-
-
[分享]基于xposed的关机窃听的demo
-
发表于: 2014-11-13 13:30
-
上个月的geekpwn中天才少年flanker做了个关机窃听的演示,感觉很高大上。后来flanker在微博中也透露了基本思路,但是没有放出writeup,伤心,不过还是要感谢flanker的思路。为了能追逐天才少年的步伐,自己最近写了个xposed模块,实现了geekpwn中演示的部分功能,供大家拿去玩耍吧。
PS:碰巧与天才少年的ID相似,我想我们的id都来自Su27吧。哈哈
没什么好写的,说一下大致的hook流程吧
1、hook关机时的提示按钮
就是点“关机”按钮后弹出来的那个提示框中的“确定”按钮。
这是一个AlertDialog,所以hook住它的setPositiveButton函数,将参数中的onClickListener对象替换掉。
在自定义的onClickListener中实现,播放关机动画,设置屏幕超时等功能。
播放关机动画的地方有点问题,执行一次关机动画命令bootanimation只能播放大概5s钟就停了,为了播放的长一点,播放了两次,然后屏幕超时,自动熄屏。为了标明当前处在“假关机”状态,将状态写入了文件/data/local/tmp/1024.hack中,这应该是最简单的方法了吧,有人说还可以通过broadcast或者service来完成进程间通信,没有测试。
2、hook电源服务,防止屏幕亮起
hook住PowerManagerService中的setScreenStateLocked方法,阻止点亮屏幕。
3、处理电源按键
在“假关机”状态中处理电源按键,如果检测到长按,执行reboot命令重启手机,清除1024.hack中的假关机标志。
4、hook来电
hook 住CallNotifier中的handleMessage方法,如果检测到新的来电,直接调用PhoneUtils中的answerCall方法,就可以接通电话。
没了,就实现了这么点东西。其中会有不少bug,尤其是在全局的标志文件1024.hack上。不知道天才flanker是怎么实现的。我自己也是想拿来玩玩的,也并没有像把它写成真正有攻击性的木马,毕竟那也是需要深厚功力的。另外,对于TK在微博中提到的那些细节点(参考教主微博f4cK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6W2K9h3u0G2i4K6u0W2j5$3!0E0i4K6u0r3x3e0b7H3x3e0f1J5y4K6f1#2x3#2)9J5c8V1u0K6P5h3N6Z5K9Y4A6B7h3W2)9K6c8Y4u0W2k6W2)9K6c8q4)9J5y4Y4c8&6M7r3g2Q4x3@1c8U0L8$3#2E0k6h3&6@1i4@1g2r3i4@1u0o6i4K6R3&6i4@1g2r3i4@1u0o6i4K6S2o6i4@1f1@1i4@1t1^5i4@1q4m8i4@1f1@1i4@1u0m8i4@1u0m8i4@1f1#2i4K6S2r3i4@1q4m8i4@1f1#2i4K6S2q4i4@1u0n7i4@1f1$3i4K6R3K6i4@1t1K6i4@1f1@1i4@1u0m8i4K6R3$3i4@1f1@1i4@1t1^5i4K6R3H3i4@1f1@1i4@1t1^5i4K6S2n7i4@1f1&6i4K6R3J5i4@1p5K6i4@1f1@1i4@1t1^5i4@1q4m8i4@1f1J5i4K6R3H3i4K6W2o6i4@1f1$3i4K6R3J5i4@1p5^5i4@1f1$3i4K6S2n7i4@1p5^5i4@1f1$3i4K6R3&6i4K6V1K6i4@1f1%4i4K6W2m8i4K6R3@1i4@1f1%4i4K6V1@1i4@1t1#2i4@1f1^5i4@1q4r3i4K6W2p5i4@1f1#2i4@1t1%4i4@1t1J5i4@1f1#2i4K6R3#2i4@1t1K6i4@1f1$3i4K6W2o6i4@1u0m8i4@1f1J5i4K6R3H3i4K6W2p5i4