当前位置：首页 > news >正文

那些年的Xposed开发经验记录

news 2025/6/23 1:25:41

把之前写的Xposed相关文章合并到一块，方便查阅

多进程App的Hook问题

以及App中单个方法被多个模块Hook时的Hook代码优先级问题

XposedHelper中的静态变量

在这里插入图片描述

demo的AndroidManifest.xml的测试核心代码

        <activityandroid:name=".ProcessActivity"android:process=":process"></activity>//私有进程<activityandroid:name=".PublicProcessActivity"android:process="com.publicProcess">//公共进程</activity>

结论

以下"所有进程"都包括应用内创建的私有进程和公共进程
经过测试[测试代码过多就不贴了]，得出结论：
1.所有进程的创建都会执行而且会多次执行handleLoadPackage函数；
2.每个进程都会重新创建一个fieldCache，methodCache,constructorCache静态变量；
3.若两个模块Hook了当前App的同一个函数则beforeHookedMethod执行顺序是按Xposed框架私有目录下conf/modules.list的顺序执行的，afterHookedMethod则与beforeHookedMethod执行顺序相反[测试数据是这样的，具体真实情况就不太想探究了，应该90%正确]，举个例子：

模块A和模块B同时Hook了应用C的方法D，modules.list中模块A比模块B的顺序靠前，则Hook代码执行顺序为：
A->beforeHookedMethod,B->beforeHookedMethod,D,B->afterHookedMethod,A->afterHookedMethod

4.lpparam.isFirstApplication并不是仅仅在主进程执行handleLoadPackage函数时才会置为true,在所有进程执行该函数时都会置为true[测试数据是这样的，具体真实情况就不太想探究了，应该90%正确]；
5.在App的一个进程A中对某函数进行Hook只会影响进程A执行该函数，不会影响该App其它未被Hook的进程执行该函数。

限制handleLoadPackage被单个进程多次执行的问题

    /***防止重复执行Hook代码* @param flag 判断标识,针对不同Hook代码分别进行判断* @return 是否已经注入Hook代码*/private boolean isInjecter(String flag) {try {if (TextUtils.isEmpty(flag)) return false;Field methodCacheField = XposedHelpers.class.getDeclaredField("methodCache");methodCacheField.setAccessible(true);HashMap<String, Method> methodCache = (HashMap<String, Method>) methodCacheField.get(null);Method method=XposedHelpers.findMethodBestMatch(Application.class,"onCreate");String key=String.format("%s#%s",flag,method.getName());if (methodCache.containsKey(key)) return true;methodCache.put(key, method);return false;} catch (Throwable e) {e.printStackTrace();}return false;}

在handleLoadPackage做判断

@Keeppublic void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) {if (isInjecter(this.getClass().getName())) {return;}//hook代码
}

多dex Hook问题

//解决多dex问题public static void findHideDex(final OnFindDexListener listener) {XposedBridge.hookAllMethods(ContextWrapper.class, "attachBaseContext", new XC_MethodHook() {public void beforeHookedMethod(MethodHookParam param) {ClassLoader classLoader = ((Context) param.args[0]).getClassLoader();if (classLoader == null) return;if (listener != null) listener.onFind(classLoader);}});XposedBridge.hookAllConstructors(ClassLoader.class, new XC_MethodHook() {public void beforeHookedMethod(MethodHookParam param) {ClassLoader classLoader = (ClassLoader) param.args[0];if (classLoader == null) return;if (listener != null) listener.onFind(classLoader);}});}
public interface OnFindDexListener {void onFind(ClassLoader classLoader);}

