hookForceStop
调用:
frida -U -n system_server -l hook_systemServer.js
frida -U -f com.android.settings -l hook_systemServer.js
对应脚本:
hook_systemServer.js
/**
* Update: 20230920
* Usage:
* frida -U -n system_server -l hook_systemServer.js
*
* frida -U -f com.android.settings -l hook_systemServer.js
*/
/*******************************************************************************
* Const & Config
*******************************************************************************/
let CurAppPkgName = "com.wallpaper.hd.funny"
// Enable Not Call Filter
let enableNotCallFilter_Binder_execTransact = false
let enableNotCallFilter_AMS_startService = false
let enableNotCallFilter_AMS_startProcessLocked = false
let enableNotCallFilter_ActiveServices_bringUpServiceLocked = true
// let enableNotCallFilter_ActiveServices_bringUpServiceLocked = false
let enableNotCallFilter_ActiveServices_startServiceLocked = false
let enableNotCallFilter_ActiveServices_startServiceInnerLocked = false
let enableNotCallFilter_ProcessList_startProcessLocked = false
let enableNotCallFilter_ProcessList_handleProcessStartedLocked = false
let enableNotCallFilter_ContentProviderHelper_getContentProviderImpl = true
// let enableNotCallFilter_ContentProviderHelper_getContentProviderImpl = false
// let enableNotCallFilter_BroadcastQueue_processNextBroadcastLocked = false
let enableNotCallFilter_Handler_dispatchMessage = true
// let enableNotCallFilter_Handler_dispatchMessage = false
/*******************************************************************************
* Common Util
*******************************************************************************/
// convert Object(dict/list/...) to JSON string
function toJsonStr(curObj, singleLine=false, space=2){
// console.log("toJsonStr: singleLine=" + singleLine)
// var jsonStr = JSON.stringify(curObj, null, 2)
var jsonStr = JSON.stringify(curObj, null, space)
if(singleLine) {
// jsonStr = jsonStr.replace(/\\n/g, '')
jsonStr = jsonStr.replace(/\n/g, '')
}
return jsonStr
// return curObj.toString()
}
function describeJavaClass(className) {
var jClass = Java.use(className);
console.log(JSON.stringify({
_name: className,
_methods: Object.getOwnPropertyNames(jClass.__proto__).filter(m => {
// _methods: Object.getOwnPropertyDescriptor(jClass.__proto__).filter(m => {
// _methods: Object.getOwnPropertySymbols(jClass.__proto__).filter(m => {
return !m.startsWith('$') // filter out Frida related special properties
|| m == 'class' || m == 'constructor' // optional
}),
_fields: jClass.class.getFields().map(f => {
return f.toString()
})
}, null, 2))
}
// enumerate all methods declared in a Java class
function enumMethods(targetClass)
{
var hook = Java.use(targetClass);
var ownMethods = hook.class.getDeclaredMethods();
console.log("use getDeclaredMethods")
// var ownMethods = hook.class.getMethods();
// console.log("use getMethods")
hook.$dispose;
return ownMethods;
}
// enumerate all property=field declared in a Java class
function enumProperties(targetClass)
{
var hook = Java.use(targetClass);
// var ownMethods = hook.class.getFields();
// console.log("use getFields")
var ownFields = hook.class.getDeclaredFields();
console.log("use getDeclaredFields")
hook.$dispose;
return ownFields;
}
// print single java class all Functions=Methods and Fields=Properties
function printClassAllMethodsFields(javaClassName){
console.log("==========" + "Class: " + javaClassName + " ==========")
console.log("-----" + "All Properties" + "-----")
var allProperties = enumProperties(javaClassName)
allProperties.forEach(function(singleProperty) {
console.log(singleProperty)
})
console.log("-----" + "All Methods" + "-----")
// enumerate all methods in a class
var allMethods = enumMethods(javaClassName)
allMethods.forEach(function(singleMethod) {
console.log(singleMethod)
})
console.log("")
}
// generate current stack trace string
function genStackStr(ThrowableCls) {
let newThrowable = ThrowableCls.$new()
// console.log("genStackStr: newThrowable=" + newThrowable)
var stackElements = newThrowable.getStackTrace()
// console.log("genStackStr: stackElements=" + stackElements)
var stackStr = "Stack: " + stackElements[0] //method//stackElements[0].getMethodName()
for (var i = 1; i < stackElements.length; i++) {
stackStr += "\n at " + stackElements[i]
}
// stackStr = "\n\n" + stackStr
stackStr = stackStr + "\n"
// console.log("genStackStr: stackStr=" + stackStr)
return stackStr
}
// 打印当前调用堆栈信息 print call stack
function PrintStack(ThrowableCls) {
var stackStr = genStackStr(ThrowableCls)
console.log(stackStr)
// let newThrowable = ThrowableCls.$new()
// let curLog = Java.use("android.util.Log")
// let stackStr = curLog.getStackTraceString(newThrowable)
// console.log("stackStr=" + stackStr)
}
// generate Function call string
function genFunctionCallStr(funcName, funcParaDict){
var logStr = `${funcName}:`
// var logStr = funcName + ":"
var isFirst = true
for(var curParaName in funcParaDict){
let curParaValue = funcParaDict[curParaName]
var prevStr = ""
if (isFirst){
prevStr = " "
isFirst = false
} else {
prevStr = ", "
}
logStr = `${logStr}${prevStr}${curParaName}=` + curParaValue
// logStr = logStr + prevStr + curParaName + "=" + curParaValue
}
return logStr
}
// print Function call and stack trace string
function printFunctionCallAndStack(funcName, funcParaDict, ThrowableCls, filterList=undefined){
// console.log("filterList=" + filterList)
var needPrint = true
var functionCallStr = genFunctionCallStr(funcName, funcParaDict)
var stackStr = genStackStr(ThrowableCls)
if (filterList != undefined) {
needPrint = false
for (const curFilter of filterList) {
// console.log("curFilter=" + curFilter)
if (stackStr.includes(curFilter)) {
needPrint = true
// console.log("needPrint=" + needPrint)
break
}
}
}
if (needPrint) {
var functionCallAndStackStr = `${functionCallStr}\n${stackStr}`
// var functionCallAndStackStr = functionCallStr + "\n" + stackStr
// return functionCallAndStackStr
console.log(functionCallAndStackStr)
}
}
// find loaded classes that match a pattern (async)
function findClass(pattern)
{
console.log("Finding all classes that match pattern: " + pattern + "\n");
Java.enumerateLoadedClasses({
onMatch: function(aClass) {
if (aClass.match(pattern))
console.log(aClass)
},
onComplete: function() {}
});
}
/*----------------------------------------
Android Utils
----------------------------------------*/
function printProcessRecord(curProcessRecord){
console.log("printProcessRecord: curProcessRecord=" + curProcessRecord)
console.log(" mService=" + curProcessRecord.mService.value)
console.log(" mProcLock=" + curProcessRecord.mProcLock.value)
console.log(" info=" + curProcessRecord.info.value)
console.log(" processInfo=" + curProcessRecord.processInfo.value)
console.log(" isolated=" + curProcessRecord.isolated.value)
console.log(" isSdkSandbox=" + curProcessRecord.isSdkSandbox.value)
console.log(" appZygote=" + curProcessRecord.appZygote.value)
console.log(" uid=" + curProcessRecord.uid.value)
console.log(" userId=" + curProcessRecord.userId.value)
