In a previous article on the binder mechanism in Android and system remote service invocation mechanism, this article will continue to use the content of the previous article to implement the Hook system service intercept The logic of the specified method, after understanding the previous article, know that the system is actually a remote binder object, And this object is managed by the ServiceManager, the user in the use of system services, will be specified by the service of the stub method of Asinterface to the remote binder object can be converted to a localized object to use, and in this process, We also know that because the system service is in the system_server process, so this system service is used in the process of cross-process calls, then the returned object is actually proxy agent object.
This article mainly uses this knowledge point, through the hook system service to intercept the service method, below we pass the System Shearing Board service case as the analysis
As you can see here, the Getsystemservice method is used when using the system service, and the service object is obtained by defining the service description constants in the context, and the Getsystemservice method is defined in Comtextimpl.java in the class:
A servicefetcher map structure is maintained here to see where the structure fills the data:
Add a service name and a Servicefetcher object in the Registerservice method, which is called in a static code block:
We have found Clipboardmanager this service:
Here is actually a Clipboardmanager object, in fact, this object is the internal encapsulation of the Iclipboard.stub function, you can look at other services:
For example, the network service here directly calls the Iconnectivitymanager.stub class's Asinterface method to get the proxy object.
Let's go in the Clipboardmanager.java and see what happens:
See here the way to set the Clipboard content, in fact inside is called the GetService method to get the object and then call the specified method, Then you probably know that this GetService method should return the proxy object returned by Iclipboard.stub through the Asinterface method:
Well, sure enough, here we get the remote IBinder object to clipboard through ServiceManager, and then return a proxy object through the Asinterface method.
Here we simply analyzed the system in the access to the Clipboard service, in fact, the service in the system is such a logic, but some may be in the outside packaging a layer, the following summary of the process:
Now just remember one thing: every time the process of acquiring a system service is the same, the IBinder object of the remote service is obtained first through the ServiceManager GetService method. The Asinterface method of the stub class of the specified service is then transformed into a locally available object, and this object is actually a proxy object, in which the stub inherits the binder object and implements the Aidl interface type. The proxy object implements the Aidl interface type, while the Aidl interface type implements the IInterface interface type.
The above analysis of the use of system services in Android and the principle of interpretation, the following in the implementation of the hook mechanism in Android and principle analysis, we know that in many systems there is such a hook technology, some are called hooks, but regardless of any system, Hook technology is the core point is the same, only two points to complete the hook technology:
1, find the hook point , that is, you want to hook which object, then you have to find the object definition of the place, and then use reflection to get to this object instance. So here you can see that the general Hook point is a single class of a simple method or a static variable, because it is very convenient to hook up, are static types, reflection calls are more convenient without concrete instance object. And this point is the hardest point in the whole hook process, because it's hard to find this point. Android mainly relies on the analysis system source code class to do.
2, constructs a hook original object's proxy class , about this proxy actually has two kinds of methods in Java, one is the static proxy, one is the dynamic agent.
static proxy : A member variable of the original object is maintained in the proxy class, and each method calls the method of the original object before invoking it. No condition restrictions required
Dynamic Proxy: more complex than static agent is a rule: the original object must be implemented interface to operate, the principle is because the dynamic agent is automatically generated a proxy class byte code, the class name is generally proxy$0 what, this class will automatically implement the original class implementation of the interface method, All methods in the interface are then invoked using the reflection mechanism.
Case use is very simple, below we through the source code analysis this principle:
The main invocation of the GetProxyClass0 method is to generate the byte code for the proxy class:
Then generate the proxy class:
See here, in fact, the generated bytecode here is not very complex, we can use a toolkit such as ASM can manually generate a bytecode, and then loaded with the class loader, you will find the need to pass the class loader.
When the proxy class is generated above, we can reverse-compile this class and look at the call to the method, the static code block in the proxy class:
All methods of the class are obtained using reflection.
The Invoke method that passes in the Invocationhandler callback interface in the specified method is then implemented.
After analyzing the dynamic agent from the source angle, it is found that there is nothing complicated, that is, to generate a proxy class manually, and then use reflection to get all the methods in the class, in the specified method with reflection call, and callback Invocationhandler invoke method, So here we see that the first parameter object of the Invoke method in Invocationhandler is the proxy class object.
Attention:
In Javaweb development we will use AOP programming in the spring framework, in fact, he is using the dynamic agent technology in Java, but he relies on the function of Cglib, not the Java native generation of this automatic proxy class, From the above can be seen to be able to do dynamic proxy class must implement an interface, and this rule is sometimes very high, many classes do not implement the interface, resulting in the inability to implement the proxy function, so spring uses the cglib, the principle is almost the same, he uses the ASM Toolkit is also a manual generation of a class, But this class is the subclass of the original object, which can also implement the proxy function, but this also has a limitation, that is, the proxy object can not be the final type, while some of the main methods should not be the final type, of course, this limit and the above interface implementation limit is better than the.
