Xposed系列之Demo上手指南及源码解析(一)

文章目录

1. 1. Xposed简介
2. 2. Xposed相关工具
3. 3. Xposed Demo
   1. 3.1. 新建项目配置Xposed环境
   2. 3.2. 编写Hook代码
4. 4. Xposed原理
   1. 4.1. XposedBridge解析

先附上Demo代码地址：https://github.com/xbdcc/CXposed/tree/master/demo

Xposed简介

百度百科介绍：

Xposed框架(Xposed Framework)是一套开源的、在Android高权限模式下运行的框架服务，可以在不修改APK文件的情况下影响程序运行(修改系统)的框架服务，基于它可以制作出许多功能强大的模块，且在功能不冲突的情况下同时运作。`

Xposed相关工具

• Xposed Installer：为安装在手机上的Xposed的主体运行框架，
  手机需要Root权限安装Xposed框架，可以管理Xposed模块
• VirtualXposed：一个简单的应用程序，无需root用户即可使用Xposed，解锁引导程序或修改系统映像等
• 太极：一个带有或不带有Root/BL锁的Xposed模块框架，支持Android 5.0〜10

三个工具首页分别长这样：

Xposed Installer	VirtualXposed	太极

Xposed Demo

新建项目配置Xposed环境

• 首先创建创建一个Android Studio项目，然后New一个Module，我们要使用Xposed就需要引入Xposed库，在build.gradle加入

  compileOnly 'de.robv.android.xposed:api:82'

• 然后在AndroidManifest.xml的application节点下加入如下配置

<meta-data
         android:name="xposedmodule"
         android:value="true" />
 <meta-data
         android:name="xposeddescription"
         android:value="A Xposed demo." />
 <meta-data
         android:name="xposedminversion"
         android:value="89" />

编写Hook代码

• 新建一个类，里面写一些方法和变量后面使用，如DemoClass：

  class DemoClass {
  
      private val name = "carlos"
  
      fun printlnName() {
          log("name is:$name")
      }
  
      companion object {
  
          @JvmStatic
          fun printlnHelloWorld() {
              log("hello world!")
          }
  
      }
  
  }

• 接下来新建一个继承自IXposedHookLoadPackage的类，如：

  class MainHook : IXposedHookLoadPackage {
  
      override fun handleLoadPackage(lpparam: XC_LoadPackage.LoadPackageParam?) {
      }
  
  }

• 使用XposedHelpers调用APP的方法，使用到的就是反射，Java反射也能实现该功能

  private fun hookDemoClass(lpparam: XC_LoadPackage.LoadPackageParam) {
      // 通过类加载器加载DemoClass类
      val hookClass = lpparam.classLoader.loadClass("com.carlos.cxposed.demo.DemoClass") ?: return
      // 通过XposedHelpers调用静态方法printlnHelloWorld
      XposedHelpers.callStaticMethod(hookClass, "printlnHelloWorld")
      // 获取DemoClass的类对象
      val demoClass = hookClass.newInstance()
      // 获取私有字段name
      val field = hookClass.getDeclaredField("name")
      // 私有字段name访问属性改为公有
      field.isAccessible = true
      // 给字段name赋值为"xbd"
      field.set(demoClass, "xbd")
      // 通过XposedHelpers调用非静态方法printlnName
      XposedHelpers.callMethod(hookClass.newInstance(), "printlnName")
  }

• 然后在MainActivity中增加方法被Hook，如：

  class MainActivity : AppCompatActivity() {
  
      override fun onCreate(savedInstanceState: Bundle?) {
          super.onCreate(savedInstanceState)
          setContentView(R.layout.activity_main)
          log(getLog())
      }
  
      private fun getLog() : String {
          return "hello world"
      }
  
      fun click(view: View) {
          log("click")
      }
  
  }

• 在MainHook中增加如下代码对MainActivity的getLog和click方法进行Hook:

  private fun hookMainActivity(lpparam: XC_LoadPackage.LoadPackageParam) {
      val hookClass = lpparam.classLoader.loadClass("com.carlos.cxposed.demo.MainActivity")
  
