I have one app which can call java functions from scripts defined at runtime, but has not enough permissions to do most of the stuff, like toggling wifi.
So I tried to create a module hooking the Packagemanager to grant these permissions.
My code so far:
Code:
public class Hook implements IXposedHookLoadPackage, IXposedHookZygoteInit {
ArrayList<String> newPerms;
@Override
public void handleLoadPackage(XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {
if(!loadPackageParam.packageName.equals("android"))return;
final Class<?> clsPMS = findClass("com.android.server.pm.PackageManagerService", loadPackageParam.classLoader);
XC_MethodHook hookGrantPermissions = new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
String pkgName = (String) getObjectField(param.args[0], "packageName");
if(!(pkgName.equals(Strings.LLX)||pkgName.equals(Strings.LL)))return;
//XposedBridge.log("Package: "+pkgName);
if(newPerms == null || newPerms.isEmpty() ) return;
ArrayList<String> origRequestedPermissions = (ArrayList<String>) getObjectField(param.args[0], "requestedPermissions");
param.setObjectExtra("orig_requested_permissions", origRequestedPermissions);
//XposedBridge.log("Old Permissions "+Arrays.toString(origRequestedPermissions.toArray()));
//XposedBridge.log("New Permissions "+Arrays.toString(newPerms.toArray()));
ArrayList<String> newRequestedPermissions = new ArrayList<>(origRequestedPermissions);
newRequestedPermissions.addAll(newPerms);
//XposedBridge.log("All Permissions"+Arrays.toString(newRequestedPermissions.toArray()));
//param.args[1] = true;
[U][B]setObjectField(param.args[0], "requestedPermissions", newRequestedPermissions);[/B][/U]
}
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
ArrayList<String> origRequestedPermissions = (ArrayList<String>) param.getObjectExtra("orig_requested_permissions");
if (origRequestedPermissions != null)
setObjectField(param.args[0], "requestedPermissions", origRequestedPermissions);
}
};
if (Build.VERSION.SDK_INT < 21) {
findAndHookMethod(clsPMS, "grantPermissionsLPw", "android.content.pm.PackageParser$Package", boolean.class, hookGrantPermissions);
} else {
findAndHookMethod(clsPMS, "grantPermissionsLPw", "android.content.pm.PackageParser$Package", boolean.class, String.class, hookGrantPermissions);
}
}
@Override
public void initZygote(StartupParam startupParam) throws Throwable {
XSharedPreferences pref = new XSharedPreferences(this.getClass().getPackage().getName(), Strings.PREF_NAME);
pref.makeWorldReadable();
newPerms = Strings.read(pref);
}
Sidenote: Code is partially forked from Appsettings module: https://github.com/rovo89/XposedAppSettings
The problem is: when I restart my phone after enabling the module, I just get a blackscreen after the bootanimation.
When I comment out the line marked fat underlined, it works, but does nothing (because this line is essential).
I have practically no idea why this isn't working.
I know that the input returned from Strings.read is valid.
My Question: What am I doing wrong?
LM13 said:
I have one app which can call java functions from scripts defined at runtime, but has not enough permissions to do most of the stuff, like toggling wifi.
So I tried to create a module hooking the Packagemanager to grant these permissions.
