XPosed解析--XposedBridge--main分析

最新推荐文章于 2021-05-26 08:24:15 发布
最新推荐文章于 2021-05-26 08:24:15 发布
阅读量1.7k 收藏 1
点赞数
分类专栏: android 文章标签: android java jni
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.youkuaiyun.com/weihe6666/article/details/84730931
版权
XposedBridge是Xposed框架替代ZygoteInit的文件,其中main方式是其入口,分析main方法可以更好的理解Xposed的运行模式,下面就来分析一下此函数。 


	private static void main(String[] args) {
		// the class the VM has been created for or null for the Zygote process
		String startClassName = getStartClassName();

		// initialize the Xposed framework and modules
		try {
			// initialize log file
			try {
				logFile = new File(BASE_DIR + "log/error.log");
				if (startClassName == null && logFile.length() > MAX_LOGFILE_SIZE_SOFT)
					logFile.renameTo(new File(BASE_DIR + "log/error.log.old"));
				logWriter = new PrintWriter(new FileWriter(logFile, true));
				logFile.setReadable(true, false);
				logFile.setWritable(true, false);
			} catch (IOException ignored) {}

			String date = DateFormat.getDateTimeInstance().format(new Date());
			determineXposedVersion();
			log("-----------------\n" + date + " UTC\n"
					+ "Loading Xposed v" + XPOSED_BRIDGE_VERSION
					+ " (for " + (startClassName == null ? "Zygote" : startClassName) + ")...");
			if (startClassName == null) {
				// Zygote
				log("Running ROM '" + Build.DISPLAY + "' with fingerprint '" + Build.FINGERPRINT + "'");
			}

			if (initNative()) {
				if (startClassName == null) {
					// Initializations for Zygote
					initXbridgeZygote();
				}

				loadModules(startClassName);
			} else {
				log("Errors during native Xposed initialization");
			}
		} catch (Throwable t) {
			log("Errors during Xposed initialization");
			log(t);
			disableHooks = true;
		}

		// call the original startup code
		if (startClassName == null)
			ZygoteInit.main(args);
		else
			RuntimeInit.main(args);
	}



initNative()函数对一些JNI函数的注册和回调方法的注册,JNI层对应的方法为XposedBridge_initNative,此方法后续会进行分析。


initXbridgeZygote();对Zygote进行初始化,深入探讨一下此函数,由于比较复杂,耐心跟踪一下 


private static void initXbridgeZygote() throws Throwable {
		final HashSet<String> loadedPackagesInProcess = new HashSet<String>(1);

		// normal process initialization (for new Activity, Service, BroadcastReceiver etc.)
		findAndHookMethod(ActivityThread.class, "handleBindApplication", "android.app.ActivityThread.AppBindData", new XC_MethodHook() {
			protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
				ActivityThread activityThread = (ActivityThread) param.thisObject;
				ApplicationInfo appInfo = (ApplicationInfo) getObjectField(param.args[0], "appInfo");
				ComponentName instrumentationName = (ComponentName) getObjectField(param.args[0], "instrumentationName");
				if (instrumentationName != null) {
					XposedBridge.log("Instrumentation detected, disabling framework for " + appInfo.packageName);
					disableHooks = true;
					return;
				}
				CompatibilityInfo compatInfo = (CompatibilityInfo) getObjectField(param.args[0], "compatInfo");
				if (appInfo.sourceDir == null)
					return;

				setObjectField(activityThread, "mBoundApplication", param.args[0]);
				loadedPackagesInProcess.add(appInfo.packageName);
				LoadedApk loadedApk = activityThread.getPackageInfoNoCheck(appInfo, compatInfo);
				XResources.setPackageNameForResDir(appInfo.packageName, loadedApk.getResDir());

				LoadPackageParam lpparam = new LoadPackageParam(sLoadedPackageCallbacks);
				lpparam.packageName = appInfo.packageName;
				lpparam.processName = (String) getObjectField(param.args[0], "processName");
				lpparam.classLoader = loadedApk.getClassLoader();
				lpparam.appInfo = appInfo;
				lpparam.isFirstApplication = true;
				XC_LoadPackage.callAll(lpparam);

				if (appInfo.packageName.equals(INSTALLER_PACKAGE_NAME))
					hookXposedInstaller(lpparam.classLoader);
			}
		});

		// system thread initialization
		findAndHookMethod("com.android.server.ServerThread", null,
				Build.VERSION.SDK_INT < 19 ? "run" : "initAndLoop", new XC_MethodHook() {
			@Override
			protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
				loadedPackagesInProcess.add("android");

