├── app
    ├── .gitignore
    ├── src
    │   ├── main
    │   │   ├── res
    │   │   │   ├── values
    │   │   │   │   ├── strings.xml
    │   │   │   │   ├── colors.xml
    │   │   │   │   └── styles.xml
    │   │   │   ├── mipmap-hdpi
    │   │   │   │   ├── ic_launcher.png
    │   │   │   │   └── ic_launcher_round.png
    │   │   │   ├── mipmap-mdpi
    │   │   │   │   ├── ic_launcher.png
    │   │   │   │   └── ic_launcher_round.png
    │   │   │   ├── mipmap-xhdpi
    │   │   │   │   ├── ic_launcher.png
    │   │   │   │   └── ic_launcher_round.png
    │   │   │   ├── mipmap-xxhdpi
    │   │   │   │   ├── ic_launcher.png
    │   │   │   │   └── ic_launcher_round.png
    │   │   │   ├── mipmap-xxxhdpi
    │   │   │   │   ├── ic_launcher.png
    │   │   │   │   └── ic_launcher_round.png
    │   │   │   ├── mipmap-anydpi-v26
    │   │   │   │   ├── ic_launcher.xml
    │   │   │   │   └── ic_launcher_round.xml
    │   │   │   ├── layout
    │   │   │   │   └── activity_main.xml
    │   │   │   ├── drawable-v24
    │   │   │   │   └── ic_launcher_foreground.xml
    │   │   │   └── drawable
    │   │   │   │   └── ic_launcher_background.xml
    │   │   ├── java
    │   │   │   ├── org
    │   │   │   │   └── chickenhook
    │   │   │   │   │   └── chickenbinder
    │   │   │   │   │       ├── AppListener.java
    │   │   │   │   │       ├── MainActivity.java
    │   │   │   │   │       └── MainActivityKotlin.kt
    │   │   │   └── com
    │   │   │   │   └── android
    │   │   │   │       └── server
    │   │   │   │           └── wm
    │   │   │   │               └── ActivityRecord.java
    │   │   └── AndroidManifest.xml
    │   ├── test
    │   │   └── java
    │   │   │   └── org
    │   │   │       └── chickenhook
    │   │   │           └── chickenbinder
    │   │   │               └── ExampleUnitTest.kt
    │   └── androidTest
    │   │   └── java
    │   │       └── org
    │   │           └── chickenhook
    │   │               └── chickenbinder
    │   │                   └── MainActivityTest.kt
    ├── proguard-rules.pro
    └── build.gradle
├── binderhooks
    ├── .gitignore
    ├── consumer-rules.pro
    ├── src
    │   ├── main
    │   │   ├── AndroidManifest.xml
    │   │   ├── java
    │   │   │   └── org
    │   │   │   │   └── chickenhook
    │   │   │   │       └── binderhooks
    │   │   │   │           ├── Logger.java
    │   │   │   │           ├── proxyListeners
    │   │   │   │               └── ProxyListener.java
    │   │   │   │           ├── ProxyHook.java
    │   │   │   │           ├── ParcelEditor.java
    │   │   │   │           ├── BinderListener.java
    │   │   │   │           ├── BinderHook.java
    │   │   │   │           └── ServiceHooks.java
    │   │   └── cpp
    │   │   │   └── chickenbinder.cc
    │   ├── test
    │   │   └── java
    │   │   │   └── org
    │   │   │       └── chickenhook
    │   │   │           └── binderhooks
    │   │   │               └── ExampleUnitTest.java
    │   └── androidTest
    │   │   └── java
    │   │       └── org
    │   │           └── chickenhook
    │   │               └── binderhooks
    │   │                   └── ServiceHooksTest.java
    ├── proguard-rules.pro
    ├── build.gradle
    └── CMakeLists.txt
├── settings.gradle
├── gradle
    └── wrapper
    │   ├── gradle-wrapper.jar
    │   └── gradle-wrapper.properties
├── .gitignore
├── .github
    └── FUNDING.yml
├── gradle.properties
├── gradlew.bat
├── gradlew
├── README.md
└── LICENSE


/app/.gitignore:
--------------------------------------------------------------------------------
1 | /build
2 | 


--------------------------------------------------------------------------------
/binderhooks/.gitignore:
--------------------------------------------------------------------------------
1 | /build
2 | 


--------------------------------------------------------------------------------
/binderhooks/consumer-rules.pro:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/settings.gradle:
--------------------------------------------------------------------------------
1 | rootProject.name='ChickenBinder'
2 | include ':app'
3 | include ':binderhooks'
4 | 


--------------------------------------------------------------------------------
/app/src/main/res/values/strings.xml:
--------------------------------------------------------------------------------
1 | <resources>
2 |     <string name="app_name">ChickenBinder</string>
3 | </resources>
4 | 


--------------------------------------------------------------------------------
/gradle/wrapper/gradle-wrapper.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ChickenHook/BinderHook/HEAD/gradle/wrapper/gradle-wrapper.jar


--------------------------------------------------------------------------------
/app/src/main/res/mipmap-hdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ChickenHook/BinderHook/HEAD/app/src/main/res/mipmap-hdpi/ic_launcher.png


--------------------------------------------------------------------------------
/app/src/main/res/mipmap-mdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ChickenHook/BinderHook/HEAD/app/src/main/res/mipmap-mdpi/ic_launcher.png


--------------------------------------------------------------------------------
/app/src/main/res/mipmap-xhdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ChickenHook/BinderHook/HEAD/app/src/main/res/mipmap-xhdpi/ic_launcher.png


--------------------------------------------------------------------------------
/app/src/main/res/mipmap-xxhdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ChickenHook/BinderHook/HEAD/app/src/main/res/mipmap-xxhdpi/ic_launcher.png


--------------------------------------------------------------------------------
/app/src/main/res/mipmap-xxxhdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ChickenHook/BinderHook/HEAD/app/src/main/res/mipmap-xxxhdpi/ic_launcher.png


--------------------------------------------------------------------------------
/app/src/main/res/mipmap-hdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ChickenHook/BinderHook/HEAD/app/src/main/res/mipmap-hdpi/ic_launcher_round.png


--------------------------------------------------------------------------------
/app/src/main/res/mipmap-mdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ChickenHook/BinderHook/HEAD/app/src/main/res/mipmap-mdpi/ic_launcher_round.png


--------------------------------------------------------------------------------
/app/src/main/res/mipmap-xhdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ChickenHook/BinderHook/HEAD/app/src/main/res/mipmap-xhdpi/ic_launcher_round.png


--------------------------------------------------------------------------------
/app/src/main/res/mipmap-xxhdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ChickenHook/BinderHook/HEAD/app/src/main/res/mipmap-xxhdpi/ic_launcher_round.png


--------------------------------------------------------------------------------
/binderhooks/src/main/AndroidManifest.xml:
--------------------------------------------------------------------------------
1 | <manifest xmlns:android="http://schemas.android.com/apk/res/android"
2 |     package="org.chickenhook.binderhooks" />
3 | 


--------------------------------------------------------------------------------
/app/src/main/res/mipmap-xxxhdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ChickenHook/BinderHook/HEAD/app/src/main/res/mipmap-xxxhdpi/ic_launcher_round.png