console.log(" processName=" + curProcessRecord.processName.value)
console.log(" sdkSandboxClientAppPackage=" + curProcessRecord.sdkSandboxClientAppPackage.value)
console.log(" sdkSandboxClientAppVolumeUuid=" + curProcessRecord.sdkSandboxClientAppVolumeUuid.value)
}
function getParcelInfo(curParcel){
var parcelDataSize = curParcel.dataSize()
var parcelDataCapacity = curParcel.dataCapacity()
// var parcelDataPosition = curParcel.dataPosition()
// var parcelInfoStr = "dataSize=" + parcelDataSize + ", dataCapacity=" + parcelDataCapacity + ", dataPositon = " + parcelDataPosition
var parcelInfoStr = "Parcel: " + curParcel + ", dataSize=" + parcelDataSize + ", dataCapacity=" + parcelDataCapacity
return parcelInfoStr
}
// try to read Parcel string
function tryReadParcelString(curParcel){
var parcelDataSize = curParcel.dataSize()
// console.log("curParcel=" + curParcel + ": parcelDataSize=" + parcelDataSize)
let StepSize = 4
var isFoundStr = false
var strDictList = []
var curStr = null
var curStepSize = 0
// var foundStr = null
// var strPos = -1
var foundStrNum = 0
for (var curPos = 0; curPos < parcelDataSize; curPos++) {
curStepSize = StepSize
curParcel.setDataPosition(curPos)
curStr = curParcel.readString()
if (curStr){
if (curStr === "") {
// empty string, continue try read other string
} else {
isFoundStr = true
foundStrNum += 1
// foundStr = curStr
// strPos = curPos
// console.log(" [" + curPos + "] string=" + curStr)
// console.log(" [" + strPos + "] string=" + foundStr)
var curStrDict = {"str": curStr, "pos": curPos}
strDictList.push(curStrDict)
var newPosition = curParcel.dataPosition()
var posDiff = newPosition - curPos
curStepSize = posDiff
// console.log(" [" + foundStrNum + "] strDict=" + toJsonStr(curStrDict, true) + ", pos: " + curPos + " -> " + newPosition +", curStepSize=" + curStepSize)
// break
}
}
curPos += curStepSize
}
// setDataPosition and readString maybe CHANGED position, so need reset position
curParcel.setDataPosition(0)
// if(isFoundStr){
// // var logStr = toJsonStr(strDictList, true, 1)
// var logStr = toJsonStr(strDictList, true, 0)
// console.log(" logStr=" + logStr)
// }
return {
"isFoundStr": isFoundStr,
"strDictList": strDictList
}
}
// print Intent info
function printIntentInfo(curIntent){
console.log("printIntentInfo: curIntent=" + curIntent)
var curComponent = curIntent.getComponent()
console.log(" Intent component=" + curComponent)
if (curComponent) {
var pkgName = curComponent.getPackageName()
var clsName = curComponent.getClassName()
var shortClsName = curComponent.getShortClassName()
var flattenedShortStr = curComponent.flattenToShortString()
var flattenedStr = curComponent.flattenToString()
console.log(" Intent Component info: pkgName=" + pkgName + ", clsName=" + clsName + ", shortClsName=" + shortClsName + ", flattenedStr=" + flattenedStr + ",flattenedShortStr=" + flattenedShortStr)
}
}
/*******************************************************************************
* Main Hook
*******************************************************************************/
function hookNativeFunc(){
// /Users/crifan/dev/dev_src/androidReverse/Android/android.googlesource.com/base-refs_heads_main/core/jni/android_util_Binder.cpp
// status_t onTransact( uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags = 0) override {
// var foundOnTransact = Module.findExportByName(null, "onTransact")
// let transactModuleName = "libBinder.so"
// let transactModuleName = "libbinder.so"
let transactModuleName = "libbinder_ndk.so"
var foundOnTransact = Module.findExportByName(transactModuleName, "onTransact")
console.log("foundOnTransact=" + foundOnTransact)
if (foundOnTransact) {
Interceptor.attach(foundOnTransact, {
onEnter: function(args) {
var code = args[0]
var data = args[1]
var reply = args[2]
var flags = args[3]
console.log("onTransact: code=" + code + ", data=" + data + ", reply=" + reply + ", flags=" + flags)
},
onLeave: function(retVal) {
console.log("onTransact: retval=" + retVal)
}
})
}
// var foundTransact = Module.findExportByName(null, "transact")
var foundTransact = Module.findExportByName(transactModuleName, "transact")
console.log("foundTransact=" + foundTransact)
}
function hookPrintTransactCodeValue(){
// ---------------------------------------- android.app.IActivityManager$Stub
var IActivityManagerStubClassName = "android.app.IActivityManager$Stub"
var IActivityManagerStubCls = Java.use(IActivityManagerStubClassName)
console.log("IActivityManagerStubCls=" + IActivityManagerStubCls)
// printClassAllMethodsFields(IActivityManagerStubClassName)
// console.log("IActivityManager$Stub: code_startService=" + code_startService + ", code_broadcastIntent=" + code_broadcastIntent + ", code_startInstrumentation=" + code_startInstrumentation + ", code_unbindService=" + code_unbindService)
var TRANSACTION_startService = IActivityManagerStubCls.TRANSACTION_startService.value
console.log("TRANSACTION_startService=" + TRANSACTION_startService)
var TRANSACTION_broadcastIntent = IActivityManagerStubCls.TRANSACTION_broadcastIntent.value
console.log("TRANSACTION_broadcastIntent=" + TRANSACTION_broadcastIntent)
var TRANSACTION_unbindService = IActivityManagerStubCls.TRANSACTION_unbindService.value
console.log("TRANSACTION_unbindService=" + TRANSACTION_unbindService)
var TRANSACTION_publishService = IActivityManagerStubCls.TRANSACTION_publishService.value
console.log("TRANSACTION_publishService=" + TRANSACTION_publishService)
var TRANSACTION_startInstrumentation = IActivityManagerStubCls.TRANSACTION_startInstrumentation.value
console.log("TRANSACTION_startInstrumentation=" + TRANSACTION_startInstrumentation)
var TRANSACTION_startActivity = IActivityManagerStubCls.TRANSACTION_startActivity.value
console.log("TRANSACTION_startActivity=" + TRANSACTION_startActivity)
// var TRANSACTION_startActivityAndWait = IActivityManagerStubCls.TRANSACTION_startActivityAndWait.value
// console.log("TRANSACTION_startActivityAndWait=" + TRANSACTION_startActivityAndWait)
// var TRANSACTION_startActivityAsCaller = IActivityManagerStubCls.TRANSACTION_startActivityAsCaller.value
// console.log("TRANSACTION_startActivityAsCaller=" + TRANSACTION_startActivityAsCaller)
var TRANSACTION_startActivityAsUser = IActivityManagerStubCls.TRANSACTION_startActivityAsUser.value
console.log("TRANSACTION_startActivityAsUser=" + TRANSACTION_startActivityAsUser)
var TRANSACTION_startActivityFromRecents = IActivityManagerStubCls.TRANSACTION_startActivityFromRecents.value
console.log("TRANSACTION_startActivityFromRecents=" + TRANSACTION_startActivityFromRecents)
// var TRANSACTION_startActivityIntentSender = IActivityManagerStubCls.TRANSACTION_startActivityIntentSender.value
// console.log("TRANSACTION_startActivityIntentSender=" + TRANSACTION_startActivityIntentSender)
// var TRANSACTION_startActivityWithConfig = IActivityManagerStubCls.TRANSACTION_startActivityWithConfig.value
// console.log("TRANSACTION_startActivityWithConfig=" + TRANSACTION_startActivityWithConfig)
var TRANSACTION_registerUidObserver = IActivityManagerStubCls.TRANSACTION_registerUidObserver.value