为应用增加权限

利用Xposed删除权限

这个已经有人实现了，就是Xposed的作者，我们就先来研究研究他是怎么实现的,先上他的实现代码

public class PackagePermissions extends BroadcastReceiver {private final Object pmSvc;private final Map<String, Object> mPackages;private final Object mSettings;@SuppressWarnings("unchecked")public PackagePermissions(Object pmSvc) {this.pmSvc = pmSvc;this.mPackages = (Map<String, Object>) getObjectField(pmSvc, "mPackages");this.mSettings = getObjectField(pmSvc, "mSettings");}/*这个函数主要hook了 PackageManager 服务（负责系统中Package的管理，应用程序的安装、卸载、信息查询），实现了通过监听我们自己发出的广播，拦截权限授予功能来进行修改apk的权限的*/public static void initHooks() {try {final Class<?> clsPMS = findClass("com.android.server.pm.PackageManagerService", XposedMod.class.getClassLoader());//获取这个PackageManager类//注册监听广播,监听我们的设置更改，以实现立即应用设置findAndHookMethod(clsPMS, "systemReady", new XC_MethodHook() {@Overrideprotected void afterHookedMethod(MethodHookParam param)throws Throwable {Context mContext = (Context) getObjectField(param.thisObject, "mContext");//这个应该是系统的上下文，具体待研究mContext.registerReceiver(new PackagePermissions(param.thisObject),new IntentFilter(Common.MY_PACKAGE_NAME + ".UPDATE_PERMISSIONS"),Common.MY_PACKAGE_NAME + ".BROADCAST_PERMISSION",null);//注册广播}});//拦截PackageManager类中的grantPermissionsLPw函数findAndHookMethod(clsPMS, "grantPermissionsLPw", "android.content.pm.PackageParser$Package", boolean.class,new XC_MethodHook() {@SuppressWarnings("unchecked")@Overrideprotected void beforeHookedMethod(MethodHookParam param) throws Throwable {String pkgName = (String) getObjectField(param.args[0], "packageName");if (!XposedMod.isActive(pkgName) || !XposedMod.prefs.getBoolean(pkgName + Common.PREF_REVOKEPERMS, false))return;Set<String> disabledPermissions = XposedMod.prefs.getStringSet(pkgName + Common.PREF_REVOKELIST, null);if (disabledPermissions == null || disabledPermissions.isEmpty())return;ArrayList<String> origRequestedPermissions = (ArrayList<String>) getObjectField(param.args[0], "requestedPermissions");param.setObjectExtra("orig_requested_permissions", origRequestedPermissions);ArrayList<String> newRequestedPermissions = new ArrayList<String>(origRequestedPermissions.size());for (String perm: origRequestedPermissions) {if (!disabledPermissions.contains(perm))newRequestedPermissions.add(perm);else// you requested those internet permissions? I didn't read that, sorryLog.w(Common.TAG, "Not granting permission " + perm+ " to package " + pkgName+ " because you think it should not have it");}setObjectField(param.args[0], "requestedPermissions", newRequestedPermissions);}@SuppressWarnings("unchecked")@Overrideprotected void afterHookedMethod(MethodHookParam param) throws Throwable {// restore requested permissions if they were modifiedArrayList<String> origRequestedPermissions = (ArrayList<String>) param.getObjectExtra("orig_requested_permissions");if (origRequestedPermissions != null)setObjectField(param.args[0], "requestedPermissions", origRequestedPermissions);}});} catch (Throwable e) {XposedBridge.log(e);}}@Overridepublic void onReceive(Context context, Intent intent) {try {// The app broadcasted a request to update settings for a running app// Validate the action being requestedif (!Common.ACTION_PERMISSIONS.equals(intent.getExtras().getString("action")))return;String pkgName = intent.getExtras().getString("Package");boolean killApp = intent.getExtras().getBoolean("Kill", false);XposedMod.prefs.reload();Object pkgInfo;synchronized (mPackages) {pkgInfo = mPackages.get(pkgName);callMethod(pmSvc, "grantPermissionsLPw", pkgInfo, true);callMethod(mSettings, "writeLPr");}// Apply new permissions if neededif (killApp) {try {ApplicationInfo appInfo = (ApplicationInfo) getObjectField(pkgInfo, "applicationInfo");if (Build.VERSION.SDK_INT <= 18)callMethod(pmSvc, "killApplication", pkgName, appInfo.uid);elsecallMethod(pmSvc, "killApplication", pkgName, appInfo.uid, "apply App Settings");} catch (Throwable t) {XposedBridge.log(t);}}} catch (Throwable t) {XposedBridge.log(t);}}
}

这段代码的地址

参考

1.AppSettingshook权限代码
2.Android5.1.1源码 - 添加应用权限

Hook框架集锦