Android Journey: How to Pop Up an Unusual Window


The previous article described a little-known way to execute Java code on Android. Although it was a fairly "advanced" technique, it seemed to be of little practical use, so it was removed from the blog home page. In fact it is quite useful, and it helps a lot in understanding the fundamentals of Android.

This article introduces an even more "advanced" technique: popping up an unusual window on Android. It is not a normal window, because it goes directly through the Android framework layer, so I call it SuperWindows. There is no APK file and nothing is installed; the window appears out of nowhere!

The reason for playing with such a window is that I had read an article about WindowManagerService, and a window like this gives a first look at how WindowManagerService works.

Original address: http://blog.csdn.net/innost/article/details/47660193

Because it uses framework-layer code, the code in that article is compiled inside the Android source environment.

Compiling the Android source is very troublesome, and at the time I thought there was no other way to build it. But my earlier code-injection work also used the framework layer and could be compiled outside the source environment, and the resulting code can be executed the same way I used before, through app_process.

While writing the previous article, I suddenly thought: why not test it and see?

At first I wanted to pull the jar out of the system directory and decompile it into a jar in non-dex format, so that it could be added to lib and the dependent functions could be resolved.

But on an Android 5.0 device I found that the jar packages have no content, so pulling them out was no use. I switched to an Android 4.2 device. On 4.2, the /system/framework directory holds, next to each jar, an .odex file with the same name, and from the .odex file I finally obtained a usable jar.

Even so, before this approach worked, the code for the pop-up window still would not compile: some interface classes could not be found. These classes are generated from AIDL, and decompiling does not recover them.

Fortunately, while searching for these AIDL files, I found a website where you can download the complete framework-layer code, including the interface classes that AIDL generates automatically.

http://grepcode.com/snapshot/repository.grepcode.com/java/ext/com.google.android/android/4.2_r1/

Select "Binary download"; after downloading, put the file directly into lib to solve the dependency problem. The address above is for the 4.2 source.

With the dependency problem solved, how do we compile it?

Create a new Java project, create the SuperWindows.java class in the package com, and copy in the code from the WindowManagerService article mentioned earlier.

    package com;

    import android.content.Context;
    import android.content.res.Configuration;
    import android.graphics.*;
    import android.hardware.display.IDisplayManager;
    import android.os.*;
    import android.view.*;

    public class SuperWindows {

        public static void main(String[] args) {
            System.out.println("Hello superwindows");
            try {
                // run() (SampleWindow.run() in the original sample) is the main entry of this program
                new SuperWindows().run();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        // IWindowSession is the proxy through which the client asks the WMS for
        // window operations; there is only one per process
        IWindowSession mSession = null;
        // InputChannel is the pipe through which the window receives user input
        // events. It is discussed in detail in chapter 5
        InputChannel mInputChannel = new InputChannel();
        // The following three Rects hold the layout result of the window; mFrame is
        // the position and size of the window on the screen. Section 4.4 describes
        // their roles and how they are computed
        Rect mInsets = new Rect();
        Rect mFrame = new Rect();
        Rect mVisibleInsets = new Rect();
        Configuration mConfig = new Configuration();
        // The window's Surface; whatever is drawn on it is displayed in the window
        Surface mSurface = new Surface();
        // Paint used for drawing in the window
        Paint mPaint = new Paint();
        // The token required to add the window, introduced in section 4.2
        IBinder mToken = new Binder();
        // A window object; this example shows how to add it to the WMS and draw on it
        MyWindow mWindow = new MyWindow();
        // WindowManager.LayoutParams defines the window's layout properties,
        // including position, size and window type
        WindowManager.LayoutParams mLp = new WindowManager.LayoutParams();
        Choreographer mChoreographer = null;
        // InputHandler responds to the input events received from the InputChannel
        InputHandler mInputHandler = null;
        boolean mContinueAnime = true;

        public void run() throws Exception {
            Looper.prepare();
            // Get the WMS service
            IWindowManager wms = IWindowManager.Stub.asInterface(
                    ServiceManager.getService(Context.WINDOW_SERVICE));
            // Get the process-unique IWindowSession instance through
            // WindowManagerGlobal. It is used to send requests to the WMS.
            // Note that in earlier Android versions (such as 4.1) this function
            // is located in the ViewRootImpl class
            mSession = WindowManagerGlobal.getWindowSession(Looper.myLooper());
            // Get the screen resolution
            IDisplayManager dm = IDisplayManager.Stub.asInterface(
                    ServiceManager.getService(Context.DISPLAY_SERVICE));
            DisplayInfo di = dm.getDisplayInfo(Display.DEFAULT_DISPLAY);
            Point scrnSize = new Point(di.appWidth, di.appHeight);
            // Initialize WindowManager.LayoutParams
            initLayoutParams(scrnSize);
            // Add the new window to the WMS
            installWindow(wms);
            // Initialize the Choreographer instance, which is unique per thread.
            // It is used much like a Handler, but its callbacks always fire on
            // VSYNC, so it suits animation loops better than a Handler
            mChoreographer = Choreographer.getInstance();
            // Start processing the first animation frame
            scheduleNextFrame();
            // The current thread stays in the message loop until Looper.quit()
            Looper.loop();
            // Mark that no further animation frames should be drawn
            mContinueAnime = false;
            // Uninstall the window
            uninstallWindow(wms);
        }

        public void initLayoutParams(Point screenSize) {
            // Mark the window to be installed as SYSTEM_ALERT, which places it
            // relatively high in the Z-order
            mLp.type = WindowManager.LayoutParams.TYPE_SYSTEM_ALERT;
            mLp.setTitle("SampleWindow");
            // Set the window's top-left coordinates and its width and height
            mLp.gravity = Gravity.LEFT | Gravity.TOP;
            mLp.x = screenSize.x / 4;
            mLp.y = screenSize.y / 4;
            mLp.width = screenSize.x / 2;
            mLp.height = screenSize.y / 2;
            // Input-related flag: when an input event occurs outside this window,
            // other windows should still be able to receive it
            mLp.flags = mLp.flags | WindowManager.LayoutParams.FLAG_NOT_TOUCH_MODAL;
        }

        public void installWindow(IWindowManager wms) throws Exception {
            // First declare a token to the WMS; every window must belong to a
            // token of a specific type
            wms.addWindowToken(mToken, WindowManager.LayoutParams.TYPE_SYSTEM_ALERT);
            // Attach the window to that token
            mLp.token = mToken;
            // Install the window into the WMS through IWindowSession. At this point
            // the window is only registered with the WMS and still has no valid
            // Surface. After this call, however, mInputChannel can already be used
            // to receive input events
            mSession.add(mWindow, 0, mLp, View.VISIBLE, mInsets, mInputChannel);
            /* Ask the WMS, through IWindowSession, to lay out the window again.
               After this operation the WMS creates a Surface for the window to draw
               on and stores it in mSurface. The WMS also places that Surface at the
               position specified by the LayoutParams */
            mSession.relayout(mWindow, 0, mLp, mLp.width, mLp.height, View.VISIBLE, 0,
                    mFrame, mInsets, mVisibleInsets, mConfig, mSurface);
            if (!mSurface.isValid()) {
                throw new RuntimeException("Failed Creating Surface.");
            }
            // Create a handler on the InputChannel returned by the WMS to listen for
            // input events. Once mInputHandler exists, input is being monitored
            mInputHandler = new InputHandler(mInputChannel, Looper.myLooper());
        }

        public void uninstallWindow(IWindowManager wms) throws Exception {
            // Remove the window from the WMS
            mSession.remove(mWindow);
            // Remove the previously added token from the WMS
            wms.removeWindowToken(mToken);
        }

        public void scheduleNextFrame() {
            // Ask for mFrameRender to be called back when the display system
            // refreshes the next frame; note that it is called back only once
            mChoreographer.postCallback(Choreographer.CALLBACK_ANIMATION, mFrameRender, null);
        }

        // This Runnable draws one frame on the window
        public Runnable mFrameRender = new Runnable() {
            @Override
            public void run() {
                try {
                    // Get the current timestamp
                    long time = mChoreographer.getFrameTime() % 1000;
                    // Draw
                    if (mSurface.isValid()) {
                        Canvas canvas = mSurface.lockCanvas(null);
                        canvas.drawColor(Color.WHITE);
                        // The rectangle's position follows the frame time
                        canvas.drawRect(2 * mLp.width * time / 1000 - mLp.width, 0,
                                2 * mLp.width * time / 1000, mLp.height, mPaint);
                        String text = "Haha This is a non-unusual form!";
                        // The page shows only one coordinate (10); y = 10 is assumed
                        canvas.drawText(text, 0, text.length(), 10, 10, mPaint);
                        mSurface.unlockCanvasAndPost(canvas);
                        mSession.finishDrawing(mWindow);
                    }
                    if (mContinueAnime) {
                        scheduleNextFrame();
                    }
                } catch (Exception e) {
                    e.printStackTrace();
                }
            }
        };

        // A class that extends InputEventReceiver and receives the window's input
        // events in its onInputEvent() function
        class InputHandler extends InputEventReceiver {
            Looper mLooper = null;

            public InputHandler(InputChannel inputChannel, Looper looper) {
                super(inputChannel, looper);
                mLooper = looper;
            }

            @Override
            public void onInputEvent(InputEvent event) {
                if (event instanceof MotionEvent) {
                    MotionEvent me = (MotionEvent) event;
                    if (me.getAction() == MotionEvent.ACTION_UP) {
                        // Exit the program
                        mLooper.quit();
                    }
                }
                super.onInputEvent(event);
            }
        }

        // A class MyWindow that extends IWindow.Stub
        class MyWindow extends IWindow.Stub {
            // Keeping the default implementations is enough
        }
    }


Import the android-4.2_r1.jar dependency package mentioned above to solve the dependency problem; compiling then produces the SuperWindows.jar file.

Of course, the original .jar cannot run on Android; it has to be converted to dex. Use the dx command from the SDK to convert SuperWindows.jar into SuperWindows.dex. The dx program is located in the SDK's build-tools directory.

    dx --dex --output=SuperWindows.dex SuperWindows.jar

Transfer the dex to the Android device:

    adb push SuperWindows.dex /data/local/tmp/

Run the su command to get root. If you run the following command without root, you will be told that you lack permission.

Run SuperWindows with app_process:

    app_process -Djava.class.path=/data/local/tmp/SuperWindows.dex /system/bin com.SuperWindows

The app_process code can be found in app_main.cpp.

The first run crashes for a reason I have not figured out; running the command again works. If nothing else goes wrong, you will see the SuperWindows window pop up.

After getting root with su, the code loaded through app_process also appears to run as root. Hopefully this article will not be seen by terrorists.
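
To look for the launch pattern described above on a device, the following sketch (an added example, not part of the original post) flags app_process invocations whose -Djava.class.path contains an entry outside /system. The "PID UID CMDLINE" input format, the function names and the sample process list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: detect app_process started with a class path outside /system.
# Assumed input: one process per line, "PID UID CMDLINE" (for instance built
# from /proc/<pid>/status and /proc/<pid>/cmdline on the device).

# Constructed sample process list, not captured from a real device.
sample_ps() {
cat <<'EOF'
1 0 /init
172 0 /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
2210 10054 com.android.launcher
3391 0 app_process -Djava.class.path=/data/local/tmp/SuperWindows.dex /system/bin com.SuperWindows
3402 2000 app_process -Djava.class.path=/system/framework/am.jar /system/bin com.android.commands.am.Am
EOF
}

# Prints "PID UID CLASSPATH" for every app_process whose class path has at
# least one entry that does not live under /system/.
find_suspicious_app_process() {
    awk '
    {
        is_ap = 0; cp = ""
        for (i = 3; i <= NF; i++) {
            # Match app_process, app_process32 and app_process64, with or without a path
            if ($i ~ /(^|\/)app_process(32|64)?$/) is_ap = 1
            # "-Djava.class.path=" is 18 characters long, the value starts at 19
            if ($i ~ /^-Djava\.class\.path=/) cp = substr($i, 19)
        }
        if (!is_ap || cp == "") next
        n = split(cp, parts, ":")
        for (j = 1; j <= n; j++)
            if (parts[j] !~ /^\/system\//) { print $1, $2, cp; next }
    }'
}

# Stand-alone run over the constructed sample.
sample_ps | find_suspicious_app_process
```

A hit with UID 0 is the case the article describes: a dex from a world-writable directory running with root privileges and talking to WindowManagerService directly.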

For more information, please follow my WeChat public account: Zhaojietec
