一、hook方法
在方法调用前HOOK (beforeHookedMethod)
//下方参数依次是 (包名, classLoader,方法名,参数1的class,参数2的class等等)XposedHelpers.findAndHookMethod("com.app.da.ff",loadPackageParam.classLoader,"LIZ",String.class,new XC_MethodHook() { @Override protected void beforeHookedMethod(XC_MethodHook.MethodHookParam param) throws Throwable { XposedBridge.log("before hook-------"); //当前实例对象 param.thisObject //参数1 String arg1 = (String) param.args[0]; //参数2 String arg2 = (String) param.args[1]; //修改参数1 param.args[0] = 1; //设置方法返回值 param.setResult("修改后的返回值"); } });
在方法调用后HOOK (afterHookedMethod)
//下方参数依次是 (包名, classLoader,方法名,参数1的class,参数2的class等等)XposedHelpers.findAndHookMethod("com.app.da.ff",loadPackageParam.classLoader,"LIZ",String.class,new XC_MethodHook() { @Override protected void afterHookedMethod(XC_MethodHook.MethodHookParam param) throws Throwable { XposedBridge.log("before hook-------"); //当前实例对象 param.thisObject //参数1 String arg1 = (String) param.args[0]; //参数2 String arg2 = (String) param.args[1]; //修改参数1 param.args[0] = 1; //因为在方法调用后hook的所以此时可以拿到返回值 param.getResult(); //获取实力对象上面的属性V0的值(int类型) Field fd = param.thisObject.getClass().getDeclaredField("V0"); fd.setAccessible(true); //强转int类型 int V0 = (int) fd.get(param.thisObject); //多层对象属性获取 //获取实力对象上的对象类型的属性, 也就是this.c.c的情况 Field fd = param.thisObject.getClass().getDeclaredField("c"); fd.setAccessible(true); Object ccObject = (Object) fd.get(param.thisObject); Field ccfd = ccObject.getClass().getDeclaredField("c"); ccfd.setAccessible(true); int successNum = (int) ccfd.get(ccObject); } });
查找应用内class
//hook方法或者调用方法的时候会用到Class clazz = XposedHelpers.findClass("ms.bd.o.p1$a", loadPackageParam.classLoader);
实例对象方法主动调用
//调用实例对象上面的方法,可以和param.thisObject结合使用,Map<String, String> __map = (Map<String, String>) XposedHelpers.callMethod(param.thisObject, "LIZ", url, _map);
类静态方法主动调用
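// Call a static method: resolve the class first, then invoke the method by name.
Class<?> clazz = XposedHelpers.findClass("ms.bd.o.p1$a", loadPackageParam.classLoader);
// A bare cast expression is not a valid Java statement, so the result is assigned.
@SuppressWarnings("unchecked") // generic type arguments cannot be checked at runtime
Map<String, String> result =
        (Map<String, String>) XposedHelpers.callStaticMethod(clazz, "LIZ", url, _map);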
获取一个类已经实例化的对象
这个我没测试过
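Class<?> clazz = XposedHelpers.findClass("ms.bd.o.p1$a", loadPackageParam.classLoader);
// getEnumConstants() returns the constants of an enum class as an array and returns
// null when the class is not an enum, so this only yields existing instances for enums.
// Pick any element of the array to use.
// NOTE(review): the page states this snippet was not tested.
Object[] enumConstants = clazz.getEnumConstants();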
主动实例化一个对象
// Create a new instance of a class from the hooked app: the class is resolved through
// the app's ClassLoader and arg1/arg2 are passed on as the constructor arguments.
Object classObj = XposedHelpers.newInstance(
        XposedHelpers.findClass("ms.bd.o.p1$a", loadPackageParam.classLoader),
        arg1,
        arg2);
修改类静态属性
//设置ms.bd.o.p1$a的静态属性name值为张三Class clazz = XposedHelpers.findClass("ms.bd.o.p1$a", loadPackageParam.classLoader);XposedHelpers.findField(clazz, "name").set(null, "张三");
修改实例对象上属性
// Overwrite the field "name" on the instance the hooked method was called on.
Object target = param.thisObject;
// getDeclaredField() only sees fields declared on the runtime class itself.
Field nameField = target.getClass().getDeclaredField("name");
// Needed because the field may be private.
nameField.setAccessible(true);
nameField.set(target, "张三");
获取 applicationContext
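// Capture the application Context by hooking ContextWrapper.getApplicationContext()
// and storing the first non-null result in the shared applicationContext field.
try {
    Class<?> contextWrapperClass =
            XposedHelpers.findClass("android.content.ContextWrapper", loadPackageParam.classLoader);
    XposedHelpers.findAndHookMethod(contextWrapperClass, "getApplicationContext", new XC_MethodHook() {
        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            // Already captured on an earlier call; nothing to do.
            if (applicationContext != null) {
                return;
            }
            Object result = param.getResult();
            // The hooked call may return null; do not report success
            // before a real Context has been stored.
            if (result == null) {
                return;
            }
            // Kept in a shared field so later code can use it.
            applicationContext = (Context) result;
            XposedBridge.log("得到上下文");
        }
    });
} catch (Throwable t) {
    XposedBridge.log("获取上下文出错");
    // Log the cause as well, otherwise the reason for the failure is lost.
    XposedBridge.log(t);
}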
hook onCreateView实现按钮主动点击
// After onCreateView(LayoutInflater, ViewGroup, Bundle) of com.find.diff.a returns,
// remember both the instance and the View it produced so later code can use them.
// NOTE(review): these shared references are not cleared here; presumably they can
// outlive the view they point to, so verify they are still current before use.
XC_MethodHook captureCreatedView = new XC_MethodHook() {
    @Override
    protected void afterHookedMethod(final MethodHookParam param) throws Throwable {
        XposedBridge.log("hook-onCreateView-------------------------------");
        // The object whose onCreateView was called.
        comFindDiffA = param.thisObject;
        // The return value of onCreateView, saved for later use.
        inflate = (View) param.getResult();
    }
};
XposedHelpers.findAndHookMethod(
        "com.find.diff.a",
        loadPackageParam.classLoader,
        "onCreateView",
        LayoutInflater.class,
        ViewGroup.class,
        Bundle.class,
        captureCreatedView);
需要运行在UI线程的方法 runOnUiThread
//comFindDiffA为 param.thisObject 可提前全局保存下来Object activityObj =(Object) XposedHelpers.callMethod(comFindDiffA, "getActivity");if(activityObj!=null){ XposedBridge.log("--------------------------------activityObj有值"); XposedHelpers.callMethod(activityObj, "runOnUiThread",new Runnable() { public void run() { //applicationContext 也是全局保存的 Resources res = applicationContext.getResources(); //找到id的game_over_next的id编号 int idNum = res.getIdentifier("game_over_next", "id", applicationContext.getPackageName()); // inflate 是hook onCreateView得来的 ViewGroup vg = (ViewGroup) inflate.findViewById(idNum); XposedBridge.log("--------------------------------runOnUiThread click"); //主动点击触发 vg.performClick(); } });}