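Writing an Xposed Module

How the Xposed framework works: it is deployed on a rooted Android phone and takes control of the zygote process by replacing the /system/bin/app_process program. The replaced app_process loads XposedBridge.jar during startup, which hijacks the Zygote process and the Dalvik virtual machines it creates.

Steps

Create a new project (xposedtry1) and edit AndroidManifest.xml

Add the following inside the <application> tag: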

    <meta-data
        android:name="xposedmodule"
        android:value="true" />
    <meta-data
        android:name="xposeddescription"
        android:value="My First Xpoesd" />
    <meta-data
        android:name="xposedminversion"
        android:value="53" />

Modify build.gradle under app

    ...
    repositories {
        jcenter()
    }
    dependencies {
        compileOnly 'de.robv.android.xposed:api:82'
        compileOnly 'de.robv.android.xposed:api:82:sources'
    ...

Create another project (xposedtest) to serve as the target app

Add a button and modify the MainActivity code:

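    package com.example.xposedtest;

    import android.os.Bundle;
    import android.view.View;
    import android.widget.Button;
    import android.widget.Toast;
    // Use android.support.v7.app.AppCompatActivity on projects that predate AndroidX.
    import androidx.appcompat.app.AppCompatActivity;

    public class MainActivity extends AppCompatActivity {

        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(R.layout.activity_main);
            Button check = (Button) findViewById(R.id.check);
            // Show the return value of toastmsg() when the button is tapped.
            check.setOnClickListener(new View.OnClickListener() {
                @Override
                public void onClick(View v) {
                    Toast.makeText(MainActivity.this, toastmsg(), Toast.LENGTH_LONG).show();
                }
            });
        }

        // The method the module hooks; unhooked, it returns "I have not been hijacked".
        private String toastmsg() {
            return "我未被劫持";
        }
    }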

Back in the xposedtry1 project, create a new class HOOK_function

    package com.example.xposedtry1;

    import de.robv.android.xposed.IXposedHookLoadPackage;
    import de.robv.android.xposed.XC_MethodHook;
    import de.robv.android.xposed.XposedBridge;
    import de.robv.android.xposed.XposedHelpers;
    import de.robv.android.xposed.callbacks.XC_LoadPackage;

    public class HOOK_function implements IXposedHookLoadPackage {
        @Override
        public void handleLoadPackage(XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {
            // Only act when the target app (xposedtest) is being loaded.
            if (loadPackageParam.packageName.equals("com.example.xposedtest")) {
                XposedBridge.log("has Hooked!");
                // Resolve the target class through the target app's own class loader.
                Class<?> clazz = loadPackageParam.classLoader.loadClass("com.example.xposedtest.MainActivity");
                // toastmsg() takes no parameters, so the callback follows the method name directly.
                XposedHelpers.findAndHookMethod(clazz, "toastmsg", new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                        super.beforeHookedMethod(param);
                    }

                    @Override
                    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                        // Replace the return value with "You have been hijacked".
                        param.setResult("你被劫持了");
                    }
                });
            }
        }
    }

Add the entry point

Use New -> Folder -> Assets Folder to create the assets folder, then create a file named xposed_init (plain text) containing:

com.example.xposedtry1.HOOK_function

Installation

Install the app directly from the IDE, enable the module in Xposed, and reboot to see the effect.
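The two markers this tutorial adds to the module (the manifest meta-data keys and assets/xposed_init) can also be checked statically when triaging APKs. The scanner below is an added example, not code from the original post; the function names are hypothetical, the manifest check is a byte-level heuristic rather than a full binary-XML parse, and the sample APK is constructed in memory.

```python
import io
import zipfile

# Manifest meta-data keys the tutorial adds inside <application>.
MANIFEST_KEYS = ("xposedmodule", "xposeddescription", "xposedminversion")


def parse_xposed_init(text):
    """Return hook entry classes: one per line, blank lines and '#' comments skipped."""
    lines = (line.strip() for line in text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]


def manifest_markers(manifest):
    """Heuristic: compiled manifests store strings as UTF-8 or UTF-16LE, so search both."""
    return [key for key in MANIFEST_KEYS
            if key.encode("utf-8") in manifest or key.encode("utf-16-le") in manifest]


def scan_apk(apk_bytes):
    """Report Xposed-module markers found in an APK supplied as bytes."""
    report = {"entry_classes": [], "manifest_keys": [], "is_module": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = set(apk.namelist())
        if "assets/xposed_init" in names:
            raw = apk.read("assets/xposed_init").decode("utf-8", errors="replace")
            report["entry_classes"] = parse_xposed_init(raw)
        if "AndroidManifest.xml" in names:
            report["manifest_keys"] = manifest_markers(apk.read("AndroidManifest.xml"))
    # The manifest flag plus at least one entry class is what the tutorial's module ships.
    report["is_module"] = bool(report["entry_classes"]) and "xposedmodule" in report["manifest_keys"]
    return report


def build_sample_apk(manifest, xposed_init=None):
    """Constructed sample: a minimal zip standing in for an APK (not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        if xposed_init is not None:
            z.writestr("assets/xposed_init", xposed_init)
    return buf.getvalue()


if __name__ == "__main__":
    manifest = b"\x03\x00\x08\x00" + "xposedmodule\0xposedminversion".encode("utf-16-le")
    apk = build_sample_apk(manifest, "# entry point\ncom.example.xposedtry1.HOOK_function\n")
    print(scan_apk(apk))
```

To scan a real file, pass its contents with `scan_apk(open(path, "rb").read())`.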
