mikrom xposed hook 注入改造

源码分析

manager 提供 ui,将配置信息存入 PackageItem 对象,并且塞入 packageList 集合
保存功能会通过 FileHelper.SaveMikromConfig(packageList); 进行写入/data/system/mik.conf

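/**
 * Constants shared by the MikManager app.
 *
 * <p>The string literals use plain ASCII double quotes; the listing as published
 * carried typographic quotes, which do not compile.
 */
public class ConfigUtil {
    // JSON config written by the manager (see the writeFile call that uses it).
    // NOTE(review): the file lives under /data/system, so writing it needs a
    // privileged helper; anything able to modify it controls what the ROM layer
    // reads back. Confirm who can reach that helper.
    public static String configPath = "/data/system/mik.conf";

    // Second config file; its consumer is not shown in this listing.
    public static String breakConfigPath = "/data/system/break.conf";

    // Flag whose consumer is not shown here. Presumably hides system packages
    // in the UI; verify against the caller.
    public static boolean sysHide = true;

    // Logcat tag used by the manager's Log.e calls.
    public static String TAG = "MikManager";
}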

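/**
 * Serializes the package list to JSON and writes it to {@code ConfigUtil.configPath}
 * through the IMikRom service.
 *
 * <p>The string literals use plain ASCII double quotes; the listing as published
 * carried typographic quotes, which do not compile.
 *
 * @param packageList the configured package entries to persist
 */
public static void SaveMikromConfig(List packageList) {
    Log.e(ConfigUtil.TAG, "SaveMikromConfig");
    Gson gson = new Gson();
    String savejson = gson.toJson(packageList);
    try {
        // NOTE(review): writeFile receives a caller-supplied path and content.
        // If the service behind getiMikRom() runs with system privileges, it
        // should verify the calling UID and restrict the path to an allow-list;
        // otherwise it is a general file-write surface. Confirm in the service.
        ServiceUtils.getiMikRom().writeFile(ConfigUtil.configPath, savejson);
    } catch (RemoteException e) {
        // A failed write is only logged; the caller is not told the config was not saved.
        Log.e(ConfigUtil.TAG, "writeConfig err:" + e.getMessage());
    }
}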

ROM 层进行读取

image.png
Fartext.java

/**
 * Reads the MikRom config file through the IMikRom service.
 *
 * @return whatever readFile returns for /data/system/mik.conf, or an empty
 *         string when the service handle is null or the call throws RemoteException
 */
public static String getMikConfig() {
    String config = "";
    try {
        IMikRom service = getiMikRom();
        if (service != null) {
            // NOTE(review): the content is returned as-is; nothing here checks
            // who last wrote the file or whether it is well-formed.
            config = service.readFile("/data/system/mik.conf");
        }
    } catch (RemoteException e) {
        e.printStackTrace();
    }
    return config;
}
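/**
 * Loads the dex files configured for the current process and starts each one's entry class.
 *
 * <p>For every config entry whose packageName equals the current process name and whose
 * dexPath is non-empty, each newline-separated dex path is loaded, the entry class
 * (item.dexClassName, or "cn.mik.InjectDex" when that is empty) is instantiated as an
 * IMikDex, libsandhook.so is copied into /data/data/&lt;process&gt;/ and onStart is
 * called with the copied path.
 *
 * <p>Change from the published listing: loadDex was called twice per path with the
 * first result discarded; it is now called once.
 *
 * @param app the application instance passed through to loadDex
 */
public static void loadConfigDex(Application app) {
    String processName = ActivityThread.currentProcessName();
    for (PackageItem item : mikConfigs) {
        if (!item.packageName.equals(processName)) {
            continue;
        }
        if (item.dexPath.length() <= 0) {
            continue;
        }
        // NOTE(review): dex paths and the class name come straight from the config
        // entries. Nothing visible here verifies the dex (owner, location, hash)
        // before it is loaded into the app process, so write access to the config
        // or to a listed dex path means code execution inside that app.
        String[] dexList = item.dexPath.split("\n");
        for (String dexpath : dexList) {
            DexClassLoader dexClassLoader = loadDex(dexpath, app);
            Class<?> clzz = null;
            try {
                if (item.dexClassName.length() > 0) {
                    Log.e("mikrom", "loadConfigDex class:" + item.dexClassName);
                    clzz = dexClassLoader.loadClass(item.dexClassName);
                } else {
                    // Default entry class when the config names none.
                    clzz = dexClassLoader.loadClass("cn.mik.InjectDex");
                }
                IMikDex lib = (IMikDex) clzz.newInstance();
                Log.e("mikrom", "loadConfigDex class:" + item.dexClassName + " invoke onStart");

                // Pick the system copy of libsandhook.so matching the process architecture.
                String path = "";
                if (System.getProperty("os.arch").indexOf("64") >= 0) {
                    path = "/system/lib64/libsandhook.so";
                } else {
                    path = "/system/lib/libsandhook.so";
                }
                // Destination of the copy inside the app's data directory.
                String tagPath = "/data/data/" + processName + "/libsandhook.so";
                mycopy(path, tagPath);

                // Sets the copied library to mode 0777.
                // NOTE(review): a world-writable native library that is loaded
                // afterwards is broader than needed. Owner-only access is presumably
                // enough if the copy is made by this process; confirm and narrow.
                int perm = FileUtils.S_IRWXU | FileUtils.S_IRWXG | FileUtils.S_IRWXO;
                FileUtils.setPermissions(tagPath, perm, -1, -1);
                lib.onStart(tagPath);
            } catch (ClassNotFoundException | IllegalAccessException | InstantiationException e) {
                e.printStackTrace();
            }
        }
    }
}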

dexClassLoader.loadClass()
然后通过反射实例化: IMikDex lib = (IMikDex)clzz.newInstance();

// Choose the system copy of libsandhook.so that matches the process architecture.
path = System.getProperty("os.arch").contains("64")
        ? "/system/lib64/libsandhook.so"
        : "/system/lib/libsandhook.so";
// Destination of the copy inside the target app's data directory.
String tagPath = "/data/data/" + processName + "/libsandhook.so";
mycopy(path, tagPath);

copy libsandhook.so 到 /data/data/PACKAGENAME/libsandhook.so
实例化对象,然后调用 onStart()

onStart()

/**
 * Entry point called with the path of the copied libsandhook.so.
 *
 * <p>Stores the path in SandHookConfig.libSandHookPath, then registers a hook on
 * method "a" of class "ms.bd.c.k" that logs every argument before the call and
 * the result after it.
 *
 * @param path location of libsandhook.so handed in by the loader
 */
public void onStart(String path) {
    Log.e(TAG, "Inject onStart");
    SandHookConfig.libSandHookPath = path;
    Log.e(TAG, "Inject 1");

    // Disabled sample hook kept from the original listing:
    // MikXpHelpers.findHkMethod(String.class, "toString", new MIK_MethodHk() {
    //     @Override
    //     protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
    //         super.beforeHookedMethod(param);
    //         String result = (String) param.getResult();
    //         Log.e(TAG,"my hook success");
    //     }
    // });

    ClassLoader targetLoader = getClassloader();
    MIK_MethodHk tracer = new MIK_MethodHk() {
        @Override
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            super.beforeHookedMethod(param);
            // NOTE(review): every argument goes to logcat at error level; these
            // values may be sensitive, so treat the log output accordingly.
            int index = 0;
            while (index < param.args.length) {
                Log.e(TAG, "args" + index + ": " + param.args[index]);
                index++;
            }
        }

        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            super.afterHookedMethod(param);
            Log.e(TAG, "result" + param.getResult());
        }
    };
    MikXpHelpers.findHkMethod("ms.bd.c.k", targetLoader, "a",
            int.class, int.class, long.class, String.class, Object.class, tracer);
    Log.e(TAG, "Inject 2");
}

SandHookConfig.libSandHookPath = path; // set the SandHook library path

思路:

该思路的问题是权限没办法解决。需要自己提供一个有读取 data/app 权限的功能。先放弃。
最后写个 bat 方便自己
image.png


mikrom xposed hook 注入改造
http://blog.uzilol.cn/2022/04/01/yuque/mikrom%20xposed%20hook%20%E6%B3%A8%E5%85%A5%E6%94%B9%E9%80%A0/
作者
ive_e (leoli)
发布于
2022年4月1日
许可协议