My code so far:
Code:
public class Hook implements IXposedHookLoadPackage, IXposedHookZygoteInit {
ArrayList<String> newPerms;
@Override
public void handleLoadPackage(XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {
if(!loadPackageParam.packageName.equals("android"))return;
final Class<?> clsPMS = findClass("com.android.server.pm.PackageManagerService", loadPackageParam.classLoader);
XC_MethodHook hookGrantPermissions = new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
String pkgName = (String) getObjectField(param.args[0], "packageName");
if(!(pkgName.equals(Strings.LLX)||pkgName.equals(Strings.LL)))return;
//XposedBridge.log("Package: "+pkgName);
if(newPerms == null || newPerms.isEmpty() ) return;
ArrayList<String> origRequestedPermissions = (ArrayList<String>) getObjectField(param.args[0], "requestedPermissions");
param.setObjectExtra("orig_requested_permissions", origRequestedPermissions);
//XposedBridge.log("Old Permissions "+Arrays.toString(origRequestedPermissions.toArray()));
//XposedBridge.log("New Permissions "+Arrays.toString(newPerms.toArray()));
ArrayList<String> newRequestedPermissions = new ArrayList<>(origRequestedPermissions);
newRequestedPermissions.addAll(newPerms);
//XposedBridge.log("All Permissions"+Arrays.toString(newRequestedPermissions.toArray()));
//param.args[1] = true;
[U][B]setObjectField(param.args[0], "requestedPermissions", newRequestedPermissions);[/B][/U]
}
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
ArrayList<String> origRequestedPermissions = (ArrayList<String>) param.getObjectExtra("orig_requested_permissions");
if (origRequestedPermissions != null)
setObjectField(param.args[0], "requestedPermissions", origRequestedPermissions);
}
};
if (Build.VERSION.SDK_INT < 21) {
findAndHookMethod(clsPMS, "grantPermissionsLPw", "android.content.pm.PackageParser$Package", boolean.class, hookGrantPermissions);
} else {
findAndHookMethod(clsPMS, "grantPermissionsLPw", "android.content.pm.PackageParser$Package", boolean.class, String.class, hookGrantPermissions);
}
}
@Override
public void initZygote(StartupParam startupParam) throws Throwable {
XSharedPreferences pref = new XSharedPreferences(this.getClass().getPackage().getName(), Strings.PREF_NAME);
pref.makeWorldReadable();
newPerms = Strings.read(pref);
}
Sidenote: Code is partially forked from Appsettings module: https://github.com/rovo89/XposedAppSettings
The problem is: when I restart my phone after enabling the module, I just get a blackscreen after the bootanimation.
When I comment out the line marked fat underlined, it works, but does nothing (because this line is essential).
I have practically no idea why this isn't working.
I know that the input returned from Strings.read is valid.
My Question: What am I doing wrong?
Click to expand...
Click to collapse
I am doing something similar. Maybe you can get some ideas from my PermissionGranter at:
https://github.com/GravityBox/Gravi...co/lollipop/gravitybox/PermissionGranter.java
I thought it would be better to modify the query instead of lists itself, but I'll try that out. Thanks!
Now my Hook looks like this:
Code:
XC_MethodHook hookGrantPermissions = new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
String pkgName = (String) getObjectField(param.args[0], "packageName");
if (!(pkgName.equals(Strings.LLX) || pkgName.equals(Strings.LL))) return;
Object extras = getObjectField(param.args[0], "mExtras");
Set<String> grantedPerms = (Set<String>) getObjectField(extras, "grantedPermissions");
Object settings = getObjectField(param.thisObject, "mSettings");
Object permissions = getObjectField(settings, "mPermissions");
for (String perm : newPerms) {
Object permission = callMethod(permissions, "get", perm);
if (permission == null) continue;
grantedPerms.add(perm);
int[] gpGids = (int[]) getObjectField(extras, "gids");
int[] bpGids = (int[]) getObjectField(permission, "gids");
gpGids = (int[]) callStaticMethod(param.thisObject.getClass(),
"appendInts", gpGids, bpGids);
if (BuildConfig.DEBUG) XposedBridge.log("Permission added: " + permission);
}
}
};
But checkCallingOrSelfPermsisson still fails for the added permissions...
I get the log (in fact two times) but I still don't seem to have the permissions inside of the app.
Solved it myself. If there is a shared user, it has to be used instead of normal object.
Code:
XC_MethodHook hookGrantPermissions = new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
String pkgName = (String) getObjectField(param.args[0], "packageName");
if (!(pkgName.equals(Strings.LLX) || pkgName.equals(Strings.LL))) return;
Object extras = getObjectField(param.args[0], "mExtras");
Set<String> grantedPerms = (Set<String>) getObjectField(extras, "grantedPermissions");
Object sharedUser = getObjectField(extras, "sharedUser");
if(sharedUser != null) grantedPerms = (Set<String>) getObjectField(sharedUser, "grantedPermissions");
Object settings = getObjectField(param.thisObject, "mSettings");
Object permissions = getObjectField(settings, "mPermissions");
for (String perm : newPerms) {
Object permission = callMethod(permissions, "get", perm);
if (permission == null) continue;
grantedPerms.add(perm);
int[] gpGids = (int[]) getObjectField(sharedUser!=null?sharedUser:extras, "gids");
int[] bpGids = (int[]) getObjectField(permission, "gids");
callStaticMethod(param.thisObject.getClass(),
"appendInts", gpGids, bpGids);
if (BuildConfig.DEBUG) XposedBridge.log("Permission added: " + permission);
}
}
};
@C3C076 do you know any way how to get runtime (level dangerous) permissions on Android Marshmallow?
