Android Hook

What is Hook

A hook intercepts events and monitors how they are passed along.

Common Hook Framework

  • With root permission: hook the system directly, which covers every app on the device
  • Without root permission: only the app itself can be hooked; other apps in the system are out of reach

Common Hook Schemes

Xposed

Controls Zygote by replacing the /system/bin/app_process program, so that all hijacking is set up at boot time and custom code can be added before and after the original code executes. (Supports Java code.)

Cydia Substrate

A code modification platform that can modify the code of any process. (Supports Java and C/C++.)

Legend

A root-free APK hook framework. It directly constructs the virtual machine data structures corresponding to the old and new methods, then writes the replacement information into memory.

Implement API Hook using Java reflection

Through virtual machine injection and Java reflection on the Android platform, the way the Android virtual machine calls functions (ClassLoader) is changed, which redirects Java function calls.

Use reflection to hook setOnClickListener

Create a new OnClickListener class that takes the original OnClickListener and acts as a proxy, running the relevant code before and after the original onClick. Then, through reflection, replace the listener that setOnClickListener stored in the View's ListenerInfo with this proxy.

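// Inner class of MainActivity: it uses MainActivity.this and the activity's TAG constant.
// Needs android.util.Log, android.view.View and android.widget.Toast.
class HookedOnClickListener implements View.OnClickListener {
    // The listener that was registered before the hook was installed.
    private final View.OnClickListener origin;

    HookedOnClickListener(View.OnClickListener origin) {
        this.origin = origin;
    }

    @Override
    public void onClick(View v) {
        Toast.makeText(MainActivity.this, "hook click", Toast.LENGTH_SHORT).show();
        Log.i(TAG, "Before click, do what you want to do.");
        // Forward the click to the original listener, if there was one.
        if (origin != null) {
            origin.onClick(v);
        }
        Log.i(TAG, "After click, do what you want to do.");
    }
}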

Use Hooks to Intercept In-App Notifications

You can intercept unwanted notifications (some SDKs send their own) by replacing the static variable sService of NotificationManager with a dynamic proxy.

The dynamic proxy part of the code is as follows:

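InvocationHandler handler = new InvocationHandler() {
    @Override
    public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
        // Log the type and value of every argument of the intercepted call.
        if (args != null && args.length > 0) {
            for (Object arg : args) {
                log.debug("type:{}, arg:{}", arg != null ? arg.getClass() : null, arg);
            }
        }
        // Hand the call to sService: the notification is not intercepted.
        // return method.invoke(sService, args);
        // Intercept the notification: do nothing.
        // (A proxy throws NullPointerException when null is returned for a
        // method whose return type is primitive.)
        return null;
        // Alternatively, filter by the notification's tag and ID.
    }
};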
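The complete hook around such a handler, as an added example that is not code from the original article: it looks up the singleton, wraps it in a dynamic proxy that drops only selected notifications, and writes the proxy back into sService. The class name NotificationHook, the log tag and the BLOCKED_TAG value are hypothetical; the hidden getService() method, the sService field and the enqueueNotification* method names are non-SDK interfaces that are assumed here and can differ between Android versions.

```java
import android.app.NotificationManager;
import android.util.Log;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

// Added example, not the article's code. getService(), sService and
// INotificationManager are non-SDK interfaces, so reflection on them can be
// refused on Android 9 and later; install() then throws.
public final class NotificationHook {
    private static final String TAG = "NotificationHook";   // hypothetical log tag
    private static final String BLOCKED_TAG = "sdk_promo";  // hypothetical tag to drop

    public static void install() throws ReflectiveOperationException {
        // 1. Hook point: the static singleton. getService() fills sService on first use.
        Method getService = NotificationManager.class.getDeclaredMethod("getService");
        getService.setAccessible(true);
        final Object origin = getService.invoke(null);

        // 2. Proxy: INotificationManager is an interface, so a dynamic proxy fits.
        Class<?> iface = Class.forName("android.app.INotificationManager");
        Object proxy = Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[]{iface},
                (p, method, args) -> {
                    // The position of the tag argument differs between API levels
                    // (assumption), so every argument is compared.
                    if (method.getName().startsWith("enqueueNotification") && args != null) {
                        for (Object arg : args) {
                            if (BLOCKED_TAG.equals(arg)) {
                                Log.i(TAG, "dropped notification, tag=" + arg);
                                return null; // enqueue methods return void, so null is safe
                            }
                        }
                    }
                    try {
                        // Everything else goes to the original service unchanged.
                        return method.invoke(origin, args);
                    } catch (InvocationTargetException e) {
                        throw e.getCause(); // surface the service's own exception
                    }
                });

        // 3. Swap: replace the original object with the proxy.
        Field sService = NotificationManager.class.getDeclaredField("sService");
        sService.setAccessible(true);
        sService.set(null, proxy);
    }
}
```

Call NotificationHook.install() once, for example from Application.onCreate(), before any SDK posts a notification.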

Summary

Choosing hook points: prefer static variables and singletons, because once such an object is created it is not easy to change and is very easy to locate.

Hook process:

  • Look for hook points. The principle is to pick static variables or singleton objects, and to hook public objects and methods where possible.
  • Select the appropriate proxy method. If the target is an interface, you can use a dynamic proxy.
  • Swap: replace the original object with the proxy object.

There are many versions of the Android API, and methods and classes may differ between them, so API compatibility has to be handled carefully.

Other

See https://www.jianshu.com/p/4f6d20076922 for details
