[原创] 记录一下tk的中间人拦截点位-Android安全-看雪安全社区

[原创] 记录一下tk的中间人拦截点位

发表于: 2025-7-11 00:28 2754

[原创] 记录一下tk的中间人拦截点位

Rocky虞

2025-7-11 00:28

2754

在xhs的中间人拦截方案中，选择 okhttp3.internal.http.RealInterceptorChain 的 proceed 方法作为中间人拦截入口，使用xposed进行拦截
图片描述

解析响应时需要进行clone后再读取

在tiktok上则需要先进行协议降级

然后再拦截 com.bytedance.retrofit2.SsHttpCall 的 getResponseWithInterceptorChain 方法
图片描述

在使用 message = responseValue.toString() 获取具体的响应内容时会发现存在多种形式的结果
需要根据具体的形式进行下一步处理
例如输出的是 "TypedByteArray[length=xxxxx"
则需要

一些BaseResponse等类型的数据则需要从responseValue中提取LJLIIIL等字段的具体内容作为响应内容

Object result = param.getResult();
Object body = XposedHelpers.callMethod(result, "body");
Object source = XposedHelpers.callMethod(body, "source");
XposedHelpers.callMethod(source, "request", Long.MAX_VALUE);
Object getBuffer = XposedHelpers.callMethod(source, "getBuffer");
Object cloneBuffer = XposedHelpers.callMethod(getBuffer, "clone");
String message = (String) XposedHelpers.callMethod(cloneBuffer, "readString", StandardCharsets.UTF_8);

Object result = param.getResult();

Object body = XposedHelpers.callMethod(result, "body");

Object source = XposedHelpers.callMethod(body, "source");

XposedHelpers.callMethod(source, "request", Long.MAX_VALUE);

Object getBuffer = XposedHelpers.callMethod(source, "getBuffer");

Object cloneBuffer = XposedHelpers.callMethod(getBuffer, "clone");

String message = (String) XposedHelpers.callMethod(cloneBuffer, "readString", StandardCharsets.UTF_8);

try {
    Class<?> targetClass = XposedHelpers.findClass("org.chromium.CronetClient", appContext.getClassLoader());
    Class<?> icronetAppProviderClass = XposedHelpers.findClass("com.bytedance.frameworks.baselib.network.http.cronet.ICronetAppProvider", appContext.getClassLoader());
    XposedHelpers.findAndHookMethod(targetClass, "tryCreateCronetEngine",
            android.content.Context.class, boolean.class, boolean.class,
            boolean.class, boolean.class, String.class,
            java.util.concurrent.Executor.class, boolean.class,
            icronetAppProviderClass,
            new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                }
 
                @Override
                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    param.setResult(false);
                }
            }
    );
} catch (Exception e) {
    throw new RuntimeException(e);
}

try {

Class<?> targetClass = XposedHelpers.findClass("org.chromium.CronetClient", appContext.getClassLoader());

Class<?> icronetAppProviderClass = XposedHelpers.findClass("com.bytedance.frameworks.baselib.network.http.cronet.ICronetAppProvider", appContext.getClassLoader());

XposedHelpers.findAndHookMethod(targetClass, "tryCreateCronetEngine",

android.content.Context.class, boolean.class, boolean.class,

boolean.class, boolean.class, String.class,

java.util.concurrent.Executor.class, boolean.class,

icronetAppProviderClass,

登录后可查看完整内容

传播安全知识、拓宽行业人脉——看雪讲师团队等你加入！

#基础理论 #逆向分析 #HOOK注入

收藏・2

免费・1

支持