realsua / VirtualXposed_12

A simple app to use Xposed in virtual environment. (Android 12 support)
GNU General Public License v3.0

getPackageManager().checkPermission not trans for method proxy in android 11 #10

Open kings0527 opened 2 years ago

kings0527 commented 2 years ago

lpparam.context.getPackageManager().checkPermission("android.permission.ACCESS_NETWORK_STATE", lpparam.context.getPackageName());

ActivityManagerStub works.

PackageManagerStub binds successfully but doesn't work.

Maybe the context fix is wrong?

I can't find a diff on cs.android.com for ActivityThread.sPackageManager.set(hookedPM)

kings0527 commented 2 years ago
        Log.d("checkPermission", "before createPackageContext start ");
        int ret = VirtualCore.get().getContext().getPackageManager().checkPermission("android.permission.ACCESS_NETWORK_STATE", VirtualCore.get().getContext().getPackageName());
        Log.d("checkPermission", "before createPackageContext ret " + ret);
        // ret 0
        Context context = createPackageContext(data.appInfo.packageName);

        Log.d("checkPermission", "use core context, createPackageContext start");
        ret = VirtualCore.get().getContext().getPackageManager().checkPermission("android.permission.ACCESS_NETWORK_STATE", VirtualCore.get().getContext().getPackageName());
        Log.d("checkPermission", "use core context, createPackageContext ret " + ret);
        // ret 0
        Log.d("checkPermission", "createPackageContext start ");
        ret = context.getPackageManager().checkPermission("android.permission.ACCESS_NETWORK_STATE", context.getPackageName());
        Log.d("checkPermission", "createPackageContext ret " + ret);
        // ret -1

Android 10 will always call into the PackageManagerStub proxy method; Android 11 never calls it.

kings0527 commented 2 years ago
        Log.d("checkPermission", "fixContext11111 start ");
        int ret = context.getPackageManager().checkPermission("android.permission.ACCESS_NETWORK_STATE", context.getPackageName());
        Log.d("checkPermission", "fixContext111111 ret " + ret);

        ContextImpl.mPackageManager.set(context, null);

        Log.d("checkPermission", "fixContext222222 start ");
        ret = context.getPackageManager().checkPermission("android.permission.ACCESS_NETWORK_STATE", context.getPackageName());
        Log.d("checkPermission", "fixContext2222222 ret " + ret);

Android 10 will call into the proxy method when it is set to null.

kings0527 commented 2 years ago
final IPackageManager pm = ActivityThread.getPackageManager(); 
final IPermissionManager permissionManager = ActivityThread.getPermissionManager();

This is the Android 11 source code.

I think the proxy methods in PermissionManagerStub may not be enough?

kings0527 commented 2 years ago
    @Override
    public void inject() throws Throwable {
        final IInterface hookedPM = getInvocationStub().getProxyInterface();
        ActivityThread.sPermissionManager.set(hookedPM);
        BinderInvocationStub pmHookBinder = new BinderInvocationStub(getInvocationStub().getBaseInterface());
        pmHookBinder.copyMethodProxies(getInvocationStub());
        pmHookBinder.replaceService("permissionmgr");
    }

Setting sPermissionManager fixes it.

kings0527 commented 2 years ago

I'm wrong, I missed it. Just return GRANT, but not call in.
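
The routing change discussed in this thread, as an added, self-contained model in plain Java (not code from this repository or from Android). `PermissionChecker`, `hook`, and the `sdk >= 30` switch are hypothetical stand-ins for the cached `sPackageManager` / `sPermissionManager` singletons and the stubs named above; the switch is an assumption taken from the thread's diagnosis. It shows why a proxy installed on only one cached singleton is never reached once the caller resolves the check through the other.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.ArrayList;
import java.util.List;

public class PermissionRoutingModel {
    // Hypothetical stand-in for the binder interfaces named in the thread.
    interface PermissionChecker { int checkPermission(String perm, String pkg); }

    static final int GRANTED = 0, DENIED = -1;

    // Model of the per-process cached singletons; the unhooked host denies the guest.
    static PermissionChecker sPackageManager = (perm, pkg) -> DENIED;
    static PermissionChecker sPermissionManager = (perm, pkg) -> DENIED;

    // Records every call that actually reaches a method proxy.
    static final List<String> hookLog = new ArrayList<>();

    // Wrap a service in a dynamic proxy that logs checkPermission and answers GRANTED.
    static PermissionChecker hook(String name, PermissionChecker base) {
        InvocationHandler h = (proxy, method, args) -> {
            if (method.getName().equals("checkPermission")) {
                hookLog.add(name + "." + method.getName());
                return GRANTED;
            }
            return method.invoke(base, args); // everything else passes through
        };
        return (PermissionChecker) Proxy.newProxyInstance(
                PermissionChecker.class.getClassLoader(),
                new Class<?>[] {PermissionChecker.class}, h);
    }

    // Model of context.getPackageManager().checkPermission(): the singleton it
    // consults depends on the platform release (assumption: split at API 30).
    static int checkPermission(int sdk, String perm, String pkg) {
        PermissionChecker target = sdk >= 30 ? sPermissionManager : sPackageManager;
        return target.checkPermission(perm, pkg);
    }

    public static void main(String[] args) {
        String perm = "android.permission.ACCESS_NETWORK_STATE";
        String pkg = "com.example.guest"; // constructed package name
        sPackageManager = hook("IPackageManager", sPackageManager);
        System.out.println("API 29: " + checkPermission(29, perm, pkg) + " " + hookLog);
        System.out.println("API 30: " + checkPermission(30, perm, pkg) + " " + hookLog);
        sPermissionManager = hook("IPermissionManager", sPermissionManager);
        System.out.println("API 30, both hooked: " + checkPermission(30, perm, pkg) + " " + hookLog);
    }
}
```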