Play Hook on Android?

In the jungle of the forest of the Chinese Internet. Closed plagiarism is the monopoly of the giant's pass. Innovation is the epitaph of small entrepreneurs.

Understanding Hooks

Have not been exposed to hook technology readers will definitely feel strange about the word hook. Hook English translation is the meaning of "hook", then when we use this "hook"?

We know that the system maintains its own set of event distribution mechanisms in the Android operating system.

Applications, including application-triggered events and background logic processing, are also run down-to-back based on the event flow.

The "hook" means intercepting and monitoring the transmission of the event before the event is delivered to the end, like a hook-and-eye event.

And you can handle some of your own specific events when the event is ticked.

For example, as seen in:

Hook of this ability. Makes it possible to "incorporate" its code into the process of a hooked program, becoming part of the target process.

We also know that in the Android system using the sandbox mechanism, the normal user program process space is independent. The program runs without interference from each other.

This allows us to hope that the idea of changing certain behaviors of other programs through a program cannot be directly realized. But the advent of hooks has opened the way for us to solve such problems. Of course. Depending on the hook object and the hook post-processing event mode. Hooks are also divided into different types, such as message hooks, API hooks and so on.

Cydiasubstrate Frame

Suppose that the user who used the iphone should not be unfamiliar to the cydiasubstrate framework, as the Cydiasubstrate framework provides the jailbreak-related service framework for Apple users.

Cydiasubstrate formerly known as MobileSubstrate (the class library is the beginning of MS), the author is the famous Jay Freeman (Saurik).

Of course Cydiasubstrate also launched the Android version. Cydia substrate is a code churn platform. It can change the code of whatever main process. Written either in Java or C/s (native code).

Official address: http://www.cydiasubstrate.com/.

Install Cydiastrate Framework Android Local Service

The first is to install the Cydiasubstrate Framework's local Service application substrate.apk on Android devices. We can download it to the website again.

The official: http://www.cydiasubstrate.com/download/com.saurik.substrate.apk

Of course. After we install substrate, we need "link substrate files" (connect to the local substrate service file), this step is required to root, the connection will need to restart the device before it can take effect.

download using Cydiasubstrate library
Cydiasubstrate official recommends adding their plugin address in the Android SDK Manager to update the download.

For example, add Http://asdk.cydiasubstrate.com/addon.xml to the user's own defined URL.

After downloading the cydiasubstrate framework using the ANDROID SDK Manager tool, it is stored under directory ${android_home}\sdk\extras\saurikit\cydia_substrate.

However, because Android SDK manager in the domestic use of a lot of restrictions, the download time is not very stable. So it is recommended that you go directly to the official website to download the development library.
The official: Http://asdk.cydiasubstrate.com/zips/cydia_substrate-r2.zip.

After the download, you will get all the files (very many jar packages and so libraries) that are copied in the Libs directory under the Android project. The line is used directly.

The substrate.h header file and the so file in the Lib directory are provided as a function support library in the development of native hook programs using the NDK.

TIPS：CydiaSubstrate框架对于inline Hook的操作眼下还是存在一些bug，使用的时候可能会出现崩溃的现象，部分使用了国内定制的ROM的设备在使用CydiaSubstrate框架时会造成设备无法又一次启动或无法Hook的现象。

How to use Cydiasubstrate?

How to use Cydiasubstrate? In fact very easy,cydiasubstrate provides three static method tool classes, we just need to learn to use it just fine.

MS.hookClassLoad    拿到指定Class加载时的通知MS.hookMethod   使用一个Java方法去替换还有一个Java方法MS.moveUnderClassLoader 使用不同的ClassLoder重载对象

A detailed description such as the following:

/** * Hook a specified class * * @param name class's package name + class name, such as Android.content.res.Resources * @param Hook successful hoo K A class-after callback * /voidHookclassload (String name, MS. Classloadhook hook);/** * Hook a specified method and replace the code in the method * * @param _class Hook's CALSS * @param The method number of the member Hook class * @par the callback after successful hook method of AM hook * @param old hook method, similar to the method pointer in C */voidHookmethod (Class _class, Member Member, MS. Methodhook Hook, MS. Methodpointer old);/** * Hooks a specified method. and replace the code in the method * * @param _class Hook calss * @param member Hook class method parameters * @param alteration */< /c6>voidHookmethod (Class _class, Member Member, MS. Methodalteration alteration);/** * Use a ClassLoader to reload an object * * @param loader used by ClassLoader * @param object with overloaded objects * @return 
       the Overloaded object * /<T> T Moveunderclassloader (ClassLoader loader, t object);

Start combat (AD injection)

Hear the subject. I'm expecting a lot of packing. The party is already impatient. Don't be a bit impatient.

Rely on advertising is not earn money, the author is also a packaging party. The procedural apes are still based on growth and development. A quick cash band will keep you on the road to programming.

Back to the chase. Using the Cydiasubstrate framework we can hook up the Java API in the system at will. Of course there are a lot of reflection mechanisms in it, so can we hook up some of the methods in the application in addition to the APIs provided to developers in the system? The answer is yes.

Below we will explain how to hook an application with a practical example.