--------------------------------------------------------------------------------
/app/src/main/res/values/colors.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <resources>
3 |     <color name="colorPrimary">#6200EE</color>
4 |     <color name="colorPrimaryDark">#3700B3</color>
5 |     <color name="colorAccent">#03DAC5</color>
6 | </resources>
7 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | *.iml
 2 | .gradle
 3 | /local.properties
 4 | /.idea/caches
 5 | /.idea/libraries
 6 | /.idea/modules.xml
 7 | /.idea/workspace.xml
 8 | /.idea/navEditor.xml
 9 | /.idea/assetWizardSettings.xml
10 | .DS_Store
11 | /build
12 | /captures
13 | .externalNativeBuild
14 | .cxx
15 | 


--------------------------------------------------------------------------------
/gradle/wrapper/gradle-wrapper.properties:
--------------------------------------------------------------------------------
1 | #Sat May 02 13:08:16 CEST 2020
2 | distributionBase=GRADLE_USER_HOME
3 | distributionPath=wrapper/dists
4 | zipStoreBase=GRADLE_USER_HOME
5 | zipStorePath=wrapper/dists
6 | distributionUrl=https\://services.gradle.org/distributions/gradle-5.6.4-all.zip
7 | 


--------------------------------------------------------------------------------
/app/src/main/res/mipmap-anydpi-v26/ic_launcher.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <adaptive-icon xmlns:android="http://schemas.android.com/apk/res/android">
3 |     <background android:drawable="@drawable/ic_launcher_background" />
4 |     <foreground android:drawable="@drawable/ic_launcher_foreground" />
5 | </adaptive-icon>


--------------------------------------------------------------------------------
/app/src/main/res/mipmap-anydpi-v26/ic_launcher_round.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <adaptive-icon xmlns:android="http://schemas.android.com/apk/res/android">
3 |     <background android:drawable="@drawable/ic_launcher_background" />
4 |     <foreground android:drawable="@drawable/ic_launcher_foreground" />
5 | </adaptive-icon>


--------------------------------------------------------------------------------
/app/src/main/res/values/styles.xml:
--------------------------------------------------------------------------------
 1 | <resources>
 2 | 
 3 |     <!-- Base application theme. -->
 4 |     <style name="AppTheme" parent="Theme.AppCompat.Light.DarkActionBar">
 5 |         <!-- Customize your theme here. -->
 6 |         <item name="colorPrimary">@color/colorPrimary</item>
 7 |         <item name="colorPrimaryDark">@color/colorPrimaryDark</item>
 8 |         <item name="colorAccent">@color/colorAccent</item>
 9 |     </style>
10 | 
11 | </resources>
12 | 


--------------------------------------------------------------------------------
/app/src/main/java/org/chickenhook/chickenbinder/AppListener.java:
--------------------------------------------------------------------------------
 1 | package org.chickenhook.chickenbinder;
 2 | 
 3 | import android.content.BroadcastReceiver;
 4 | import android.content.Context;
 5 | import android.content.Intent;
 6 | import android.util.Log;
 7 | 
 8 | public class AppListener extends BroadcastReceiver {
 9 |     @Override
10 |     public void onReceive(Context context, Intent intent) {
11 |         Log.d("AppListener", "App is going to be removed!");
12 |     }
13 | }
14 | 


--------------------------------------------------------------------------------
/app/src/test/java/org/chickenhook/chickenbinder/ExampleUnitTest.kt:
--------------------------------------------------------------------------------
 1 | package org.chickenhook.chickenbinder
 2 | 
 3 | import org.junit.Test
 4 | 
 5 | import org.junit.Assert.*
 6 | 
 7 | /**
 8 |  * Example local unit test, which will execute on the development machine (host).
 9 |  *
10 |  * See [testing documentation](http://d.android.com/tools/testing).
11 |  */
12 | class ExampleUnitTest {
13 |     @Test
14 |     fun addition_isCorrect() {
15 |         assertEquals(4, 2 + 2)
16 |     }
17 | }
18 | 


--------------------------------------------------------------------------------
/binderhooks/src/main/java/org/chickenhook/binderhooks/Logger.java:
--------------------------------------------------------------------------------
 1 | package org.chickenhook.binderhooks;
 2 | 
 3 | import android.util.Log;
 4 | 
 5 | import androidx.annotation.NonNull;
 6 | 
 7 | public class Logger {
 8 | 
 9 |     public static void log(@NonNull String message) {
10 |         Log.i("BinderHook", message);
11 |     }
12 | 
13 |     public static void log(@NonNull String message, @NonNull Exception exception) {
14 |         Log.i("BinderHook", message, exception);
15 |     }
16 | }
17 | 


--------------------------------------------------------------------------------
/binderhooks/src/test/java/org/chickenhook/binderhooks/ExampleUnitTest.java:
--------------------------------------------------------------------------------
 1 | package org.chickenhook.binderhooks;
 2 | 
 3 | import org.junit.Test;
 4 | 
 5 | import static org.junit.Assert.*;
 6 | 
 7 | /**
 8 |  * Example local unit test, which will execute on the development machine (host).
 9 |  *
10 |  * @see <a href="http://d.android.com/tools/testing">Testing documentation</a>
11 |  */
12 | public class ExampleUnitTest {
13 |     @Test
14 |     public void addition_isCorrect() {
15 |         assertEquals(4, 2 + 2);
16 |     }
17 | }


--------------------------------------------------------------------------------
/binderhooks/src/main/java/org/chickenhook/binderhooks/proxyListeners/ProxyListener.java:
--------------------------------------------------------------------------------
 1 | package org.chickenhook.binderhooks.proxyListeners;
 2 | 
 3 | import java.lang.reflect.InvocationHandler;
 4 | import java.lang.reflect.Method;
 5 | 
 6 | /**
 7 |  * Listener for interface hooking
 8 |  */
 9 | public abstract class ProxyListener implements InvocationHandler {
10 | 
11 |     private Object obj;
12 | 
13 |     public void setObject(Object obj) {
14 |         this.obj = obj;
15 |     }
16 | 
17 |     @Override
18 |     public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
19 |         return invoke(obj, proxy, method, args);
20 |     }
21 | 
22 |     public abstract Object invoke(Object original, Object proxy, Method method, Object[] args) throws Throwable;
23 | }
24 | 


--------------------------------------------------------------------------------
/app/proguard-rules.pro:
--------------------------------------------------------------------------------
 1 | # Add project specific ProGuard rules here.
 2 | # You can control the set of applied configuration files using the
 3 | # proguardFiles setting in build.gradle.
 4 | #
 5 | # For more details, see
 6 | #   http://developer.android.com/guide/developing/tools/proguard.html
 7 | 
 8 | # If your project uses WebView with JS, uncomment the following
 9 | # and specify the fully qualified class name to the JavaScript interface
10 | # class:
11 | #-keepclassmembers class fqcn.of.javascript.interface.for.webview {
12 | #   public *;
13 | #}
14 | 
15 | # Uncomment this to preserve the line number information for
16 | # debugging stack traces.
17 | #-keepattributes SourceFile,LineNumberTable
18 | 
19 | # If you keep the line number information, uncomment this to
20 | # hide the original source file name.
21 | #-renamesourcefileattribute SourceFile
22 | 


