + param.args[2]);
                }
            });
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
});
上一篇 下一篇

猜你喜欢

热点阅读