      XposedHelpers.findAndHookMethod(hookClass, "getLog", object : XC_MethodHook() {
          override fun beforeHookedMethod(param: MethodHookParam?) {
              xlog("hook before getLog")
              // 修改方法返回值
              param?.result = "this is a hook message."
          }
  
          override fun afterHookedMethod(param: MethodHookParam?) {
              xlog("hook after getLog")
          }
      })
  
      XposedHelpers.findAndHookMethod(hookClass, "click", View::class.java,
          object : XC_MethodReplacement() {
              override fun replaceHookedMethod(param: MethodHookParam?): Any {
                  xlog("hook replace click")
                  val thisObject = param?.thisObject ?: return ""
                  // 修改textView的显示内容
                  val activity = thisObject as Activity
                  val textView = activity.findViewById<TextView>(R.id.textview)
                  textView.text = "carlos"
                  return ""
              }
          })
  
  }

• 最后在main下新建assets目录，在里面创建xposed_init文件（文件名必须是这个，后面介绍为什么必须为这个），文件里面就可以添加我们刚刚的类了，如：

  com.carlos.cxposed.demo.MainHook

• 模拟器安装好Xposed Installer后，运行项目，可以看出来弹出框：
  
  
  点击重启或软重启生效，然后执行操作可以看到打印日志如下，Hook成功：

  07-06 22:28:43.470 3965-3965/? I/Xposed: MainHook->MainHook->hook an app start:com.carlos.cxposed.demo
  07-06 22:28:43.472 3965-3965/? D/MainHook->: hello world!
  07-06 22:28:43.472 3965-3965/? D/MainHook->: name is:xbd
  07-06 22:28:45.352 3965-3965/com.carlos.cxposed.demo I/Xposed: MainHook->hook before getLog
  07-06 22:28:45.352 3965-3965/com.carlos.cxposed.demo I/Xposed: MainHook->hook after getLog
  07-06 22:28:45.352 3965-3965/com.carlos.cxposed.demo D/MainHook->: this is a hook message.
  07-06 22:28:51.193 3965-3965/com.carlos.cxposed.demo I/Xposed: MainHook->hook replace click

Xposed原理

Xposed还有C库，我们这里简单分析下我们引用的他的Java层de.robv.android.xposed:api:82，看下我们用到的两个类XposedHelpers和XposedBridge的源码

XposedBridge解析

• 首先找个入口，就从我们Hook类实现的IXposedHookLoadPackage接口开始吧，我们查看到该接口被Xposed自己的jar包调用的有如下几个地方：
  

• 跟进去new出这个接口的地方，调用到的代码块如下：

  hookLoadPackage(new IXposedHookLoadPackage.Wrapper((IXposedHookLoadPackage) moduleInstance));

• 跟进hookLoadPackage方法，可以看到这里将该接口添加到集合里存起来了

  public static void hookLoadPackage(XC_LoadPackage callback) {
      synchronized (sLoadedPackageCallbacks) {
          sLoadedPackageCallbacks.add(callback);
      }
  }

• 继续回来看hookLoadPackage方法，可以看到他是被XposedBridge的loadModule方法调用：

  /**
   * Load a module from an APK by calling the init(String) method for all classes defined
   * in <code>assets/xposed_init</code>.
   */
  private static void loadModule(String apk) {
      log("Loading modules from " + apk);
  
      if (!new File(apk).exists()) {
          log("  File does not exist");
          return;
      }
  
      ClassLoader mcl = new PathClassLoader(apk, BOOTCLASSLOADER);
      InputStream is = mcl.getResourceAsStream("assets/xposed_init");
      if (is == null) {
          log("assets/xposed_init not found in the APK");
          return;
      }
  