Getting normal permissions is actually a bit easier now, but I haven't found a way for runtime permissions.
Hello. I have this code.
Code:
public String getId() throws RemoteException {
Parcel data = Parcel.obtain();
Parcel reply = Parcel.obtain();
String id;
try {
data.writeInterfaceToken("com.google.android.gms.ads.identifier.internal.IAdvertisingIdService");
binder.transact(1, data, reply, 0);
reply.readException();
id = reply.readString();
} finally {
reply.recycle();
data.recycle();
}
return id;
}
How i can hook " id = reply.readString();" when a don't know method name like "getId()". Thanks.
PS: Sorry for my bad English.
Now i can hook "transact" method like this:
Code:
XposedHelpers.findAndHookMethod("android.os.BinderProxy", loadPackageParam.classLoader, "transact", int.class, Parcel.class, Parcel.class, int.class, new XC_MethodHook() {
protected void afterHookedMethod(XC_MethodHook.MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
IBinder binder = (IBinder) param.thisObject;
String interfaceBinder = binder.getInterfaceDescriptor();
if (interfaceBinder.equals("com.google.android.gms.ads.identifier.internal.IAdvertisingIdService")) {
// change result for readString
}
}
});
But i cant override "readString" result for Parcel (args[2]) object. How can i do this? Thanks.
public class MainActivity extends Activity {
EditText name, phonenumber, address;
Button insert;
RequestQueue requestQueue;
String insertUrl = "localhosti/insertCustomer.php";
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
/* CHECK INTERNET CONNECTION */
boolean mobileNwInfo = false;
ConnectivityManager conxMgr = (ConnectivityManager) getSystemService(CONNECTIVITY_SERVICE);
try { mobileNwInfo = conxMgr.getActiveNetworkInfo().isConnected(); }
catch (NullPointerException e) { mobileNwInfo = false; }
if ( mobileNwInfo == false ) {
Toast.makeText(this, "No Network, please check your connection. ", Toast.LENGTH_LONG).show();
}
/* CHECK INTERNET CONNECTION PROCEDURE DONE */
name = (EditText) findViewById(R.id.editText);
phonenumber= (EditText) findViewById(R.id.editText2);
address = (EditText) findViewById(R.id.editText3);
insert = (Button) findViewById(R.id.insert);
requestQueue = Volley.newRequestQueue(getApplicationContext());
insert.setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View view) {
final ProgressDialog pd = new ProgressDialog(MainActivity.this);
pd.setMessage("Booking Service ....");
pd.show();
StringRequest request = new StringRequest(Request.Method.POST, insertUrl, new Response.Listener<String>() {
@Override
public void onResponse(String response) {
pd.hide();
System.out.println(response.toString());
name.setText("");
phonenumber.setText("");
address.setText("");
Toast.makeText(getApplicationContext(), "Service successfully booked !!", Toast.LENGTH_LONG).show();
}
}, new Response.ErrorListener() {
@Override
public void onErrorResponse(VolleyError error) {
pd.hide();
Toast.makeText(getApplicationContext(), "Error: Please try again later.", Toast.LENGTH_LONG).show();
}
}) {
@Override
protected Map<String, String> getParams() throws AuthFailureError {
Map<String, String> parameters = new HashMap<String, String>();
parameters.put("name", name.getText().toString());
parameters.put("phonenumber", phonenumber.getText().toString());
parameters.put("address", address.getText().toString());
return parameters;
}
};
requestQueue.add(request);
}
});
}
}
Click to expand...
Click to collapse
how can i fetch the data from a spinner and post it to my db along with the current data ?
