How to practice Android Hook Technology

2025-01-15 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article explains in detail how to put Android Hook technology into practice. It is shared here as a reference; after reading it you should have a working understanding of the topic.

Overview

Hook techniques come up when learning Android plug-in development. This article gives a brief introduction to them and walks through two small demos. Once you understand hooking, you may have one more way to solve problems you run into later.

Definition

Image.png

The word Hook literally means a hook. So when do we use this hook? As shown above, while an event or action is being executed, you intercept it and add your own code or substitute your own proxy object. This is called a Hook.

The principle of Hook

Hooking mainly relies on the Java reflection mechanism to modify or replace the object or method that is about to be executed.

Key point: to hook something, we first need to find the object to hook. Which objects are good to hook? Singletons and static variables. They rarely change while the process is running and are relatively easy to locate, whereas ordinary objects change easily (they may be destroyed at any time). Following this principle, we look for the so-called Hook point.

That is my understanding of Hook, and it is fairly simple. But practice is the sole criterion for testing truth, so I will write two small demos below.

Demo1

This example hooks a utility class.

    /**
     * Printer utility class, providing black-and-white printing and color printing
     */
    public class PrintUtil {
        private static IPrint colorPrint = new ColorPrint();           // color printer
        private static IPrint blackWhitePrint = new BlackWhitePrint(); // black-and-white printer

        public static void colorPrint(String content) {
            colorPrint.print(content);
        }

        public static void blackWhitePrint(String content) {
            blackWhitePrint.print(content);
        }
    }

The utility class is shown above.

    private void operate4() {
        // HookHelper.hookPrint();
        PrintUtil.blackWhitePrint("black and white content");
        PrintUtil.colorPrint("color content");
    }

Image.png

The normal result is as above. Now let's hook PrintUtil. First we find the Hook point: PrintUtil has two static variables, and these are the Hook point we are looking for. The code is as follows.

    /**
     * Hook PrintUtil (a method of HookHelper; needs java.lang.reflect.Field)
     */
    public static void hookPrint() {
        try {
            Class<?> printClass = Class.forName("com.example.shiyagang.myapplication.util.PrintUtil");
            Field colorPrintField = printClass.getDeclaredField("colorPrint");
            Field blackWhitePrintField = printClass.getDeclaredField("blackWhitePrint");
            colorPrintField.setAccessible(true);
            blackWhitePrintField.setAccessible(true);
            // The fields are static, so the target object passed to set() is null
            colorPrintField.set(null, new BlackWhitePrint());
            blackWhitePrintField.set(null, new ColorPrint());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

We replace the two static variables of PrintUtil through reflection.

After the replacement, the execution result is as follows.

Image.png

The color printer printed the black-and-white content, so the hook worked. Hey, hey.
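Seen from the defending side, the same hook points can be audited. The following is an added example, not code from the original article: it records every static reference field of a class as a baseline and later reports which ones no longer hold the original object. The class name HookPointAudit and the stand-in IPrint/PrintUtil classes are constructed for this example so that it runs on a desktop JVM as a single file.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class HookPointAudit {
    // Constructed stand-ins for the article's IPrint / PrintUtil classes.
    interface IPrint { String print(String content); }
    static class ColorPrint implements IPrint { public String print(String c) { return "[color] " + c; } }
    static class BlackWhitePrint implements IPrint { public String print(String c) { return "[b/w] " + c; } }
    static class PrintUtil {
        private static IPrint colorPrint = new ColorPrint();
        private static IPrint blackWhitePrint = new BlackWhitePrint();
    }

    // Hook point -> object it held when the baseline was taken.
    private final Map<Field, Object> baseline = new LinkedHashMap<>();

    /** Records every static reference field of cls (the article's "hook points") and its current value. */
    HookPointAudit(Class<?> cls) throws IllegalAccessException {
        for (Field f : cls.getDeclaredFields()) {
            if (!Modifier.isStatic(f.getModifiers()) || f.getType().isPrimitive()) continue;
            f.setAccessible(true);
            baseline.put(f, f.get(null));
        }
    }

    /** Names of fields whose value is no longer the baseline object (identity comparison, not equals). */
    List<String> changed() throws IllegalAccessException {
        List<String> out = new ArrayList<>();
        for (Map.Entry<Field, Object> e : baseline.entrySet())
            if (e.getKey().get(null) != e.getValue()) out.add(e.getKey().getName());
        return out;
    }

    public static void main(String[] args) throws Exception {
        HookPointAudit audit = new HookPointAudit(PrintUtil.class);
        System.out.println("before hook: " + audit.changed());
        // The swap from Demo1, applied to one field only.
        Field f = PrintUtil.class.getDeclaredField("colorPrint");
        f.setAccessible(true);
        f.set(null, new BlackWhitePrint());
        System.out.println("after hook:  " + audit.changed());
    }
}
```

The baseline has to be taken before any hook is installed, and a legitimate reassignment of a field is reported the same way as a hook.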

Demo2

In this example we find a hook point in the call chain of context.startActivity and replace it. Let's first analyze what context.startActivity does: Context.startActivity actually ends up in ContextImpl's startActivity.

[Figure: call chain of context.startActivity]

As shown in the figure above, the call finally reaches the execStartActivity method of the mInstrumentation member of the ActivityThread class. Note that ActivityThread is in effect the main thread, and a process has only one main thread, so this is a good Hook point.

To get the mInstrumentation of ActivityThread, we first need an instance of ActivityThread.

The ActivityThread class has a static method, currentActivityThread, that returns the ActivityThread instance.

With these steps in place, we can write the hook.

    /**
     * Hook ActivityThread (a method of HookHelper; needs java.lang.reflect.Field and Method)
     */
    public static void attachContext() throws Exception {
        // Get the current ActivityThread object
        Class<?> activityThreadClass = Class.forName("android.app.ActivityThread");
        Method currentActivityThreadMethod = activityThreadClass.getDeclaredMethod("currentActivityThread");
        currentActivityThreadMethod.setAccessible(true);
        Object currentActivityThread = currentActivityThreadMethod.invoke(null);

        // Get the mInstrumentation field
        Field mInstrumentationField = activityThreadClass.getDeclaredField("mInstrumentation");
        mInstrumentationField.setAccessible(true);
        Instrumentation mInstrumentation = (Instrumentation) mInstrumentationField.get(currentActivityThread);

        // Create the proxy object
        Instrumentation evilInstrumentation = new EvilInstrumentation(mInstrumentation);

        // Replace the original object with the proxy
        mInstrumentationField.set(currentActivityThread, evilInstrumentation);
    }

The EvilInstrumentation proxy class is as follows:

    import android.app.Activity;
    import android.app.Instrumentation;
    import android.content.Context;
    import android.content.Intent;
    import android.os.Bundle;
    import android.os.IBinder;
    import android.util.Log;
    import java.lang.reflect.Method;

    /**
     * Static proxy class of Instrumentation
     */
    public class EvilInstrumentation extends Instrumentation {
        private static final String TAG = EvilInstrumentation.class.getSimpleName();

        // The original object from ActivityThread, saved so calls can be forwarded to it
        Instrumentation mBase;

        public EvilInstrumentation(Instrumentation base) {
            mBase = base;
        }

        public ActivityResult execStartActivity(Context who, IBinder contextThread, IBinder token,
                Activity target, Intent intent, int requestCode, Bundle options) {
            Log.e(TAG, "We Hook the startup process of Activity");
            try {
                // execStartActivity is hidden from the SDK, so the original is called through reflection
                Method execStartActivity = Instrumentation.class.getDeclaredMethod("execStartActivity",
                        Context.class, IBinder.class, IBinder.class, Activity.class,
                        Intent.class, int.class, Bundle.class);
                execStartActivity.setAccessible(true);
                return (ActivityResult) execStartActivity.invoke(mBase, who, contextThread, token,
                        target, intent, requestCode, options);
            } catch (Exception e) {
                throw new RuntimeException("something's wrong, go adapt", e);
            }
        }
    }

Now let's look at the Activity code; we install the hook in attachBaseContext.

    private void operate3() {
        Intent intent = new Intent(getApplicationContext(), SecondActivity.class);
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        getApplicationContext().startActivity(intent);
    }

    @Override
    protected void attachBaseContext(Context newBase) {
        super.attachBaseContext(newBase);
        try {
            // Install the hook here
            HookHelper.attachContext();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

Image.png

As shown in the picture above, we have succeeded. Here we only print a log, but of course you can do anything.
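A defensive counterpart to Demo2, as an added example that is not from the original article: an app can check whether ActivityThread.mInstrumentation is still the framework's own android.app.Instrumentation. The class name InstrumentationCheck and its Result enum are hypothetical; the reflected member names are the ones used in the hook above.

```java
import android.app.Instrumentation;
import android.util.Log;
import java.lang.reflect.Field;
import java.lang.reflect.Method;

/** Hypothetical helper: reports whether ActivityThread.mInstrumentation has been replaced. */
public final class InstrumentationCheck {
    private static final String TAG = "InstrumentationCheck";

    /** UNKNOWN means the reflective lookup was blocked or failed, so nothing can be concluded. */
    public enum Result { ORIGINAL, REPLACED, UNKNOWN }

    private InstrumentationCheck() {}

    public static Result check() {
        try {
            Class<?> activityThreadClass = Class.forName("android.app.ActivityThread");
            Method current = activityThreadClass.getDeclaredMethod("currentActivityThread");
            current.setAccessible(true);
            Object activityThread = current.invoke(null);
            if (activityThread == null) return Result.UNKNOWN;

            Field field = activityThreadClass.getDeclaredField("mInstrumentation");
            field.setAccessible(true);
            Object instrumentation = field.get(activityThread);
            if (instrumentation == null) return Result.UNKNOWN;

            // Exact class comparison: a subclass such as EvilInstrumentation
            // passes an instanceof test but fails this one.
            Class<?> actual = instrumentation.getClass();
            if (actual == Instrumentation.class) return Result.ORIGINAL;

            Log.w(TAG, "mInstrumentation is " + actual.getName()
                    + ", loaded by " + actual.getClassLoader());
            return Result.REPLACED;
        } catch (ReflectiveOperationException | RuntimeException e) {
            Log.w(TAG, "could not inspect mInstrumentation", e);
            return Result.UNKNOWN;
        }
    }
}
```

REPLACED is also expected when the app runs under an instrumented test, because the test runner is itself an Instrumentation subclass. Reflection on these non-SDK members may be restricted on Android 9 and later, which yields UNKNOWN.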