      BufferedReader moduleClassesReader = new BufferedReader(new InputStreamReader(is));
      try {
          String moduleClassName;
          while ((moduleClassName = moduleClassesReader.readLine()) != null) {
              moduleClassName = moduleClassName.trim();
              if (moduleClassName.isEmpty() || moduleClassName.startsWith("#"))
                  continue;
  
              try {
                  log ("  Loading class " + moduleClassName);
                  Class<?> moduleClass = mcl.loadClass(moduleClassName);
  
                  if (!IXposedMod.class.isAssignableFrom(moduleClass)) {
                      log ("    This class doesn't implement any sub-interface of IXposedMod, skipping it");
                      continue;
                  } else if (disableResources && IXposedHookInitPackageResources.class.isAssignableFrom(moduleClass)) {
                      log ("    This class requires resource-related hooks (which are disabled), skipping it.");
                      continue;
                  }
  
                  final Object moduleInstance = moduleClass.newInstance();
                  if (isZygote) {
                      if (moduleInstance instanceof IXposedHookZygoteInit) {
                          IXposedHookZygoteInit.StartupParam param = new IXposedHookZygoteInit.StartupParam();
                          param.modulePath = apk;
                          param.startsSystemServer = startsSystemServer;
                          ((IXposedHookZygoteInit) moduleInstance).initZygote(param);
                      }
  
                      if (moduleInstance instanceof IXposedHookLoadPackage)
                          hookLoadPackage(new IXposedHookLoadPackage.Wrapper((IXposedHookLoadPackage) moduleInstance));
  
                      if (moduleInstance instanceof IXposedHookInitPackageResources)
                          hookInitPackageResources(new IXposedHookInitPackageResources.Wrapper((IXposedHookInitPackageResources) moduleInstance));
                  } else {
                      if (moduleInstance instanceof IXposedHookCmdInit) {
                          IXposedHookCmdInit.StartupParam param = new IXposedHookCmdInit.StartupParam();
                          param.modulePath = apk;
                          param.startClassName = startClassName;
                          ((IXposedHookCmdInit) moduleInstance).initCmdApp(param);
                      }
                  }
              } catch (Throwable t) {
                  log(t);
              }
          }
      } catch (IOException e) {
          log(e);
      } finally {
          try {
              is.close();
          } catch (IOException ignored) {}
      }
  }

• 通过这里可以得知，他是会找APK下assets/xposed_init是否存在，如果不存在则会打印日志并且return返回不往下执行了，所以前面说的文件名必须为xposed_init是因为这里做了判断，如果不按规则来则Hook都会无效

  InputStream is = mcl.getResourceAsStream("assets/xposed_init");
  if (is == null) {
      log("assets/xposed_init not found in the APK");
      return;
  }

• 继续往上跟会发现loadModule方法被loadModules调用，而loadModules被main函数调用，也就是Java的主函数入口，代码如下：

  protected static void main(String[] args) {
      // Initialize the Xposed framework and modules
      try {
          SELinuxHelper.initOnce();
          SELinuxHelper.initForProcess(null);
  
          runtime = getRuntime();
          if (initNative()) {
              XPOSED_BRIDGE_VERSION = getXposedVersion();
              if (isZygote) {
                  startsSystemServer = startsSystemServer();
                  initForZygote();
              }
  
              loadModules();
          } else {
              log("Errors during native Xposed initialization");
          }
      } catch (Throwable t) {
          log("Errors during Xposed initialization");
          log(t);
          disableHooks = true;
      }
  
      // Call the original startup code
      if (isZygote)
          ZygoteInit.main(args);
      else
          RuntimeInit.main(args);
  }

• 接下来我们看MainHook里我们用到的XposedHelpers.callStaticMethod和XposedHelpers.callMethod，
  可以看到他们调用到的方法都是callMethod，而在其内部调用了findMethodBestMatch方法，
  最终通过invoke(obj, args)反射来执行Hook的方法：

  public static Object callMethod(Object obj, String methodName, Object... args) {
      try {
          return findMethodBestMatch(obj.getClass(), methodName, args).invoke(obj, args);
      } catch (IllegalAccessException e) {
          // should not happen
          XposedBridge.log(e);
          throw new IllegalAccessError(e.getMessage());
      } catch (IllegalArgumentException e) {
          throw e;
      } catch (InvocationTargetException e) {
          throw new InvocationTargetError(e.getCause());
      }
  }