Hey guys, I am having problem with deleting the childview from my expandablelistview. It deletes (I think), however, when I add a new childview, it is the exact same as the one I just deleted.
youtu.be/eJjR9FEpaaY
codes below
My activity
Code:
public class PlanSetterAct extends AppCompatActivity {
private Button nextBtn;
private EditText planName, weekNum;
private ExpandableListView weekdayList;
List<String> listDataHeader;
HashMap<String, List<String>> listDataChild;
private PlanSetterListAdapter adapter;
private int childCount = 0;
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.plan_setter);
weekdayList = (ExpandableListView) findViewById(R.id.plan_setter_exercise_list);
nextBtn = (Button) findViewById(R.id.plan_next_btn);
planName = (EditText) findViewById(R.id.plan_name_edit);
weekNum = (EditText) findViewById(R.id.plan_num_edit);
prepareNextButton();
prepareExerciseList();
adapter = new PlanSetterListAdapter(this.getApplicationContext(),listDataHeader,listDataChild);
weekdayList.setAdapter(adapter);
exerciseListChildListener();
}
private void prepareNextButton(){
nextBtn.animate().setDuration(1000);
nextBtn.animate().translationXBy(-500);
nextBtn.setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View view) {
if(Checker.hasText(planName) && Checker.isNum(weekNum)){
Utilities.setButtonClickColor(nextBtn, Color.GREEN);
startActivity(new Intent(PlanSetterAct.this, UserMainAct.class));
finish();
Utilities.debugLog("Moving to UserMainAct");
}else{
Utilities.setButtonClickColor(nextBtn, Color.RED);
}
}
});
}
private void prepareExerciseList() {
listDataHeader = new ArrayList<String>();
listDataChild = new HashMap<String, List<String>>();
// Adding child data
listDataHeader.add("Monday");
listDataHeader.add("Tuesday");
listDataHeader.add("Wednesday");
listDataHeader.add("Thursday");
listDataHeader.add("Friday");
listDataHeader.add("Saturday");
listDataHeader.add("Sunday");
for(int i = 0; i < listDataHeader.size(); i++) {
listDataChild.put(listDataHeader.get(i), new ArrayList<String>());
}
}
private void exerciseListChildListener(){
weekdayList.setOnItemLongClickListener(new AdapterView.OnItemLongClickListener() {
@Override
public boolean onItemLongClick(AdapterView<?> parent, View view, int position, long id) {
ExpandableListView expandableListView = (ExpandableListView) parent;
long pos = expandableListView.getExpandableListPosition(position);
int itemType = ExpandableListView.getPackedPositionType(pos);
int groupPosition = ExpandableListView.getPackedPositionGroup(pos);
int childPosition = ExpandableListView.getPackedPositionChild(pos);
List<String> parentGroup = listDataChild.get(listDataHeader.get(groupPosition));
if(itemType == ExpandableListView.PACKED_POSITION_TYPE_GROUP){
parentGroup.add(childPosition+"");
adapter.notifyDataSetChanged();
return true;
}else if(itemType == ExpandableListView.PACKED_POSITION_TYPE_CHILD){
debugLog("Parent position: " + groupPosition +" | child position: " + childPosition);
parentGroup.remove(childPosition);
adapter.notifyDataSetChanged();
return true;
}
return false;
}
});
}
}
My Adapter
Code:
public class PlanSetterListAdapter extends BaseExpandableListAdapter {
private Context context;
private List<String> listDataHeader;
private HashMap<String, List<String>> listDataChild;
public PlanSetterListAdapter(Context context, List<String> listDataHeader,
HashMap<String, List<String>> listChildData) {
this.context = context;
this.listDataHeader = listDataHeader;
this.listDataChild = listChildData;
}
@Override
public Object getChild(int groupPosition, int childPosititon) {
return this.listDataChild.get(this.listDataHeader.get(groupPosition))
.get(childPosititon);
}
@Override
public long getChildId(int groupPosition, int childPosition) {
return childPosition;
}
@Override
public View getChildView(int groupPosition, final int childPosition,
boolean isLastChild, View convertView, ViewGroup parent) {
final LayoutInflater inflater;
if (convertView == null) {