@1g2r3i4@1u0o6i4K6S2o6i4@1f1$3i4K6R3K6i4@1t1K6i4@1f1%4i4K6V1@1i4@1p5^5i4@1f1^5i4@1u0p5i4@1q4o6i4@1f1$3i4K6S2q4i4@1p5#2i4@1f1%4i4K6W2m8i4K6R3@1i4@1f1$3i4K6V1$3i4@1t1&6i4@1f1$3i4@1t1K6i4K6V1#2i4@1f1#2i4@1q4q4i4K6W2q4i4@1f1%4i4K6S2q4i4@1t1H3i4@1g2r3i4@1u0o6i4K6S2o6i4@1f1#2i4K6V1H3i4K6S2q4i4@1f1$3i4K6W2p5i4@1p5#2i4@1f1%4i4K6W2o6i4K6S2n7i4@1f1@1i4@1u0m8i4K6R3$3i4@1f1%4i4K6R3J5i4@1t1&6i4@1f1^5i4@1t1#2i4K6R3@1i4@1f1$3i4K6V1$3i4K6V1&6i4@1g2r3i4@1u0o6i4K6S2o6i4@1f1#2i4@1p5#2i4@1u0p5i4@1f1#2i4K6R3K6i4K6S2r3i4@1f1$3i4K6V1^5i4@1q4r3i4@1f1$3i4@1t1J5i4@1p5I4i4@1f1$3i4K6W2o6i4K6R3&6i4@1f1$3i4K6V1$3i4@1t1&6i4@1f1$3i4@1t1K6i4K6V1#2i4@1f1^5i4K6R3K6i4@1u0p5i4@1f1#2i4@1q4q4i4K6W2q4i4@1f1$3i4K6V1%4i4@1t1$3i4@1f1%4i4K6W2m8i4K6R3@1i4@1f1^5i4@1u0p5i4@1q4o6i4@1f1$3i4K6S2q4i4@1p5#2i4@1f1@1i4@1t1^5i4K6R3H3i4@1f1@1i4@1t1^5i4@1q4m8i4@1f1^5i4@1u0r3i4K6W2n7i4@1f1$3i4K6W2p5i4@1p5#2i4@1f1%4i4K6W2m8i4K6R3@1i4@1f1$3i4K6W2p5i4@1p5#2i4@1f1%4i4K6V1@1i4@1t1#2i4@1f1K6i4K6R3H3i4K6R3J5i4@1f1@1i4@1t1^5i4K6S2p5i4@1f1%4i4K6W2r3i4@1p5#2i4@1f1&6i4K6R3I4i4K6V1K6i4@1f1#2i4K6V1H3i4K6R3@1i4@1f1@1i4@1u0p5i4K6S2p5i4@1f1#2i4@1p5@1i4@1p5%4i4@1f1%4i4K6R3&6i4K6W2n7i4@1f1$3i4K6W2o6i4K6R3&6i4@1f1@1i4@1u0n7i4K6R3H3i4@1f1@1i4@1t1&6i4K6R3^5i4@1f1$3i4K6R3K6i4@1t1K6i4@1f1$3i4@1t1K6i4K6V1#2i4@1g2r3i4@1u0o6i4K6S2o6i4@1f1$3i4K6W2o6i4K6R3&6i4@1f1%4i4K6W2m8i4K6R3@1i4@1f1^5i4@1q4r3i4K6W2p5i4@1f1#2i4K6S2r3i4@1q4r3i4@1f1@1i4@1u0n7i4@1p5#2i4@1f1%4i4K6R3J5i4@1t1&6i4@1f1$3i4K6S2n7i4@1p5^5i4@1f1@1i4@1t1^5i4K6R3H3i4@1f1@1i4@1t1^5i4K6S2n7i4@1f1#2i4@1t1H3i4K6S2r3i4@1f1#2i4@1u0o6i4K6W2r3i4@1f1K6i4K6R3H3i4K6R3J5
-----------------------------------
代码可以参考@monsterok牛的,我就不持续性丢人了。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
同膜拜。代码要不要写的这么漂亮。
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