console.log("TRANSACTION_registerUidObserver=" + TRANSACTION_registerUidObserver)
var TRANSACTION_unhandledBack = IActivityManagerStubCls.TRANSACTION_unhandledBack.value
console.log("TRANSACTION_unhandledBack=" + TRANSACTION_unhandledBack)
var TRANSACTION_registerReceiver = IActivityManagerStubCls.TRANSACTION_registerReceiver.value
console.log("TRANSACTION_registerReceiver=" + TRANSACTION_registerReceiver)
var TRANSACTION_attachApplication = IActivityManagerStubCls.TRANSACTION_attachApplication.value
console.log("TRANSACTION_attachApplication=" + TRANSACTION_attachApplication)
// var TRANSACTION_activityIdle = IActivityManagerStubCls.TRANSACTION_activityIdle.value
// console.log("TRANSACTION_activityIdle=" + TRANSACTION_activityIdle)
var TRANSACTION_stopService = IActivityManagerStubCls.TRANSACTION_stopService.value
console.log("TRANSACTION_stopService=" + TRANSACTION_stopService)
var TRANSACTION_bindService = IActivityManagerStubCls.TRANSACTION_bindService.value
console.log("TRANSACTION_bindService=" + TRANSACTION_bindService)
var TRANSACTION_noteWakeupAlarm = IActivityManagerStubCls.TRANSACTION_noteWakeupAlarm.value
console.log("TRANSACTION_noteWakeupAlarm=" + TRANSACTION_noteWakeupAlarm)
var TRANSACTION_openContentUri = IActivityManagerStubCls.TRANSACTION_openContentUri.value
console.log("TRANSACTION_openContentUri=" + TRANSACTION_openContentUri)
var TRANSACTION_finishReceiver = IActivityManagerStubCls.TRANSACTION_finishReceiver.value
console.log("TRANSACTION_finishReceiver=" + TRANSACTION_finishReceiver)
// var TRANSACTION_startNextMatchingActivity = IActivityManagerStubCls.TRANSACTION_startNextMatchingActivity.value
// console.log("TRANSACTION_startNextMatchingActivity=" + TRANSACTION_startNextMatchingActivity)
var TRANSACTION_finishActivity = IActivityManagerStubCls.TRANSACTION_finishActivity.value
console.log("TRANSACTION_finishActivity=" + TRANSACTION_finishActivity)
}
function hookForceStop() {
if(!Java.available){
console.error("Java is not available")
return
}
console.log("Java is available")
console.log("Java.androidVersion=" + Java.androidVersion)
Java.perform(function () {
const ValidTransactCodeList = [
// 24,
// 26,
// 27,
// 28,
// 29,
// 30,
// 34,
3, // f12217h = START_ACTIVITY_TRANSACTION = 2+1 = 3
8, // TRANSACTION_startActivity= 7+1 = 8
27, // serviceCode = TRANSACTION_startService = 27
// 34, // serviceCode = START_SERVICE_TRANSACTION = 33+1 = 34
29, // TRANSACTION_bindService = 29
15, // broadcastCode = TRANSACTION_broadcastIntent = 14+1 = 15
// 14, // broadcastCode = BROADCAST_INTENT_TRANSACTION = 13+1 = 14, TRANSACTION_removeAccountExplicitly = 13+1 = 14
37, // instrumentationCode = TRANSACTION_startInstrumentation = 36+1= 37
// 44, // instrumentationCode = START_INSTRUMENTATION_TRANSACTION = 43+1= 44
]
hookNativeFunc()
var ThrowableCls = Java.use("java.lang.Throwable")
console.log("ThrowableCls=" + ThrowableCls)
let curLog = Java.use("android.util.Log")
console.log("curLog=" + curLog)
let Parcel = Java.use("android.os.Parcel")
console.log("Parcel=" + Parcel)
// // com.android.server.wm.ActivityStarter
// var serverCls = Java.use("com.android.server")
// console.log("serverCls=" + serverCls)
// var wmCls = serverCls.wm
// console.log("wmCls=" + wmCls)
// var ActivityStarterCls = wmCls.ActivityStarter
// console.log("ActivityStarterCls=" + ActivityStarterCls)
// // private int executeRequest(Request request) {
// hookPrintTransactCodeValue()
// ---------------------------------------- android.os.Binder
var BinderCls = Java.use("android.os.Binder")
console.log("BinderCls=" + BinderCls)
// private boolean execTransact(int code, long dataObj, long replyObj, int flags)
var execTransactFunc = BinderCls.execTransact
console.log("execTransactFunc=" + execTransactFunc)
if (execTransactFunc) {
execTransactFunc.implementation = function (code, dataObj, replyObj, flags) {
var shouldCallOrigFunc = true
// var logStr = ""
// if (ValidTransactCodeList.includes(code)) {
var dataParcel = Parcel.obtain(dataObj)
// var replyPacel = Parcel.obtain(replyObj)
// var dataParcelStr = dataParcel.toString()
// var replyPacelStr = replyPacel.toString()
// console.log("dataParcelStr=" + dataParcelStr + ", replyPacelStr=" + replyPacelStr)
var curParcelDataSize = dataParcel.dataSize()
// console.log(" curParcelDataSize=" + curParcelDataSize)
if (curParcelDataSize > 0) {
// let interfaceTokenStartPos = 1
// let interfaceTokenStartPos = 0
// let interfaceTokenStartPos = 4
// let interfaceTokenStartPos = 8
// dataParcel.setDataPosition(interfaceTokenStartPos)
// var interfaceTokenStr = dataParcel.readString()
// console.log(" interfaceTokenStr=" + interfaceTokenStr)
// var parcelStr = tryReadParcelString(dataParcel)
// var {parcelStr, strPos} = tryReadParcelString(dataParcel)
var readResultDict = tryReadParcelString(dataParcel)
// console.log("parcelStr=" + parcelStr + ", strPos=" + strPos)
var isFoundStr = readResultDict.isFoundStr
var strDictList = readResultDict.strDictList
if (isFoundStr) {
// var foundStrLog = ""
var strDictListStr = toJsonStr(strDictList, true, 0)
// console.log("Binder.execTransact: code=" + code + ", dataObj=" + dataObj + ", replyObj=" + replyObj + ", flags=" + flags)
var execTransactCallStr = "Binder.execTransact: code=" + code + ", dataObj=" + dataObj + ", replyObj=" + replyObj + ", flags=" + flags
// console.log(execTransactCallStr)
var dataParcelInfoStr = getParcelInfo(dataParcel)
// var replyPacelInfoStr = getParcelInfo(replyPacel)
// console.log("dataParcelInfoStr=" + dataParcelInfoStr + ", replyPacelInfoStr=" + replyPacelInfoStr)
// console.log(" dataParcel: strDictListStr=" + strDictListStr + ", infoStr=" + dataParcelInfoStr)
var dataParcelCurAppStr = " dataParcel: strDictListStr=" + strDictListStr + ", infoStr=" + dataParcelInfoStr
// console.log(dataParcelCurAppStr)
// for debug: found string not empty, then not call origin transact -> try find this function is true core trigger service or not
// if (parcelStr) {
// if (parcelStr === CurAppPkgName) {
var isCurApp = false
for (var idx = 0; idx < strDictList.length; idx++) {
var curStrDict = strDictList[idx]
var curPos = curStrDict["pos"]
var curStr = curStrDict["str"]
if (curStr.includes(CurAppPkgName)) {
isCurApp = true
// console.log(" Found [" + curPos + "] current app: " + curStr)
break
}
}
if (enableNotCallFilter_Binder_execTransact){
if (isCurApp) {
shouldCallOrigFunc = false
// console.log(" shouldCallOrigFunc=" + shouldCallOrigFunc)
}
}
var shouldLogDetail = false
if (isCurApp) {
shouldLogDetail = true
// console.log("shouldLogDetail=" + shouldLogDetail)
}
if (shouldLogDetail){
// var detailedLogStr = execTransactCallStr + "\n" + dataParcelCurAppStr
var detailedLogStr = `${execTransactCallStr}\n${dataParcelCurAppStr}`
// var detailedLogStr = execTransactCallStr + "\n" + dataParcelCurAppStr
console.log(detailedLogStr)
// foundStrLog = `${execTransactCallStr}\n${dataParcelCurAppStr}`
// // console.log("CurApp Binder.execTransact: code=" + code + ", dataObj=" + dataObj + ", replyObj=" + replyObj + ", flags=" + flags + "\n dataParcel: strDictListStr=" + strDictListStr + ", infoStr=" + dataParcelInfoStr)
