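A simple piece of Kotlin code that hooks the LocationManager system service, used to check for location-call logic that may be hidden in an app.
Reference: Hook Techniques (5): How to Hook Any Service in the System (https://blog.csdn.net/wangwei708846696/article/details/79569170)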
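```kotlin
import android.content.Context
import android.os.IBinder
import android.os.IInterface
import java.lang.reflect.InvocationHandler
import java.lang.reflect.InvocationTargetException
import java.lang.reflect.Method
import java.lang.reflect.Proxy

// MyLog is the author's own logging wrapper; it is not shown in this post.

object LocationServiceHook {
    private const val TAG = "LocationServiceHook"

    @JvmStatic
    @Suppress("UNCHECKED_CAST")
    fun hook() {
        // android.os.ServiceManager is a hidden framework class, so it is reached by reflection.
        val serviceManager = Class.forName("android.os.ServiceManager")
        val getService = serviceManager.getDeclaredMethod("getService", String::class.java)
        val rawBinder = getService.invoke(null, Context.LOCATION_SERVICE) as IBinder
        val hookedBinder = Proxy.newProxyInstance(
            serviceManager.classLoader,
            arrayOf<Class<*>>(IBinder::class.java),
            LocationBinderProxyHookHandler(rawBinder)
        ) as IBinder
        // Swap the cached binder so that later lookups of the location service receive the proxy.
        val cacheField = serviceManager.getDeclaredField("sCache")
        cacheField.isAccessible = true
        val caches = cacheField.get(null) as MutableMap<String, IBinder>
        caches[Context.LOCATION_SERVICE] = hookedBinder
        MyLog.logI(TAG, "finish hook")
    }
}

// Forwards a call to the real object. Zero-argument methods must be invoked without
// an argument array, and the target's own exception is rethrown unwrapped.
private fun forward(target: Any?, method: Method, args: Array<out Any?>?): Any? =
    try {
        if (args == null) method.invoke(target) else method.invoke(target, *args)
    } catch (e: InvocationTargetException) {
        throw e.cause ?: e
    }

// Proxy for the raw IBinder: intercepts queryLocalInterface and passes everything else through.
class LocationBinderProxyHookHandler(val base: IBinder) : InvocationHandler {
    companion object {
        private const val TAG = "LocationBinderProxyHookHandler"
    }

    private val stub: Class<*>? = try {
        Class.forName("android.location.ILocationManager\$Stub")
    } catch (throwable: Throwable) {
        MyLog.logE(TAG, "android.location.ILocationManager\$Stub", throwable)
        null
    }

    private val iinterface: Class<*>? = try {
        Class.forName("android.location.ILocationManager")
    } catch (throwable: Throwable) {
        MyLog.logE(TAG, "android.location.ILocationManager", throwable)
        null
    }

    override fun invoke(proxy: Any?, method: Method, args: Array<out Any?>?): Any? {
        return if ("queryLocalInterface" == method.name) {
            MyLog.logI(TAG, "queryLocalInterface")
            // Hand back a proxy of ILocationManager so that every interface call is logged.
            Proxy.newProxyInstance(
                proxy!!.javaClass.classLoader,
                arrayOf<Class<*>>(IBinder::class.java, IInterface::class.java, iinterface!!),
                LocationBinderHookHandler(base, stub!!)
            )
        } else {
            forward(base, method, args)
        }
    }
}

// Proxy for ILocationManager: logs each call with a stack trace, then delegates to the real service.
class LocationBinderHookHandler(base: IBinder, stubClass: Class<*>) : InvocationHandler {
    companion object {
        private const val TAG = "LocationBinderHookHandler"
    }

    private val base: Any? = try {
        val asInterfaceMethod = stubClass.getDeclaredMethod("asInterface", IBinder::class.java)
        // ILocationManager.Stub.asInterface(base)
        asInterfaceMethod.invoke(null, base)
    } catch (throwable: Throwable) {
        MyLog.logE(TAG, "", throwable)
        null
    }

    override fun invoke(proxy: Any?, method: Method, args: Array<out Any?>?): Any? {
        // The Throwable carries the call stack, which shows who triggered the location call.
        MyLog.logI(TAG, "method: ${method.name}, args: ${args?.contentToString()}", Throwable())
        // Return the real result (null for void methods or null results) so the proxy's
        // return type is respected.
        return forward(base, method, args)
    }
}
```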
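The hook above logs a `Throwable()` with every ILocationManager call; the following added example (not part of the original post) reduces such a stack trace to the first frame outside the hook, the proxy machinery and the Android framework, and tallies calls per calling frame. The skip lists, `LocationCallTally` and the `com.example.*` frames are assumptions constructed for illustration.

```kotlin
// Added example; the names and lists below are assumptions, not from the post.
private val HOOK_CLASSES = setOf("LocationBinderHookHandler", "LocationBinderProxyHookHandler")
private val PLUMBING_PREFIXES = listOf(
    "java.", "jdk.", "sun.", "com.sun.proxy.", "\$Proxy",   // reflection and proxy frames
    "android.", "com.android.", "dalvik.", "libcore."       // Android framework frames
)

private fun isPlumbing(frame: StackTraceElement): Boolean =
    frame.className.substringAfterLast('.') in HOOK_CLASSES ||
        PLUMBING_PREFIXES.any { frame.className.startsWith(it) }

/** First frame that is neither the hook, the proxy machinery nor the framework. */
fun firstExternalFrame(stack: Array<StackTraceElement>): StackTraceElement? =
    stack.firstOrNull { !isPlumbing(it) }

/** Counts ILocationManager calls per (binder method, calling frame). */
class LocationCallTally {
    private val counts = linkedMapOf<String, Int>()

    fun record(binderMethod: String, stack: Array<StackTraceElement>) {
        val caller = firstExternalFrame(stack)
            ?.let { "${it.className}.${it.methodName}:${it.lineNumber}" } ?: "unknown"
        val key = "$binderMethod <- $caller"
        counts[key] = (counts[key] ?: 0) + 1
    }

    fun report(): List<String> =
        counts.entries.sortedByDescending { it.value }.map { "${it.value}x ${it.key}" }
}

fun main() {
    // Constructed stack, shaped like Throwable().stackTrace captured inside the hook.
    val stack = arrayOf(
        StackTraceElement("LocationBinderHookHandler", "invoke", "LocationServiceHook.kt", 72),
        StackTraceElement("\$Proxy3", "getLastLocation", null, -1),
        StackTraceElement("android.location.LocationManager", "getLastKnownLocation", "LocationManager.java", 0),
        StackTraceElement("com.example.adsdk.Tracker", "collect", "Tracker.java", 41),
        StackTraceElement("com.example.app.MainActivity", "onCreate", "MainActivity.kt", 18)
    )
    val tally = LocationCallTally()
    repeat(2) { tally.record("getLastLocation", stack) }
    tally.report().forEach(::println)
}
```

To use it with the hook, call `record(method.name, Throwable().stackTrace)` on a shared tally from `LocationBinderHookHandler.invoke` and print `report()` when the test session ends.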