Multiple replaceHookedMethods - Xposed General

I have some questions about the replaceHookedMethod method.
If some module uses it to replace a method, and another one uses the same function with before/after hooks, are both modules executed? Regardless of the order the modules were loaded?
And what happens if 2 modules hook the same function, and one sets a NULL result in a before method. Here too, were both executed, does the start order matter?

Note to myself: Xposed accepts a "priority" for some

Related

[Q] Can Xposed hook native methods?

Let's assume there is a method
public static native boolean doSomething(params...);
which gets called by regular Java code.
Can Xposed hook it?
EDIT: I'm wrong, see rovo's answer.
Yes, native methods can be hooked. However, in case this is for an app's code, it has to be done after System.loadLibrary(), otherwise the latter overwrites the hook. Ideally, the framework should take care of this itself, but it's not straightforward and there has been very little need for this.
rovo89 said:
Yes, native methods can be hooked. However, in case this is for an app's code, it has to be done after System.loadLibrary(), otherwise the latter overwrites the hook. Ideally, the framework should take care of this itself, but it's not straightforward and there has been very little need for this.
I've always assumed this wasn't the case. Just to clarify, Xposed is able to hook native functions, but not (native) C/C++ code/libraries? I've read more than once it can't so I'm a bit confused. Thanks for the correction.
GermainZ said:
Just to clarify, Xposed is able to hook native functions, but not (native) C/C++ code/libraries?
Correct. Only JNI functions can be hooked, i.e. those which are declared in and called by Java code.
How to do it "after System.loadLibrary()"?
How do you go about hooking such methods? I am trying to hook some API methods, mainly the ones declared in the "Connectivity" class; one such example is "isTetheringSupported". However, I am struggling to do so: when I hook the method directly, the hook is never executed, as I believe it is being called via the java.lang.reflect.Method invoke method, and when I try to hook that method I get the following error: "java.lang.NoSuchMethodError: java.lang.reflect.Method#invoke()#exact"
hwhh_1 said:
How do you go about hooking such methods? I am trying to hook some API methods, mainly the ones declared in the "Connectivity" class; one such example is "isTetheringSupported". However, I am struggling to do so: when I hook the method directly, the hook is never executed, as I believe it is being called via the java.lang.reflect.Method invoke method, and when I try to hook that method I get the following error: "java.lang.NoSuchMethodError: java.lang.reflect.Method#invoke()#exact"
Are you talking about EdXposed? If so, it should be noted that a hook not working for a particular method can also be a result of ART compiler optimizations. E.g. if the method is simple and not called from many places, the compiler will include the body of such a method directly into the methods that call it. It's called inlining. So while you can see the method at source code level, during runtime it's empty and never called, as the original body became part of another method. To overcome this you have to find a different strategy, e.g. hook methods that are less likely to become inlined.
C3C076 said:
Are you talking about EdXposed? If so, it should be noted that a hook not working for a particular method can also be a result of ART compiler optimizations. E.g. if the method is simple and not called from many places, the compiler will include the body of such a method directly into the methods that call it. It's called inlining. So while you can see the method at source code level, during runtime it's empty and never called, as the original body became part of another method. To overcome this you have to find a different strategy, e.g. hook methods that are less likely to become inlined.
In order to see if it is inlined, there is a setting in EdXposed to deoptimize the boot image.

[Q] How to resolve hidden class ItemInfo in Xposed module development, thanks!

I want to develop an Xposed module to hide some shortcuts in the launcher workspace,
but I can't resolve the hidden class ItemInfo, and I need to remove a specific item from ArrayList<ItemInfo>.
How do I deal with it? Thanks!
You can cast it to ArrayList<?>
C3C076 said:
You can cast it to ArrayList<?>
Sure, I think I can, but how do I change the single items in the ArrayList?
Because I need to iterate over every element in the ArrayList to check if any need to be blocked,
but the element is of the ItemInfo class type, so....
Is there any solution to resolve it? Thanks!
Does anybody have good experience with it? Thanks!
If you can't use ItemInfo directly at design time simply use xposed functions on its instances to check for property values and call its methods.
E.g. you can iterate through array list and cast items to Object. Then use xposed functions on those objects like getIntField/getFloatField/... to get property or callMethod to call function.
C3C076 said:
If you can't use ItemInfo directly at design time simply use xposed functions on its instances to check for property values and call its methods.
E.g. you can iterate through array list and cast items to Object. Then use xposed functions on those objects like getIntField/getFloatField/... to get property or callMethod to call function.
Thanks, C3C076, it's a good idea, I will try.
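The approach C3C076 describes, as an added example that is not part of the original thread: the list is handled as `List<?>`, each element as a plain `Object`, and fields are read with `XposedHelpers`. The class name `HiddenItemFilter`, the method `removeBlocked` and the field name `title` are assumptions for illustration; check the field names in the launcher build you target.

```java
import java.util.Iterator;
import java.util.List;
import java.util.Set;

import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;

public final class HiddenItemFilter {
    private HiddenItemFilter() {}

    /**
     * Removes entries whose reflected "title" field is in blockedTitles.
     * ItemInfo is not on the module's compile-time classpath, so the list is
     * typed List<?> and every element is treated as a plain Object.
     * Returns the number of removed entries.
     */
    public static int removeBlocked(List<?> items, Set<String> blockedTitles) {
        int removed = 0;
        // Iterator.remove() is allowed on a List<?>; only adding elements is not.
        for (Iterator<?> it = items.iterator(); it.hasNext();) {
            Object item = it.next();
            if (item == null) {
                continue;
            }
            try {
                // "title" is an assumed field name (hypothetical for this example).
                Object title = XposedHelpers.getObjectField(item, "title");
                if (title != null && blockedTitles.contains(title.toString())) {
                    it.remove();
                    removed++;
                }
            } catch (NoSuchFieldError e) {
                // XposedHelpers throws NoSuchFieldError when the field is absent.
                XposedBridge.log("No 'title' field on " + item.getClass().getName());
            }
        }
        return removed;
    }
}
```

Inside a hook, the call would look like `HiddenItemFilter.removeBlocked((List<?>) param.args[0], blocked)`, where the argument index depends on the method being hooked.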

[Q] Does Xposed module programming support jnilibs?

I tried to use some function from a jnilibs library and it doesn't work with Xposed.
(To be specific, the Qualcomm module. I tried its sample app and it works great on my LG G3 device.)
I heard there are some modifications you need to make when using JNI libs with Xposed, but I don't know what these modifications are specifically...
Any hint on what I could be doing wrong?
update:
I have written all jni related code in the xposed setting activity and tested it via clicking at the module name in xposed module list. The vuforia init process worked fine....
Now I can only doubt that if it's the JNI call, or the "activity" argument I passed to Vuforia.setInitParameters is not working....
below are what I tried and not working:
pass null;
pass "param.thisObject" from a method in the activity.
pass the context object which is actually the activity
pass a new unrelated activity.
by the way, I looked at the iOS version of the setInitParameters. Which doesn't need an activity argument. So sad..

Hooking native code from xposed module?

Hello!
I am sorry if this may be confusing as I am quite sure I don't use the right terms. What I want to do is hook native library calls/syscalls made from native code within an app. I want to use xposed to launch the code that hooks the library/system call - but I do not know how to do and how the android system will complicate things for me.
Also, it seems to me that this has not been done. So my main thought with this thread is to get some input that can help me avoid some obvious pitfalls before I start trial and error.
What would my options be if I want to modify/interact with native code from a xposed module?
If it was a normal program I could simply use ptrace or LD_PRELOAD to get the kind of access I need. But as I want to do this from an xposed module I get worried by the android system.
If I for example hook the startup of the app, and then from the xposed hook use jni to ptrace myself - would that be possible, would I need to give the original app sudo permissions, and would my ptrace survive hiding/opening the app again?
Another thought was to, as previously at the startup of the app launch jni code. But in this case find the local symbol table and modify it to jump to my hook - but I am not sure if different jni code run in the same memory space and have access to mess with each other. [And also, how often would I need to redo this modification, would android reload/restart of the app destroy my changes]
Hopefully I didn't come off as too confusing. Thanks for the help!
I think you asked me this in my thread but I'll answer it here.
Also, it seems to me that this has not been done. So my main thought with this thread is to get some input that can help me avoid some obvious pitfalls before I start trial and error.
I have hooked native code with Xposed and LD_PRELOAD; you can manipulate the data via your LD_PRELOAD lib. I do not know if it's been linked to public code yet. LD_PRELOAD does not require Xposed to work (just makes it easier to manage imo). Also note that I have not tested this using the newer Android OSes (>4.4). Not (yet) necessary for my use case. I would recommend getting LD_PRELOAD to work without Xposed first. Then add the Xposed integration.
What would my options be if I want to modify/interact with native code from a xposed module?
If it was a normal program I could simply use ptrace or LD_PRELOAD to get the kind of access I need. But as I want to do this from an xposed module I get worried by the android system.
I have not tried via ptrace, also note that some apps will ptrace itself for protection against reversing. LD_PRELOAD works fine for me. Personally I use LD_PRELOAD to modify the arguments and the return values but most of the time just for logging information.
If I for example hook the startup of the app, and then from the xposed hook use jni to ptrace myself - would that be possible, would I need to give the original app sudo permissions, and would my ptrace survive hiding/opening the app again?
Ptrace to me sounds more complex but it does sound cool to attempt. No sudo is needed for the app that you are hooking using LD_PRELOAD.
t436h05t said:
I think you asked me this in my thread but I'll answer it here.
Also, it seems to me that this has not been done. So my main thought with this thread is to get some input that can help me avoid some obvious pitfalls before I start trial and error.
I have hooked native code with Xposed and LD_PRELOAD; you can manipulate the data via your LD_PRELOAD lib. I do not know if it's been linked to public code yet. LD_PRELOAD does not require Xposed to work (just makes it easier to manage imo). Also note that I have not tested this using the newer Android OSes (>4.4). Not (yet) necessary for my use case. I would recommend getting LD_PRELOAD to work without Xposed first. Then add the Xposed integration.
What would my options be if I want to modify/interact with native code from a xposed module?
If it was a normal program I could simply use ptrace or LD_PRELOAD to get the kind of access I need. But as I want to do this from an xposed module I get worried by the android system.
I have not tried via ptrace, also note that some apps will ptrace itself for protection against reversing. LD_PRELOAD works fine for me. Personally I use LD_PRELOAD to modify the arguments and the return values but most of the time just for logging information.
If I for example hook the startup of the app, and then from the xposed hook use jni to ptrace myself - would that be possible, would I need to give the original app sudo permissions, and would my ptrace survive hiding/opening the app again?
Ptrace to me sounds more complex but it does sound cool to attempt. No sudo is needed for the app that you are hooking using LD_PRELOAD.
Thanks! Is there a nice way to set LD_PRELOAD on app startup using Xposed or do you simply run the shell command when configuring which apps to hook?
Wropzter said:
Thanks! Is there a nice way to set LD_PRELOAD on app startup using Xposed or do you simply run the shell command when configuring which apps to hook?
Hooking the app and setting your native hooks is easy in Xposed, after you hook your package just load your lib with your hooks.
System.load("/data/data/org.xxx.app/lib/xxx.so");
The application will default use the preloaded lib you injected(same as LD_PRELOAD without the mess of bash).
It took more time to write code that would enable and disable the hooks inside the hook lib.
Now I have got it working with LD_PRELOAD manually, but using Xposed I do not seem to be able to load the library before libc - that is my replacement function is never called as the symbol was already loaded. Are you using the deprecated IXposedHookCmdInit to be able to load the package earlier? [If I remember correctly you were also hooking libc]
This is my code for the Xposed App.
    if (lpparam.packageName.equals("app.to.hook")) {
        System.load("/data/data/app.to.hook/lib/hook.so");
        XposedBridge.log("Loaded native hook");
    }

[Q] How to log all Android api methods that an Ap(p|k) calls?

I don't know if something similar already exists, but an Xposed Module that logs all Android API methods (of a certain kind) that an app calls, with the values of its parameters, would be useful for any security analyst.
By "kind" I mean, for example, all methods that require a certain permission or, more interesting, methods involved in cryptography.
If something exists, can you link it?
Otherwise, the only way to implement it that I figure out is:
1) create a generic XC_MethodHook that logs all method's parameters.
2) use the HookMethod for-each method within a pre-constructed set of relevant Android api methods
3) launch the app and enjoy
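The three steps above as an added example, not code from the original post: one generic `XC_MethodHook` attached with `XposedBridge.hookAllMethods` to a small watch list of cryptography-related API methods. The package name `com.example.target`, the class name `ApiCallLogger` and the watch list are assumptions chosen for illustration.

```java
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class ApiCallLogger implements IXposedHookLoadPackage {
    private static final String TARGET = "com.example.target"; // placeholder package
    // Constructed watch list: {class name, method name}.
    private static final String[][] WATCHED = {
        {"javax.crypto.Cipher", "getInstance"},
        {"javax.crypto.Cipher", "init"},
        {"java.security.MessageDigest", "getInstance"},
    };

    // Step 1: one generic hook that logs the method, its arguments and its outcome.
    private static final XC_MethodHook LOGGER = new XC_MethodHook() {
        @Override
        protected void afterHookedMethod(MethodHookParam param) {
            StringBuilder sb = new StringBuilder("[api] ")
                .append(param.method.getDeclaringClass().getName())
                .append('.').append(param.method.getName()).append('(');
            for (int i = 0; i < param.args.length; i++) {
                if (i > 0) sb.append(", ");
                sb.append(describe(param.args[i]));
            }
            sb.append(") -> ").append(param.hasThrowable()
                ? "threw " + param.getThrowable()
                : describe(param.getResult()));
            XposedBridge.log(sb.toString());
        }
    };

    // Byte arrays are reported by length only, so key material stays out of the log.
    static String describe(Object o) {
        return (o instanceof byte[]) ? "byte[" + ((byte[]) o).length + "]" : String.valueOf(o);
    }

    // Steps 2 and 3: attach the hook to every overload once the target app loads.
    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) {
        if (!TARGET.equals(lpparam.packageName)) return;
        for (String[] w : WATCHED) {
            try {
                Class<?> cls = XposedHelpers.findClass(w[0], lpparam.classLoader);
                XposedBridge.hookAllMethods(cls, w[1], LOGGER);
            } catch (XposedHelpers.ClassNotFoundError e) {
                XposedBridge.log("[api] class not found: " + w[0]);
            }
        }
    }
}
```

Calls made through inlined or natively implemented paths will not appear in this log, for the reasons discussed in the native-method thread above.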