// console.log("CurApp Binder.execTransact: code=" + code + ", dataObj=" + dataObj + ", replyObj=" + replyObj + ", flags=" + flags)
// console.log(" dataParcel: strDictListStr=" + strDictListStr + ", infoStr=" + dataParcelInfoStr)
// // logStr = `Binder.execTransact: code=${code}, dataObj=${dataObj}, replyObj=${replyObj}, flags=${flags}\n dataParcel: strDictListStr=${strDictListStr}, infoStr=${ dataParcelInfoStr}`
// // console.log("DetailLogStr=" + logStr)
} else {
// console.log("Simple Binder.execTransact: code=" + code + ", dataObj=" + dataObj + ", flags=" + flags)
// // logStr = `Simple: Binder.execTransact: code=${code}, dataObj=${dataObj}, flags=${flags}`
// // console.log("SimpleLogStr=" + logStr)
// foundStrLog = `Binder.execTransact: code=${code}, dataObj=${dataObj}, flags=${flags}`
var simpleLog = `Binder.execTransact: code=${code}, dataObj=${dataObj}, flags=${flags}`
// var simpleLog = "Binder.execTransact: code=" + code + ", dataObj=" + dataObj + ", flags=" + flags
console.log(simpleLog)
}
// console.log(foundStrLog)
}
// PrintStack(ThrowableCls)
} else {
console.log("Binder execTransact: code=" + code + ", 0 size data Parcel, flags=" + flags)
}
// }
if (shouldCallOrigFunc) {
// console.log(logStr)
return this.execTransact(code, dataObj, replyObj, flags)
} else {
// console.log(logStr)
console.log(" Not call Binder.execTransact")
return false
}
}
}
var IBinderClassName = "android.os.IBinder"
var IBinderCls = Java.use(IBinderClassName)
console.log("IBinderCls=" + IBinderCls)
// printClassAllMethodsFields(IBinderClassName)
var firstCallTransacton = IBinderCls.FIRST_CALL_TRANSACTION
console.log("firstCallTransacton=" + firstCallTransacton)
var firstCallTransactonValue = firstCallTransacton.value
console.log("firstCallTransactonValue=" + firstCallTransactonValue)
// public abstract boolean transact (int code, Parcel data, Parcel reply, int flags)
// var transactFunc = IBinderCls.transact
var transactFunc = BinderCls.transact
if (transactFunc) {
transactFunc.implementation = function (code, data, reply, flags) {
var transactOk = this.transact(code, data, reply, flags)
if (ValidTransactCodeList.includes(code)) {
console.log("Binder transact: code=" + code + ",data=" + data + ",reply=" + reply + ",flags=" + flags + " -> transactOk=" + transactOk)
PrintStack(ThrowableCls)
}
return transactOk
}
}
// protected boolean onTransact (int code, Parcel data, Parcel reply, int flags)
var onTransactFunc = BinderCls.onTransact
if (onTransactFunc) {
onTransactFunc.implementation = function (code, data, reply, flags) {
var transactOk = this.onTransact(code, data, reply, flags)
if (ValidTransactCodeList.includes(code)) {
console.log("Binder onTransact: code=" + code + ",data=" + data + ",reply=" + reply + ",flags=" + flags + " -> transactOk=" + transactOk)
PrintStack(ThrowableCls)
}
return transactOk
}
}
// ---------------------------------------- android.app.ContextImpl
var ContextImplClassName = "android.app.ContextImpl"
var ContextImplCls = Java.use(ContextImplClassName)
console.log("ContextImplCls=" + ContextImplCls)
// printClassAllMethodsFields(ContextImplClassName)
// public boolean bindServiceAsUser(Intent service, ServiceConnection conn, int flags, UserHandle user)
var bindServiceAsUserFunc4 = ContextImplCls.bindServiceAsUser.overload('android.content.Intent', 'android.content.ServiceConnection', 'int', 'android.os.UserHandle')
if (bindServiceAsUserFunc4) {
bindServiceAsUserFunc4.implementation = function (service, conn, flags, user) {
// console.log("ContextImpl.bindServiceAsUser 4: service=" + service + ", conn=" + conn + ", flags=" + flags + ", user=" + user)
// PrintStack(ThrowableCls)
var funcName = "ContextImpl.bindServiceAsUser 4"
var funcParaDict = {
"service": service,
"conn": conn,
"flags": flags,
"user": user,
}
printFunctionCallAndStack(funcName, funcParaDict, ThrowableCls)
return this.bindServiceAsUser(service, conn, flags, user)
}
}
// public boolean bindServiceAsUser(Intent service, ServiceConnection conn, int flags, Handler handler, UserHandle user)
var bindServiceAsUserFunc5 = ContextImplCls.bindServiceAsUser.overload('android.content.Intent', 'android.content.ServiceConnection', 'int', 'android.os.Handler', 'android.os.UserHandle')
if (bindServiceAsUserFunc5) {
bindServiceAsUserFunc5.implementation = function (service, conn, flags, handler, user) {
// console.log("ContextImpl.bindServiceAsUser 5: service=" + service + ", conn=" + conn + ", flags=" + flags + ", handler=" + handler + ", user=" + user)
// PrintStack(ThrowableCls)
var funcName = "ContextImpl.bindServiceAsUser 5"
var funcParaDict = {
"service": service,
"conn": conn,
"flags": flags,
"handler": handler,
"user": user,
}
printFunctionCallAndStack(funcName, funcParaDict, ThrowableCls)
return this.bindServiceAsUser(service, conn, flags, handler, user)
}
}
// ---------------------------------------- com.android.server.am.ProcessRecord
var ProcessRecordClassName = "com.android.server.am.ProcessRecord"
var ProcessRecordCls = Java.use(ProcessRecordClassName)
console.log("ProcessRecordCls=" + ProcessRecordCls)
// printClassAllMethodsFields(ProcessRecordClassName)
// ---------------------------------------- com.android.server.am.ActiveServices
var ActiveServicesClassName = "com.android.server.am.ActiveServices"
var ActiveServicesCls = Java.use(ActiveServicesClassName)
console.log("ActiveServicesCls=" + ActiveServicesCls)
// private String bringUpServiceLocked(ServiceRecord r, int intentFlags, boolean execInFg, boolean whileRestarting, boolean permissionsReviewRequired, boolean packageFrozen, boolean enqueueOomAdj)
var bringUpServiceLockedFunc = ActiveServicesCls.bringUpServiceLocked
if (bringUpServiceLockedFunc) {
bringUpServiceLockedFunc.implementation = function (r, intentFlags, execInFg, whileRestarting, permissionsReviewRequired, packageFrozen, enqueueOomAdj) {
var shouldCallOrigFunc = true
// console.log("ActiveServices.bringUpServiceLocked: r=" + r + ", intentFlags=" + intentFlags + ", execInFg=" + execInFg + ", whileRestarting=" + whileRestarting + ", permissionsReviewRequired=" + permissionsReviewRequired + ", packageFrozen=" + packageFrozen + ", enqueueOomAdj=" + enqueueOomAdj)
// PrintStack(ThrowableCls)
var funcName = "ActiveServices.bringUpServiceLocked"
var funcParaDict = {
"r": r,
"intentFlags": intentFlags,
"execInFg": execInFg,
"whileRestarting": whileRestarting,
"permissionsReviewRequired": permissionsReviewRequired,
"packageFrozen": packageFrozen,
"enqueueOomAdj": enqueueOomAdj,
}
printFunctionCallAndStack(funcName, funcParaDict, ThrowableCls)
if(enableNotCallFilter_ActiveServices_bringUpServiceLocked){
var rStr = r.toString()
if (rStr.includes(CurAppPkgName)){
shouldCallOrigFunc = false
}
}
if(shouldCallOrigFunc) {
return this.bringUpServiceLocked(r, intentFlags, execInFg, whileRestarting, permissionsReviewRequired, packageFrozen, enqueueOomAdj)
} else {
console.log(" Not call ActiveServices.bringUpServiceLocked")
return ""
}