--------------------------------------------------------------------------------
/binderhooks/proguard-rules.pro:
--------------------------------------------------------------------------------
 1 | # Add project specific ProGuard rules here.
 2 | # You can control the set of applied configuration files using the
 3 | # proguardFiles setting in build.gradle.
 4 | #
 5 | # For more details, see
 6 | #   http://developer.android.com/guide/developing/tools/proguard.html
 7 | 
 8 | # If your project uses WebView with JS, uncomment the following
 9 | # and specify the fully qualified class name to the JavaScript interface
10 | # class:
11 | #-keepclassmembers class fqcn.of.javascript.interface.for.webview {
12 | #   public *;
13 | #}
14 | 
15 | # Uncomment this to preserve the line number information for
16 | # debugging stack traces.
17 | #-keepattributes SourceFile,LineNumberTable
18 | 
19 | # If you keep the line number information, uncomment this to
20 | # hide the original source file name.
21 | #-renamesourcefileattribute SourceFile
22 | 


--------------------------------------------------------------------------------
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
 1 | # These are supported funding model platforms
 2 | 
 3 | github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
 4 | patreon: # Replace with a single Patreon username
 5 | open_collective: # Replace with a single Open Collective username
 6 | ko_fi: # Replace with a single Ko-fi username
 7 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
 8 | community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
 9 | liberapay: # Replace with a single Liberapay username
10 | issuehunt: # Replace with a single IssueHunt username
11 | otechie: # Replace with a single Otechie username
12 | custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
13 | custom: ['https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=8UH5MBVYM3J36', 'bc1qvll2mp5ndwd4sgycu4ad2ken4clhjac7mdlcaj']
14 | 


--------------------------------------------------------------------------------
/app/src/androidTest/java/org/chickenhook/chickenbinder/MainActivityTest.kt:
--------------------------------------------------------------------------------
 1 | package org.chickenhook.chickenbinder
 2 | 
 3 | import androidx.test.espresso.Espresso.onView
 4 | import androidx.test.espresso.action.ViewActions.click
 5 | import androidx.test.espresso.matcher.ViewMatchers.withId
 6 | import androidx.test.rule.ActivityTestRule
 7 | import org.junit.Rule
 8 | import org.junit.Test
 9 | 
10 | class MainActivityTest {
11 | 
12 |     @Rule
13 |     @JvmField
14 |     val activityTestRule = ActivityTestRule(MainActivityKotlin::class.java)
15 | 
16 |     @Test
17 |     fun crashAndroidAPI29() {
18 |         onView(withId(R.id.permissionTest)).perform(click())
19 |     }
20 | 
21 | 
22 |     @Test
23 |     fun harmFulAppWarning() {
24 |         onView(withId(R.id.packageManagerTest)).perform(click())
25 |     }
26 | 
27 |     @Test
28 |     fun windowManagerTest() {
29 |         onView(withId(R.id.windowManagerTest)).perform(click())
30 |     }
31 | }


--------------------------------------------------------------------------------
/app/src/main/AndroidManifest.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <manifest xmlns:android="http://schemas.android.com/apk/res/android"
 3 |     package="org.chickenhook.chickenbinder">
 4 | 
 5 |     <application
 6 |         android:allowBackup="true"
 7 |         android:icon="@mipmap/ic_launcher"
 8 |         android:label="@string/app_name"
 9 |         android:roundIcon="@mipmap/ic_launcher_round"
10 |         android:supportsRtl="true"
11 |         android:vmSafeMode="true"
12 |         android:theme="@style/AppTheme">
13 |         <activity android:name=".MainActivity">
14 |             <intent-filter>
15 |                 <action android:name="android.intent.action.MAIN" />
16 | 
17 |                 <category android:name="android.intent.category.LAUNCHER" />
18 |             </intent-filter>
19 |         </activity>
20 |         <receiver android:name=".AppListener">
21 |             <intent-filter android:priority="999">
22 |                 <action android:name="android.intent.action.PACKAGE_REMOVED" />
23 | 
24 |                 <data android:scheme="package" />
25 |             </intent-filter>
26 |         </receiver>
27 |     </application>
28 | 
29 | </manifest>


--------------------------------------------------------------------------------
/binderhooks/src/main/java/org/chickenhook/binderhooks/ProxyHook.java:
--------------------------------------------------------------------------------
 1 | package org.chickenhook.binderhooks;
 2 | 
 3 | import android.content.Context;
 4 | 
 5 | import androidx.annotation.NonNull;
 6 | import androidx.annotation.Nullable;
 7 | 
 8 | import org.chickenhook.binderhooks.proxyListeners.ProxyListener;
 9 | 
10 | import java.lang.reflect.Field;
11 | import java.lang.reflect.Proxy;
12 | 
13 | import static org.chickenhook.binderhooks.Logger.log;
14 | 
15 | public class ProxyHook {
16 | 
17 |     public static boolean addHook(@Nullable Object host, @NonNull Field field, @NonNull Class<?> type, @NonNull ProxyListener proxyListener) throws IllegalAccessException {
18 |         proxyListener.setObject(field.get(host));
19 |         Object proxy = Proxy.newProxyInstance(Context.class.getClassLoader(), new Class[]{type}, proxyListener);
20 |         try {
21 |             field.set(host, proxy);
22 |             log("ProxyHook [-] successfully added hook for <" + type + ">");
23 |             return true;
24 |         } catch (IllegalAccessException e) {
25 |             log("ProxyHook [-] error while place proxy hook", e);
26 |             return false;
27 |         }
28 |     }
29 | }
30 | 


--------------------------------------------------------------------------------
/gradle.properties:
--------------------------------------------------------------------------------
 1 | # Project-wide Gradle settings.
 2 | # IDE (e.g. Android Studio) users:
 3 | # Gradle settings configured through the IDE *will override*
 4 | # any settings specified in this file.
 5 | # For more details on how to configure your build environment visit
 6 | # http://www.gradle.org/docs/current/userguide/build_environment.html
 7 | # Specifies the JVM arguments used for the daemon process.
 8 | # The setting is particularly useful for tweaking memory settings.
 9 | org.gradle.jvmargs=-Xmx1536m
10 | # When configured, Gradle will run in incubating parallel mode.
11 | # This option should only be used with decoupled projects. More details, visit
12 | # http://www.gradle.org/docs/current/userguide/multi_project_builds.html#sec:decoupled_projects
13 | # org.gradle.parallel=true
14 | # AndroidX package structure to make it clearer which packages are bundled with the
15 | # Android operating system, and which are packaged with your app's APK
16 | # https://developer.android.com/topic/libraries/support-library/androidx-rn
17 | android.useAndroidX=true
18 | # Automatically convert third-party libraries to use AndroidX
19 | android.enableJetifier=true
20 | # Kotlin code style for this project: "official" or "obsolete":
21 | kotlin.code.style=official
22 | 


