improve ClassHunter

Author: binarynoise

ClassHunter/build.gradle.kts

@@ -24,4 +24,7 @@ android {
     }
 }
 
-dependencies {}
+dependencies {
+    implementation(libs.libsu.core)
+    implementation(projects.logger)
+}

ClassHunter/src/main/AndroidManifest.xml

@@ -2,7 +2,23 @@
 <manifest
     xmlns:android="http://schemas.android.com/apk/res/android">
 
-    <application android:label="ClassHunter">
+    <application
+        android:label="ClassHunter"
+        android:theme="@android:style/Theme.DeviceDefault.Settings"
+        >
+        <activity
+            android:name="de.binarynoise.classHunter.SetScopeActivity"
+            android:exported="true"
+            >
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+                <action android:name="android.intent.action.VIEW" />
+                
+                <category android:name="android.intent.category.LAUNCHER" />
+                <category android:name="android.intent.category.DEFAULT" />
+            </intent-filter>
+        </activity>
+        
         <meta-data
             android:name="xposedmodule"
             android:value="true"

ClassHunter/src/main/java/de/binarynoise/classHunter/Hook.kt

@@ -1,10 +1,13 @@
 package de.binarynoise.classHunter
 
+import java.net.URLClassLoader
 import java.security.SecureClassLoader
 import android.os.Build
 import android.util.Log
 import dalvik.system.BaseDexClassLoader
 import dalvik.system.DelegateLastClassLoader
+import dalvik.system.DexClassLoader
+import dalvik.system.InMemoryDexClassLoader
 import dalvik.system.PathClassLoader
 import de.binarynoise.ClassHunter.BuildConfig
 import de.robv.android.xposed.IXposedHookLoadPackage
@@ -36,31 +39,31 @@ class Hook : IXposedHookLoadPackage, IXposedHookZygoteInit {
         collectParents(bootClassLoader, "bootClassLoader", classLoaders)
 
         Log.i(TAG, "currently known classloaders:")
-        classLoaders.forEach {
-            Log.v(TAG, "${it.toObjectString()} - $it")
+        classLoaders.forEach { classLoader ->
+            Log.v(TAG, "${classLoader.toObjectString()} - $classLoader")
 
             BuildConfig.targetClass.forEach { className ->
                 try {
-                    val cls = Class.forName(className, false, it)
-                    Log.i(TAG, " - found class: ${cls.name} in package ${lpparam.packageName} by ${it.toObjectString()}")
+                    val cls = Class.forName(className, false, classLoader)
+                    Log.i(TAG, " - found class: ${cls.name} in package ${lpparam.packageName} by ${cls.toObjectString()}")
 
                     Log.i(TAG, " - constructors:")
                     cls.declaredConstructors.map { c -> "${c.name}(${c.parameters.joinToString(", ") { p -> p.name + " " + p.type.name }})" }
                         .sorted()
                         .forEach { c ->
-                            Log.v(TAG, "  - $it")
+                            Log.v(TAG, "  - $c")
                         }
 
                     Log.i(TAG, " - methods:")
                     cls.declaredMethods.map { m -> "${m.returnType.name} ${m.name}(${m.parameters.joinToString(", ") { p -> p.name + " " + p.type.name }})" }
                         .sorted()
                         .forEach { m ->
-                            Log.v(TAG, "  - $it")
+                            Log.v(TAG, "  - $m")
                         }
 
                     Log.i(TAG, " - fields:")
                     cls.declaredFields.map { f -> "${f.type.name} ${f.name}" }.sorted().forEach { f ->
-                        Log.v(TAG, "  - $it")
+                        Log.v(TAG, "  - $f")
                     }
                 } catch (_: Throwable) {
                 }
@@ -78,11 +81,11 @@ class Hook : IXposedHookLoadPackage, IXposedHookZygoteInit {
         val classLoaderClasses = mutableSetOf<Class<*>>(
             ClassLoader::class.java,
             SecureClassLoader::class.java,
-//            URLClassLoader::class.java,
+            URLClassLoader::class.java,
             BaseDexClassLoader::class.java,
-//            PathClassLoader::class.java,
-//            InMemoryDexClassLoader::class.java,
-//            DexClassLoader::class.java,
+            PathClassLoader::class.java,
+            InMemoryDexClassLoader::class.java,
+            DexClassLoader::class.java,
             ClassLoader.getSystemClassLoader()::class.java, // BootClassLoader
         )
 
