Xposed为何对京东无法生效

2020-11-06

Word count: 1.4k | Reading time≈ 6 min

前一阵子对京东的一个功能比较好奇于是就有了逆向京东的想法,我熟练的拿起了jadx对京东进行反编译居然没有混淆心中狂喜很快就找到入口点,于是又祭出了Xposed大法飞快的写了个插件Hook了Activity的onCreate方法,我迫不及待的跑了起来结果hook貌似没有生效任何Log都没有输出,反复检查后仍不得其解不过此时的我已心中暗暗猜测京东应该有一些反Xposed的机制,因为之前曾见过”酷安”和”知乎”也有这样的功能,于是又Hook了像Class.forName 和ClassLoader.loadClass这样的函数来验证一下我的想法

XposedHelpers.findAndHookMethod(ClassLoader.class, "loadClass", String.class, new XC_MethodHook()
{
	@Override
	protected void beforeHookedMethod(MethodHookParam param) throws Throwable
	{
		if(((String)param.args[0]).startsWith("de.robv.android.xposed"))
		{
		Log.d("Kaisar", "loadclass:" + Arrays.toString(param.args), new Throwable());
		param.setThrowable(new ClassNotFoundException());
		}
	}
});
XposedHelpers.findAndHookMethod(Class.class, "forName", String.class, new XC_MethodHook()
{
	@Override
	protected void beforeHookedMethod(MethodHookParam param) throws Throwable
	{
		if(((String)param.args[0]).startsWith("de.robv.android.xposed"))
		{
		Log.d("Kaisar", "forName:" + Arrays.toString(param.args), new Throwable());
		param.setThrowable(new ClassNotFoundException());
		}
	}
});

这是抓到的log:

2020-11-06 19:54:14.503 30297-30297/? D/Kaisar: loadclass:[de.robv.android.xposed.XposedBridge]
    java.lang.Throwable
        at com.kaisar.jdplugin.MainPlugin$1.beforeHookedMethod(MainPlugin.java:38)
        at de.robv.android.xposed.XC_MethodHook.callBeforeHookedMethod(XC_MethodHook.java:51)
        at com.swift.sandhook.xposedcompat.hookstub.HookStubManager.hookBridge(HookStubManager.java:281)
        at com.swift.sandhook.xposedcompat.hookstub.MethodHookerStubs32.stub_hook_5(MethodHookerStubs32.java:228)
        at java.lang.Runtime.nativeLoad(Native Method)
        at java.lang.Runtime.loadLibrary0(Runtime.java:1014)
        at java.lang.System.loadLibrary(System.java:1669)
        at com.jingdong.app.mall.JDApp.loadLib(JDApp.java:134)
        at com.jingdong.app.mall.JDApp.<clinit>(Unknown Source:0)
        at java.lang.reflect.Constructor.newInstance0(Native Method)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:343)
        at com.jd.chappie.loader.ChappieApplication.reflectClientApplication(Unknown Source:23)
        at com.jd.chappie.loader.ChappieApplication.attachBaseContext(Unknown Source:3)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.swift.sandhook.SandHook.callOriginMethod(SandHook.java:185)
        at com.swift.sandhook.SandHook.callOriginMethod(SandHook.java:163)
        at com.swift.sandhook.xposedcompat.hookstub.HookStubManager.hookBridge(HookStubManager.java:304)
        at com.swift.sandhook.xposedcompat.hookstub.MethodHookerStubs32.stub_hook_6(MethodHookerStubs32.java:234)
        at android.app.Application.attach(Application.java:212)
        at android.app.Instrumentation.newApplication(Instrumentation.java:1122)
        at android.app.LoadedApk.makeApplication(LoadedApk.java:1052)
        at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5877)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.swift.sandhook.SandHook.callOriginMethod(SandHook.java:185)
        at com.swift.sandhook.SandHook.callOriginMethod(SandHook.java:163)
        at com.swift.sandhook.xposedcompat.hookstub.HookStubManager.hookBridge(HookStubManager.java:304)
        at com.swift.sandhook.xposedcompat.hookstub.MethodHookerStubs32.stub_hook_0(MethodHookerStubs32.java:198)
        at android.app.ActivityThread.access$1100(ActivityThread.java:200)
        at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1660)
        at android.os.Handler.dispatchMessage(Handler.java:106)
        at android.os.Looper.loop(Looper.java:193)
        at android.app.ActivityThread.main(ActivityThread.java:6762)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:858)

