/**
 * Replaces the {@code IActivityManager} held by the static {@code gDefault} singleton of
 * {@code ActivityManagerNative} with a proxy built by {@link ActivityManagerProxy}.
 *
 * <p>The current instance is read first and handed to the proxy as its delegate; the proxy is
 * then written into the singleton's {@code mInstance} field through reflection.
 * {@code mActivityManager} is assigned only after the singleton is confirmed to return the
 * proxy.
 *
 * <p>Both fields are located by name, and any failure is only printed, so the hook may or may
 * not be in place when this method returns. Only {@code ActivityManagerNative.gDefault} is
 * targeted; Android O is not handled here.
 */
private void hookSystemServices() {
    try {
        Singleton<IActivityManager> amSingleton = (Singleton<IActivityManager>)
                ReflectUtil.getField(ActivityManagerNative.class, null, "gDefault");

        // Capture the real manager before it is replaced so the proxy can delegate to it.
        IActivityManager original = amSingleton.get();
        IActivityManager proxy = ActivityManagerProxy.newInstance(this, original);

        // mInstance is looked up on the superclass of the runtime class of the singleton.
        Class<?> singletonBase = amSingleton.getClass().getSuperclass();
        ReflectUtil.setField(singletonBase, amSingleton, "mInstance", proxy);

        // Read back through the singleton; keep the reference only if the swap took effect.
        if (amSingleton.get() != proxy) {
            return;
        }
        this.mActivityManager = proxy;
    } catch (Exception e) {
        // Best-effort: the failure is printed and the method returns without a hook installed.
        e.printStackTrace();
    }
}
/**
 * Replaces the {@code IActivityManager} held by the static
 * {@code ActivityManager.IActivityManagerSingleton} field with a proxy built by
 * {@link ActivityManagerProxy}.
 *
 * <p>The current instance is read first and passed to the proxy as its delegate; the proxy is
 * then written into the singleton's {@code mInstance} field through reflection.
 *
 * <p>NOTE(review): nothing here reads the singleton back to confirm the swap, and a failure is
 * only printed, so callers cannot tell from this method whether the hook is active.
 */
private void hookAMSForO() {
    try {
        Singleton<IActivityManager> amSingleton = (Singleton<IActivityManager>)
                ReflectUtil.getField(ActivityManager.class, null, "IActivityManagerSingleton");

        // The real manager has to be captured before mInstance is overwritten.
        IActivityManager original = amSingleton.get();
        IActivityManager proxy = ActivityManagerProxy.newInstance(this, original);

        Class<?> singletonBase = amSingleton.getClass().getSuperclass();
        ReflectUtil.setField(singletonBase, amSingleton, "mInstance", proxy);
    } catch (Exception e) {
        // Best-effort: the failure is printed and the method returns without a hook installed.
        e.printStackTrace();
    }
}
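/**
 * Changes the font scale in the activity manager's configuration and persists it.
 *
 * <p>A {@code delta} of exactly {@code 0} resets the scale to {@code 1}; any other value is
 * added to the current scale. The value is written with
 * {@code updatePersistentConfiguration}, so an invalid scale would outlive this call. For that
 * reason a non-finite {@code delta}, or a resulting scale that is not a positive finite number,
 * is rejected before anything is written.
 *
 * <p>NOTE(review): {@code updatePersistentConfiguration} is presumably permission-gated by the
 * system service; confirm which callers are expected to hold that privilege.
 *
 * @param delta amount to add to the current font scale, or {@code 0} to reset it to {@code 1}
 * @return {@code true} if the configuration was written; {@code false} if the input was
 *     rejected or the call failed (the cause is passed to {@code Debug.log})
 */
public static boolean run(float delta) {
    // NaN or an infinity would propagate straight into the persisted configuration.
    if (Float.isNaN(delta) || Float.isInfinite(delta)) {
        Debug.log(new IllegalArgumentException("font scale delta is not finite: " + delta));
        return false;
    }
    try {
        IActivityManager amn = ActivityManagerNative.getDefault();
        Configuration config = amn.getConfiguration();
        float newScale = (delta == 0) ? 1 : (config.fontScale + delta);
        // Written as !(x > 0) so that a NaN current scale is rejected as well.
        if (!(newScale > 0) || Float.isInfinite(newScale)) {
            Debug.log(new IllegalArgumentException("font scale out of range: " + newScale));
            return false;
        }
        config.fontScale = newScale;
        amn.updatePersistentConfiguration(config);
        return true;
    } catch (Throwable e) {
        Debug.log(e);
        return false;
    }
}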
/**
 * Installs the hook object's proxy in place of the default {@code IActivityManager}.
 *
 * <p>Two places are patched. First, the static {@code gDefault} field of
 * {@code ActivityManagerNative}: depending on its declared type the proxy is stored in the
 * field directly, or in the {@code mInstance} field of the {@code Singleton} it holds. Second,
 * a {@link HookBinder} that hands out the same proxy is registered through
 * {@code injectService} under {@code Context.ACTIVITY_SERVICE}.
 *
 * <p>The {@code Singleton} branch is only evaluated when the direct-field branch does not
 * match; keep that order.
 *
 * @throws Throwable if a reflective lookup or write fails, or if {@code gDefault} has a type
 *     other than the two handled here
 */
@Override
public void inject() throws Throwable {
    Field defaultField = ActivityManagerNative.class.getDeclaredField("gDefault");
    if (!defaultField.isAccessible()) {
        defaultField.setAccessible(true);
    }

    Class<?> declaredType = defaultField.getType();
    if (declaredType == IActivityManager.class) {
        // gDefault holds the interface itself: overwrite the static field.
        defaultField.set(null, getHookObject().getProxyObject());
    } else if (declaredType == Singleton.class) {
        // gDefault holds a Singleton wrapper: overwrite the instance it caches.
        Singleton holder = (Singleton) defaultField.get(null);
        Field instanceField = Singleton.class.getDeclaredField("mInstance");
        if (!instanceField.isAccessible()) {
            instanceField.setAccessible(true);
        }
        instanceField.set(holder, getHookObject().getProxyObject());
    } else {
        // Not expected to be reached.
        throw new UnsupportedOperationException("Singleton is not visible in AMN.");
    }

    HookBinder<IActivityManager> activityServiceBinder = new HookBinder<IActivityManager>() {
        @Override
        protected IBinder queryBaseBinder() {
            return ServiceManager.getService(Context.ACTIVITY_SERVICE);
        }

        @Override
        protected IActivityManager createInterface(IBinder baseBinder) {
            // baseBinder is not used: the interface handed out is always the proxy.
            return getHookObject().getProxyObject();
        }
    };
    activityServiceBinder.injectService(Context.ACTIVITY_SERVICE);
}
/**
 * Fills the static method-handle fields of this class by looking up framework methods by name
 * and parameter types.
 *
 * <p>Each {@code X.method(...)} call goes through a wrapper object ({@code ActivityThread},
 * {@code AssetManager}, ...) declared elsewhere in the file. Several lookups are gated on
 * {@code Build.VERSION.SDK_INT} because the signature differs between platform releases.
 * Statement order matters: later lookups test the results of earlier ones, and a lookup that
 * throws leaves every following field unassigned.
 *
 * <p>NOTE(review): all of these targets are addressed by string name; presumably they are
 * non-public framework members, so a platform or vendor build that renames one surfaces only
 * here. Confirm how callers handle a partially populated table.
 *
 * @throws HackAssertionException declared by the lookups; presumably raised when a required
 *     method cannot be resolved (confirm against the wrapper's implementation)
 */
public static void allMethods() throws HackAssertionException {
    ActivityThread_currentActivityThread = ActivityThread.method("currentActivityThread");
    AssetManager_addAssetPath = AssetManager.method("addAssetPath", String.class);
    // Only looked up on API level 24 and above.
    if(Build.VERSION.SDK_INT>=24) {
        AssetManager_addAssetPathAsSharedLibrary = AssetManager.method("addAssetPathAsSharedLibrary", String.class);
    }
    Application_attach = Application.method("attach", Context.class);
    PackageParser$Component_getComponentName = PackageParser$Component.method("getComponentName");
    ClassLoader_findLibrary = ClassLoader.method("findLibrary", String.class);
    ContextImpl_setOuterContext = ContextImpl.method("setOuterContext",Context.class);
    // LexFile handles are resolved only when the LexFile wrapper exists and has a class behind it.
    if (LexFile != null && LexFile.getmClass() !=null ) {
        LexFile_loadLex = LexFile.method("loadLex", String.class, int.class);
        LexFile_loadClass = LexFile.method("loadClass", String.class, java.lang.ClassLoader.class);
        LexFile_close = LexFile.method("close");
        DexClassLoader_findClass = DexClassLoader.method("findClass", String.class);
    }
    // Optional lookups: any failure here is discarded without logging, leaving the two fields
    // unassigned. NOTE(review): users of these fields must tolerate that.
    try {
        if (Build.VERSION.SDK_INT>20){
            AssetManager_getResourceIdentifier = AssetManager.method("getResourceIdentifier", String.class, String.class, String.class);
            AssetManager_ensureStringBlocks = AssetManager.method("ensureStringBlocks");
        }
    } catch (Throwable e) {
    }
    ActivityThread_installContentProviders = ActivityThread.method("installContentProviders",Context.class,List.class);
    // installProvider is resolved with a different parameter list per API level: the holder
    // type changes for levels above 25 (or 25 with a preview SDK), and levels 14 and 15 take
    // fewer boolean parameters. Every other level falls through to the final branch.
    if(Build.VERSION.SDK_INT>25 || (Build.VERSION.SDK_INT==25 && Build.VERSION.PREVIEW_SDK_INT>0)) {
        ActivityThread_installProvider = ActivityThread.method("installProvider", Context.class, android.app.ContentProviderHolder.class, ProviderInfo.class, boolean.class, boolean.class, boolean.class);
    }else if(Build.VERSION.SDK_INT==14){
        ActivityThread_installProvider = ActivityThread.method("installProvider", Context.class, android.app.ContentProviderHolder.class, ProviderInfo.class, boolean.class);
    }else if(Build.VERSION.SDK_INT==15){
        ActivityThread_installProvider = 
            ActivityThread.method("installProvider", Context.class, android.app.ContentProviderHolder.class, ProviderInfo.class, boolean.class,boolean.class);
    }else{
        ActivityThread_installProvider = ActivityThread.method("installProvider", Context.class, IActivityManager.ContentProviderHolder.class, ProviderInfo.class, boolean.class, boolean.class, boolean.class);
    }
    Service_attach = Service.method("attach",Context.class,ActivityThread.getmClass(),String.class,IBinder.class,Application.getmClass(),Object.class);
    // addAssetPathNative is tried in up to three shapes, each attempted only when the previous
    // handle is null or wraps no method: (String), then (String, boolean), then (String, int).
    AssetManager_addAssetPathNative = AssetManager.method("addAssetPathNative", String.class);
    if(AssetManager_addAssetPathNative==null || AssetManager_addAssetPathNative.getMethod()==null) {
        AssetManager_addAssetPathNative24 = AssetManager.method("addAssetPathNative", String.class, boolean.class);
    }
    if((AssetManager_addAssetPathNative==null || AssetManager_addAssetPathNative.getMethod()==null) && (AssetManager_addAssetPathNative24==null || AssetManager_addAssetPathNative24.getMethod()==null)){
        AssetManager_addAssetPathNativeSamSung = AssetManager.method("addAssetPathNative", String.class, int.class);
    }
    AssetManager_getStringBlockCount=AssetManager.method("getStringBlockCount");
    AssetManager_getNativeStringBlock = AssetManager.method("getNativeStringBlock",int.class);
}
/**
 * Builds a dynamic proxy that implements {@code IActivityManager} and routes every call
 * through a new {@link ActivityManagerProxy} wrapping {@code activityManager}.
 *
 * <p>The proxy class is defined in the class loader of the runtime class of
 * {@code activityManager}.
 *
 * @param pluginManager the plugin manager handed to the invocation handler
 * @param activityManager the real manager the handler wraps; must not be {@code null}, since
 *     its class loader is read here
 * @return a proxy implementing {@code IActivityManager}
 */
public static IActivityManager newInstance(PluginManager pluginManager, IActivityManager activityManager) {
    ClassLoader loader = activityManager.getClass().getClassLoader();
    Class<?>[] proxiedInterfaces = { IActivityManager.class };
    ActivityManagerProxy handler = new ActivityManagerProxy(pluginManager, activityManager);
    return (IActivityManager) Proxy.newProxyInstance(loader, proxiedInterfaces, handler);
}
/**
 * Creates a handler bound to the given plugin manager and activity manager.
 *
 * <p>Neither argument is validated or copied; both references are stored as given.
 *
 * @param pluginManager the plugin manager stored in {@code mPluginManager}
 * @param activityManager the activity manager stored in {@code mActivityManager}
 */
public ActivityManagerProxy(PluginManager pluginManager, IActivityManager activityManager) {
    mActivityManager = activityManager;
    mPluginManager = pluginManager;
}
/**
 * Returns the {@code IActivityManager} reference currently stored in
 * {@code mActivityManager}.
 *
 * @return the stored activity manager reference, exactly as held by this object
 */
public IActivityManager getActivityManager() {
    return mActivityManager;
}
/**
 * Forwards a recent-tasks query to the given activity manager and returns its result as a raw
 * {@code List}.
 *
 * <p>All three arguments are passed through unchanged. NOTE(review): no check is made here on
 * whether the caller may query {@code userId}; presumably the service enforces that. Confirm
 * before exposing this helper to less-trusted callers.
 *
 * @param am the activity manager to query
 * @param maxNum forwarded as the first argument of {@code am.getRecentTasks}
 * @param flags forwarded as the second argument
 * @param userId forwarded as the third argument
 * @return whatever {@code am.getRecentTasks} returns, untyped
 */
@SuppressWarnings("unchecked")
public static List getRecentTasks(IActivityManager am, int maxNum, int flags, int userId) {
    List recentTasks = am.getRecentTasks(maxNum, flags, userId);
    return recentTasks;
}
/**
 * Returns the default activity manager as reported by
 * {@code ActivityManagerNative.getDefault()}.
 *
 * @return the result of {@code ActivityManagerNative.getDefault()}, unmodified
 */
public static IActivityManager getAMN() {
    IActivityManager defaultManager = ActivityManagerNative.getDefault();
    return defaultManager;
}
/**
 * Creates the hook object for this patch, wrapping the activity manager returned by
 * {@code getAMN()} at the time of the call.
 *
 * @return a new {@code HookObject} constructed around the current default activity manager
 */
@Override
protected HookObject<IActivityManager> initHookObject() {
    IActivityManager base = getAMN();
    return new HookObject<IActivityManager>(base);
}