}
}
// ComponentName startServiceLocked(IApplicationThread caller, Intent service, String resolvedType, int callingPid, int callingUid, boolean fgRequired, String callingPackage, @Nullable String callingFeatureId, final int userId)
var startServiceLockedFunc9 = ActiveServicesCls.startServiceLocked.overload('android.app.IApplicationThread', 'android.content.Intent', 'java.lang.String', 'int', 'int', 'boolean', 'java.lang.String', 'java.lang.String', 'int')
if (startServiceLockedFunc9) {
startServiceLockedFunc9.implementation = function (caller, service, resolvedType, callingPid, callingUid, fgRequired, callingPackage, callingFeatureId, userId) {
var shouldCallOrigFunc = true
var funcName = "ActiveServices.startServiceLocked 9"
var funcParaDict = {
"caller": caller,
"service": service,
"resolvedType": resolvedType,
"callingPid": callingPid,
"callingUid": callingUid,
"fgRequired": fgRequired,
"callingPackage": callingPackage,
"callingFeatureId": callingFeatureId,
"userId": userId,
}
printFunctionCallAndStack(funcName, funcParaDict, ThrowableCls)
if(enableNotCallFilter_ActiveServices_startServiceLocked){
if (callingPackage.includes(CurAppPkgName)){
shouldCallOrigFunc = false
}
}
if(shouldCallOrigFunc) {
return this.startServiceLocked(caller, service, resolvedType, callingPid, callingUid, fgRequired, callingPackage, callingFeatureId, userId)
} else {
console.log(" Not call ActiveServices.startServiceLocked 9")
return null
}
}
}
// ComponentName startServiceLocked(IApplicationThread caller, Intent service, String resolvedType, int callingPid, int callingUid, boolean fgRequired, String callingPackage, @Nullable String callingFeatureId, final int userId, boolean allowBackgroundActivityStarts, @Nullable IBinder backgroundActivityStartsToken)
var startServiceLockedFunc11 = ActiveServicesCls.startServiceLocked.overload('android.app.IApplicationThread', 'android.content.Intent', 'java.lang.String', 'int', 'int', 'boolean', 'java.lang.String', 'java.lang.String', 'int', 'boolean', 'android.os.IBinder')
if (startServiceLockedFunc11) {
startServiceLockedFunc11.implementation = function (caller, service, resolvedType, callingPid, callingUid, fgRequired, callingPackage, callingFeatureId, userId, allowBackgroundActivityStarts, backgroundActivityStartsToken) {
var shouldCallOrigFunc = true
var funcName = "ActiveServices.startServiceLocked 11"
var funcParaDict = {
"caller": caller,
"service": service,
"resolvedType": resolvedType,
"callingPid": callingPid,
"callingUid": callingUid,
"fgRequired": fgRequired,
"callingPackage": callingPackage,
"callingFeatureId": callingFeatureId,
"userId": userId,
"allowBackgroundActivityStarts": allowBackgroundActivityStarts,
"backgroundActivityStartsToken": backgroundActivityStartsToken,
}
printFunctionCallAndStack(funcName, funcParaDict, ThrowableCls)
if(enableNotCallFilter_ActiveServices_startServiceLocked){
if (callingPackage.includes(CurAppPkgName)){
shouldCallOrigFunc = false
}
}
if(shouldCallOrigFunc) {
return this.startServiceLocked(caller, service, resolvedType, callingPid, callingUid, fgRequired, callingPackage, callingFeatureId, userId, allowBackgroundActivityStarts, backgroundActivityStartsToken)
} else {
console.log(" Not call ActiveServices.startServiceLocked 11")
return null
}
}
}
// ComponentName startServiceInnerLocked(ServiceMap smap, Intent service, ServiceRecord r, boolean callerFg, boolean addToStarting, int callingUid, boolean wasStartRequested)
var startServiceInnerLockedFunc7 = ActiveServicesCls.startServiceInnerLocked.overload('com.android.server.am.ActiveServices$ServiceMap', 'android.content.Intent', 'com.android.server.am.ServiceRecord', 'boolean', 'boolean', 'int', 'boolean')
if (startServiceInnerLockedFunc7) {
startServiceInnerLockedFunc7.implementation = function (smap, service, r, callerFg, addToStarting, callingUid, wasStartRequested) {
var shouldCallOrigFunc = true
var funcName = "ActiveServices.startServiceInnerLocked 7"
var funcParaDict = {
"smap": smap,
"service": service,
"r": r,
"callerFg": callerFg,
"addToStarting": addToStarting,
"callingUid": callingUid,
"wasStartRequested": wasStartRequested,
}
printFunctionCallAndStack(funcName, funcParaDict, ThrowableCls)
if(enableNotCallFilter_ActiveServices_startServiceInnerLocked){
var rStr = r.toString()
if (rStr.includes(CurAppPkgName)){
shouldCallOrigFunc = false
}
}
if(shouldCallOrigFunc) {
return this.startServiceInnerLocked(smap, service, r, callerFg, addToStarting, callingUid, wasStartRequested)
} else {
console.log(" Not call ActiveServices.startServiceInnerLocked 7")
return null
}
}
}
// private ComponentName startServiceInnerLocked(ServiceRecord r, Intent service, int callingUid, int callingPid, boolean fgRequired, boolean callerFg, boolean allowBackgroundActivityStarts, @Nullable IBinder backgroundActivityStartsToken)
var startServiceInnerLockedFunc8 = ActiveServicesCls.startServiceInnerLocked.overload('com.android.server.am.ServiceRecord', 'android.content.Intent', 'int', 'int', 'boolean', 'boolean', 'boolean', 'android.os.IBinder')
if (startServiceInnerLockedFunc8) {
startServiceInnerLockedFunc8.implementation = function (r, service, callingUid, callingPid, fgRequired, callerFg, allowBackgroundActivityStarts, backgroundActivityStartsToken) {
var shouldCallOrigFunc = true
var funcName = "ActiveServices.startServiceInnerLocked 8"
var funcParaDict = {
"r": r,
"service": service,
"callingUid": callingUid,
"callingPid": callingPid,
"fgRequired": fgRequired,
"callerFg": callerFg,
"allowBackgroundActivityStarts": allowBackgroundActivityStarts,
"backgroundActivityStartsToken": backgroundActivityStartsToken,
}
printFunctionCallAndStack(funcName, funcParaDict, ThrowableCls)
if(enableNotCallFilter_ActiveServices_startServiceInnerLocked){
var rStr = r.toString()
if (rStr.includes(CurAppPkgName)){
shouldCallOrigFunc = false
}
}
if(shouldCallOrigFunc) {
return this.startServiceInnerLocked(r, service, callingUid, callingPid, fgRequired, callerFg, allowBackgroundActivityStarts, backgroundActivityStartsToken)
} else {
console.log(" Not call ActiveServices.startServiceInnerLocked 8")
return null
}
}
}
// ---------------------------------------- com.android.server.am.ProcessList
var ProcessListCls = Java.use("com.android.server.am.ProcessList")
console.log("ProcessListCls=" + ProcessListCls)
// boolean startProcessLocked(HostingRecord hostingRecord, String entryPoint, ProcessRecord app, int uid, int[] gids, int runtimeFlags, int zygotePolicyFlags, int mountExternal, String seInfo, String requiredAbi, String instructionSet, String invokeWith, long startUptime, long startElapsedTime)
var startProcessLockedFunc = ProcessListCls.startProcessLocked.overload('com.android.server.am.HostingRecord', 'java.lang.String', 'com.android.server.am.ProcessRecord', 'int', '[I', 'int', 'int', 'int', 'java.lang.String', 'java.lang.String', 'java.lang.String', 'java.lang.String', 'long', 'long')
console.log("startProcessLockedFunc=" + startProcessLockedFunc)
if (startProcessLockedFunc) {
