Hook mechanism study (1): notes on weishu's blog series

weishu blog series

1: Choosing the Hook point

1. The object being hooked is called the hook point. Objects that are easy to locate generally make good hook points, which is why static variables and singletons are usually chosen.
2. Within a single process, static variables and singletons are relatively unlikely to change, so they are very easy to pin down; ordinary objects either cannot be identified reliably or change too easily. These are the principles for finding a so-called hook point.

2: Hook example: hooking Instrumentation.execStartActivity()

ContextImpl.startActivity() in the framework, which ends up calling Instrumentation.execStartActivity():
@Override
public void startActivity(Intent intent, Bundle options) {
    warnIfCallingFromSystemProcess();
    if ((intent.getFlags()&Intent.FLAG_ACTIVITY_NEW_TASK) == 0) {
        throw new AndroidRuntimeException(
                "Calling startActivity() from outside of an Activity "
                + " context requires the FLAG_ACTIVITY_NEW_TASK flag."
                + " Is this really what you want?");
    }
    mMainThread.getInstrumentation().execStartActivity(
        getOuterContext(), mMainThread.getApplicationThread(), null,
        (Activity)null, intent, -1, options);
}


EvilInstrumentation, which extends Instrumentation:
import android.app.Activity;
import android.app.Instrumentation;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.os.IBinder;
import android.util.Log;
import java.lang.reflect.Method;

public class EvilInstrumentation extends Instrumentation {

    private static final String TAG = "EvilInstrumentation";

    // The original Instrumentation held by ActivityThread, kept so calls can be forwarded to it
    Instrumentation mBase;

    public EvilInstrumentation(Instrumentation base) {
        mBase = base;
    }

    public ActivityResult execStartActivity(
            Context who, IBinder contextThread, IBinder token, Activity target,
            Intent intent, int requestCode, Bundle options) {
        // Runs before the original call: this is where the hook does its own work
        Log.d(TAG, "\nexecStartActivity, arguments:\n"
                + "who = [" + who + "], "
                + "\ncontextThread = [" + contextThread + "],"
                + "\ntoken = [" + token + "], "
                + "\ntarget = [" + target + "],"
                + "\nintent = [" + intent + "],"
                + "\nrequestCode = [" + requestCode + "],"
                + "\noptions = [" + options + "]");

        // Forward to the original method. Skipping it is possible, but then every startActivity()
        // in the process stops working. The method is hidden, so it is located and invoked via reflection.
        try {
            Method execStartActivity = Instrumentation.class.getDeclaredMethod(
                    "execStartActivity",
                    Context.class, IBinder.class, IBinder.class, Activity.class,
                    Intent.class, int.class, Bundle.class);
            execStartActivity.setAccessible(true);
            return (ActivityResult) execStartActivity.invoke(mBase, who,
                    contextThread, token, target, intent, requestCode, options);
        } catch (Exception e) {
            // Some ROMs change this method's signature; they need manual adaptation
            throw new RuntimeException("do not support!!! pls adapt it");
        }
    }
}

Installing the EvilInstrumentation object in place of the system Instrumentation:
import android.app.Instrumentation;
import java.lang.reflect.Field;
import java.lang.reflect.Method;

public static void attachContext() throws Exception {
    // First get the current ActivityThread object (a per-process singleton, hence a good hook point)
    Class<?> activityThreadClass = Class.forName("android.app.ActivityThread");
    Method currentActivityThreadMethod = activityThreadClass.getDeclaredMethod("currentActivityThread");
    currentActivityThreadMethod.setAccessible(true);
    Object currentActivityThread = currentActivityThreadMethod.invoke(null);

    // Read the original mInstrumentation field
    Field mInstrumentationField = activityThreadClass.getDeclaredField("mInstrumentation");
    mInstrumentationField.setAccessible(true);
    Instrumentation mInstrumentation = (Instrumentation) mInstrumentationField.get(currentActivityThread);

    // Create the proxy object that wraps the original
    Instrumentation evilInstrumentation = new EvilInstrumentation(mInstrumentation);

    // Swap it in
    mInstrumentationField.set(currentActivityThread, evilInstrumentation);
}
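As an added example (not from weishu's series or this note), the defender-side counterpart of attachContext(): a check that reads the same ActivityThread.mInstrumentation field and reports whether it still holds the framework's own Instrumentation or a subclass that was swapped in. The class and method names are assumptions.

```java
import android.app.Instrumentation;
import android.util.Log;
import java.lang.reflect.Field;
import java.lang.reflect.Method;

// Added example, not part of the original note. Checks whether ActivityThread.mInstrumentation
// still holds exactly android.app.Instrumentation or a wrapper such as EvilInstrumentation
// installed the way attachContext() does. Names are assumptions.
public final class InstrumentationIntegrityCheck {

    private static final String TAG = "InstrumentationIntegrityCheck";

    private InstrumentationIntegrityCheck() {}

    /**
     * Returns true when mInstrumentation is no longer exactly android.app.Instrumentation,
     * i.e. something wrapped or replaced it. Reads the same hidden members the hook uses,
     * so it can throw on ROMs that rename them or under hidden-API restrictions on newer
     * Android versions; callers should treat an exception as "cannot verify", not "clean".
     */
    public static boolean isInstrumentationReplaced() throws Exception {
        Class<?> activityThreadClass = Class.forName("android.app.ActivityThread");
        Method currentActivityThread = activityThreadClass.getDeclaredMethod("currentActivityThread");
        currentActivityThread.setAccessible(true);
        Object activityThread = currentActivityThread.invoke(null);

        Field field = activityThreadClass.getDeclaredField("mInstrumentation");
        field.setAccessible(true);
        Object current = field.get(activityThread);
        if (current == null) {
            // Instrumentation is attached before Application.onCreate(); a null here is
            // abnormal, so fail closed and report it as replaced.
            return true;
        }

        // A legitimate androidx.test run also installs a subclass, so log the concrete
        // class name for triage; production processes expect exactly Instrumentation.
        Class<?> actual = current.getClass();
        Log.d(TAG, "mInstrumentation is " + actual.getName());
        return actual != Instrumentation.class;
    }
}
```

Calling this once early in Application.onCreate() and again later catches both hooks installed before the app's own code runs and ones injected afterwards.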