xposed基础语法

# 类

# 元类


# class
类名.class

# 实例化后的对象
対象.getClass()

# 反射
Class.forName

# java api
java.lang.String

# 使用 xposed读取
XposedHelpers.findClass

# 读取 dex path、jar path
new DexClassLoader().loadClass

# smail语法
[[Ljava.lang.Strings

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

# 普通类

# 直接使用下面的方式获取
Class<?> MSManager = XposedHelpers.findClass("com.bytedance.mobsec.metasec.ml.MSManager", lpparam.classLoader);

1
2

# 匿名类

# 从1开始
XposedHelpers.findClass( className: "com.xiaojianbang. xposeddemo. Demo$1", loadPackageParam. classLoader)

1
2

# 内部类

# 直接 $ 内部类  （支持直接的内部类中的方法调用）
XposedHelpers.findClass( className: "com.xiaojianbang. xposeddemo. Demo$InnerClass", loadPackageParam. classLoader)

1
2

# instance

获取实例的方式

# newInstance

Class<?> MSManager = XposedHelpers.findClass("com.bytedance.mobsec.metasec.ml.MSManager", lpparam.classLoader);  
instance = MSManager.newInstance();

1
2

# param.thisObject

XposedHelpers.findAndHookMethod(MSManager, "setDeviceID", String.class, new XC_MethodHook() {  
    @Override  
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {  
        Log.i("hook_dy", "res:" + param.args[0]);  
        instance = param.thisObject;  
    }  
});

1
2
3
4
5
6
7

# XposedHelpers

# 相关hook

# findAndHookConstructor

# 如果是无参构造，则不传入参数
(Class<?> clazz, Object... parameterTypesAndCallback)

1
2
3
4

# findAndHookMethod

# findAndHookMethod 即可以hook普通方法又可以hook私有方法
findAndHookMethod(Class<?> clazz, String methodName, Object... parameterTypesAndCallback)

1
2

# hook多dex

attch
# http://blog.minihu.top/2021/04/17/xposed-hook-%E5%A4%9Adex%E7%9A%84apk/
# https://www.cnblogs.com/c-x-a/p/12582487.html

//过滤一下不关注的包，排除影响
 if(!loadPackageParam.packageName.equals("yourPkgName"))
	return;
XposedHelpers.findAndHookMethod(Application.class, "attach",
    Context.class, new XC_MethodHook() {
        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            ClassLoader cl = ((Context) param.args[0]).getClassLoader();
            Class<?> hookclass = null;
            try {
            	//查看dex有没有这个Class
                hookclass = cl.loadClass("com.umeng.commonsdk.UMConfigure");
            } catch (Exception e) {
                XposedBridge.log("load class error"+e);
                return;
            }
            //确定有这个Class再进行hook方法的操作
            XposedBridge.log( "load success");
            XposedHelpers.findAndHookMethod(hookclass, "init", Context.class,String.class,String.class,int.class,String.class,
                new XC_MethodHook() {
                    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                        super.beforeHookedMethod(param);
                        XposedBridge.log( "has Hooked!");
                    }
                    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                        //打印一下形参
                        XposedBridge.log("param.args[0] = "+param.args[0]);
                        XposedBridge.log("param.args[1] = "+param.args[1]);
                        XposedBridge.log("param.args[2] = "+param.args[2]);
                        XposedBridge.log("param.args[3] = "+param.args[3]);
                        XposedBridge.log("param.args[4] = "+param.args[4]);
                    }
                });
        }
 });

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

# 可混合传入参数

# 相关call

# callMethod

Object result = XposedHelpers.callMethod(targetObject, "privateMethodName", arg1, arg2, ...);

# 相关回调

# XC_MethodReplacement

new XC_MethodReplacement

# 字段

# getIntField

XposedHelpers.getIntField(param.thisObject, fieldName: "innerPublicInt");

# 类操作

# 仅公有方法
democlazz.getMethod();
# 全部的声明方法
democlazz.getDeclaredMethod();

# 仅公有字段
democlazz.getField();
# 所有字段
democlazz.getDeclaredField();

1
2
3
4
5
6
7
8
9

# 流程

1、找到类
2、找到字段或方法 设定访问权限
3、修改字段或调用方法

1
2
3

# getField

String str = (String)reffield.get(obj):

# getDeclaredMethod

# 如果调用私有方法，需要声明一下操作权限
refmethod.setAccessible(true);

1
2

# getDeclaredFields

# getDeclaredClasses

# 获取声明的类

# classloader

# 安卓的所有class 底层都是通过  ClassLoader中的 loadClass 方法进行加载的

# 获取声明

reffield.getType //获取字段类型
reffield.getName //获取字段名称
reffield.getModifiers //获取访问修饰

1
2
3

# invoke

# 加载类
Class democlazz = Class.forName( name: "com.xiaojianbang xposeddemo.Demo", initialize: false, classloader)
# 获取声明的方法
Method refmethod = democlazz.getDeclaredMethod( name: "refl");
refmethod.setAccessible(true);
# invoke 调用
refmethod.invoke(obi);

1
2
3
4
5
6
7

# XposedBridge

XposedBridge.hookALLConstructors()
XposedBridge.hookAlLMethods

1
2

# hookAllMethods

hook 函数重载

# hookAllConstructors

可以根据 构造函数的参数进行判断

# 栈

# 堆栈输出

Log.e("逆向有你", "Stack：", new Throwable("stack dump"));

# 自吐

# 算法自吐

因为在java层  必然会调用java的相关函数  例如 javax和java.utils下的函数

可以直观的看到 iv  key 偏移量 块填充 等相关信息

1
2
3

# md5

# RSA

上次更新: 2023-06-27 16:49:11

← xposed精选资源 xposed结合grpc进行签名获取→