Hooking an App without Root
Core framework for root-free hooking: asLody's VirtualApp
- asLody/VirtualApp: An open source implementation of MultiAccount.(Support 4.0 - 8.0).
- Interview with Lody: how a second-year high school student grew into an Android expert
0. Attempts at different hooking approaches
- 8 May 2017:
  Using a YAHFA plug-in, a specified method of a specified class can be hooked, but it is unstable. After the hook plug-in is loaded, the running app crashes. The underlying JNI layer reported an error, and it was not clear what the exception was.
  Maybe this is because the test phones are all on 7.0 (API 24)? The official description says that support for 7.0 and above is "experimental".
- 10 May 2017:
  Tried to do the code injection through PatchManager in the VirtualApp core lib. Successfully deceived the AMap (Gaode Map) app and the Daydao app. The mobile base station spoofing code has reached a usable level.
- 11 May 2017:
  To use only base station positioning (AMap location type: 6), interference from WiFi positioning (AMap location type: 5) must be eliminated:
  - Turn on mobile data
  - Turn off WiFi
  - Disable "Scanning always available" in the advanced WiFi settings
- [October?] Day, 2017:
DroidPluginTeam/DroidPlugin: A plugin framework on android,Run any third-party apk without installation, modification or repackage
1. Hook plug-in based on YAHFA
Reference Documents
- rk700/VirtualHook: Android application hooking tool based on VirtualApp
- rk700/YAHFA: Yet Another Hook Framework for ART
- Determine the signature of a method - Real's Java How-to
- Use javap to get method signatures in for Android Activity - Stack Overflow
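How to write methodSig
```java
// Members of a YAHFA hook plug-in class (needs android.util.Log and java.io.InputStream).
public static String className = "android.content.res.AssetManager";
public static String methodName = "open";
public static String methodSig = "(Ljava/lang/String;)Ljava/io/InputStream;";

// Runs in place of AssetManager.open(String); thiz is the receiver object.
public static InputStream hook(Object thiz, String fileName) {
    Log.w("YAHFA", "open asset " + fileName);
    return origin(thiz, fileName);
}

// Placeholder that YAHFA redirects to the original method; its body should never run.
public static InputStream origin(Object thiz, String msg) {
    Log.w("YAHFA", "should not be here");
    return null;
}
```
Inside the parentheses of methodSig: the types of the method's parameters
After the parentheses of methodSig: the type of the method's return value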
Viewing the method signatures of a specified class
- Java classes:
  X:\>javap -s java.awt.Label
- Android classes:
  javap -s -bootclasspath /android-sdk/platforms/android-8/android.jar -classpath bin/classes android.app.Activity
  For example:
  javap -s -bootclasspath "D:\Program Files\Android\android-sdk\platforms\android-25\android.jar" -classpath bin/classes android.app.Activity
- Third-party JAR classes:
  javap -s -classpath "D:\AMap_Location.jar" com.amap.api.location.AMapLocation
  For example:
  javap -s -classpath "D:\UserProfile\Desktop\AMapLocationDemo\app\libs\AMap_Location_V3.4.0_20170427.jar" com.amap.api.location.AMapLocation
Key code fragments
Class name: com/lody/virtual/client/VClientImpl.java
Method: bindApplicationNoCheck
Code: added at the end of the method
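```java
ClassLoader appClassLoader = mInitialApplication.getClassLoader();
// The plug-in is read from shared external storage, which other apps
// holding the storage permission can also write to.
String patchApkPath = "/sdcard/io.virtualhook/patch.apk";
// Private directory that receives the plug-in's native libraries.
File libDir = ensureCreated(new File(VEnvironment.getDataUserPackageDirectory(VUserHandle.myUserId(), "patch"), "lib"));
NativeLibraryHelperCompat.copyNativeBinaries(new File(patchApkPath), libDir);
// Load the plug-in's dex with the hosted app's class loader as parent.
DexClassLoader dexClassLoader = new DexClassLoader(patchApkPath,
        VEnvironment.getDalvikCacheDirectory().getAbsolutePath(),
        libDir.getAbsolutePath(),
        appClassLoader);
// Install the hooks declared by the plug-in.
new HookMain().doHookDefault(dexClassLoader, appClassLoader);
```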
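The fragment above loads patch.apk straight from /sdcard, which is shared storage. The following is an added example, not code from the original post or from VirtualApp: a plain-Java sketch that checks the plug-in against a pinned SHA-256 digest and stages it in a private directory before any class loader sees it. The names PatchStaging, stageVerified and pinnedHex, the temporary files and the sample bytes are assumptions constructed for the demonstration.

```java
import java.io.*;
import java.security.MessageDigest;

public class PatchStaging {
    static byte[] readAll(File f) throws IOException {
        try (InputStream in = new FileInputStream(f); ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
            return out.toByteArray();
        }
    }

    static void write(File f, byte[] data) throws IOException {
        try (OutputStream out = new FileOutputStream(f)) { out.write(data); }
    }

    static String sha256Hex(byte[] data) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(data))
            sb.append(String.format("%02x", b & 0xff));
        return sb.toString();
    }

    // Reads the shared file once, verifies those bytes, then writes the same bytes
    // to private storage, so nothing can swap the file between check and load.
    static File stageVerified(File shared, File privateDir, String pinnedHex) throws Exception {
        byte[] bytes = readAll(shared);
        String actual = sha256Hex(bytes);
        if (!actual.equalsIgnoreCase(pinnedHex))
            throw new SecurityException("patch.apk digest mismatch: " + actual);
        if (!privateDir.isDirectory() && !privateDir.mkdirs())
            throw new IOException("cannot create " + privateDir);
        File staged = new File(privateDir, "patch.apk");
        write(staged, bytes);
        return staged;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for the shared patch.apk and an app-private directory.
        File shared = File.createTempFile("patch", ".apk");
        write(shared, "constructed plug-in bytes".getBytes("UTF-8"));
        File priv = new File(System.getProperty("java.io.tmpdir"), "private-demo");
        String pinned = sha256Hex(readAll(shared)); // stands in for a build-time constant
        System.out.println("staged:   " + stageVerified(shared, priv, pinned));
        write(shared, "tampered bytes".getBytes("UTF-8")); // the shared copy is rewritten
        try { stageVerified(shared, priv, pinned); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

In the fragment above, the path of the returned file would take the place of patchApkPath in the DexClassLoader call.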
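Batch file (.bat) for quickly pushing the APK to the handset
```bat
REM Local path of the built hook plug-in APK
SET LOCAL="D:\UserProfile\Desktop\VirtualHook-master\VirtualApp\demoHookPlugin\build\outputs\apk\demoHookPlugin-debug.apk"
REM Path on the device that the VClientImpl fragment loads the plug-in from.
REM Named REMOTE rather than TMP so the Windows TMP environment variable is not overwritten.
SET REMOTE=/sdcard/io.virtualhook/patch.apk
adb push %LOCAL% %REMOTE%
```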
2. Hook based on VirtualApp core lib
Hooking base station location information
com.lody.virtual.client.hook.proxies.telephony - MethodProxies.java
Using the way GetDeviceId is written as a reference, implement the following key functions in turn:
- getAllCellInfo
- getNeighboringCellInfo
- getCellLocation
For example:
```java
static class getCellLocation extends ReplaceCallingPkgMethodProxy {

    public getCellLocation() {
        super("getCellLocation");
    }

    @Override
    public Object afterCall(Object who, Method method, Object[] args, Object result) throws Throwable {
        final Object oldResult = super.afterCall(who, method, args, result);
        // The result may be null, so guard before calling getClass().
        if (oldResult != null && oldResult.getClass().getSimpleName().equals("Bundle")) {
            // Debug.waitForDebugger();
            final android.os.Bundle cellInfo = (android.os.Bundle) oldResult;
            try {
                // Touching keySet() forces the Bundle to unparcel, so the log line shows its contents.
                cellInfo.keySet();
            } catch (Exception ex) {
                ex.printStackTrace();
            }
            //Test base station location
            //cellInfo.putInt("cid", 123306);
            //cellInfo.putInt("lac", 12338);
            //cellInfo.putInt("psc", -1);
            Log.e("----Ye", "getCellLocation old_value2:" + cellInfo);
            return cellInfo;
            //Log.i(TAG, " MCC = " + mcc + "\t MNC = " + mnc + "\t LAC = " + lac + "\t CID = " + cellId);
        } else {
            //Debug.waitForDebugger();
            Log.e("----Ye", "getCellLocation old_value1:" + oldResult);
        }
        return oldResult;
        //TODO:TEST return super.afterCall(who, method, args, result);
    }

    @Override
    public boolean beforeCall(Object who, Method method, Object... args) {
        // Replace the calling package name in the arguments before the call goes out.
        MethodParameterUtils.replaceFirstAppPkg(args);
        return super.beforeCall(who, method, args);
    }
}
```
Hooking WiFi location
WiFi positioning works by collecting the MAC addresses of all WiFi hotspots found in a nearby scan (optional information) and the MAC address of the currently connected WiFi (required information).
So in theory it is enough to hook the function that returns the MAC address of the currently connected WiFi.
However, WiFi MAC addresses are sensitive personal information, so since version 6.0 Android no longer allows them to be obtained through the earlier WifiManager code.
Furthermore, after version 7.0, reading the underlying device information directly from /sys/class/net/wlan0/address is also disabled.
Therefore, at this stage, completing a hook for obtaining the MAC address involves:
- Android system function (WifiManager): the VirtualApp core lib already has a ready-made place to hook it
- Java system function (NetworkInterface.getNetworkInterfaces): there is no ready-made place, so you need to work out how to hook it yourself
Result: the idea of hooking WiFi location is abandoned for now.
Reprinted from: https://www.cnblogs.com/AsionTang/p/6837340.html