inflater= (LayoutInflater) this.context.getSystemService(Context.LAYOUT_INFLATER_SERVICE);
convertView = inflater.inflate(R.layout.add_exercise_layout, null);
}
final LinearLayout txtListChild = (LinearLayout) convertView.findViewById(R.id.plan_setter_add_exercise);
final LinearLayout addExerciseLayout = (LinearLayout) txtListChild.getChildAt(0);
Button okBtn = (Button) addExerciseLayout.getChildAt(1);
//init and gone from xml
okBtn.setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View view) {
TextView errorView = (TextView) txtListChild.getChildAt(1);
TextView finalView = (TextView) txtListChild.getChildAt(2);
LinearLayout exerciseAddLayout = (LinearLayout) addExerciseLayout.getChildAt(0);
EditText exerciseNameEdit = ((EditText)exerciseAddLayout.getChildAt(0));
EditText exerciseLbsEdit = (EditText)exerciseAddLayout.getChildAt(2);
EditText exerciseRepsEdit = (EditText) exerciseAddLayout.getChildAt(4);
if(hasText(exerciseNameEdit) && isNum(exerciseLbsEdit) && isNum(exerciseRepsEdit)){
String exerciseNameStr = exerciseNameEdit.getText().toString();
String exerciseWeightStr = exerciseLbsEdit.getText().toString()+"lbs";
String exerciseRepsStr = exerciseLbsEdit.getText().toString()+"x";
finalView.setText(exerciseNameStr + " at " + exerciseWeightStr + " for " +exerciseRepsStr);
finalView.setTextSize(20);
//display
setVisibleAndAnimate(context,finalView);
addExerciseLayout.setVisibility(View.GONE);
errorView.setVisibility(View.GONE);
}else{
setVisibleAndAnimate(context,errorView);
}
}
});
return convertView;
}
@Override
public int getChildrenCount(int groupPosition) {
return this.listDataChild.get(this.listDataHeader.get(groupPosition))
.size();
}
@Override
public Object getGroup(int groupPosition) {
return this.listDataHeader.get(groupPosition);
}
@Override
public int getGroupCount() {
return this.listDataHeader.size();
}
@Override
public long getGroupId(int groupPosition) {
return groupPosition;
}
@Override
public View getGroupView(int groupPosition, boolean isExpanded,
View convertView, ViewGroup parent) {
String headerTitle = (String) getGroup(groupPosition);
if (convertView == null) {
LayoutInflater infalInflater = (LayoutInflater) this.context
.getSystemService(Context.LAYOUT_INFLATER_SERVICE);
convertView = infalInflater.inflate(R.layout.expandable_list_parent, null);
}
TextView lblListHeader = (TextView) convertView
.findViewById(R.id.lblListHeader);
lblListHeader.setTypeface(null, Typeface.BOLD);
lblListHeader.setText(headerTitle);
return convertView;
}
@Override
public boolean hasStableIds() {
return false;
}
@Override
public boolean isChildSelectable(int groupPosition, int childPosition) {
return true;
}
}
I am on pie so obviously its EdXposed running.
I want to hook a method which is like
Code:
public void setSensorBrightness(int var1) {
Log.d(TAG, "setSensorBrightness: " + var1);
AODCommonSettingsUtils.setBrightnessSettingValue(var1);
this.mSensorBrightness = var1;
}
this original method is located in class "com.samsung.android.app.aodservice.manager.BrightnessManager" and a package name is "com.samsung.android.app.aodservice"
I use reflection as suggested in tutorial otherwise it throws no class found exception.
My code is
Code:
@Override
public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable
{
if (!lpparam.packageName.equals("com.samsung.android.app.aodservice"))
return;
XposedHelpers.findAndHookMethod(
"com.samsung.android.app.aodservice.manager.BrightnessManager",
lpparam.classLoader,
"setSensorBrightness",
"int",
new MethodHook());
}
protected static class MethodHook extends XC_MethodHook
{
@Override
protected void beforeHookedMethod(MethodHookParam param)
throws Throwable
{
int x =3;
param.args[0]=x;
Log.d("Brightness_hack :", "works");
}
@Override
public boolean equals(Object o)
{
if (o instanceof MethodHook)
{
return true;
}
return super.equals(o);
}
@Override
public int hashCode()
{
return ~MethodHook.class.hashCode() ^ 0xdeadbeef;
}
}
Now my problem is its tooooooo slow hooks in like 15-20 mins and returns no result.
Am I missing something???