1、Hook普通方法、打印参数和修改返回值
Hook函数
Hook代码
function hookTest1(){var utils = Java.use("com.zj.wuaipojie.Demo");utils.a.implementation = function(str){// a = "test";var retval = this.a(str);console.log(str , retval);return retval;}
}function main(){Java.perform(function(){hookTest1();});
}
setImmediate(main);2、Hook重载参数
Hook的函数:
Hook代码
// .overload()
// .overload('自定义参数')
// .overload('int')
function hookTest2(){var utils = Java.use("com.zj.wuaipojie.Demo");//overload定义重载函数Inner,根据函数的参数类型填utils.Inner.overload('com.zj.wuaipojie.Demo$Animal','java.lang.String').implementation = function(a,b){b = "aaaaaaaaaa";//将修改后的参数传给原方法this.Inner(a,b);console.log(a);console.log(b);}
}function main(){Java.perform(function(){hookTest2();});
}
setImmediate(main);3、Hook构造函数
方法
代码
function hookTest3(){var utils = Java.use("com.zj.wuaipojie.Demo");//修改类的构造函数的实现,$init表示构造函数utils.$init.overload('java.lang.String').implementation = function(str){console.log(str);str = "52";this.$init(str);}
}function main(){Java.perform(function(){hookTest3();});
}
setImmediate(main);
4、hook静态变量的值
方法
代码
function hookTest4(){Java.perform(function(){//静态字段的修改var utils = Java.use("com.zj.wuaipojie.Demo");//修改类的静态字段"flag"的值utils.staticField.value = "我是被修改的静态变量";console.log(utils.staticField.value);//非静态字段的修改//使用`Java.choose()`枚举类的所有实例});}function main(){Java.perform(function(){hookTest4();});
}
setImmediate(main);5、hook动态变量的值
方法
代码
function hookTest5(){//performJava.perform(function(){//使用`Java.choose()`枚举类的所有实例Java.choose("com.zj.wuaipojie.Demo", {//onMatch循环匹配内存中com.zj.wuaipojie.Demo类中的实例传给objonMatch: function(obj){//修改实例的非静态字段"_privateInt"的值为"123456",并修改非静态字段"privateInt"的值为9999。// obj._privateInt.value = "123456"; //字段名与函数名相同 前面加个下划线obj.privateInt.value = 9999;console.log(obj.privateInt.value);},onComplete: function(){}});});}function main(){Java.perform(function(){hookTest5();});
}
setImmediate(main);6、Hook内部类
方法
代码
function hookTest6(){Java.perform(function(){//内部类var innerClass = Java.use("com.zj.wuaipojie.Demo$InnerClass");console.log(innerClass);innerClass.$init.implementation = function(){console.log("eeeeeeee");}});
}function main(){Java.perform(function(){hookTest6();});
}
setImmediate(main);7、枚举所有的类与类的所有方法
function hookTest7(){Java.perform(function(){//枚举所有的类与类的所有方法,异步枚举Java.enumerateLoadedClasses({onMatch: function(name,handle){//过滤类名if(name.indexOf("com.zj.wuaipojie.Demo") !=-1){console.log(name);var clazz =Java.use(name);console.log(clazz);var methods = clazz.class.getDeclaredMethods();console.log(methods);}},onComplete: function(){}})})
}
function main(){Java.perform(function(){hookTest7();});
}
setImmediate(main);8、枚举所有方法
function hookTest8(){Java.perform(function(){var Demo = Java.use("com.zj.wuaipojie.Demo");//getDeclaredMethods枚举所有方法var methods =Demo.class.getDeclaredMethods();for(var j=0; j < methods.length; j++){var methodName = methods[j].getName();console.log(methodName);for(var k=0; k<Demo[methodName].overloads.length;k++){Demo[methodName].overloads[k].implementation = function(){for(var i=0;i<arguments.length;i++){console.log(arguments[i]);}return this[methodName].apply(this,arguments);}}}})
}
function main(){Java.perform(function(){hookTest8();});
}
setImmediate(main);方法输出
9、静态方法的主动调用
function hookTest9(){Java.perform(function(){var en=Java.use("com.zj.wuaipojie.Encode"); var ret = en.encode("addafd")console.log(ret);})
}
function main(){Java.perform(function(){hookTest9();});
}
setImmediate(main);10、动态方法的主动调用
//return ret;
function hookTest10(){Java.perform(function () {var ret = null;Java.choose("com.zj.wuaipojie.Demo",{ //要hook的类onMatch:function(instance){ret=instance.privateFunc("aaaaaaa"); //要hook的方法console.log("result: " + ret);},onComplete:function(){console.log("result: " + ret);}});})
}
function main(){Java.perform(function(){hookTest10();});
}
setImmediate(main);