• 我们继续看XposedHelpers.findAndHookMethod，可以看到调用的是XposedHelpers的findAndHookMethod方法，将方法传入的最后一个对象转为XC_MethodHook，
  接着通过findMethodExact方法传入最后一个参数前的所有参数，在findMethodExact方法内部又通过反射clazz.getDeclaredMethod找出具体的方法，
  并且设置该方法访问权限为公有，所有XposedHelpers.findAndHookMethod公有私有方法都能Hook

  public static XC_MethodHook.Unhook findAndHookMethod(Class<?> clazz, String methodName, Object... parameterTypesAndCallback) {
      if (parameterTypesAndCallback.length == 0 || !(parameterTypesAndCallback[parameterTypesAndCallback.length-1] instanceof XC_MethodHook))
          throw new IllegalArgumentException("no callback defined");
  
      XC_MethodHook callback = (XC_MethodHook) parameterTypesAndCallback[parameterTypesAndCallback.length-1];
      Method m = findMethodExact(clazz, methodName, getParameterClasses(clazz.getClassLoader(), parameterTypesAndCallback));
  
      return XposedBridge.hookMethod(m, callback);
  }

• 接着来看看刚刚的XposedBridge.hookMethod，可以看到该方法内部最终通过hookMethodNative调用了Native层的Hook方法。
  继续跟XposedBridge.hookMethod，会发现他又是被hookResources方法调用，而hookResources是被initForZygote方法调用，
  而刚刚我们知道在main函数里调用了initForZygote方法，接下来我们就再看下initForZygote方法

• 首先我们看到该类中有一个main方法入口，主要看其中的initForZygote和loadModules方法，我们看下其中这段代码，
  可以看到他主要是Hook了ActivityThread类的handleBindApplication这个方法，
  而我们看下ActivityThread的源码就会发现handleBindApplication里面调用了mInstrumentation.callApplicationOnCreate(app)，
  其实就是Application的onCreate，所以在Application的onCreate方法前Xposed就做了Hook拦截执行自己的方法

// normal process initialization (for new Activity, Service, BroadcastReceiver etc.)
    findAndHookMethod(ActivityThread.class, "handleBindApplication", "android.app.ActivityThread.AppBindData", new XC_MethodHook() {
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            ActivityThread activityThread = (ActivityThread) param.thisObject;
            ApplicationInfo appInfo = (ApplicationInfo) getObjectField(param.args[0], "appInfo");
            String reportedPackageName = appInfo.packageName.equals("android") ? "system" : appInfo.packageName;
            SELinuxHelper.initForProcess(reportedPackageName);
            ComponentName instrumentationName = (ComponentName) getObjectField(param.args[0], "instrumentationName");
            if (instrumentationName != null) {
                XposedBridge.log("Instrumentation detected, disabling framework for " + reportedPackageName);
                disableHooks = true;
                return;
            }
            CompatibilityInfo compatInfo = (CompatibilityInfo) getObjectField(param.args[0], "compatInfo");
            if (appInfo.sourceDir == null)
                return;

            setObjectField(activityThread, "mBoundApplication", param.args[0]);
            loadedPackagesInProcess.add(reportedPackageName);
            LoadedApk loadedApk = activityThread.getPackageInfoNoCheck(appInfo, compatInfo);
            XResources.setPackageNameForResDir(appInfo.packageName, loadedApk.getResDir());

            LoadPackageParam lpparam = new LoadPackageParam(sLoadedPackageCallbacks);
            lpparam.packageName = reportedPackageName;
            lpparam.processName = (String) getObjectField(param.args[0], "processName");
            lpparam.classLoader = loadedApk.getClassLoader();
            lpparam.appInfo = appInfo;
            lpparam.isFirstApplication = true;
            XC_LoadPackage.callAll(lpparam);

            if (reportedPackageName.equals(INSTALLER_PACKAGE_NAME))
                hookXposedInstaller(lpparam.classLoader);
        }
    });