--------------------------------------------------------------------------------
/app/src/main/res/layout/activity_main.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android"
 3 |     xmlns:app="http://schemas.android.com/apk/res-auto"
 4 |     xmlns:tools="http://schemas.android.com/tools"
 5 |     android:layout_width="match_parent"
 6 |     android:layout_height="match_parent"
 7 |     tools:context=".MainActivityKotlin">
 8 | 
 9 | 
10 |     <Button
11 |         android:id="@+id/packageManagerTest"
12 |         android:layout_width="wrap_content"
13 |         android:layout_height="wrap_content"
14 |         android:text="PackageManagerTest" />
15 | 
16 |     <Button
17 |         android:id="@+id/permissionTest"
18 |         android:layout_width="wrap_content"
19 |         android:layout_height="wrap_content"
20 |         android:layout_below="@+id/packageManagerTest"
21 |         android:text="PermissionTest" />
22 |     <Button
23 |         android:id="@+id/activityManagerTest"
24 |         android:layout_width="wrap_content"
25 |         android:layout_height="wrap_content"
26 |         android:layout_below="@+id/permissionTest"
27 |         android:text="ActivityManagerTest" />
28 | 
29 |     <Button
30 |         android:id="@+id/windowManagerTest"
31 |         android:layout_width="wrap_content"
32 |         android:layout_height="wrap_content"
33 |         android:layout_below="@+id/activityManagerTest"
34 |         android:text="WindowManagerTest" />
35 | 
36 | </RelativeLayout>


--------------------------------------------------------------------------------
/app/build.gradle:
--------------------------------------------------------------------------------
 1 | apply plugin: 'com.android.application'
 2 | apply plugin: 'kotlin-android'
 3 | apply plugin: 'kotlin-android-extensions'
 4 | 
 5 | android {
 6 |     compileSdkVersion 29
 7 |     buildToolsVersion "29.0.3"
 8 | 
 9 |     defaultConfig {
10 |         applicationId "org.chickenhook.chickenbinder"
11 |         minSdkVersion 19
12 |         targetSdkVersion 29
13 |         versionCode 1
14 |         versionName "1.0"
15 | 
16 |         testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
17 |     }
18 | 
19 |     buildTypes {
20 |         release {
21 |             minifyEnabled false
22 |             proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
23 |         }
24 |     }
25 | 
26 | }
27 | 
28 | dependencies {
29 |     implementation fileTree(dir: 'libs', include: ['*.jar'])
30 |     implementation 'com.github.ChickenHook:RestrictionBypass:2.2'
31 |     implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk7:$kotlin_version"
32 |     implementation 'androidx.appcompat:appcompat:1.1.0'
33 |     implementation 'androidx.core:core-ktx:1.2.0'
34 |     implementation 'androidx.constraintlayout:constraintlayout:1.1.3'
35 |     implementation project(':binderhooks')
36 |     testImplementation 'junit:junit:4.12'
37 |     androidTestImplementation 'androidx.test.ext:junit:1.1.1'
38 |     androidTestImplementation 'androidx.test.espresso:espresso-core:3.2.0'
39 |     androidTestImplementation 'androidx.test:rules:1.2.0'
40 | }
41 | 


--------------------------------------------------------------------------------
/binderhooks/build.gradle:
--------------------------------------------------------------------------------
 1 | apply plugin: 'com.android.library'
 2 | apply plugin: 'com.github.dcendents.android-maven'
 3 | group = 'com.github.ChickenHook'
 4 | 
 5 | android {
 6 |     compileSdkVersion 29
 7 |     buildToolsVersion "29.0.3"
 8 | 
 9 |     defaultConfig {
10 |         minSdkVersion 19
11 |         targetSdkVersion 29
12 |         versionCode 1
13 |         versionName "1.0"
14 | 
15 |         testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
16 |         externalNativeBuild {
17 |             cmake {
18 |                 cppFlags "-std=c++14"
19 |             }
20 |         }
21 |         ndk {
22 |             abiFilters 'arm64-v8a', 'armeabi-v7a', 'x86', 'x86_64'
23 |         }
24 |         consumerProguardFiles 'consumer-rules.pro'
25 |     }
26 | 
27 |     buildTypes {
28 |         release {
29 |             minifyEnabled false
30 |             proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
31 |         }
32 |     }
33 |     externalNativeBuild {
34 |         cmake {
35 |             path "CMakeLists.txt"
36 |             version "3.6.0"
37 |         }
38 |     }
39 | 
40 | }
41 | 
42 | dependencies {
43 |     implementation fileTree(dir: 'libs', include: ['*.jar'])
44 |     implementation 'com.github.ChickenHook:RestrictionBypass:2.2'
45 |     implementation 'androidx.appcompat:appcompat:1.1.0'
46 |     testImplementation 'junit:junit:4.12'
47 |     androidTestImplementation 'androidx.test.ext:junit:1.1.1'
48 |     androidTestImplementation 'androidx.test.espresso:espresso-core:3.2.0'
49 | }
50 | 


--------------------------------------------------------------------------------
/binderhooks/src/main/java/org/chickenhook/binderhooks/ParcelEditor.java:
--------------------------------------------------------------------------------
 1 | package org.chickenhook.binderhooks;
 2 | 
 3 | import android.os.Parcel;
 4 | 
 5 | import androidx.annotation.NonNull;
 6 | 
 7 | import static org.chickenhook.restrictionbypass.helpers.Reflection.getReflective;
 8 | 
 9 | public class ParcelEditor {
10 | 
11 |     static long getNativePtr(@NonNull Parcel parcel) throws NoSuchFieldException, IllegalAccessException {
12 |         return getReflective(parcel, "mNativePtr");
13 |     }
14 | 
15 |     public static void dump(@NonNull Parcel parcel) throws NoSuchFieldException, IllegalAccessException {
16 |         long parcel_pointer = getNativePtr(parcel);
17 |         dump(parcel_pointer, parcel.dataSize());
18 |     }
19 | 
20 |     public static native void dump(long addr, int size);
21 | 
22 |     public static byte[] read(@NonNull Parcel parcel, int offset, int size) throws NoSuchFieldException, IllegalAccessException {
23 |         long parcel_pointer = getNativePtr(parcel);
24 |         return read(parcel_pointer, offset, size);
25 |     }
26 | 
27 |     public static native byte[] read(long addr, int offset, int size);
28 | 
29 |     public static void write(@NonNull Parcel parcel, int offset, @NonNull byte[] data) throws NoSuchFieldException, IllegalAccessException {
30 |         long parcel_pointer = getNativePtr(parcel);
31 |         write(parcel_pointer, offset, data);
32 |     }
33 | 
34 |     public static native void write(long addr, int offset, @NonNull byte[] data);
35 | 
36 |     static {
37 |         System.loadLibrary("chickenbinder");
38 |     }
39 | }
40 | 


