Xposed Deep Dive

【Background】:

As privacy and security issues on Android devices attract more and more public attention, the threat that malware poses to user privacy, especially private data such as phone calls and text messages, has become increasingly prominent. All the major security suites have launched their own privacy behavior monitoring features, which, on a rooted device, can effectively stop malware from stealing user data. So what is the technical principle behind this? How do we stop malware from reading text messages, contacts or your private photos? This touches on the ContentProvider chapter; interested students can read http://429899791.iteye.com/blog/2205792

It is not easy to hook these APIs in the Java layer or the Dalvik layer (the Android virtual machine), because those layers provide no hook points, so the hooking can only be done in the native layer.

Reading this, you will surely wonder what a Hook actually is. ee had the same question and had to look up more and more material, so here is a summary for you:

[What is a Hook]:

Android security can be considered at three levels: the Java virtual machine layer, the native layer, and the Linux kernel layer. The hook API discussed here belongs to the native layer. Once an API is hooked, the program's call to the original system function is redirected to a function we wrote ourselves; this can be used as a means of attack, and it can also be used to update a program while it keeps running.

Thinking about it this way, if we hook the call, the function that gets called is replaced by ours, and when the user taps to dial, the number actually dialed is the one we specified. For example, if ee wanted to chase a male god and attack his phone (the premise, of course, being that our app is installed secretly), then no matter whom he calls, he ends up calling me. Powerful, isn't it? What we are really talking about here is network security, and ee always wants to attack others, but attack and defense complement each other: only by learning how to attack can we think about how to defend.

[How to do it]: At the native level, one feasible approach is to hook the runtime library (.so) that handles calls and SMS, such as the system runtime library /system/lib/libreference-ril.so or /system/lib/libril.so. If you inject your own .so into the process above, obtain the original API address through dlopen() and dlsym(), and replace the original API address with the address of the API in your own .so, the hook is achieved.

So now do you know what a Hook is? It is "swapping a civet cat for the crown prince" (a secret substitution). The next time an interviewer asks you, you can say that, but I hope you can also explain the principle clearly.

========================================================================

[About the Xposed framework]:

After all this talk about hooks, what does the Xposed framework do? The Xposed framework is a framework service that can change the behavior of a program without modifying its APK. By replacing the /system/bin/app_process program it takes control of the Zygote process: during startup, app_process loads the XposedBridge.jar package, thereby hijacking Zygote and every virtual machine it creates.

Mom, that's a whole bunch of new terms, what should I do? One word: "look it up"!!

Introduction to how the Xposed framework implements hooks

Zygote is the core of Android. Every time an app is launched, Zygote forks a virtual machine instance to run it. The Xposed Framework penetrates this core mechanism of Android and achieves some awesome functions by modifying Zygote. Zygote's startup configuration is in the /init.rc script; the process is started when the system boots, and its executable is /system/bin/app_process, which loads the class libraries and calls some functions.

When the Xposed Framework is installed, app_process is extended: the Xposed Framework overwrites the app_process file that Android provides natively with its own app_process. When the system boots, the replaced app_process file is loaded, and the Xposed Framework also defines a jar package that is loaded at boot as well:

/data/data/de.robv.android.xposed.installer/bin/XposedBridge.jar


Well, after reading this, I have roughly understood how Xposed and hooking work together: first the Xposed FrameWork bribes Zygote's palace guards, then the Hook sneaks into the palace to carry out the shameful act of "swapping a civet cat for the crown prince".

===========================================================================================

That's it for the principle; now we start making preparations.

Conditions for the Xposed Framework to run

1. Rooted device / emulator (a rooted phone or emulator)

2. XposedInstaller (download the Xposed installer)

3. Android app to hook (the target app to be hooked)

The Xposed framework installer can be regarded as a management tool for the Xposed framework. We write the app containing our Xposed module and add it to XposedInstaller for management; at the same time, our hook code has been written to target a specific function in a specific app. "Swapping a civet cat for the crown prince" does not mean you can attack a powerful app like QQ or WeChat, so write a simple app yourself and attack your own implementation.
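As an added example (not code from the original post, and not the Xposed project's own code), here is a minimal Xposed module that does what the privacy behavior monitoring features mentioned in the background do: it hooks ContentResolver.query() inside a test app we wrote ourselves, logs every query against the SMS and contacts providers, and returns an empty cursor instead of the real data. The package names com.example.hookdemo and com.example.targetapp are assumptions to be replaced with your own; IXposedHookLoadPackage, XposedHelpers.findAndHookMethod, XC_MethodHook and XposedBridge.log are the real XposedBridge API.

```java
package com.example.hookdemo; // hypothetical module package (assumption)

import android.database.MatrixCursor;
import android.net.Uri;
import android.provider.ContactsContract;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

/**
 * Xposed module that monitors ContentProvider access from our own test app.
 * The hook runs inside the target app's process: Zygote (through the replaced
 * app_process and XposedBridge.jar) loads this module into every app it forks.
 */
public class PrivacyMonitorModule implements IXposedHookLoadPackage {

    // Our own "low-end" test app, as the post suggests (assumption; change to yours)
    private static final String TARGET_PACKAGE = "com.example.targetapp";

    // Provider authorities that hold private data: SMS, MMS/SMS and contacts
    private static final Set<String> PRIVATE_AUTHORITIES = new HashSet<>(
            Arrays.asList("sms", "mms-sms", ContactsContract.AUTHORITY));

    @Override
    public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
        // handleLoadPackage fires for every app process; only hook the test app
        if (!TARGET_PACKAGE.equals(lpparam.packageName)) {
            return;
        }

        // Hook the 5-argument ContentResolver.query(Uri, String[], String, String[], String).
        // The method is final in the framework, but Xposed hooks at the VM level, so that is fine.
        XposedHelpers.findAndHookMethod(
                "android.content.ContentResolver", lpparam.classLoader, "query",
                Uri.class, String[].class, String.class, String[].class, String.class,
                new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) {
                        Uri uri = (Uri) param.args[0];
                        String authority = uri == null ? null : uri.getAuthority();
                        if (authority == null || !PRIVATE_AUTHORITIES.contains(authority)) {
                            return; // not private data: let the original query run untouched
                        }

                        String[] projection = (String[]) param.args[1];
                        XposedBridge.log("[PrivacyMonitor] " + lpparam.packageName
                                + " queried " + uri
                                + " projection=" + Arrays.toString(projection));

                        // Block the access: setResult() in beforeHookedMethod makes Xposed
                        // skip the original method. Return an empty cursor rather than null
                        // so the app does not crash on a NullPointerException.
                        String[] columns = projection != null ? projection : new String[0];
                        param.setResult(new MatrixCursor(columns));
                    }
                });
    }
}
```

To register the module: compile against the XposedBridge API jar as a provided (not packaged) dependency, add the `xposedmodule`, `xposedminversion` and `xposeddescription` `<meta-data>` entries to AndroidManifest.xml, list `com.example.hookdemo.PrivacyMonitorModule` in `assets/xposed_init`, then install the APK, enable it in XposedInstaller and reboot. The log lines show up in the Xposed log, which is where you verify that the test app's SMS or contacts queries were intercepted.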

That's it for the theory class; next class we start the hands-on practice!!!!



Origin http://43.154.161.224:23101/article/api/json?id=326460831&siteId=291194637