天网恢恢疏而不漏,结果还真的发现在京东一个so中加载了XposedBridge这个类,京东再怎么说也是购物支付软件反Xposed这点技术肯定还是要做的,没关系既然Xposed hook不了的东西那就自己动手hook一下吧,于是在Application的attachBaseContext方法之前手动Hook了ActivityThread的mH变量中的一些关键函数并且输出一些log

XposedHelpers.findAndHookMethod("com.jd.chappie.loader.ChappieApplication", lpparam.classLoader, "attachBaseContext", Context.class, new XC_MethodHook()
{
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable
    {
        Log.d("Kaisar", "attachBaseContext before:" + getClass().getName());
        try
        {
            Class<?> ActivityThread = Class.forName("android.app.ActivityThread");
            Object currentActivityThread = ActivityThread.getMethod("currentActivityThread").invoke(null);
            Field mH = ActivityThread.getDeclaredField("mH");
            mH.setAccessible(true);
            Handler handler = (Handler)mH.get(currentActivityThread);
            Field mCallback = Handler.class.getDeclaredField("mCallback");
            mCallback.setAccessible(true);
            mCallback.set(handler, new Handler.Callback()
            {
                @Override
                public boolean handleMessage(@NonNull Message msg)
                {
                    Log.d("Kaisar", "handler:" + msg);
                    return false;
                }
            });
        }
        catch(Exception e)
        {
            Log.e("Kaisar", "hook handler failed", e);
        }
    }

    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable
    {
        Log.d("Kaisar", "attachBaseContext after:" + getClass().getName());
    }
});

不过奇怪的事情发生了hook还是没有发生任何作用,按道理来说不通过Xposed hook, 京东是不太容易知道hook了哪些函数,但是竟然没有任何log输出很奇怪,于是我又在attachBaseContext之前启动了一个线程延迟十秒以确保attchBaseContext流程走完检查hook点并输出日志但是更奇怪的是线程延迟了10秒竟还是没有任何输出

@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable
{
    Log.d("Kaisar", "attachBaseContext before:" + getClass().getName());
    try
    {
        Class<?> ActivityThread = Class.forName("android.app.ActivityThread");
        Object currentActivityThread = ActivityThread.getMethod("currentActivityThread").invoke(null);
        Field mH = ActivityThread.getDeclaredField("mH");
        mH.setAccessible(true);
        Handler handler = (Handler)mH.get(currentActivityThread);
        Field mCallback = Handler.class.getDeclaredField("mCallback");
        mCallback.setAccessible(true);
        mCallback.set(handler, new Handler.Callback()
        {
            @Override
            public boolean handleMessage(@NonNull Message msg)
            {
                Log.d("Kaisar", "handler:" + msg);
                return false;
            }
        });
        Log.d("Kaisar", "hook handler ok");
        Object o = mCallback.get(handler);
        Log.d("Kaisar", "check handler:" + mCallback.get(handler));
        new Thread(new Runnable()
        {
            @Override
            public void run()
            {
                try
                {
                    Log.d("Kaisar", "wait delay check handle");
                    SystemClock.sleep(5000);
                    Log.d("Kaisar", "delay check handler:" + mCallback.get(handler));
                }
                catch(Throwable e)
                {
                    Log.e("Kaisar", "delay check failed", e);
                }
            }
        }).start();
    }
    catch(Exception e)
    {
        Log.e("Kaisar", "hook handler failed", e);
    }
}

难道说京东竟然可以检测到我开了线程并把我的线程给停掉了? 事情好像没有那么简单了于是上Xposed开发群里问问大佬看看有没有遇到过结果还真有!

大佬说:狗东把log给吃了… (划重点此题必考) 于是我把打log的地方换成了写文件果然log有了 WTF 就这么简单? 这你敢信? 我以为用了什么宇宙无敌黑科技结果就这搞了我几个小时? 卒…

Donate

Copyright： Copyright is owned by the author. For commercial reprints, please contact the author for authorization. For non-commercial reprints, please indicate the source.