@@ -107,8 +110,7 @@ class Hook : IXposedHookLoadPackage, IXposedHookZygoteInit {
                     }
                 }
             }
-            var loadNewClassloaderHook: MethodHook? = null
-            loadNewClassloaderHook = object : MethodHook() {
+            val loadNewClassloaderHook = object : MethodHook() {
                 override fun afterHookedMethod(param: MethodHookParam) {
                     if (param.thisObject !is PathClassLoader) {
                         Log.v(TAG, "Created a new ClassLoader: ${param.thisObject.toObjectString()} ${param.thisObject}")
@@ -119,9 +121,9 @@ class Hook : IXposedHookLoadPackage, IXposedHookZygoteInit {
                         Log.i(TAG, "Found a new ClassLoader class: ${cls}, created by ${cls.classLoader}")
                     }
                     try {
-                        
-                        XposedBridge.hookAllConstructors(it, loadNewClassloaderHook)
-                        XposedBridge.hookAllMethods(it, "loadClass", loadClassHook)
+                        // Will hang the device:
+                        // XposedBridge.hookAllConstructors(it, loadNewClassloaderHook) 
+                        // XposedBridge.hookAllMethods(it, "loadClass", loadClassHook)
                     } catch (_: Throwable) {
                     }
                 }
@@ -133,6 +135,8 @@ class Hook : IXposedHookLoadPackage, IXposedHookZygoteInit {
             } catch (_: Throwable) {
             }
         }
+        
+        Log.i(TAG, "Zygote looking for ${targetClassesShortName.joinToString()} in ${classLoaderClasses.size} ClassLoader classes")
     }
 }
 

ClassHunter/src/main/java/de/binarynoise/classHunter/SetScopeActivity.kt

@@ -0,0 +1,99 @@
+package de.binarynoise.classHunter
+
+import kotlin.concurrent.thread
+import android.annotation.SuppressLint
+import android.app.Activity
+import android.os.Bundle
+import android.widget.Button
+import android.widget.LinearLayout
+import android.widget.TextView
+import com.topjohnwu.superuser.Shell
+import de.binarynoise.ClassHunter.BuildConfig
+import de.binarynoise.ClassHunter.R
+import de.binarynoise.logger.Logger
+
+class SetScopeActivity : Activity() {
+    
+    override fun onCreate(savedInstanceState: Bundle?) {
+        super.onCreate(savedInstanceState)
+        setContentView(R.layout.set_scope_activity)
+        
+        val setScopeButton = findViewById<Button>(R.id.set_scope_button)
+        val rebootButton = findViewById<Button>(R.id.reboot_button)
+        val list = findViewById<LinearLayout>(R.id.log)
+        
+        setScopeButton.setOnClickListener {
+            thread {
+                try {
+                    log(list, "requesting root...")
+                    Shell.enableVerboseLogging = BuildConfig.DEBUG
+                    Shell.getShell()
+                    log(list, "got root")
+                    
+                    val lsposedDB = """/data/adb/lspd/config/modules_config.db"""
+                    
+                    log(list, Shell.cmd("/system/bin/id").exec().out.joinToString())
+                    
+                    val mid: Int =
+                        Shell.cmd("""sqlite3 $lsposedDB "SELECT mid FROM modules WHERE module_pkg_name = '${BuildConfig.APPLICATION_ID}';"""")
+                            .exec()
+                            .let { result ->
+                                check(result.isSuccess) { "Error:\n${result.err.joinToString("\n")}" }
+                                result.out.single().toInt()
+                            }
+                    log(list, "my mid: $mid")
+                    
+                    log(list, "querying packages...")
+                    val packages: MutableList<String> = Shell.cmd("pm list packages").exec().let { result ->
+                        check(result.isSuccess) { "Error:\n${result.err.joinToString("\n")}" }
+                        result.out.asSequence().map { it.substringAfter(":") }.toMutableList()
+                    }
+                    packages += "system"
+                    
+                    log(list, "packages: ${packages.size}")
+                    
+                    log(list, "clearing scope...")
+                    Shell.cmd("""sqlite3 $lsposedDB "delete from scope where mid=$mid";""").exec().let { result ->
+                        check(result.isSuccess) { "Error:\n${result.err.joinToString("\n")}" }
+                    }
+                    
+                    log(list, "setting scope...")
+                    Shell.cmd("""sqlite3 $lsposedDB "INSERT INTO scope (mid, app_pkg_name, user_id) VALUES ${packages.joinToString { "($mid, '$it', 0)" }};"""")
+                        .exec()
+                        .let { result ->
+                            check(result.isSuccess) { "Error:\n${result.err.joinToString("\n")}" }
+                        }
+                    log(list, "done")
+                } catch (t: Throwable) {
+                    log(list, "Failed", t)
+                }
+            }
+        }
+        
+        rebootButton.setOnClickListener {
+            thread {
+                try {
+                    log(list, "rebooting...")
+                    Shell.cmd("svc power reboot").exec()
+                } catch (t: Throwable) {
+                    log(list, "Failed", t)
+                }
+            }
+        }
+    }
+    
+    @Suppress("NOTHING_TO_INLINE")
+    @SuppressLint("SetTextI18n")
+    private inline fun log(list: LinearLayout, message: String, throwable: Throwable? = null) {
+        if (throwable == null) Logger.log(message) else Logger.log(message, throwable)
+        runOnUiThread {
+            list.addView(TextView(this).apply {
+                if (throwable == null) {
+                    text = message
+                } else {
+                    text = message + "\n" + throwable.message
+                }
+            })
+        }
+    }
+}