startProcessLockedFunc.implementation = function (hostingRecord, entryPoint, app, uid, gids, runtimeFlags, zygotePolicyFlags, mountExternal, seInfo, requiredAbi, instructionSet, invokeWith, startUptime, startElapsedTime) {
var shouldCallOrigFunc = true
console.log("ProcessList.startProcessLocked: hostingRecord=" + hostingRecord + ", entryPoint=" + entryPoint + ", app=" + app + ", uid=" + uid + ", gids=" + gids + ", runtimeFlags=" + runtimeFlags + ", zygotePolicyFlags=" + zygotePolicyFlags + ", mountExternal=" + mountExternal + ", seInfo=" + seInfo + ", requiredAbi=" + requiredAbi + ", instructionSet=" + instructionSet + ", invokeWith=" + invokeWith + ", startUptime=" + startUptime + ", startElapsedTime=" + startElapsedTime)
// PrintStack(ThrowableCls)
if(enableNotCallFilter_ProcessList_startProcessLocked){
var appStr = app.toString()
if (appStr.includes(CurAppPkgName)){
shouldCallOrigFunc = false
}
}
if(shouldCallOrigFunc) {
return this.startProcessLocked(hostingRecord, entryPoint, app, uid, gids, runtimeFlags, zygotePolicyFlags, mountExternal, seInfo, requiredAbi, instructionSet, invokeWith, startUptime, startElapsedTime)
} else {
console.log(" Not call ProcessList.startProcessLocked")
return false
}
}
}
// boolean handleProcessStartedLocked(ProcessRecord app, int pid, boolean usingWrapper, long expectedStartSeq, boolean procAttached) {
var handleProcessStartedLockedFunc = ProcessListCls.handleProcessStartedLocked.overload('com.android.server.am.ProcessRecord', 'int', 'boolean', 'long', 'boolean')
console.log("handleProcessStartedLockedFunc=" + handleProcessStartedLockedFunc)
if (handleProcessStartedLockedFunc) {
handleProcessStartedLockedFunc.implementation = function (app, pid, usingWrapper, expectedStartSeq, procAttached) {
var shouldCallOrigFunc = true
console.log("ProcessList.handleProcessStartedLocked: app=" + app + ", pid=" + pid + ", usingWrapper=" + usingWrapper + ", expectedStartSeq=" + expectedStartSeq + ", procAttached=" + procAttached)
// printProcessRecord(app)
if(enableNotCallFilter_ProcessList_handleProcessStartedLocked){
var appStr = app.toString()
if (appStr.includes(CurAppPkgName)){
shouldCallOrigFunc = false
}
}
if (shouldCallOrigFunc) {
PrintStack(ThrowableCls)
return this.handleProcessStartedLocked(app, pid, usingWrapper, expectedStartSeq, procAttached)
} else {
console.log(" Not call ProcessList.handleProcessStartedLocked")
// return false
return true
}
}
}
// ---------------------------------------- com.android.server.am.ContentProviderHelper
var ContentProviderHelperClassName = "com.android.server.am.ContentProviderHelper"
var ContentProviderHelperCls = Java.use(ContentProviderHelperClassName)
console.log("ContentProviderHelperCls=" + ContentProviderHelperCls)
// private ContentProviderHolder getContentProviderImpl(IApplicationThread caller, String name, IBinder token, int callingUid, String callingPackage, String callingTag, boolean stable, int userId)
var getContentProviderImplFunc = ContentProviderHelperCls.getContentProviderImpl
if (getContentProviderImplFunc) {
getContentProviderImplFunc.implementation = function (caller, name, token, callingUid, callingPackage, callingTag, stable, userId) {
var shouldCallOrigFunc = true
// console.log("ContentProviderHelper.getContentProviderImpl: caller=" + caller + ", name=" + name + ", token=" + token + ", callingUid=" + callingUid + ", callingPackage=" + callingPackage + ", callingTag=" + callingTag + ", stable=" + stable + ", userId=" + userId)
// PrintStack(ThrowableCls)
var funcName = "ContentProviderHelper.getContentProviderImpl"
var funcParaDict = {
"caller": caller,
"name": name,
"token": token,
"callingUid": callingUid,
"callingPackage": callingPackage,
"callingTag": callingTag,
"stable": stable,
"userId": userId,
}
printFunctionCallAndStack(funcName, funcParaDict, ThrowableCls)
if(enableNotCallFilter_ContentProviderHelper_getContentProviderImpl){
// if(callingPackage.includes(CurAppPkgName)){
if(name.includes(CurAppPkgName)){
shouldCallOrigFunc = false
}
}
if (shouldCallOrigFunc) {
return this.getContentProviderImpl(caller, name, token, callingUid, callingPackage, callingTag, stable, userId)
} else {
console.log(" Not call ContentProviderHelper.getContentProviderImpl")
return null
}
}
}
// ---------------------------------------- android.os.Handler
var HandlerClassName = "android.os.Handler"
var HandlerCls = Java.use(HandlerClassName)
console.log("HandlerCls=" + HandlerCls)
// public void dispatchMessage(@NonNull Message msg)
var dispatchMessageFunc = HandlerCls.dispatchMessage
if (dispatchMessageFunc) {
dispatchMessageFunc.implementation = function (msg) {
var shouldCallOrigFunc = true
var mgsStr = msg.toString()
if(mgsStr.includes(CurAppPkgName)){
// console.log("Handler.dispatchMessage: msg=" + msg)
// PrintStack(ThrowableCls)
var funcName = "Handler.dispatchMessage"
var funcParaDict = {
"msg": msg,
}
printFunctionCallAndStack(funcName, funcParaDict, ThrowableCls)
if(enableNotCallFilter_Handler_dispatchMessage){
// is not : Handler.dispatchMessage: msg={ when=-927ms what=4104 obj=ApplicationExitInfo(timestamp=2023/9/19 16:55 pid=3953 realUid=10249 packageUid=10249 definingUid=10249 user=0 process=com.wallpaper.hd.funny reason=12 (DEPENDENCY DIED) subreason=0 (UNKNOWN) status=0 importance=400 pss=33MB rss=132MB description=depends on provider com.google.android.gms/.phenotype.provider.ConfigurationProvider in dying proc com.google.android.gms.persistent (adj -10000) state=empty trace=null target=com.android.server.am.AppExitInfoTracker$KillHandler }
if(!mgsStr.includes("ApplicationExitInfo")){
shouldCallOrigFunc = false
}
}
}
if (shouldCallOrigFunc) {
return this.dispatchMessage(msg)
} else {
console.log(" Not call Handler.dispatchMessage")
// return null
return
}
}
}
// ---------------------------------------- com.android.server.am.BroadcastQueue
var BroadcastQueueClassName = "com.android.server.am.BroadcastQueue"
var BroadcastQueueCls = Java.use(BroadcastQueueClassName)
console.log("BroadcastQueueCls=" + BroadcastQueueCls)
// final void processNextBroadcastLocked(boolean fromMsg, boolean skipOomAdj)
var processNextBroadcastLockedFunc = BroadcastQueueCls.processNextBroadcastLocked
if (processNextBroadcastLockedFunc) {
processNextBroadcastLockedFunc.implementation = function (fromMsg, skipOomAdj) {
var shouldCallOrigFunc = true
// console.log("BroadcastQueue.processNextBroadcastLocked: fromMsg=" + fromMsg + ", skipOomAdj=" + skipOomAdj)
// PrintStack(ThrowableCls)
var funcName = "BroadcastQueue.processNextBroadcastLocked"
var funcParaDict = {
"fromMsg": fromMsg,
"skipOomAdj": skipOomAdj,
}
printFunctionCallAndStack(funcName, funcParaDict, ThrowableCls)
if (shouldCallOrigFunc) {
return this.processNextBroadcastLocked(fromMsg, skipOomAdj)
} else {
console.log(" Not call BroadcastQueue.processNextBroadcastLocked")
return null
}
}
}
// ---------------------------------------- com.android.server.am.ActivityManagerService
var curJavaClassName = "com.android.server.am.ActivityManagerService"
// printClassAllMethodsFields(curJavaClassName)
var ActivityManagerServiceCls = Java.use(curJavaClassName)