--------------------------------------------------------------------------------
/app/src/main/res/drawable-v24/ic_launcher_foreground.xml:
--------------------------------------------------------------------------------
 1 | <vector xmlns:android="http://schemas.android.com/apk/res/android"
 2 |     xmlns:aapt="http://schemas.android.com/aapt"
 3 |     android:width="108dp"
 4 |     android:height="108dp"
 5 |     android:viewportWidth="108"
 6 |     android:viewportHeight="108">
 7 |     <path android:pathData="M31,63.928c0,0 6.4,-11 12.1,-13.1c7.2,-2.6 26,-1.4 26,-1.4l38.1,38.1L107,108.928l-32,-1L31,63.928z">
 8 |         <aapt:attr name="android:fillColor">
 9 |             <gradient
10 |                 android:endX="85.84757"
11 |                 android:endY="92.4963"
12 |                 android:startX="42.9492"
13 |                 android:startY="49.59793"
14 |                 android:type="linear">
15 |                 <item
16 |                     android:color="#44000000"
17 |                     android:offset="0.0" />
18 |                 <item
19 |                     android:color="#00000000"
20 |                     android:offset="1.0" />
21 |             </gradient>
22 |         </aapt:attr>
23 |     </path>
24 |     <path
25 |         android:fillColor="#FFFFFF"
26 |         android:fillType="nonZero"
27 |         android:pathData="M65.3,45.828l3.8,-6.6c0.2,-0.4 0.1,-0.9 -0.3,-1.1c-0.4,-0.2 -0.9,-0.1 -1.1,0.3l-3.9,6.7c-6.3,-2.8 -13.4,-2.8 -19.7,0l-3.9,-6.7c-0.2,-0.4 -0.7,-0.5 -1.1,-0.3C38.8,38.328 38.7,38.828 38.9,39.228l3.8,6.6C36.2,49.428 31.7,56.028 31,63.928h46C76.3,56.028 71.8,49.428 65.3,45.828zM43.4,57.328c-0.8,0 -1.5,-0.5 -1.8,-1.2c-0.3,-0.7 -0.1,-1.5 0.4,-2.1c0.5,-0.5 1.4,-0.7 2.1,-0.4c0.7,0.3 1.2,1 1.2,1.8C45.3,56.528 44.5,57.328 43.4,57.328L43.4,57.328zM64.6,57.328c-0.8,0 -1.5,-0.5 -1.8,-1.2s-0.1,-1.5 0.4,-2.1c0.5,-0.5 1.4,-0.7 2.1,-0.4c0.7,0.3 1.2,1 1.2,1.8C66.5,56.528 65.6,57.328 64.6,57.328L64.6,57.328z"
28 |         android:strokeWidth="1"
29 |         android:strokeColor="#00000000" />
30 | </vector>


--------------------------------------------------------------------------------
/binderhooks/CMakeLists.txt:
--------------------------------------------------------------------------------
 1 | # For more information about using CMake with Android Studio, read the
 2 | # documentation: https://d.android.com/studio/projects/add-native-code.html
 3 | 
 4 | # Sets the minimum version of CMake required to build the native library.
 5 | 
 6 | cmake_minimum_required(VERSION 3.4.1)
 7 | 
 8 | # Creates and names a library, sets it as either STATIC
 9 | # or SHARED, and provides the relative paths to its source code.
10 | # You can define multiple libraries, and CMake builds them for you.
11 | # Gradle automatically packages shared libraries with your APK.
12 | 
13 | add_library( # Sets the name of the library.
14 |         chickenbinder
15 | 
16 |         # Sets the library as a shared library.
17 |         SHARED
18 | 
19 |         # Provides a relative path to your source file(s).
20 |         src/main/cpp/chickenbinder.cc)
21 | 
22 | 
23 | # Searches for a specified prebuilt library and stores the path as a
24 | # variable. Because CMake includes system libraries in the search path by
25 | # default, you only need to specify the name of the public NDK library
26 | # you want to add. CMake verifies that the library exists before
27 | # completing its build.
28 | 
29 | find_library( # Sets the name of the path variable.
30 |         log-lib
31 | 
32 |         # Specifies the name of the NDK library that
33 |         # you want CMake to locate.
34 |         log)
35 | 
36 | # Specifies libraries CMake should link to your target library. You
37 | # can link multiple libraries, such as libraries you define in this
38 | # build script, prebuilt third-party libraries, or system libraries.
39 | 
40 | 
41 | target_link_libraries( # Specifies the target library.
42 |         chickenbinder
43 |         # Links the target library to the log library
44 |         # included in the NDK.
45 |         ${log-lib})
46 | 
47 | target_include_directories(chickenbinder PRIVATE
48 |         )


--------------------------------------------------------------------------------
/binderhooks/src/main/java/org/chickenhook/binderhooks/BinderListener.java:
--------------------------------------------------------------------------------
 1 | package org.chickenhook.binderhooks;
 2 | 
 3 | import android.os.IBinder;
 4 | import android.os.IInterface;
 5 | import android.os.Parcel;
 6 | import android.os.RemoteException;
 7 | 
 8 | import androidx.annotation.NonNull;
 9 | import androidx.annotation.Nullable;
10 | 
11 | import java.io.FileDescriptor;
12 | 
13 | public abstract class BinderListener {
14 |     @Nullable
15 |     protected String getInterfaceDescriptor(@NonNull IBinder originalBinder) throws RemoteException {
16 |         return originalBinder.getInterfaceDescriptor();
17 |     }
18 | 
19 |     protected boolean pingBinder(@NonNull IBinder originalBinder) {
20 |         return originalBinder.pingBinder();
21 |     }
22 | 
23 |     protected boolean isBinderAlive(@NonNull IBinder originalBinder) {
24 |         return originalBinder.isBinderAlive();
25 |     }
26 | 
27 |     @Nullable
28 |     protected IInterface queryLocalInterface(@NonNull IBinder originalBinder, @NonNull String descriptor) {
29 |         return originalBinder.queryLocalInterface(descriptor);
30 |     }
31 | 
32 |     protected void dump(@NonNull IBinder originalBinder, @NonNull FileDescriptor fd, @Nullable String[] args) throws RemoteException {
33 |         originalBinder.dump(fd, args);
34 |     }
35 | 
36 |     protected void dumpAsync(@NonNull IBinder originalBinder, @NonNull FileDescriptor fd, @Nullable String[] args) throws RemoteException {
37 |         originalBinder.dumpAsync(fd, args);
38 |     }
39 | 
40 |     protected abstract boolean transact(@NonNull IBinder originalBinder, int code, @NonNull Parcel data, @Nullable Parcel reply, int flags) throws RemoteException;
41 | 
42 |     protected void linkToDeath(@NonNull IBinder originalBinder, @NonNull IBinder.DeathRecipient recipient, int flags) throws RemoteException {
43 |         originalBinder.linkToDeath(recipient, flags);
44 |     }
45 | 
46 |     protected boolean unlinkToDeath(@NonNull IBinder originalBinder, @NonNull IBinder.DeathRecipient recipient, int flags) {
47 |         return originalBinder.unlinkToDeath(recipient, flags);
48 |     }
49 | }
50 | 