ClassHunter/src/main/res/layout/set_scope_activity.xml

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="utf-8"?>
+<LinearLayout
+    xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools"
+    android:orientation="vertical"
+    android:layout_width="match_parent"
+    android:layout_height="match_parent"
+    android:padding="12dp"
+    tools:context="de.binarynoise.classHunter.SetScopeActivity"
+    >
+    
+    <Button
+        android:text="Set Scope"
+        android:layout_width="match_parent"
+        android:layout_height="wrap_content"
+        android:id="@+id/set_scope_button"
+        style="@android:style/Widget.DeviceDefault.Button"
+        android:textAllCaps="false"
+        />
+    
+    <Button
+        android:text="Reboot"
+        android:layout_width="match_parent"
+        android:layout_height="wrap_content"
+        android:id="@+id/reboot_button"
+        style="@android:style/Widget.DeviceDefault.Button"
+        android:textAllCaps="false"
+        />
+    
+    <ScrollView
+        android:layout_width="match_parent"
+        android:layout_height="match_parent"
+        >
+        
+        <LinearLayout
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:orientation="vertical"
+            android:id="@+id/log"
+            />
+    </ScrollView>
+
+
+</LinearLayout>

gradle/libs.versions.toml

@@ -5,6 +5,7 @@ androidTools = "31.9.0"
 androidxAnnotation = "1.9.1"
 collection = "1.5.0"
 collectionKtx = "1.5.0"
+libsu = "6.0.0"
 githubApi = "1.321"
 hiddenapibypass = "5.0"
 jebrainsAnnotations = "26.0.2"
@@ -24,6 +25,7 @@ jebtrains-annotations = { module = "org.jetbrains:annotations", version.ref = "j
 kotlin-bom = { module = "org.jetbrains.kotlin:kotlin-bom", version.ref = "kotlin" }
 kotlin-gradlePlugin = { module = "org.jetbrains.kotlin:kotlin-gradle-plugin" }
 kotlin-stdlib-jdk8 = { module = "org.jetbrains.kotlin:kotlin-stdlib-jdk8" }
+libsu-core = { module = "com.github.topjohnwu.libsu:core", version.ref = "libsu" }
 xposed-api = { module = "de.robv.android.xposed:api", version.ref = "xposed" }
 
 [plugins]

settings.gradle.kts

@@ -30,7 +30,7 @@ dependencyResolutionManagement {
             }
         }
         mavenCentral()
-//        maven("https://jitpack.io")
+        maven("https://jitpack.io")
 //        gradlePluginPortal()
     }
 }