To this we understand the hook technology in Java, the core knowledge point, the following with the start of the Clipboard service to do the experiment, we hook the system's Clipboard service function, intercept its method, said above, since to hook service, first must find Hook point, By starting the process of invoking the system services in Android, we know that these services are some of the remote IBinder objects that are stored in ServiceManager, which is actually a hook point:
In fact, every time in the ServiceManager in the acquisition of services, in fact, the first from a cache pool lookup, if there is a direct return:
And this cache pool is exactly the global static type, so you can use the reflection mechanism to get to him, and then do the operation.
Next, we need to construct a service IBinder object for the Clipboard, and then put the object in the pool above it. Then follow the flow of the dynamic agent above,
First, the original object must implement an interface, here is exactly the same rule, each remote service is actually implemented IBinder interface.
Second, the second is to have the original object, this is also possible, through the above cache pool can be obtained
With these two conditions, you can then construct a proxy class with a dynamic proxy:
Through reflection to get the cache pool in ServiceManager Binder object is not much to say, the full reflection mechanism can be, we first get to the cache pool, then get the Clipboard Service Binder object, construct a proxy class, and finally set back. Here's a look at how to block the proxy classes after they are constructed.
Here must pay attention, some students may want to intercept directly here Setprimaryclip such a shear board method is not OK? Think that is certainly not possible, why? Because we are now acting as the binder object for the remote service, he has not converted to a local object yet? How to have these methods, and we really want to intercept the method is Iclipboardmanager, is actually the proxy class, and this object is also the stub class Asinterface method to get, so we now the idea is to have a remote service proxy object, Interception is definitely a way to intercept this proxy object binder, so what are the methods of this remote service that are called in this process? Let's look at an example of a simple aidl before:
As can be seen in the Asinterface method, passing in is a remote service IBinder object, which will call its Querylocalinerface method to get the localization object of this process, then this method is the target of interception.
Then think, if we want to intercept Iclipboardmanager Setprimaryclip method, actually is to intercept clipboardmanager$proxy these methods, then also need to do an agent, Proxy Clipboardmanager$proxy Class object
First, the Clipboardmanager$proxy class implements the Aidl interface type and conforms to the rules.
Second, we can directly use reflection to get to the Iclipboardmanager$stub class, and then reflection calls its Asinterface method can get the Iclipboardmanager$proxy object, conforms to the rules.
Here, it seems that this object also conforms to the conditions of the agent, then it is simple, continue to use the dynamic proxy mechanism to generate a proxy class:
In the invocationhandler of this proxy class, we first need to obtain the proxy original object through reflection:
Finally, the interception operation is started.
Let's look at an experimental result:
We call the system's Clipboard service, but the result of the return is:
See, the contents of the clipboard here have been intercepted before, and the contents have been replaced.
The above describes how to hook the system's Clipboard service function, the process is as follows:
1, our purpose is to intercept the service function of the system, then the first entrance is to serve the big Butler ServiceManager object, and within him there is also a remote service object IBinder cache pool, then this variable is the object of our operation, You can first use the reflection mechanism to get to him, and then in the get to the specified Clipboard service IBinder object instance.
2. The next step must be to hook the binder object of the Clipboard service, where the dynamic proxy method is used to generate a Binder object proxy class, which conforms to two rules:
1 "This binder object implements the IBinder interface type
2 "We've got the original binder object instance
After constructing the proxy class, we intercept the method is the Querylocalinterface method, why is this method? Because this method is used in the stub class after the whole service is used, many students will think why not directly intercept the system method here? This is a misunderstanding, to be clear, the proxy object here is the binder of remote services, is not a localization object, there can be no system methods, so we have to do a hook, to hook the system localization object.
3, after intercepting the binder object's Querylocalinterface method, once again do the localization service object's proxy generation operation, and this localization object is generally iclipboard$proxy, then the dynamic proxy rule:
1 "Localization service objects will implement the Aidl interface type (here are the system methods we want to intercept)
2 "Iclipboard$proxy class object instance is obtained by reflection calling the Asinterface method of Iclipboard$stub class
With these two rules, you can generate proxy objects and then start intercepting the specified methods of the service.
The above summary of the process can be fully used for other system services hook work, because the system service mechanism are consistent, so this process must understand clearly, the work in the back is good.
Some students may be curious to ask, this hook system service seems to be only valid for this application? Haha, it is true, the above interception will only be effective for this application, that some students will ask, only the effective significance of this application is not very large, in fact, this depends on the individual needs, the following will introduce some of the problems encountered in the development, need to use this technology to solve, But the real ability to intercept the system is effective for all applications, in fact, it is not difficult to realize, because the application will request services, and all the services are in the system_server process, then you can take root after the injection of system_server process, At that time at the beginning of the hook work to complete the real sense of interception operations, this use is large, such as we can modify the latitude and longitude information of the system, fake the current location information, tampering with the device's IMEI value, so that some games to identify the unique device invalid. But this requires root to be able to operate, the specific program interested students can go here to see: Android injection system process to achieve interception
Here we introduced the Android Hook system service flow, this article mainly introduces the hook system Clipboard Services, interception of the specified method, in fact, will continue to introduce the interception of AMS and PMS Services, to achieve the application initiated interception operations, to achieve the effect we want.
Click here for more information:
Focus on the public, the latest technology dry real-time push
Android System Chapter----root-free hook system service interception method
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
