Xposed源码分析
来源:互联网 发布:linux dd命令 编辑:程序博客网 时间:2024/06/05 08:17
主要行为替换Zygote,进行拓展
1.system/bin/app_process.cpp
if (zygote) { runtime.start(keepLoadingXposed ? XPOSED_CLASS_DOTS : "com.android.internal.os.ZygoteInit", startSystemServer ? "start-system-server" : "");} else if (className) { // Remainder of args get passed to startup class main() runtime.mClassName = className; runtime.mArgC = argc - i; runtime.mArgV = argv + i; runtime.start(keepLoadingXposed ? XPOSED_CLASS_DOTS : "com.android.internal.os.RuntimeInit",application ? "application" : "tool");}
其中XPOSED_CLASS_DOTS在xposed.h中
#define XPOSED_CLASS_DOTS "de.robv.android.xposed.XposedBridge"
2.XposedBridge.java,main函数
if (initNative()) {//java函数jni的注册if (startClassName == null) {// Initializations for ZygoteinitXbridgeZygote();//fork some main android class}loadModules(startClassName);//load xposed apks and call callbacks} else {log("Errors during native Xposed initialization");}
1.initNative()主要负责java函数jni的注册
//xposedHandleHookedMethod//xposedInvokeOriginalMethodNative//objectArrayClass//xresourcesClass//xresourcesTranslateResId//xresourcesTranslateAttrId//register_android_content_res_XResources
主要实现Xposed.cpp->de_robv_android_xposed_XposedBridge_initNative
2.initXbridgeZygote()和loadModules相当于是Xposed对原Zygote的扩展
initXbridgeZygote()主要是做了几个hook操作
findAndHookMethod(ActivityThread.class, "handleBindApplication", "android.app.ActivityThread.AppBindData", new XC_MethodHook());findAndHookMethod("com.android.server.ServerThread", null,Build.VERSION.SDK_INT < 19 ? "run" : "initAndLoop", new XC_MethodHook());hookAllConstructors(LoadedApk.class, new XC_MethodHook());findAndHookMethod("android.app.ApplicationPackageManager",null,"getResourcesForApplication",ApplicationInfo.class, new XC_MethodHook());if (!new File(BASE_DIR + "conf/disable_resources").exists()) {hookResources();}
find Method主要利用java的反射
findAndHookMethod-》findMethodExact-》
Method method = clazz.getDeclaredMethod(methodName, parameterTypes);//reflect
-》hookMethod(Member hookMethod, XC_MethodHook callback)
3.loadModules(startClassName);
Try to load all modules defined in <code>BASE_DIR/conf/modules.list</code>
And 安排好各种回调 IXposedHookZygoteInit,IXposedHookLoadPackage,IXposedHookInitPackageResources和IXposedHookCmdInit
Xposed扩展模块必须继承上面的4个接口之一,重写其中的handleXXX函数,即各种回调,它们就是在loadModules执行的
3.Hook原理
主要实现hookMethodNative,即Xposed.cpp中的de_robv_android_xposed_XposedBridge_hookMethodNative函数
// 保存原函数信息 XposedHookInfo* hookInfo = (XposedHookInfo*) calloc(1, sizeof(XposedHookInfo)); memcpy(hookInfo, method, sizeof(hookInfo->originalMethodStruct)); hookInfo->reflectedMethod = dvmDecodeIndirectRef(dvmThreadSelf(), env->NewGlobalRef(reflectedMethodIndirect)); hookInfo->additionalInfo = dvmDecodeIndirectRef(dvmThreadSelf(), env->NewGlobalRef(additionalInfoIndirect));
// 将函数入口替换为xposedCallHandler,每次调这个被hook的method,其实质上调用的是xposedCallHandler。
SET_METHOD_FLAG(method, ACC_NATIVE); method->nativeFunc = &xposedCallHandler; method->insns = (const u2*) hookInfo; method->registersSize = method->insSize; method->outsSize = 0;
xposedCallHandler中根据函数参数的TYPE,即(I,F...这些参数在ClassUtil.java中定义)组织好参数:
xposedSetObjectArrayElement(argsArray, dstIndex++, obj);
最后:
dvmCallMethod(self, xposedHandleHookedMethod, NULL, &result, originalReflected, (int) original, additionalInfo, thisObject,argsArray);
xposedHandleHookedMethod是对XposedBridge类handleHookedMethod的引用,de_robv_android_xposed_XposedBridge_initNative中链接:
xposedHandleHookedMethod = (Method*) env->GetStaticMethodID(xposedClass, "handleHookedMethod","(Ljava/lang/reflect/Member;ILjava/lang/Object;Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;");
XposedBridge类的handleHookedMethod, disableHooks则调用原函数,否则beforeHookedMethod-》invokeOriginalMethodNative-》afterHookedMethod
if (disableHooks) {try {return invokeOriginalMethodNative(method, originalMethodId, additionalInfo.parameterTypes,additionalInfo.returnType, thisObject, args);//......do {try {((XC_MethodHook)callbacksSnapshot[beforeIdx]).beforeHookedMethod(param);//......try {param.setResult(invokeOriginalMethodNative(method,originalMethodId,additionalInfo.parameterTypes, additionalInfo.returnType, param.thisObject, param.args));}//......try {((XC_MethodHook) callbacksSnapshot[afterIdx]).afterHookedMethod(param);}
属原创!
- Xposed源码分析
- Xposed源码阅读小结
- Xposed源码剖析——Xposed初始化
- Xposed源码剖析——Xposed初始化
- Xposed源码剖析——Xposed初始化
- xposed源码编译与集成
- Xposed
- Xposed
- XPOSED源码研究之简单介绍
- Xposed源码剖析——概述
- Xposed源码剖析——概述
- Android Root插件模式:Xposed源码剖析
- Xposed源码剖析——概述
- Xposed源码剖析——概述
- Android5.1源码Xposed框架编译
- xposed框架 微信群发源码
- Xposed源码剖析——概述
- Xposed AppSettings权限管理原理分析
- Linux的内存使用说明
- (软件工程视频总结)之软件测试
- QT Demo 之 window(2) Splash
- Junit测试相关
- 详述DRAM、SDRAM及DDR SDRAM的概念
- Xposed源码分析
- iOS工程如何支持64-bit
- 盘点8种CSS实现垂直居中水平居中的绝对定位居中技术
- 文字排版
- mysql_config_editor
- .net连接MySql ,获取中文字段乱码
- JS获取验证码,并验证
- calloc
- cisco6509switch防火墙模块