console.log("ActivityManagerServiceCls=" + ActivityManagerServiceCls)
// final ProcessRecord startProcessLocked(String processName, ApplicationInfo info, boolean knownToBeDead, int intentFlags, HostingRecord hostingRecord, int zygotePolicyFlags, boolean allowWhileBooting, boolean isolated)
var amsStartProcessLockedFunc = ActivityManagerServiceCls.startProcessLocked
if (amsStartProcessLockedFunc) {
amsStartProcessLockedFunc.implementation = function (processName, info, knownToBeDead, intentFlags, hostingRecord, zygotePolicyFlags, allowWhileBooting, isolated) {
var shouldCallOrigFunc = true
// console.log("AMS.startProcessLocked: processName=" + processName + ", info=" + info + ", knownToBeDead=" + knownToBeDead + ", intentFlags=" + intentFlags + ", hostingRecord=" + hostingRecord + ", zygotePolicyFlags=" + zygotePolicyFlags + ", allowWhileBooting=" + allowWhileBooting + ", isolated=" + isolated)
// PrintStack(ThrowableCls)
var funcName = "AMS.startProcessLocked"
var funcParaDict = {
"processName": processName,
"info": info,
"knownToBeDead": knownToBeDead,
"intentFlags": intentFlags,
"hostingRecord": hostingRecord,
"zygotePolicyFlags": zygotePolicyFlags,
"allowWhileBooting": allowWhileBooting,
"isolated": isolated,
}
printFunctionCallAndStack(funcName, funcParaDict, ThrowableCls)
if(enableNotCallFilter_AMS_startProcessLocked){
if(processName.includes(CurAppPkgName)){
shouldCallOrigFunc = false
}
}
if (shouldCallOrigFunc) {
return this.startProcessLocked(processName, info, knownToBeDead, intentFlags, hostingRecord, zygotePolicyFlags, allowWhileBooting, isolated)
} else {
console.log(" Not call AMS.startProcessLocked")
return null
}
}
}
// private boolean attachApplicationLocked(@NonNull IApplicationThread thread, int pid, int callingUid, long startSeq)
var attachApplicationLockedFunc = ActivityManagerServiceCls.attachApplicationLocked
console.log("attachApplicationLockedFunc=" + attachApplicationLockedFunc)
if (attachApplicationLockedFunc) {
attachApplicationLockedFunc.implementation = function (thread, pid, callingUid, startSeq) {
// console.log("AMS.attachApplicationLocked: thread=" + thread + ", pid=" + pid + ", callingUid=" + callingUid + ", startSeq=" + startSeq)
// PrintStack(ThrowableCls)
var funcName = "AMS.attachApplicationLocked"
var funcParaDict = {
"thread": thread,
"pid": pid,
"callingUid": callingUid,
"startSeq": startSeq,
}
printFunctionCallAndStack(funcName, funcParaDict, ThrowableCls)
return this.attachApplicationLocked(thread, pid, callingUid, startSeq)
}
}
// public ComponentName startService(IApplicationThread caller, Intent service, String resolvedType, boolean requireForeground, String callingPackage, String callingFeatureId, int userId) throws TransactionTooLargeException {
var startServiceFunc = ActivityManagerServiceCls.startService
console.log("startServiceFunc=" + startServiceFunc)
if (startServiceFunc) {
startServiceFunc.implementation = function (caller, service, resolvedType, requireForeground, callingPackage, callingFeatureId, userId) {
var shouldCallOrigFunc = true
// console.log("AMS.startService: caller=" + caller + ", service=" + service + ", resolvedType=" + resolvedType + ", requireForeground=" + requireForeground + ", callingPackage=" + callingPackage + ", callingFeatureId=" + callingFeatureId + ", userId=" + userId)
// PrintStack(ThrowableCls)
var isCurApp = false
if (service){
// printIntentInfo(service)
var serviceStr = service.toString()
console.log("serviceStr=" + serviceStr)
// serviceStr=Intent { cmp=com.wallpaper.hd.funny/com.w.thsz.s.Service108 }
if (serviceStr.includes(CurAppPkgName)) {
isCurApp = true
}
}
if(isCurApp){
var funcName = "AMS.startService"
var funcParaDict = {
"caller": caller,
"service": service,
"resolvedType": resolvedType,
"requireForeground": requireForeground,
"callingPackage": callingPackage,
"callingFeatureId": callingFeatureId,
"userId": userId,
}
// console.log("will call printFunctionCallAndStack: funcName=" + funcName + ", funcParaDict=" + toJsonStr(funcParaDict) + ", ThrowableCls=" + ThrowableCls)
printFunctionCallAndStack(funcName, funcParaDict, ThrowableCls)
var serviceHasFileDescriptors = service.hasFileDescriptors()
console.log("serviceHasFileDescriptors=" + serviceHasFileDescriptors)
if(enableNotCallFilter_AMS_startService){
shouldCallOrigFunc = false
}
}
if (shouldCallOrigFunc) {
// return this.startService(caller, service, resolvedType, requireForeground, callingPackage, callingFeatureId, userId)
var retComponentName = this.startService(caller, service, resolvedType, requireForeground, callingPackage, callingFeatureId, userId)
if(isCurApp){
console.log("retComponentName=" + retComponentName)
}
return retComponentName
} else {
console.log(" Not call AMS.startService")
return null
}
}
}
// // !!! Note: hook ActivityManagerService.onTransact always cause Android CRUSH and REBOOT
// // public boolean onTransact(int code, Parcel data, Parcel reply, int flags)
// var amsOnTransactFunc = ActivityManagerServiceCls.onTransact
// console.log("amsOnTransactFunc=" + amsOnTransactFunc)
// if (amsOnTransactFunc) {
// amsOnTransactFunc.implementation = function (code, dataParcel, replyParcel, flags) {
// // if (ValidTransactCodeList.includes(code)) {
// // var datParcelStr = tryReadParcelString(dataParcel)
// // if (datParcelStr) {
// // console.log("AMS onTransact: code=" + code + ", dataParcel=" + dataParcel + ",datParcelStr=" + datParcelStr + ", replyParcel=" + replyParcel + ", flags=" + flags)
// // PrintStack(ThrowableCls)
// // }
// // }
// // console.log("AMS.onTransact: code=" + code + ", dataParcel=" + dataParcel + ", replyParcel=" + replyParcel + ", flags=" + flags)
// return this.onTransact(code, dataParcel, replyParcel, flags)
// }
// }
// // Note: will cause crash & reboot, so temp not hook
// // public boolean startInstrumentation(ComponentName className, String profileFile, int flags, Bundle arguments, IInstrumentationWatcher watcher, IUiAutomationConnection uiAutomationConnection, int userId, String abiOverride)
// var startInstrumentationFunc = ActivityManagerServiceCls.startInstrumentation
// console.log("startInstrumentationFunc=" + startInstrumentationFunc)
// if (startInstrumentationFunc) {
// // startInstrumentationFunc.implementation = function (className, profileFile, flags, arguments, watcher, uiAutomationConnection, userId, abiOverride) {
// startInstrumentationFunc.implementation = function (className, profileFile, flags, arguments1, watcher, uiAutomationConnection, userId, abiOverride) {
// console.log("typeof flags=" + (typeof flags) + ",typeof userId=" + (typeof userId))
// // var Integer = Java.use("java.lang.Integer")
// // var flagsInt = Integer.valueOf(flags)
// // var userIdInt = Integer.valueOf(userId)
// // console.log("typeof flagsInt=" + (typeof flagsInt) + ",typeof userIdInt=" + (typeof userIdInt))
// console.log("className=" + className + ", profileFile=" + profileFile + ", flags=" + flags + ", arguments1=" + arguments1 + ", watcher=" + watcher + ", uiAutomationConnection=" + uiAutomationConnection + ", userId=" + userId + ", abiOverride=" + abiOverride)
