最近公司要折騰系統(tǒng)通話錄音癌压,先寫個錄音Demo試試水谣旁。結(jié)果在運行代碼的時候提示錄音權(quán)限不足,一看原來這個是只能系統(tǒng)調(diào)用的權(quán)限類型娇未。
recorder.setAudioSource(MediaRecorder.AudioSource.VOICE_CALL);
java.lang.RuntimeException: start failed.
at android.media.MediaRecorder.start(Native Method)
at com.dimowner.audiorecorder.audio.recorder.AudioRecorder.startRecording(AudioRecorder.java:81)
at com.dimowner.audiorecorder.app.AppRecorderImpl.startRecording(AppRecorderImpl.java:229)
沒辦法了上Xposed吧媚狰,然后自己寫了個插件Hook權(quán)限檢驗代碼稿饰,但是用IXposedHookLoadPackage死活抓不到系統(tǒng)Service實力渠牲。研究了下源碼才知道IXposedHookLoadPackage是在加載App的時候才調(diào)用茉兰,根本走不到系統(tǒng)Service的進程中沧踏,果斷換IXposedHookZygoteInit歌逢。具體代碼如下
public class MainHook implements IXposedHookZygoteInit {
@Override
public void initZygote(StartupParam startupParam) throws Throwable {
XposedHelpers.findAndHookMethod("android.app.ActivityThread", null, "systemMain", new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
System.out.println("gscgsc beforeHookedMethod");
}
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
System.out.println("gscgsc afterHookedMethod");
final Class<?> clazz;
clazz = XposedHelpers.findClass("com.android.server.am.ActivityManagerService$PermissionController", Thread.currentThread().getContextClassLoader());
System.out.println("gscgsc" + "clazz " + clazz.toString());
XposedHelpers.findAndHookMethod(clazz, "checkPermission", String.class, int.class, int.class, new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
System.out.println("gscgsc afterHookedMethod ActivityManagerService" + param.method.getName());
param.setResult(true);
}
});
}
});
}
}
加載完插件后記得重啟手機,因為這個是hook android系統(tǒng)啟動時的systemMain方法翘狱。同理這段代碼修改下目標可以hook其他系統(tǒng)Service