				LoadPackageParam lpparam = new LoadPackageParam(sLoadedPackageCallbacks);
				lpparam.packageName = "android";
				lpparam.processName = "android"; // it's actually system_server, but other functions return this as well
				lpparam.classLoader = BOOTCLASSLOADER;
				lpparam.appInfo = null;
				lpparam.isFirstApplication = true;
				XC_LoadPackage.callAll(lpparam);
			}
		});

		// when a package is loaded for an existing process, trigger the callbacks as well
		hookAllConstructors(LoadedApk.class, new XC_MethodHook() {
			@Override
			protected void afterHookedMethod(MethodHookParam param) throws Throwable {
				LoadedApk loadedApk = (LoadedApk) param.thisObject;

				String packageName = loadedApk.getPackageName();
				XResources.setPackageNameForResDir(packageName, loadedApk.getResDir());
				if (packageName.equals("android") || !loadedPackagesInProcess.add(packageName))
					return;

				if ((Boolean) getBooleanField(loadedApk, "mIncludeCode") == false)
					return;

				LoadPackageParam lpparam = new LoadPackageParam(sLoadedPackageCallbacks);
				lpparam.packageName = packageName;
				lpparam.processName = AndroidAppHelper.currentProcessName();
				lpparam.classLoader = loadedApk.getClassLoader();
				lpparam.appInfo = loadedApk.getApplicationInfo();
				lpparam.isFirstApplication = false;
				XC_LoadPackage.callAll(lpparam);
			}
		});

		findAndHookMethod("android.app.ApplicationPackageManager", null, "getResourcesForApplication",
				ApplicationInfo.class, new XC_MethodHook() {
			@Override
			protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
				ApplicationInfo app = (ApplicationInfo) param.args[0];
				XResources.setPackageNameForResDir(app.packageName,
					app.uid == Process.myUid() ? app.sourceDir : app.publicSourceDir);
			}
		});

		if (!new File(BASE_DIR + "conf/disable_resources").exists()) {
			hookResources();
		} else {
			disableResources = true;
		}
	}




findAndHookMethod是关键,如何hook method,继续往下看 


	public static XC_MethodHook.Unhook findAndHookMethod(Class<?> clazz, String methodName, Object... parameterTypesAndCallback) {
		if (parameterTypesAndCallback.length == 0 || !(parameterTypesAndCallback[parameterTypesAndCallback.length-1] instanceof XC_MethodHook))
			throw new IllegalArgumentException("no callback defined");

		XC_MethodHook callback = (XC_MethodHook) parameterTypesAndCallback[parameterTypesAndCallback.length-1];
		Method m = findMethodExact(clazz, methodName, getParameterClasses(clazz.getClassLoader(), parameterTypesAndCallback));

		return XposedBridge.hookMethod(m, callback);
	}


findAndHookMethod(ActivityThread.class, "handleBindApplication", "android.app.ActivityThread.AppBindData", new XC_MethodHook() );
这里是要find ActivityThread对象中的AppBindData方法,AppBindData在ActivityThread中是一个内部类。


XposedBridge.hookMethod(m, callback);
这句就是把find的method和callback进行关联,用callback替代AppBindData,看一下原理: 



public static XC_MethodHook.Unhook hookMethod(Member hookMethod, XC_MethodHook callback) {
		if (!(hookMethod instanceof Method) && !(hookMethod instanceof Constructor<?>)) {
			throw new IllegalArgumentException("Only methods and constructors can be hooked: " + hookMethod.toString());
		} else if (hookMethod.getDeclaringClass().isInterface()) {
			throw new IllegalArgumentException("Cannot hook interfaces: " + hookMethod.toString());
		} else if (Modifier.isAbstract(hookMethod.getModifiers())) {
			throw new IllegalArgumentException("Cannot hook abstract methods: " + hookMethod.toString());
		}

		boolean newMethod = false;
		CopyOnWriteSortedSet<XC_MethodHook> callbacks;
		synchronized (sHookedMethodCallbacks) {
			callbacks = sHookedMethodCallbacks.get(hookMethod);
			if (callbacks == null) {
				callbacks = new CopyOnWriteSortedSet<XC_MethodHook>();
				sHookedMethodCallbacks.put(hookMethod, callbacks);
				newMethod = true;
			}
		}
		callbacks.add(callback);
		if (newMethod) {
			Class<?> declaringClass = hookMethod.getDeclaringClass();
			int slot = (int) getIntField(hookMethod, "slot");