--------------------------------------------------------------------------------
/app/src/main/java/com/android/server/wm/ActivityRecord.java:
--------------------------------------------------------------------------------
 1 | package com.android.server.wm;
 2 | 
 3 | import android.os.Binder;
 4 | import android.os.IBinder;
 5 | import android.os.IInterface;
 6 | import android.os.Parcel;
 7 | import android.os.RemoteException;
 8 | 
 9 | import androidx.annotation.NonNull;
10 | import androidx.annotation.Nullable;
11 | 
12 | import java.io.FileDescriptor;
13 | import java.lang.ref.WeakReference;
14 | 
15 | public class ActivityRecord {
16 | 
17 | 
18 |     public static class Token implements IBinder {
19 |         private final WeakReference<ActivityRecord> weakActivity;
20 |         private final String name;
21 | 
22 |         public Token() {
23 |             name = "com.android.chrome";
24 |             weakActivity = new WeakReference<>(new ActivityRecord());
25 |         }
26 | 
27 |         @Nullable
28 |         @Override
29 |         public String getInterfaceDescriptor() throws RemoteException {
30 |             return null;
31 |         }
32 | 
33 |         @Override
34 |         public boolean pingBinder() {
35 |             return false;
36 |         }
37 | 
38 |         @Override
39 |         public boolean isBinderAlive() {
40 |             return false;
41 |         }
42 | 
43 |         @Nullable
44 |         @Override
45 |         public IInterface queryLocalInterface(@NonNull String descriptor) {
46 |             return null;
47 |         }
48 | 
49 |         @Override
50 |         public void dump(@NonNull FileDescriptor fd, @Nullable String[] args) throws RemoteException {
51 | 
52 |         }
53 | 
54 |         @Override
55 |         public void dumpAsync(@NonNull FileDescriptor fd, @Nullable String[] args) throws RemoteException {
56 | 
57 |         }
58 | 
59 |         @Override
60 |         public boolean transact(int code, @NonNull Parcel data, @Nullable Parcel reply, int flags) throws RemoteException {
61 |             return false;
62 |         }
63 | 
64 |         @Override
65 |         public void linkToDeath(@NonNull DeathRecipient recipient, int flags) throws RemoteException {
66 | 
67 |         }
68 | 
69 |         @Override
70 |         public boolean unlinkToDeath(@NonNull DeathRecipient recipient, int flags) {
71 |             return false;
72 |         }
73 |     }
74 | }
75 | 


--------------------------------------------------------------------------------
/gradlew.bat:
--------------------------------------------------------------------------------
 1 | @if "%DEBUG%" == "" @echo off
 2 | @rem ##########################################################################
 3 | @rem
 4 | @rem  Gradle startup script for Windows
 5 | @rem
 6 | @rem ##########################################################################
 7 | 
 8 | @rem Set local scope for the variables with windows NT shell
 9 | if "%OS%"=="Windows_NT" setlocal
10 | 
11 | set DIRNAME=%~dp0
12 | if "%DIRNAME%" == "" set DIRNAME=.
13 | set APP_BASE_NAME=%~n0
14 | set APP_HOME=%DIRNAME%
15 | 
16 | @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
17 | set DEFAULT_JVM_OPTS=
18 | 
19 | @rem Find java.exe
20 | if defined JAVA_HOME goto findJavaFromJavaHome
21 | 
22 | set JAVA_EXE=java.exe
23 | %JAVA_EXE% -version >NUL 2>&1
24 | if "%ERRORLEVEL%" == "0" goto init
25 | 
26 | echo.
27 | echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
28 | echo.
29 | echo Please set the JAVA_HOME variable in your environment to match the
30 | echo location of your Java installation.
31 | 
32 | goto fail
33 | 
34 | :findJavaFromJavaHome
35 | set JAVA_HOME=%JAVA_HOME:"=%
36 | set JAVA_EXE=%JAVA_HOME%/bin/java.exe
37 | 
38 | if exist "%JAVA_EXE%" goto init
39 | 
40 | echo.
41 | echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
42 | echo.
43 | echo Please set the JAVA_HOME variable in your environment to match the
44 | echo location of your Java installation.
45 | 
46 | goto fail
47 | 
48 | :init
49 | @rem Get command-line arguments, handling Windows variants
50 | 
51 | if not "%OS%" == "Windows_NT" goto win9xME_args
52 | 
53 | :win9xME_args
54 | @rem Slurp the command line arguments.
55 | set CMD_LINE_ARGS=
56 | set _SKIP=2
57 | 
58 | :win9xME_args_slurp
59 | if "x%~1" == "x" goto execute
60 | 
61 | set CMD_LINE_ARGS=%*
62 | 
63 | :execute
64 | @rem Setup the command line
65 | 
66 | set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
67 | 
68 | @rem Execute Gradle
69 | "%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS%
70 | 
71 | :end
72 | @rem End local scope for the variables with windows NT shell
73 | if "%ERRORLEVEL%"=="0" goto mainEnd
74 | 
75 | :fail
76 | rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
77 | rem the _cmd.exe /c_ return code!
78 | if  not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
79 | exit /b 1
80 | 
81 | :mainEnd
82 | if "%OS%"=="Windows_NT" endlocal
83 | 
84 | :omega
85 | 


--------------------------------------------------------------------------------
/app/src/main/java/org/chickenhook/chickenbinder/MainActivity.java:
--------------------------------------------------------------------------------
 1 | package org.chickenhook.chickenbinder;
 2 | 
 3 | import android.Manifest;
 4 | import android.os.Bundle;
 5 | import android.util.Log;
 6 | import android.view.View;
 7 | import android.widget.Button;
 8 | 
 9 | import androidx.annotation.Nullable;
10 | import androidx.appcompat.app.AppCompatActivity;
11 | import androidx.core.app.ActivityCompat;
12 | 
13 | import org.chickenhook.binderhooks.ServiceHooks;
14 | import org.chickenhook.binderhooks.proxyListeners.ProxyListener;
15 | 
16 | import java.lang.reflect.InvocationTargetException;
17 | import java.lang.reflect.Method;
18 | 
19 | public class MainActivity extends AppCompatActivity {
20 | 
21 |     @Override
22 |     public void onCreate(@Nullable Bundle savedInstanceState) {
23 |         super.onCreate(savedInstanceState);
24 |         setContentView(R.layout.activity_main);
25 |         Button packageManagerTestButton = findViewById(R.id.packageManagerTest);
26 |         Button permissionTestButton = findViewById(R.id.permissionTest);
27 |         Button windowManagerTestButton = findViewById(R.id.windowManagerTest);
28 | 
29 |         permissionTestButton.setOnClickListener(new View.OnClickListener() {
30 |             @Override
31 |             public void onClick(View v) {
32 |                 ActivityCompat.requestPermissions(
33 |                         MainActivity.this,
34 |                         new String[]{
35 |                                 Manifest.permission.READ_CONTACTS
36 |                         },
37 |                         1001
38 |                 );
39 |             }
40 |         });
41 | 
42 |         try {
43 |             hook();
44 |         } catch (Exception e) {
45 |             Log.e("MainActivity", "Error while install hooks", e);
46 |         }
47 |     }
48 | 
49 |     private static final int START_FLAG_NATIVE_DEBUGGING = 1 << 1;
50 |     private static final int START_FLAG_DEBUG = 1 << 1;
51 |     private static final int START_FLAG_TRACK_ALLOCATION = 1 << 2;
52 | 
53 |     private void hook() throws InvocationTargetException, NoSuchMethodException, ClassNotFoundException, IllegalAccessException, NoSuchFieldException {
54 |         ServiceHooks.hookActivityManager(new ProxyListener() {
55 |             @Override
56 |             public Object invoke(Object orig, Object proxy, Method method, Object[] args) throws Throwable {
57 |                 if (method.getName().equals("startActivity") && args.length == 10) {
58 |                     args[args.length - 3] = ((int) args[args.length - 3]) |
59 |                             START_FLAG_DEBUG |
60 |                             START_FLAG_TRACK_ALLOCATION |
61 |                             START_FLAG_NATIVE_DEBUGGING;
62 |                 }
63 |                 return method.invoke(orig, args);
64 |             }
65 |         });
66 | 
67 | 
68 |         ServiceHooks.hookActivityTaskManager(new ProxyListener() {
69 |             @Override
70 |             public Object invoke(Object orig, Object proxy, Method method, Object[] args) throws Throwable {
71 |                 if (method.getName().equals("startActivity") && args.length == 10) {
72 |                     args[args.length - 3] = ((int) args[args.length - 3]) |
73 |                             START_FLAG_DEBUG |
74 |                             START_FLAG_TRACK_ALLOCATION |
75 |                             START_FLAG_NATIVE_DEBUGGING;
76 |                 }
77 |                 return method.invoke(orig, args);
78 |             }
79 |         });
80 |     }
81 | }
82 | 