Here are our browser apps for Android OS. Hook its home Activity OnCreate method (other methods do not necessarily exist, but the OnCreate method will certainly have). and inject our ads into them. Based on the introduction of Cydiasubstrate, we have a simple idea.

First, we fill in our Androidmanifest.xml file with some ad-related IDs based on the rules of an advertising platform. Also, fill in the Androidmanifest.xml file with some configuration and permissions that are related to cydiasubstrate. Of course, we will also declare an ad activity. and set this activity as the background transparent activity, why set the activity of the transparent background, for example:

All right. Let's take a look at the following.

Some of the contents of its Androidmanifest.xml file are as follows:

<!--ad-related permissions--<uses-permission android:name="Android.permission.INTERNET" /><uses-permission android:name="Android.permission.ACCESS_NETWORK_STATE" /> <uses-permission android:name="Android.permission.ACCESS_WIFI_STATE" /> <uses-permission android:name="Android.permission.READ_PHONE_STATE" /><uses-permission android:name="Android.permission.WRITE_EXTERNAL_STORAGE" /><uses-permission android:name="Android.permission.GET_TASKS" /> <!--join substrate permissions --<uses-permission android:name="Cydia.permission.SUBSTRATE" /><applicationandroid:allowbackup="true"android:icon="@drawable/ Ic_launcher "android:label=" @string/app_name "android:theme=" @style/ Apptheme " >                    <!--related to ads -    <meta-dataandroid:name= "app_id"android:value=" C62bd976138fa4f2ec853bb408bb38af " />                    <meta-dataandroid:name="App_pid"android:value="DEFAULT" />                    <!--statement substrate injection Flavor main class--    <meta-dataandroid:name="Com.saurik.substrate.main"android:value= "Com.example.hookad.Main" />                    <!--Transparent, non-animated ads activity--    <activityandroid:name="com.example.hookad.MainActivity"android:theme ="@android: Style/theme.translucent.notitlebar" >                        <intent-filter>            <action android:name="Android.intent.action.VIEW" />            <category android:name="Android.intent.category.DEFAULT" />            <!--ad action--            <action android:name="Com.example.hook.AD" />        </intent-filter>    </activity></Application>

For the main entry of Cydiasubstrate, create a new main class that includes the Initialize method, following the previous steps.

This time we want to use the Ms.hookclassload method to find the activity name of the browser homepage.

Here we use the Dumpsys Activity command under the ADB shell to find the activity name of the browser home page called Com.android.browser.BrowserActivity.

Use the Ms.hookclassload method to get the browseractivity and then hook the OnCreate method. Start an activity that contains ads. The code for the main class looks like the following:

 Public classMain {/** * Substrate the Portal after initialization * *    Static voidInitialize () {//hook Browser's main activity,browseractivityMs.hookclassload ("Com.android.browser.BrowserActivity",NewMs. Classloadhook () { Public voidClassloaded (Class<?> resources) {LOG.E ("Test","Com.android.browser.BrowserActivity");//Get the OnCreate method of BrowseractivityMethod onCreate;Try{onCreate = Resources.getmethod ("OnCreate", Bundle.class); }Catch(Nosuchmethodexception e) {onCreate =NULL; }if(OnCreate! =NULL) {final MS. Methodpointer old =NewMs. Methodpointer ();//Hook OnCreate methodMs.hookmethod (Resources, OnCreate,NewMs. Methodhook () { PublicObjectinvoked(ObjectObject, Object...args) throws Throwable {LOG.E ("Test","Show ad");//Run the OnCreate method before the hook to ensure that the browser starts normallyObject result = Old.invoke (Object, args);//No context                            //Run a Shell to launch our ad activityCmd.run ("AM start-a Com.example.hook.AD");returnResult                }}, old);    }            }        }); }}

For the launch of the ad mainactivity, there is a pop-up interstitial ads.

Of course, but also other forms of advertising or floating layer, the content is relatively simple here does not do a demonstration. Compile and run the entire project.

This time we once again launched the android comes with the browser when it was found that the browser will pop up an ad bullet box.

From the picture above we can see that, before we set the interstitial ad mainactivity for untitled Transparent (Theme.Translucent.NoTitleBar) is to make the pop-up ads and browser integration. Let the user feel that the browser pop-up ads. is also a malicious advertising program in order to prevent itself from being uninstalled some of the common hidden means.

The injected ad shown here is a OnCreate method in the activity specified by the hook to initiate an ad activity. Of course. The activity we're demonstrating here is just a simple bounce out of an ad.

Assume that the activity started is malicious. If the activity is done in the same fishing activity as the original activity. It is very deceptive for mobile device users.

After the writing

In fact, I do not want to send this article, I have done advertising packaging party, know that this also for the various underground nuggets packaging party to provide ideas.

But. Cydiasubstrate is not just for the purpose of injecting advertising. I hope you dig a lot of ideas. With the common learning to promote the main.

Finally, interested in the discussion of add me a bit, we make friends.

/*
* @author Zhoushengtao (Zhou San)
* @since August 6, 2015 16:52:22
* @weixin stchou_zst
* @blog http://blog.csdn.net/yzzst
* @ Exchange Learning QQ Group: 341989536
* @ Private qq:445914891
/

Playing hooks on Android?