			Class<?>[] parameterTypes;
			Class<?> returnType;
			if (hookMethod instanceof Method) {
				parameterTypes = ((Method) hookMethod).getParameterTypes();
				returnType = ((Method) hookMethod).getReturnType();
			} else {
				parameterTypes = ((Constructor<?>) hookMethod).getParameterTypes();
				returnType = null;
			}

			AdditionalHookInfo additionalInfo = new AdditionalHookInfo(callbacks, parameterTypes, returnType);
			hookMethodNative(hookMethod, declaringClass, slot, additionalInfo);
		}

		return callback.new Unhook(hookMethod);
	}


1. sHookedMethodCallbacks寻找要hook的method,如果不存在,则新建一个callback和hookmethod进行关联,sHookedMethodCallbacks.put(hookMethod, callbacks);callbacks.add(callback);
2. 如果是新hookmethod,进行hookMethodNative,进入JNI层调用XposedBridge_hookMethodNative 



/** 
@function hookMethodNative 将输入的Class中的Method方法的nativeFunc替换为xposedCallHandler 
@para declaredClassIndirect 类对象 
@para slot Method在类中的偏移位置 
*/ 
void XposedBridge_hookMethodNative(JNIEnv* env, jclass clazz, jobject reflectedMethodIndirect,
            jobject declaredClassIndirect, jint slot, jobject additionalInfoIndirect) {
    // Usage errors?
    if (declaredClassIndirect == NULL || reflectedMethodIndirect == NULL) {
        dvmThrowIllegalArgumentException("method and declaredClass must not be null");
        return;
    }

    // Find the internal representation of the method
    ClassObject* declaredClass = (ClassObject*) dvmDecodeIndirectRef(dvmThreadSelf(), declaredClassIndirect);
    Method* method = dvmSlotToMethod(declaredClass, slot);
    if (method == NULL) {
        dvmThrowNoSuchMethodError("Could not get internal representation for method");
        return;
    }

    if (isMethodHooked(method)) {
        // already hooked
        return;
    }

    // Save a copy of the original method and other hook info
    XposedHookInfo* hookInfo = (XposedHookInfo*) calloc(1, sizeof(XposedHookInfo));
    memcpy(hookInfo, method, sizeof(hookInfo->originalMethodStruct));
    hookInfo->reflectedMethod = dvmDecodeIndirectRef(dvmThreadSelf(), env->NewGlobalRef(reflectedMethodIndirect));
    hookInfo->additionalInfo = dvmDecodeIndirectRef(dvmThreadSelf(), env->NewGlobalRef(additionalInfoIndirect));

    // Replace method with our own code
    SET_METHOD_FLAG(method, ACC_NATIVE);
    method->nativeFunc = &hookedMethodCallback;
    method->insns = (const u2*) hookInfo;
    method->registersSize = method->insSize;
    method->outsSize = 0;

