原理是 hook 系统的 ClassLoader.loadClass 方法，在 app 将模拟内核注入系统时对该模拟内核进行 hook。
Frida
console.log("Script loaded successfully ");
// Frida tracing script: selects the class loader that belongs to the injected
// module, then wraps one obfuscated method so that its three arguments and its
// return value are printed. The wrapped method's result is passed through
// unchanged; this script only observes.
Java.perform(function () {
  // Substring looked for in each loader's string form to recognise the module.
  const modulePath = "/data/fakeloc/libfakeloc.so";

  Java.enumerateClassLoaders({
    onMatch(candidate) {
      const description = candidate.toString();
      if (description.includes(modulePath)) {
        // Make the matching loader the one the default class factory resolves with.
        Java.classFactory.loader = candidate;
      }
    },
    onComplete() {
      // NOTE(review): printed when enumeration finishes, whether or not any
      // loader matched above.
      console.log("success");
    },
  });

  // The lookup has to go through Java.classFactory.use so that the loader
  // selected above is the one used to resolve the class.
  const tracedClass = Java.classFactory.use("com.lerist.inject.utils.\u058F");
  tracedClass["\u0620"].implementation = function (str, str2, str3) {
    console.log('\u0620 is called, str: ' + str + ', str2: ' + str2 + ', str3: ' + str3);
    // Call through to the original implementation and hand its result back.
    const ret = this["\u0620"](str, str2, str3);
    console.log('\u0620 ret value is ' + ret);
    return ret;
  };
});
LSPosed
/**
 * Xposed/LSPosed module entry point from the post.
 *
 * <p>Inside the "android" package it hooks {@code ClassLoader.loadClass} and looks for
 * classes whose loader's string form contains "/data/fakeloc/libfakeloc.so". For such a
 * loader it waits 3500 ms on a new thread and then installs two hooks on obfuscated
 * classes under {@code com.lerist.inject.utils}: one overwrites the result of a
 * no-argument method with {@code true}, the other replaces the first (String) argument
 * of a (String, int) method with "114.114.114.114".
 *
 * <p>NOTE(review): the two targets are presumably a verification result and the host it
 * is fetched from (the original comment names vef.api.fakeloc.cc) - confirm against the
 * module. Both values are produced and consumed inside the hooked process, so a check
 * that has to hold on a device running a hooking framework needs to be enforced outside
 * that process. The hook writes "hook libfakeloc.so" and "start" to the Xposed log,
 * which is the visible trace of it running.
 */
public class hook implements IXposedHookLoadPackage {
    @Override
    public void handleLoadPackage(LoadPackageParam loadPackageParam) throws Throwable {
        // Nothing to do for any package other than "android".
        if (!loadPackageParam.packageName.equals("android")) {
            return;
        }

        XposedHelpers.findAndHookMethod(ClassLoader.class, "loadClass", String.class, new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                // A failed loadClass has no result to inspect.
                if (param.hasThrowable()) {
                    return;
                }

                final Class<?> loaded = (Class<?>) param.getResult();
                final ClassLoader moduleLoader = loaded.getClassLoader();
                if (!moduleLoader.toString().contains("/data/fakeloc/libfakeloc.so")) {
                    return;
                }

                // Reached for classes served by the Fake Location mock-location module's loader.
                // NOTE(review): this runs for every class that loader returns, so each
                // such load starts another delayed thread.
                XposedBridge.log("hook libfakeloc.so");

                Runnable delayedInstall = new Runnable() {
                    @Override
                    public void run() {
                        try {
                            // The post reports that hooking immediately hangs some devices,
                            // hence the delay on a separate thread.
                            Thread.sleep(3500);
                            XposedBridge.log("start");

                            // Hook 1: after the original runs, its result is replaced with true.
                            XposedHelpers.findAndHookMethod("com.lerist.inject.utils.ޏ", moduleLoader, "އ", new XC_MethodHook() {
                                @Override
                                protected void afterHookedMethod(MethodHookParam call) throws Throwable {
                                    call.setResult(true);
                                }
                            });

                            // Hook 2: before the original runs, its first argument is replaced
                            // (vef.api.fakeloc.cc becomes 114.114.114.114, per the original comment).
                            XposedHelpers.findAndHookMethod("com.lerist.inject.utils.ބ", moduleLoader, "ރ", java.lang.String.class, int.class, new XC_MethodHook() {
                                @Override
                                protected void beforeHookedMethod(MethodHookParam call) throws Throwable {
                                    call.args[0] = "114.114.114.114";
                                }
                            });
                        } catch (Exception e) {
                            e.printStackTrace();
                        }
                    }
                };
                new Thread(delayedInstall).start();
            }
        });
    }
}
需要注意的是：使用 LSPosed 框架 hook 系统的 ClassLoader.loadClass 方法后，如果立即 hook 被加载的 dex，部分机型会卡死，所以这里新开了一个线程，延时几秒后再 hook。