search

cinit / QAuxiliary

QNotified phoenix - To make OICQ great again
Other
4.14k stars 314 forks source link

[功能请求] 可以通过编程方式打开宿主内的组件 #1205

Open EatHatsuneShallots opened 3 weeks ago

EatHatsuneShallots commented 3 weeks ago

QQ(TIM) 版本 / QQ(TIM) Version

9.0.60

为什么你认为需要此功能

尽管 #1204 添加了打开宿主 Activity 的功能,但不能自定义 Intent

联系到哪些已经存在的 bug 或者功能

1204

具体功能需要 / Detailed features requirements

这个功能需要用户手动开启 通过 Hook JumpActivity 来实现 大致思路:

  1. 读取 JUMP_ACTION_CMD Extra 中的值,判断是否是 JUMP_ACTION_START_ACTIVITYJUMP_ACTION_START_SERVICEJUMP_ACTION_START_FOREGROUND_SERVICE 中的一项
  2. 读取 EXTRA_INTENT Extra 中的值
  3. 如果是 JUMP_ACTION_START_ACTIVITY 则调用 startActivity
  4. 如果是 JUMP_ACTION_START_SERVICE 则调用 startService
  5. 如果是 JUMP_ACTION_START_FOREGROUND_SERVICE 则调用 ContextCompat.startForegroundService (兼容旧版本 Android)
cinit commented 3 weeks ago

@EatHatsuneShallots 我们一般用以下语言描述你的需求。 In issue #1205 of QAuxiliary, there is a possible launch of arbitrary protected components due to a user feature request. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

EatHatsuneShallots commented 3 weeks ago

In issue #1205 of QAuxiliary, there is a possible launch of arbitrary protected components due to a user feature request. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

此功能仅供调试使用,且需要打开相应开关才会生效 如果怕用户忘关了的话,那就改成使用一次后自动关闭(