    if (PTR_gDvmJit != NULL) {
        // reset JIT cache
        char currentValue = *((char*)PTR_gDvmJit + MEMBER_OFFSET_VAR(DvmJitGlobals,codeCacheFull));
        if (currentValue == 0 || currentValue == 1) {
            MEMBER_VAL(PTR_gDvmJit, DvmJitGlobals, codeCacheFull) = true;
        } else {
            ALOGE("Unexpected current value for codeCacheFull: %d", currentValue);
        }
    }
}
twrp Xposed zip包脚本定制全解析
zhonglunshun的专栏
01-04 1066
想要研究一个新技术,最好的办法就是`read the fuck source code`,读源码时最直接高效的方式,当然,这很难啃,所以通常也可以配合网上一些教程来理解,但是通常,值钱的技术一般人是不会在网上发布的,因为技术的价值就在于它的稀缺性。 本文介绍Xposed的一些基础知识以及相关插件的定制方法。帮大家梳理了一下如何定制twrp刷机包。
XposedBridge
05-28
XposedBridge 53 ,可方便地用于xposed 进行 hook代码,
XposedBridgeApi
01-30
Xposed开发的jar包,XposedBridgeApi-30.jar,适用于安卓4.4以下
XposedBridgeApi45-89
01-16
不同版本的XposedBridgeApi.jar,包含:XposedBridgeApi-54.jar、XposedBridgeApi-82.jar、XposedBridgeApi-87.jar、XposedBridgeApi-89.jar
xposed源码编译&安装--第2步编译XposedBridge
weixin_33705053的博客
11-08 2240
xposed编译系列文章xposed源码编译--源码及工具概述xposed源码编译--第一步android源码编译以及环境配置xposed源码编译--第2步编译XposedBridgexposed源码编译--第3步编译XposedInstall.apkxposed源码编译--自定义xposed方法(暂时不便公开,放置有道云)欢迎我今日关注今日头条号--可以私信哦今日头条--牵手生活https://...
Xposed是如何为所欲为的?
hao_qi
09-12 6949
Flutter使用Dart语言开发。本篇整体介绍一下Dart语言。 上一篇Android Studio使用Google Flutter完整教程中SDK和插件以及环境变量的配置都很详细了。 如下截图是Dart语言SDK下载地址。对于Android开发,我们仅用到FlutterSDK。Web和服务端开发都是从此处下载SDK。 与上一篇提到 Flutter官网下载的FlutterSDK是一...
Xposed原理分析
赵小龙同学的博客
10-23 2370
Xposed原理分析https://www.cnblogs.com/boycelee/p/13418371.html 安卓系统启动 什么zygote? init是内核启动的第一个用户级进程,zygote是由init进程通过解析init.zygote.rc文件而创建的,zygote所对应的具体可执行程序是app_process,所对应的源文件是App_main.cpp,进程名称为zygote。 init.zygote.rc: service zygote /system/bin/app_pr..
android8 检测xposed,Xposed检测与自定义Xposed
weixin_39743064的博客
05-26 1260
Xposed检测与自定义Xposed前言:Xposed检测1、遍历App安装列表检测2、自造异常检测堆栈信息。3、检查关键Java方法是否变为native方法4、反射XposedHelper类和XposedBridge类5、检测Xposed相关文件6、Root检测7、安全建议自定义Xposed一、修改XposedBridge.jar包名二、修改Xposed相关文件名三、修改installer包名前...
Xposed 实现原理分析
l0neman 的博客
10-11 4057
Xposed 实现原理分析 文章目录Xposed 实现原理分析前言Xposed 使用方法Xposed 原理概述Android zygote 进程基于 Dalvik 的方法 Hook基于 ART 的方法 HookXposed 工作流程Xposed 项目结构XposedXposedBridgeXposedInstallerandroid_artXposedToolsXposed 源码分析Xposed 安装下载直接刷入使用 recovery 刷入Xposed 启动Native 层JavaXposed 模块加载
XposedBridge89.jar
08-02
Xposed XposedBridge89.jar 下载,自己编译的,自己在用着。
XposedBridgeAPI-89.jar
01-02
这是最新的XposedBridgeAPI.jar包,是XposedBridgeAPI-89.jar。
XposedBridgeApi-82
11-15
支持andorid6.0.1以及以下系统,这个高版本jar下载资源太少,本人花了很大精力才弄到 网上较多的都是XposedBridgeApi-54,但是只能在4.0.3-4.4.4系统中使用,5.0以后就不支持了,所以感觉更新吧
XposedBridgeApi-54 jar包
03-21
方便查找,因为xda那个网站真心难用。。。
XposedBridge-54.jar
04-17
很多人没有XposedBridge-54.jar,这里暂时提供一个下载给大家使用
Xposed框架分析
热门推荐
成长中的蒲公英
07-14 1万+
1. 概述 1.1 什么是hook hook本质就是劫持函数调用,但由于处于linux用户态,每个进程都有自己独立的进程空间,所以必须先注入到所要hook的进程空间,修改其内存中的进程代码,替换其过程表的符号地址。 Android中一般通过ptrace函数附加进程,然后向远程进程注入so库,从而达到监控以及远程进程关键函数挂钩。 Hook的难点在于寻找函数的入口点、替换函数,这就涉及到...
XposedBridge_89.zip
08-21
最新XposedBridgeAPI.jar包,网上找了很久,都是就版本,放出来一个便宜点的,针对高版本Xposed开发使用.希望对大家有所帮助
XposedBridgeApi框架
04-04
XposedBridgeApi框架,Xposed是一款可以在不修改APK的情况下影响程序运行的框架服务,基于Xposed能够制作出许多功能强大的模块,且在功能不冲突的情况下同时运作。在本文中,作者详细介绍了Xposed的操作步骤以及登陆劫持实战演练
XposedBridgeApi合集(54~89)
03-19
XposedBridgeApi合集(54~89),自用拿出来便宜贡献一下。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值