Android: hooking another application's code and method calls (without root)

Last time I talked about copying the internal data of other applications without root. This time I will talk about getting directly into the target application's process without root and then hooking it. This cross-process hook works by dex injection combined with modification of the APK's resource files.

First create a module in Android Studio, create an Activity in the module, and add test code to the Activity's onCreate method, for example a Toast that shows the current package name:

// appContext is the application Context; getPackageName() will report the package of whichever app this Activity ends up running in
Toast.makeText(appContext, this.getPackageName(), Toast.LENGTH_SHORT).show();

Then compile and build the APK, open it with WinRAR, and drag out the classes.dex file inside. Next find a host application to test with, such as WeChat.apk. Open WeChat.apk with WinRAR and look at the dex files inside; there may be several. Note the highest dex number: if it is 12, rename your dex to classes13.dex, that is, the highest number plus 1, and drag your dex file into the WeChat APK so that it becomes part of WeChat.

The second step is to build a temporary project and add the execution code to it. First import the ARSCLib library, then use code to modify the binary resource file AndroidManifest.xml of the WeChat APK: add the declaration of the Activity from the module you just built and set exported to true:

<activity android:name="com.plugin.test.TestActivity"
          android:exported="true" />

The main code is as follows:

// Load the target APK with ARSCLib and get at its binary AndroidManifest.xml
ApkModule module = ApkModule.loadApkFile(new File("/sdcard/微信.apk"));
AndroidManifestBlock manifestBlock = module.getAndroidManifestBlock();
// Declare the module's Activity under <application> (created if it does not exist yet) and mark it exported
ResXmlElement activityElement = manifestBlock.getOrCreateActivity("com.plugin.test.TestActivity", false);
ResXmlAttribute exportedAttr = activityElement.getOrCreateAndroidAttribute("exported", android.R.attr.exported);
exportedAttr.setValueAsBoolean(true);

You can set launchMode to singleInstance so that the Activity is not started more than once; if you set singleTask instead, the root Activity will be opened every time.

// The attribute is named launchMode; android:launchMode="singleInstance" is the enum value 3
ResXmlAttribute launchModeAttr = activityElement.getOrCreateAndroidAttribute("launchMode", android.R.attr.launchMode);
launchModeAttr.setTypeAndData(ValueType.DEC, 3); // singleInstance
// Write the modified APK back out; it still has to be re-signed before it can be installed
module.writeApk(new File("/sdcard/微信_modified.apk"));

Finally, add the code to start the Activity in the temporary project:

// Start the injected Activity explicitly, by the host package name and the Activity's class name
Intent intent = new Intent();
intent.setClassName("com.tencent.mm", "com.plugin.test.TestActivity");
startActivity(intent);

Executing the above code starts our own Activity. What is actually started is the WeChat app, so the package name shown is WeChat's package name. Inside this Activity we can do our own things, such as accessing the WeChat process, monitoring its behavior, setting up proxies, and so on. This method has one disadvantage: every time the module code is changed, the target application has to be repackaged, then re-signed and installed again. The way to solve this is the plug-in mode: only a small piece of loading code is placed in the target application, the module itself is kept outside, and the target application loads the module at runtime. This is the same principle WalxPlugin plug-ins use. For the specific implementation, see the article "WalxPlugin Root-free Framework Usage Detailed Explanation and Sample Code".
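Because the procedure above relies on adding a classes13.dex to a signed APK, the cheapest defensive check is to compare an APK's dex inventory against a trusted baseline. The following is an added example, not code from the original article or from ARSCLib or WalxPlugin; the APK is a constructed in-memory zip and the baseline hashes are computed from it.

```python
"""Detect dex entries added to, modified in, or dropped from an APK (e.g. an
injected classesN.dex). Added example; the APK fixture below is constructed."""
import hashlib
import io
import re
import zipfile

DEX_NAME = re.compile(r"^classes(\d*)\.dex$")


def build_apk(entries: dict) -> bytes:
    """Construct a minimal zip standing in for an APK (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def dex_digests(apk_bytes: bytes) -> dict:
    """Map every classes*.dex entry in the APK to its SHA-256 hex digest."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest()
                for n in zf.namelist() if DEX_NAME.match(n)}


def audit_dex(apk_bytes: bytes, baseline: dict) -> dict:
    """Compare the APK's dex inventory with a trusted baseline of digests.
    Returns the names of added, modified and missing dex entries."""
    current = dex_digests(apk_bytes)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(n for n in current
                           if n in baseline and current[n] != baseline[n]),
        "missing": sorted(set(baseline) - set(current)),
    }


# Constructed fixture: the trusted build and a repackaged copy with one extra dex.
_COMMON = {"classes.dex": b"dex\n035\x00main", "classes2.dex": b"dex\n035\x00second",
           "AndroidManifest.xml": b"<constructed binary manifest>"}
ORIGINAL = build_apk(_COMMON)
BASELINE = dex_digests(ORIGINAL)
TAMPERED = build_apk({**_COMMON, "classes3.dex": b"dex\n035\x00plugin"})

if __name__ == "__main__":
    print(audit_dex(TAMPERED, BASELINE))
```

The same check is where an app's own integrity verification would start: on a real build the baseline is the dex digests of the signed release, and any report with a non-empty "added" or "modified" list means the package is not the one that was shipped.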

The following is the obtained list of WeChat main interface controls:

Source: blog.csdn.net/zzmzzff/article/details/131553201