// PrintStack(ThrowableCls)
// // return this.startInstrumentation(className, profileFile, flags, arguments, watcher, uiAutomationConnection, userId, abiOverride)
// return this.startInstrumentation(className, profileFile, flags, arguments1, watcher, uiAutomationConnection, userId, abiOverride)
// // return this.startInstrumentation(className, profileFile, flagsInt, arguments1, watcher, uiAutomationConnection, userIdInt, abiOverride)
// }
// }
// // public final void com.android.server.am.ActivityManagerService.finishForceStopPackageLocked(java.lang.String,int)
// // private void finishForceStopPackageLocked(final String packageName, int uid) {
// var finishForceStopPackageLockedFunc = ActivityManagerServiceCls.finishForceStopPackageLocked
// console.log("finishForceStopPackageLockedFunc=" + finishForceStopPackageLockedFunc)
// if (finishForceStopPackageLockedFunc) {
// finishForceStopPackageLockedFunc.implementation = function (packageName, uid) {
// PrintStack(ThrowableCls)
// return this.finishForceStopPackageLocked(packageName, uid)
// }
// }
// public void com.android.server.am.ActivityManagerService.forceStopPackage(java.lang.String,int)
// public void forceStopPackage(final String packageName, int userId) {
var amsForceStopPackageFunc = ActivityManagerServiceCls.forceStopPackage
console.log("amsForceStopPackageFunc=" + amsForceStopPackageFunc)
if (amsForceStopPackageFunc) {
amsForceStopPackageFunc.implementation = function (packageName, userId) {
PrintStack(ThrowableCls)
return this.forceStopPackage(packageName, userId)
}
}
// public final void com.android.server.am.ActivityManagerService.forceStopPackageLocked(java.lang.String,int,java.lang.String)
// private void forceStopPackageLocked(final String packageName, int uid, String reason) {
var forceStopPackageLockedFunc3 = ActivityManagerServiceCls.forceStopPackageLocked.overload('java.lang.String', 'int', 'java.lang.String')
console.log("forceStopPackageLockedFunc3=" + forceStopPackageLockedFunc3)
if (forceStopPackageLockedFunc3) {
forceStopPackageLockedFunc3.implementation = function (packageName, uid, reason) {
PrintStack(ThrowableCls)
return this.forceStopPackageLocked(packageName, uid, reason)
}
}
// public final boolean com.android.server.am.ActivityManagerService.forceStopPackageLocked(java.lang.String,int,boolean,boolean,boolean,boolean,boolean,int,java.lang.String)
// final boolean forceStopPackageLocked(String packageName, int appId, boolean callerWillRestart, boolean purgeCache, boolean doit, boolean evenPersistent, boolean uninstalling, int userId, String reason) {
var forceStopPackageLockedFunc9 = ActivityManagerServiceCls.forceStopPackageLocked.overload('java.lang.String', 'int', 'boolean', 'boolean', 'boolean', 'boolean', 'boolean', 'int', 'java.lang.String')
console.log("forceStopPackageLockedFunc9=" + forceStopPackageLockedFunc9)
if (forceStopPackageLockedFunc9) {
forceStopPackageLockedFunc9.implementation = function (packageName, appId, callerWillRestart, purgeCache, doit, evenPersistent, uninstalling, userId, reason) {
PrintStack(ThrowableCls)
return this.forceStopPackageLocked(packageName, appId, callerWillRestart, purgeCache, doit, evenPersistent, uninstalling, userId, reason)
}
}
// ---------------------------------------- android.app.ActivityManager
var ActivityManagerCls = Java.use("android.app.ActivityManager")
console.log("ActivityManagerCls=" + ActivityManagerCls)
// public void android.app.ActivityManager.forceStopPackage(java.lang.String)
// public void forceStopPackage(String packageName) {
var amForceStopPackageFunc = ActivityManagerCls.forceStopPackage
console.log("amForceStopPackageFunc=" + amForceStopPackageFunc)
if (amForceStopPackageFunc) {
amForceStopPackageFunc.implementation = function (packageName) {
PrintStack(ThrowableCls)
return this.forceStopPackage(packageName)
}
}
// // ---------------------------------------- com.android.server.wm.ActivityStarter
// var ActivityStarterCls = Java.use("com.android.server.wm.ActivityStarter")
// console.log("ActivityStarterCls=" + ActivityStarterCls)
// var executeRequestFunc = ActivityStarterCls.executeRequest
// // var executeRequestFunc = ActivityStarterCls._executeRequest
// console.log("executeRequestFunc=" + executeRequestFunc)
// if (executeRequestFunc) {
// executeRequestFunc.implementation = function (request) {
// // 打印当前调用堆栈信息
// let newThrowable = Throwable.$new()
// console.log("newThrowable=" + newThrowable)
// let stackStr = curLog.getStackTraceString(newThrowable)
// console.log("stackStr=" + stackStr)
// return this.executeRequest(request)
// }
// }
// // public void android.app.ActivityManager.forceStopPackageAsUser(java.lang.String,int)
// // public void forceStopPackageAsUser(String packageName, int userId) {
// var forceStopPackageAsUserFunc = ActivityManagerCls.forceStopPackageAsUser
// console.log("forceStopPackageAsUserFunc=" + forceStopPackageAsUserFunc)
// if (forceStopPackageAsUserFunc) {
// forceStopPackageAsUserFunc.implementation = function (packageName, userId) {
// PrintStack(ThrowableCls)
// return this.forceStopPackageAsUser(packageName, userId)
// }
// }
// // ---------------------------------------- com.android.server.pm.Settings
// var SettingsCls = Java.use("com.android.server.pm.Settings")
// console.log("SettingsCls=" + SettingsCls)
// /* static @NonNull PackageSetting createNewSetting(
// String pkgName,
// PackageSetting originalPkg,
// PackageSetting disabledPkg,
// String realPkgName,
// SharedUserSetting sharedUser,
// File codePath,
// String legacyNativeLibraryPath,
// String primaryCpuAbi,
// String secondaryCpuAbi,
// long versionCode,
// int pkgFlags,
// int pkgPrivateFlags,
// UserHandle installUser,
// boolean allowInstall,
// boolean instantApp,
// boolean virtualPreload,
// UserManagerService userManager,
// String[] usesSdkLibraries,
// long[] usesSdkLibrariesVersions,
// String[] usesStaticLibraries,
// long[] usesStaticLibrariesVersions,
// Set<String> mimeGroupNames,
// @NonNull UUID domainSetId
// ) {
// */
// var createNewSettingFunc = SettingsCls.createNewSetting
// console.log("createNewSettingFunc=" + createNewSettingFunc)
// if (createNewSettingFunc) {
// createNewSettingFunc.implementation = function (pkgName, originalPkg, disabledPkg, realPkgName, sharedUser, codePath, legacyNativeLibraryPath, primaryCpuAbi, secondaryCpuAbi, versionCode, pkgFlags, pkgPrivateFlags, installUser, allowInstall, instantApp, virtualPreload, userManager, usesSdkLibraries, usesStaticLibraries, usesStaticLibrariesVersions, mimeGroupNames, domainSetId) {
// PrintStack(ThrowableCls)
// return this.createNewSetting(pkgName, originalPkg, disabledPkg, realPkgName, sharedUser, codePath, legacyNativeLibraryPath, primaryCpuAbi, secondaryCpuAbi, versionCode, pkgFlags, pkgPrivateFlags, installUser, allowInstall, instantApp, virtualPreload, userManager, usesSdkLibraries, usesStaticLibraries, usesStaticLibrariesVersions, mimeGroupNames, domainSetId)
// }
// }
})
}
setImmediate(hookForceStop)