PMS服务层
和AMS, WMS等其他服务一样,包管理服务运行于SystemServer进程(SystemServer组件是由Zygote进程负责启动的,启动的时候就会调用它的main函数) /system/etc/permissions 和 /data/system/package.xml 查看 /prc/../maps ,确实加载了很多 dex
/system/framework/oat/arm64/services.odex
/system/framework/arm64/boot-framework.vdex 下面给出的是一段Frida HooK代码, 在Oneplus 5T和Lenovo Z5上调试通过 - setImmediate(function() {
- Java.perform(function(){
- console.log("start hook....");
- var PMS = Java.use("com.android.server.pm.PackageManagerService");
- console.log("PMS Found.");
- PMS.checkUidPermission.implementation = function (permName, uid) {
- if("com.qualcomm.permission.UIM_REMOTE_CLIENT" == permName) {
- console.log("permName: " + permName + " :" + uid);
- return 0; //PERMISSION_GRANTED
- }
- return this.checkUidPermission(permName, uid);
- };
- console.log("hook ok.");
- });
- });
复制代码功能就是, 对 com.qualcomm.permission.UIM_REMOTE_CLIENT 放权 Xposed写法 - private void hookPackageManagerService(XC_LoadPackage.LoadPackageParam lpparam) {
- if (!lpparam.packageName.equals("android")) {
- return;
- }
- try {
- XposedHelpers.findAndHookMethod("com.android.server.pm.PackageManagerService",
- lpparam.classLoader, "checkUidPermission", String.class, int.class,
- new XC_MethodHook() {
- @Override
- protected void afterHookedMethod(XC_MethodHook.MethodHookParam param) throws Throwable {
- String permName = (String) param.args[0];
- if (permName.equals("com.qualcomm.permission.UIM_REMOTE_CLIENT")) {
- param.setResult(0);
- }
- }
- }
- );
- } catch (Exception e) {
- XposedBridge.log(e);
- }
- }
复制代码 注意:包名是 android 而是 源代码中的 com.android.server.pm
|