// 过防止调用loadClass加载 de.robv.android.xposed.        XposedHelpers.findAndHookMethod(ClassLoader.class, "loadClass", String.class, new XC_MethodHook() {            @Override            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {                if(param.args != null && param.args[0] != null && param.args[0].toString().startsWith("de.robv.android.xposed.")){                     // 改成一个不存在的类                    param.args[0] = "de.robv.android.xposed.ThTest";                }                 super.beforeHookedMethod(param);            }        });

XposedHelpers.findAndHookMethod(StackTraceElement.class, "getClassName", new XC_MethodHook() {            @Override            protected void afterHookedMethod(MethodHookParam param) throws Throwable {                String result = (String) param.getResult();                if (result != null){                    if (result.contains("de.robv.android.xposed.")) {                        param.setResult("");                        // Log.i(tag, "替换了，字符串名称 " + result);                    }else if(result.contains("com.android.internal.os.ZygoteInit")){                        param.setResult("");                    }                }                 super.afterHookedMethod(param);            }        });

findAndHookMethod("android.app.ApplicationPackageManager", lpparam.classLoader, "getInstalledApplications", int.class, new XC_MethodHook() {            @SuppressWarnings("unchecked")            @Override            protected void afterHookedMethod(MethodHookParam param) throws Throwable { // Hook after getIntalledApplications is called                if (debugPref) {                    XposedBridge.log("Hooked getInstalledApplications");                }                 List<ApplicationInfo> packages = (List<ApplicationInfo>) param.getResult(); // Get the results from the method call                Iterator<ApplicationInfo> iter = packages.iterator();                ApplicationInfo tempAppInfo;                String tempPackageName;                  // Iterate through the list of ApplicationInfo and remove any mentions that match a keyword in the keywordSet                while (iter.hasNext()) {                    tempAppInfo = iter.next();                    tempPackageName = tempAppInfo.packageName;                    if (tempPackageName != null && tempPackageName.equals("de.robv.android.xposed.installer")) {                        iter.remove();                        if (debugPref) {                            XposedBridge.log("Found and hid package: " + tempPackageName);                        }                    }                }                 param.setResult(packages); // Set the return value to the clean list            }        });

Constructor<?> constructLayoutParams = findConstructorExact(java.io.File.class, String.class);        XposedBridge.hookMethod(constructLayoutParams, new XC_MethodHook(XCallback.PRIORITY_HIGHEST) {            @Override            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {                if (param.args[0] != null) {                    if (debugPref) {                        XposedBridge.log("File: Found a File constructor: " + ((String) param.args[0]));                    }                }                 if (isRootCloakLoadingPref) {                    // RootCloak is trying to load it's preferences, we shouldn't block this.                    return;                }                if (((String) param.args[0]).contains("XposedBridge")) {                    if (debugPref) {                        XposedBridge.log("File: Found a File constructor with word super, noshufou, or chainfire");                    }                    param.args[0] = "/system/app/" + FAKE_FILE;                }            }        });

XposedHelpers.findAndHookConstructor("java.io.FileReader",lpparam.classLoader ,String.class , new XC_MethodHook() {          @Override          protected void beforeHookedMethod(MethodHookParam param) throws Throwable {              String arg0 = (String) param.args[0];              if(arg0.toLowerCase().contains("/proc/")){                  param.setResult(null);              }          }      });

XposedHelpers.findAndHookMethod("java.lang.System", lpparam.classLoader, "getProperty", String.class, new XC_MethodHook() {           @Override           protected void beforeHookedMethod(MethodHookParam param) throws Throwable {               String arg0 = (String)param.args[0];               if(arg0.equals("vxp")){                   param.setResult(null);               }           }       });

findAndHookMethod("java.lang.Runtime", lpparam.classLoader, "exec", String[].class, String[].class, File.class, new XC_MethodHook() {           @Override           protected void beforeHookedMethod(MethodHookParam param) throws Throwable {               if (debugPref) {                   XposedBridge.log("Hooked Runtime.exec");               }                String[] execArray = (String[]) param.args[0]; // Grab the tokenized array of commands               if ((execArray != null) && (execArray.length >= 1)) { // Do some checking so we don't break anything                   String firstParam = execArray[0]; // firstParam is going to be the main command/program being run                   if (debugPref) { // If debugging is on, print out what is being called                       String tempString = "Exec Command:";                       for (String temp : execArray) {                           tempString = tempString + " " + temp;                       }                       XposedBridge.log(tempString);                   }                    if (stringEndsWithFromSet(firstParam, commandSet)) { // Check if the firstParam is one of the keywords we want to filter                       if (debugPref) {                           XposedBridge.log("Found blacklisted command at the end of the string: " + firstParam);                       }                        // A bunch of logic follows since the solution depends on which command is being called                       // TODO: ***Clean up this logic***                       if (commandSet.contains("ls") && execArray.length >= 3 && execArray[1].contains("lib")) {                           param.setThrowable(new IOException());                       } else {                           param.setThrowable(new IOException());                       }                        if (debugPref && param.getThrowable() == null) { // Print out the new command if debugging is on                           String tempString = "New Exec Command:";                           for (String temp : (String[]) param.args[0]) {                               tempString = tempString + " " + temp;                           }                           XposedBridge.log(tempString);                       }                   }               } else {                   if (debugPref) {                       XposedBridge.log("Null or empty array on exec");                   }               }           }       });

XposedHelpers.findAndHookMethod("java.lang.System", lpparam.classLoader, "getenv", String.class, new XC_MethodHook() {           @Override           protected void beforeHookedMethod(MethodHookParam param) throws Throwable {               String arg0 = (String)param.args[0];               if(arg0.equals("CLASSPATH")){                   param.setResult("FAKE.CLASSPATH");               }           }       });

// 定义全局变量 modifyXposedHelpers.findAndHookMethod(Method.class, "getModifiers", new XC_MethodHook() {            @Override            protected void afterHookedMethod(MethodHookParam param) throws Throwable {                Method method = (Method)param.thisObject;                String[] array = new String[] { "getDeviceId" };                String method_name = method.getName();                if(Arrays.asList(array).contains(method_name)){                    modify = 0;                }else{                    modify = (int)param.getResult();                }                 super.afterHookedMethod(param);            }        });         XposedHelpers.findAndHookMethod(Modifier.class, "isNative", int.class, new XC_MethodHook() {            @Override            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {                param.args[0] = modify;                 super.beforeHookedMethod(param);            }        });

# 往期推荐

1、源代码静态分析方法——代码属性图Code Property Graphs

2、详解典型CVE内核漏洞

3、php(phar)反序列化漏洞及各种绕过姿势

4、Windows 2000系统的一个0day漏洞发现过程

5、wibu证书 - asn1码流

6、COM 进程注入技术-编程技术