--------------------------------------------------------------------------------
/binderhooks/src/androidTest/java/org/chickenhook/binderhooks/ServiceHooksTest.java:
--------------------------------------------------------------------------------
 1 | package org.chickenhook.binderhooks;
 2 | 
 3 | import android.app.AppOpsManager;
 4 | import android.app.NotificationManager;
 5 | import android.content.Context;
 6 | import android.os.IBinder;
 7 | import android.os.Parcel;
 8 | import android.os.RemoteException;
 9 | import android.system.Os;
10 | 
11 | import androidx.annotation.NonNull;
12 | import androidx.annotation.Nullable;
13 | import androidx.test.platform.app.InstrumentationRegistry;
14 | 
15 | import org.junit.Test;
16 | 
17 | import static junit.framework.TestCase.assertTrue;
18 | 
19 | public class ServiceHooksTest {
20 | 
21 |     @Test
22 |     public void hookContentResolver() throws Exception {
23 |         InstrumentationRegistry.getInstrumentation().getTargetContext().getContentResolver(); // let android establish a connection to the service first
24 | 
25 | 
26 |         assertTrue(ServiceHooks.hookContentResolver(new BinderListener() {
27 |             @Override
28 |             protected boolean transact(@NonNull IBinder originalBinder, int code, @NonNull Parcel data, @Nullable Parcel reply, int flags) throws RemoteException {
29 |                 return originalBinder.transact(code, data, reply, flags);
30 |             }
31 |         }));
32 |     }
33 | 
34 |     @Test
35 |     public void hookNotificationManager() throws Exception {
36 |         NotificationManager notificationManager = (NotificationManager) InstrumentationRegistry.getInstrumentation().getTargetContext().getSystemService(Context.NOTIFICATION_SERVICE);
37 |         notificationManager.cancelAll(); // let android establish a connection to the service first
38 | 
39 | 
40 |         assertTrue(ServiceHooks.hookNotificationManager(new BinderListener() {
41 |             @Override
42 |             protected boolean transact(@NonNull IBinder originalBinder, int code, @NonNull Parcel data, @Nullable Parcel reply, int flags) throws RemoteException {
43 |                 return originalBinder.transact(code, data, reply, flags);
44 |             }
45 |         }));
46 |     }
47 | 
48 |     @Test
49 |     public void hookActivityManager() throws Exception {
50 |         assertTrue(ServiceHooks.hookActivityManager(new BinderListener() {
51 |             @Override
52 |             protected boolean transact(@NonNull IBinder originalBinder, int code, @NonNull Parcel data, @Nullable Parcel reply, int flags) throws RemoteException {
53 |                 return originalBinder.transact(code, data, reply, flags);
54 |             }
55 |         }));
56 |     }
57 | 
58 |     @Test
59 |     public void hookAppOpsManager() throws Exception {
60 |         AppOpsManager appOpsManager = (AppOpsManager) InstrumentationRegistry.getInstrumentation().getTargetContext().getSystemService(Context.APP_OPS_SERVICE);
61 |         appOpsManager.checkPackage(Os.getuid(), InstrumentationRegistry.getInstrumentation().getContext().getPackageName());  // let android establish a connection to the service first
62 | 
63 | 
64 |         assertTrue(ServiceHooks.hookAppOpsManager(appOpsManager, new BinderListener() {
65 |             @Override
66 |             protected boolean transact(@NonNull IBinder originalBinder, int code, @NonNull Parcel data, @Nullable Parcel reply, int flags) throws RemoteException {
67 |                 return originalBinder.transact(code, data, reply, flags);
68 |             }
69 |         }));
70 |     }
71 | 
72 |     @Test
73 |     public void hookPackageManager() throws Exception {
74 |         assertTrue(ServiceHooks.hookPackageManager(InstrumentationRegistry.getInstrumentation().getTargetContext().getPackageManager(), new BinderListener() {
75 |             @Override
76 |             protected boolean transact(@NonNull IBinder originalBinder, int code, @NonNull Parcel data, @Nullable Parcel reply, int flags) throws RemoteException {
77 |                 return originalBinder.transact(code, data, reply, flags);
78 |             }
79 |         }));
80 |     }
81 | }


