improve Class detection

find classes with prefixes and from preloaded ClassLoaders

Author: binarynoise

ClassHunter/build.gradle.kts

@@ -27,4 +27,5 @@ android {
 dependencies {
     implementation(libs.libsu.core)
     implementation(projects.logger)
+    implementation(projects.reflection)
 }

ClassHunter/src/main/java/de/binarynoise/classHunter/Hook.kt

@@ -1,5 +1,6 @@
 package de.binarynoise.classHunter
 
+import java.io.File
 import java.net.URLClassLoader
 import java.security.SecureClassLoader
 import android.os.Build
@@ -10,15 +11,18 @@ import dalvik.system.DexClassLoader
 import dalvik.system.InMemoryDexClassLoader
 import dalvik.system.PathClassLoader
 import de.binarynoise.ClassHunter.BuildConfig
+import de.binarynoise.logger.Logger.log
+import de.binarynoise.reflection.cast
 import de.robv.android.xposed.IXposedHookLoadPackage
+import de.robv.android.xposed.IXposedHookZygoteInit
 import de.robv.android.xposed.XposedBridge
 import de.robv.android.xposed.XposedHelpers
 import de.robv.android.xposed.callbacks.XC_LoadPackage
 import de.robv.android.xposed.XC_MethodHook as MethodHook
 
 const val TAG = "Hook"
 
-class Hook : IXposedHookLoadPackage {
+class Hook : IXposedHookLoadPackage, IXposedHookZygoteInit {
 
     override fun handleLoadPackage(lpparam: XC_LoadPackage.LoadPackageParam) {
         Log.d(TAG, "handleLoadPackage: ${lpparam.packageName}")
@@ -36,14 +40,35 @@ class Hook : IXposedHookLoadPackage {
             override fun afterHookedMethod(param: MethodHookParam) {
                 with(param) {
                     val cls = result as? Class<*>? ?: return
-                    if (!cls.isAssignableFrom(ClassLoader::class.java)) return
+                    if (!ClassLoader::class.java.isAssignableFrom(cls)) return
                     Log.i(TAG, "loadClass afterHookedMethod: loaded new classLoader class: ${cls.name}")
                 }
             }
         })
 
         ////////////////////////////////////////////////////////////////////////////////////////////////////
 
+        try {
+            val SystemServerClassLoaderFactoryClass = XposedHelpers.findClass("com.android.internal.os.SystemServerClassLoaderFactory", null)
+            val sLoadedPaths: Map<String, PathClassLoader> =
+                XposedHelpers.getStaticObjectField(SystemServerClassLoaderFactoryClass, "sLoadedPaths").cast()
+            Log.v(TAG, "sLoadedPaths:")
+            sLoadedPaths.forEach { (path, loader) ->
+                Log.v(TAG, "sLoadedPaths: $path -> ${loader.toObjectString()}")
+                tryFindClass(loader, "SystemServerClassLoaderFactory", lpparam.packageName)
+            }
+        } catch (_: NoSuchMethodError) {
+        } catch (_: NoSuchMethodException) {
+        } catch (_: XposedHelpers.ClassNotFoundError) {
+        } catch (_: ClassNotFoundException) {
+        } catch (e: Exception) {
+            log("failed to hook", e)
+        }
+    }
+    
+    override fun initZygote(startupParam: IXposedHookZygoteInit.StartupParam) {
+        val packageName = File("/proc/self/cmdline").readText().replace(0.toChar(), ' ')
+        
         @Suppress("RemoveExplicitTypeArguments") //
         val classLoaderClasses = mutableSetOf<Class<out ClassLoader>>(
             ClassLoader::class.java,
@@ -61,8 +86,7 @@ class Hook : IXposedHookLoadPackage {
         }
 
         try {
-            @Suppress("UNCHECKED_CAST") // 
-            classLoaderClasses.add(Class.forName("android.app.LoadedApk\$WarningContextClassLoader", false, null) as Class<out ClassLoader>)
+            classLoaderClasses.add(Class.forName("android.app.LoadedApk\$WarningContextClassLoader", false, null).cast())
         } catch (_: Throwable) {
         }
 
@@ -88,12 +112,13 @@ class Hook : IXposedHookLoadPackage {
                                 "dalvik.system.PathClassLoader[null]",
                                 "dalvik.system.PathClassLoader[DexPathList[[],nativeLibraryDirectories=[/system/lib64, /system_ext/lib64]]]",
                                 "LspModuleClassLoader[instantiating]",
+                                """dalvik.system.PathClassLoader[DexPathList[[directory "/proc/self/task"],nativeLibraryDirectories=[/system/lib64, /system_ext/lib64]]]""",
                             )
                             if (string !in ignored) {
                                 Log.v(TAG, "ClassLoader constructor: created new classLoader: ${newClassLoader.toObjectString()} $string")
                             }
 
