一点简单记录。
xposed原理包括将hook的method转为Native。因此可检测如下:
for (ApplicationInfo applicationInfo : applicationInfoList) { if (applicationInfo.processName.equals("com.example.hookdetection")) { Set classes = new HashSet(); DexFile dex; try { dex = new DexFile(applicationInfo.sourceDir); Enumeration entries = dex.entries(); while(entries.hasMoreElements()) { String entry = entries.nextElement(); classes.add(entry); } dex.close(); } catch (IOException e) { Log.e("HookDetection", e.toString()); } for(String className : classes) { if(className.startsWith("com.example.hookdetection")) { try { Class clazz = HookDetection.class.forName(className); for(Method method : clazz.getDeclaredMethods()) { if(Modifier.isNative(method.getModifiers())){ Log.wtf("HookDetection", "Native function found (could be hooked by Substrate or Xposed): "
+ clazz.getCanonicalName() + "->" + method.getName()); } } } catch(ClassNotFoundException e) { Log.wtf("HookDetection", e.toString()); } } } } }
所有xposed插件中,Hook isNative. 由于Hook在先,调用在后,可绕过。