Xposed环境搭建与简单Hook

环境搭建

  1. 设备已Root并安装好 Xposed Installer

  2. 从 http://jcenter.bintray.com/de/robv/android/xposed/api/ 下载 api82.jar(该地址为明文 HTTP,下载后建议核对文件校验值,或改用 HTTPS 来源)

  3. 在 AndroidStudio 下新建一个项目(不需要界面)

  4. 选择以 Project 方式显示目录(最接近原始目录结构)

  5. 在 app 目录下新建一个文件夹 lib,并将 api82.jar 复制到 lib 下,复制完后需要 Add As Library

  6. 打开 app/build.gradle,将 dependencies 中 lib/api82.jar 的 implementation 改为 compileOnly(该 jar 只用于编译,不能打包进 APK,运行时由 Xposed 框架提供这些类)

  7. 修改 AndroidManifest.xml 文件中的 application 如下

    <!-- Application element of the module APK. The three meta-data entries below are
         the Xposed-specific additions; the attributes on <application> are the project
         template defaults.
         NOTE(review): allowBackup="true" lets app data be copied off the device via
         backup; consider "false" if the module ever stores data. -->
    <application
    android:allowBackup="true"
    android:icon="@mipmap/ic_launcher"
    android:label="@string/app_name"
    android:roundIcon="@mipmap/ic_launcher_round"
    android:supportsRtl="true"
    android:theme="@style/AppTheme">
    <!-- Flags this APK as an Xposed module. -->
    <meta-data
    android:name="xposedmodule"
    android:value="true" />
    <!-- Free-text description of the module. -->
    <meta-data
    android:name="xposeddescription"
    android:value="my name is threetails" />
    <!-- Minimum Xposed API version the module declares.
         NOTE(review): the project compiles against api82.jar but declares 53 here;
         confirm the hooks only use APIs available at the declared minimum. -->
    <meta-data
    android:name="xposedminversion"
    android:value="53" />
    </application>
  8. 在 main/java/包名 目录下创建一个 Hook 类,代码如下:

    package com.example.test;

    import android.util.Log;
    import de.robv.android.xposed.IXposedHookLoadPackage;
    import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

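    /**
     * Minimal Xposed module entry point: logs once when a package load is reported
     * and once more when that package is the one being hooked.
     */
    public class Hook implements IXposedHookLoadPackage {
        /** Logcat tag used by every message this module writes. */
        private static final String TAG = "threetails";

        /** Placeholder package name of the app to hook; replace with the real one. */
        private static final String TARGET_PACKAGE = "com.xx.xx";

        /**
         * Callback declared by {@link IXposedHookLoadPackage}.
         *
         * @param lpparam load information; only {@code packageName} is read here
         * @throws Throwable declared by the interface; nothing in this body throws deliberately
         */
        @Override
        public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
            // Written before the package filter, so it appears for every reported load,
            // not only for the target app.
            Log.d(TAG, "Hook Start...");

            // Constant-first equals: a null packageName is skipped instead of throwing.
            if (!TARGET_PACKAGE.equals(lpparam.packageName)) {
                return;
            }

            Log.d(TAG, "Hooking...");
        }
    }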
  9. 在 main 下创建 assets 目录,并在 assets 下创建一个文本文件 xposed_init

  10. 在 xposed_init 中输入入口类如 com.example.test.Hook

  11. 选择 Build - Build Bundle / Apk - Build Apk 编译apk

  12. 在 app/build/outputs/apk/debug 下找到 app-debug.apk,安装至设备

  13. 在 xposed installer 中激活该模块,并软重启

  14. 在 Android Studio 的 Logcat 中查看输出(可添加 tag 和包名过滤)

Hook静态变量

package com.example.test;

import android.util.Log;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

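/**
 * Xposed module that overwrites two static fields of a class in the target app
 * at the moment the app's package is loaded.
 */
public class Hook implements IXposedHookLoadPackage {
    /** Logcat tag used by every message this module writes. */
    private static final String TAG = "threetails";

    /** Placeholder package name of the app to hook; replace with the real one. */
    private static final String TARGET_PACKAGE = "com.xx.xx";

    /** Placeholder fully-qualified name of the class that owns the static fields. */
    private static final String TARGET_CLASS = "com.xx.xx.classname";

    /**
     * Callback declared by {@link IXposedHookLoadPackage}.
     *
     * @param lpparam load information; {@code packageName} and {@code classLoader} are read
     * @throws Throwable anything raised by the lookup or the field writes is propagated
     *     unchanged (no catch in this method)
     */
    @Override
    public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
        // Written before the package filter, so it appears for every reported load.
        Log.d(TAG, "Hook Start...");

        // Constant-first equals: a null packageName is skipped instead of throwing.
        if (!TARGET_PACKAGE.equals(lpparam.packageName)) {
            return;
        }

        // Resolve the class through the class loader supplied for the loaded package.
        Class<?> clazz = XposedHelpers.findClass(TARGET_CLASS, lpparam.classLoader);

        // Overwrite the static int field. This is a single write at load time;
        // nothing here prevents the app from assigning the field again later.
        XposedHelpers.setStaticIntField(clazz, "staticInt", 100);

        // Overwrite the static String field (same one-time-write caveat).
        XposedHelpers.setStaticObjectField(clazz, "staticString", "hookString");
    }
}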

Hook构造函数

package com.example.test;

import android.util.Log;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

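/**
 * Xposed module that hooks two constructors of a class in the target app:
 * the no-argument one and the one taking a single {@code String}.
 */
public class Hook implements IXposedHookLoadPackage {
    /** Logcat tag used by every message this module writes. */
    private static final String TAG = "threetails";

    /** Placeholder package name of the app to hook; replace with the real one. */
    private static final String TARGET_PACKAGE = "com.xx.xx";

    /** Placeholder fully-qualified name of the class whose constructors are hooked. */
    private static final String TARGET_CLASS = "com.xx.xx.classname";

    /**
     * Callback declared by {@link IXposedHookLoadPackage}; installs both constructor hooks.
     *
     * @param lpparam load information; {@code packageName} and {@code classLoader} are read
     * @throws Throwable anything raised by the class lookup or hook installation is
     *     propagated unchanged (no catch in this method)
     */
    @Override
    public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
        // Written before the package filter, so it appears for every reported load.
        Log.d(TAG, "Hook Start...");

        // Constant-first equals: a null packageName is skipped instead of throwing.
        if (!TARGET_PACKAGE.equals(lpparam.packageName)) {
            return;
        }

        // Resolve the class whose constructors are hooked, through the class loader
        // supplied for the loaded package.
        Class<?> clazz = XposedHelpers.findClass(TARGET_CLASS, lpparam.classLoader);

        // No-argument constructor: only the callback is passed after the class.
        XposedHelpers.findAndHookConstructor(clazz, new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                Log.d(TAG, "这是无参构造函数前");
            }

            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                Log.d(TAG, "这是无参构造函数后");
            }
        });

        // One-String constructor: the parameter type list (String.class) precedes the callback.
        XposedHelpers.findAndHookConstructor(clazz, String.class, new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                // Replaces the first argument in the "before" callback.
                param.args[0] = "hookParam";
                Log.d(TAG, "这是有参构造函数前");
            }

            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                Log.d(TAG, "这是有参构造函数后");
            }
        });
    }
}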

Hook普通方法

package com.example.test;

import android.util.Log;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

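/**
 * Xposed module that hooks a single method, {@code publicFunc(String)}, of a class
 * in the target app and logs before and after each call.
 */
public class Hook implements IXposedHookLoadPackage {
    /** Logcat tag used by every message this module writes. */
    private static final String TAG = "threetails";

    /** Placeholder package name of the app to hook; replace with the real one. */
    private static final String TARGET_PACKAGE = "com.xx.xx";

    /** Placeholder fully-qualified name of the class that declares the hooked method. */
    private static final String TARGET_CLASS = "com.xx.xx.classname";

    /**
     * Callback declared by {@link IXposedHookLoadPackage}; installs the method hook.
     *
     * @param lpparam load information; {@code packageName} and {@code classLoader} are read
     * @throws Throwable anything raised by the class lookup or hook installation is
     *     propagated unchanged (no catch in this method)
     */
    @Override
    public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
        // Written before the package filter, so it appears for every reported load.
        Log.d(TAG, "Hook Start...");

        // Constant-first equals: a null packageName is skipped instead of throwing.
        if (!TARGET_PACKAGE.equals(lpparam.packageName)) {
            return;
        }

        // Resolve the class that declares the method to hook, through the class loader
        // supplied for the loaded package.
        Class<?> clazz = XposedHelpers.findClass(TARGET_CLASS, lpparam.classLoader);

        // The same call is used for private, public and static methods alike:
        // method name, then its parameter types, then the callback.
        XposedHelpers.findAndHookMethod(clazz, "publicFunc", String.class, new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                Log.d(TAG, "publicFunc is hooked before");
            }

            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                Log.d(TAG, "publicFunc is hooked after");
            }
        });
    }
}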