-                            tryFindClass(newClassLoader, "constructor", lpparam.packageName)
+                            tryFindClass(newClassLoader, "constructor", packageName)
 
                         }
                     }
@@ -107,6 +132,23 @@ class Hook : IXposedHookLoadPackage {
         }
     }
 
+    // https://cs.android.com/search?q=%22--prefix%20%22%20file:Android.bp
+    // /(?<=--prefix )([\w\.]+)/
+    val prefixes = arrayOf(
+        "android.net.connectivity",
+        "android.net.http.internal",
+        "com.android.captiveportallogin",
+        "com.android.networkstack",
+        "com.android.server.nearby",
+        "com.android.server.remoteauth",
+        "gfxstream_vk",
+        "lvp",
+        "vk_cmd_enqueue",
+        "vk_cmd_enqueue_unless_primary",
+        "vk_common",
+        "wsi",
+    )
+    
     fun tryFindClass(classLoader: ClassLoader, classLoaderName: String, packageName: String) {
         BuildConfig.targetClass.forEach { className ->
             var cls: Class<*>? = null
@@ -115,12 +157,20 @@ class Hook : IXposedHookLoadPackage {
             var successClassLoader: ClassLoader? = null
             var i = 0
 
-            while (classLoader != null && i++ < 10) {
+            loop@ while (classLoader != null && i++ < 10) {
                 try {
                     cls = Class.forName(className, false, classLoader)
                     successClassLoader = classLoader
+                    break@loop
                 } catch (_: Throwable) {
-                    break
+                }
+                prefixes.forEach { prefix ->
+                    try {
+                        cls = Class.forName("$prefix.$className", false, classLoader)
+                        successClassLoader = classLoader
+                        break@loop
+                    } catch (_: Throwable) {
+                    }
                 }
                 classLoader = classLoader.parent
             }
@@ -131,29 +181,24 @@ class Hook : IXposedHookLoadPackage {
         }
     }
 
-    private fun logClass(cls: Class<*>, classLoaderName: String, classLoader: ClassLoader, packageName: String) {
+    private fun logClass(cls: Class<*>, classLoaderName: String, classLoader: ClassLoader, packageName: String, dump: Boolean = true) {
         val lines = mutableListOf<String>()
         lines.add("*".repeat(150))
 
         lines.add("found class: ${cls.name} in package $packageName by $classLoaderName: ${classLoader.toObjectString()} - $classLoader")
-        
-        lines.add(" - constructors:")
-        cls.declaredConstructors.map { c -> "${c.name}(${c.parameters.joinToString(", ") { p -> p.name + " " + p.type.name }})" }
-            .sorted()
-            .forEach { c ->
-                lines.add("   - $c")
-            }
-        
-        lines.add(" - methods:")
-        cls.declaredMethods.map { m -> "${m.returnType.name} ${m.name}(${m.parameters.joinToString(", ") { p -> p.name + " " + p.type.name }})" }
-            .sorted()
-            .forEach { m ->
-                lines.add("   - $m")
-            }
-        
-        lines.add(" - fields:")
-        cls.declaredFields.map { f -> "${f.type.name} ${f.name}" }.sorted().forEach { f ->
-            lines.add("   - $f")
+        if (dump) {
+            lines.add(" - constructors:")
+            cls.declaredConstructors.map { c -> "${c.name}(${c.parameters.joinToString(", ") { p -> p.name + " " + p.type.name }})" }
+                .sorted()
+                .forEach { c -> lines.add("   - $c") }
+            
+            lines.add(" - methods:")
+            cls.declaredMethods.map { m -> "${m.returnType.name} ${m.name}(${m.parameters.joinToString(", ") { p -> p.name + " " + p.type.name }})" }
+                .sorted()
+                .forEach { m -> lines.add("   - $m") }
+            
+            lines.add(" - fields:")
+            cls.declaredFields.map { f -> "${f.type.name} ${f.name}" }.sorted().forEach { f -> lines.add("   - $f") }
         }
 
         lines.forEach {
@@ -164,5 +209,5 @@ class Hook : IXposedHookLoadPackage {
 
 fun Any?.toObjectString(): String {
     if (this == null) return "null"
-    return this::class.simpleName + "@" + Integer.toHexString(hashCode())
+    return this::class.simpleName + "@" + Integer.toHexString(hashCode()).padStart(8, '0')
 }