--------------------------------------------------------------------------------
/binderhooks/src/main/cpp/chickenbinder.cc:
--------------------------------------------------------------------------------
  1 | #include <jni.h>
  2 | #include <android/log.h>
  3 | #include <malloc.h>
  4 | #include <iostream>
  5 | #include <fstream>
  6 | #include <sstream>
  7 | #include <unistd.h>
  8 | 
  9 | ///////////////////////// HELPERS
 10 | 
 11 | void printHexBuffer2(const uint8_t *buf, int len) {
 12 |     char *str_buf = (char *) malloc(
 13 |             3 * len + 1);   // X is the number of bytes to be converted
 14 | 
 15 |     const uint8_t *pin = buf;
 16 |     const char *hex = "0123456789ABCDEF";
 17 |     char *pout = str_buf;
 18 |     int i = 0;
 19 |     for (; i < len - 1; ++i) {
 20 |         *pout++ = hex[(*pin >> 4) & 0xF];
 21 |         *pout++ = hex[(*pin++) & 0xF];
 22 |         *pout++ = ':';
 23 |     }
 24 |     *pout++ = hex[(*pin >> 4) & 0xF];
 25 |     *pout++ = hex[(*pin) & 0xF];
 26 |     *pout = 0;
 27 | 
 28 |     __android_log_print(ANDROID_LOG_DEBUG, "parcel", "%s", str_buf);
 29 |     free(str_buf);
 30 | }
 31 | 
 32 | // Log a large byte array by logging it incrementally in smaller chunks to overcome printf buffering issues
 33 | void printHexBuffer(const char *title, const uint8_t *buf, unsigned int len) {
 34 |     __android_log_print(ANDROID_LOG_DEBUG, "parcel", "%s (%d bytes):", title, len);
 35 |     const int linewidth = 50;
 36 |     int loop = 0;
 37 |     int remainingSize = len;
 38 | 
 39 |     while (len != 0) {
 40 |         if (remainingSize < linewidth) {
 41 |             printHexBuffer2(&buf[loop * linewidth], remainingSize);
 42 |             break;
 43 |         } else {
 44 |             printHexBuffer2(&buf[loop * linewidth], linewidth);
 45 |             remainingSize -= linewidth;
 46 |         }
 47 |         loop++;
 48 |     }
 49 | }
 50 | 
 51 | void printHexBuffer(const uint8_t *buf, unsigned int len) {
 52 |     printHexBuffer("HEX", buf, len);
 53 | }
 54 | 
 55 | ///////////////////////// PARCEL
 56 | 
 57 | 
 58 | uint8_t *GetData(jlong parcel_addr) {
 59 |     void **parcel = (void **) parcel_addr;
 60 | 
 61 |     /*for (int i = 0; i < 5; i++) {
 62 |     __android_log_print(ANDROID_LOG_DEBUG, "chickenbinder", "Got parcel content <%p>",
 63 |                         parcel[i]);
 64 |     }*/
 65 |     return static_cast<uint8_t *>(parcel[1]);
 66 | }
 67 | 
 68 | void JNICALL writeParcel(JNIEnv *env,
 69 |                          jclass interface,
 70 |                          jlong parcelAddr,
 71 |                          int offset,
 72 |                          jbyteArray toInsert) {
 73 |     __android_log_print(ANDROID_LOG_DEBUG, "chickenbinder", "write parcel <%p>", parcelAddr);
 74 |     uint8_t *data = GetData(parcelAddr);
 75 |     env->GetByteArrayRegion(toInsert, 0, env->GetArrayLength(toInsert),
 76 |                             reinterpret_cast<jbyte *>(data + offset));
 77 | }
 78 | 
 79 | 
 80 | jobject JNICALL readParcel(JNIEnv *env,
 81 |                            jclass interface,
 82 |                            jlong parcelAddr,
 83 |                            int offset,
 84 |                            int size) {
 85 |     __android_log_print(ANDROID_LOG_DEBUG, "chickenbinder", "read parcel <%p>", parcelAddr);
 86 |     uint8_t *data = GetData(parcelAddr);
 87 |     jbyteArray jarr = env->NewByteArray(size);
 88 |     env->SetByteArrayRegion(jarr, 0, size, reinterpret_cast<const jbyte *>(data + offset));
 89 |     return jarr;
 90 | }
 91 | 
 92 | static JNICALL void dumpParcel(
 93 |         JNIEnv *env,
 94 |         jclass interface,
 95 |         jlong parcelAddr,
 96 |         int size) {
 97 |     __android_log_print(ANDROID_LOG_DEBUG, "chickenbinder", "dump parcel <%p>", parcelAddr);
 98 |     __android_log_print(ANDROID_LOG_DEBUG, "chickenbinder",
 99 |                         "---------------------------------------------------------------------------------------------------------------------------------------------");
100 | 
101 | 
102 |     uint8_t *data = GetData(parcelAddr);
103 |     printHexBuffer(data, size);
104 |     __android_log_print(ANDROID_LOG_DEBUG, "chickenbinder",
105 |                         "---------------------------------------------------------------------------------------------------------------------------------------------");
106 | }
107 | 
108 | 
109 | 
110 | ////////// JNI STUFF
111 | 
112 | 
113 | static const JNINativeMethod gMethods[] = {
114 |         /*{"manipulateParcel", "(JII)J",               (void *) manipulateParcel},
115 |         {"readAddr",         "()Ljava/lang/String;", (void *) Java_readAddr},*/
116 |         {"dump",  "(JI)V",   (void *) &dumpParcel},
117 |         {"read",  "(JII)[B", (void *) &readParcel},
118 |         {"write", "(JI[B)V", (void *) &writeParcel},
119 | };
120 | static const char *classPathName = "org/chickenhook/binderhooks/ParcelEditor";
121 | 
122 | static int registerNativeMethods(JNIEnv *env, const char *className,
123 |                                  JNINativeMethod *gMethods, int numMethods) {
124 |     jclass clazz;
125 |     clazz = env->FindClass(className);
126 |     if (clazz == nullptr) {
127 |         __android_log_print(ANDROID_LOG_DEBUG, "registerNativeMethods",
128 |                             "Native registration unable to find class '%s'", className);
129 |         return JNI_FALSE;
130 |     }
131 |     if (env->RegisterNatives(clazz, gMethods, numMethods) < 0) {
132 |         __android_log_print(ANDROID_LOG_DEBUG, "registerNativeMethods",
133 |                             "Native registration unable to register natives...");
134 |         return JNI_FALSE;
135 |     }
136 |     return JNI_TRUE;
137 | }
138 | 
139 | jint JNI_OnLoad(JavaVM *vm, void * /*reserved*/) {
140 |     JNIEnv *env = nullptr;
141 | 
142 |     if (vm->GetEnv((void **) (&env), JNI_VERSION_1_4) != JNI_OK) {
143 |         return -1;
144 |     }
145 | 
146 | 
147 |     if (!registerNativeMethods(env, classPathName,
148 |                                (JNINativeMethod *) gMethods,
149 |                                sizeof(gMethods) / sizeof(gMethods[0]))) {
150 |         return -1;
151 |     }
152 |     return JNI_VERSION_1_4;
153 | }


--------------------------------------------------------------------------------
/binderhooks/src/main/java/org/chickenhook/binderhooks/BinderHook.java:
--------------------------------------------------------------------------------
  1 | package org.chickenhook.binderhooks;
  2 | 
  3 | import android.os.IBinder;
  4 | import android.os.IInterface;
  5 | import android.os.Parcel;
  6 | import android.os.RemoteException;
  7 | 
  8 | import androidx.annotation.NonNull;
  9 | import androidx.annotation.Nullable;
 10 | 
 11 | import java.io.FileDescriptor;
 12 | 
 13 | import static org.chickenhook.binderhooks.Logger.log;
 14 | import static org.chickenhook.restrictionbypass.helpers.Reflection.getReflective;
 15 | import static org.chickenhook.restrictionbypass.helpers.Reflection.setReflective;
 16 | 
 17 | public class BinderHook {
 18 | 
 19 |     public static boolean VERBOSE = false;
 20 | 
 21 | 
 22 |     /**
 23 |      * Add a binder hook for the given binder proxy
 24 |      *
 25 |      * @param binderProxy      to be hooked
 26 |      * @param binderListener will be called for different binder interactions
 27 |      * @return true on success
 28 |      * @throws NoSuchFieldException   if mRemote is not available
 29 |      * @throws IllegalAccessException if mRemote field cannot be accessed
 30 |      */
 31 |     public static boolean addHook(@Nullable Object binderProxy, @Nullable BinderListener binderListener) throws NoSuchFieldException, IllegalAccessException {
 32 |         if (binderProxy == null) {
 33 |             log("Unable to addHook - given binderProxy is null");
 34 |             return false;
 35 |         }
 36 | 
 37 |         if (binderListener == null) {
 38 |             log("Unable to addHook - given onBinderListener is null");
 39 |             return false;
 40 |         }
 41 | 
 42 |         /*for (Method m : binderProxy.getClass().getMethods()) {
 43 |             if (VERBOSE) log(binderProxy.getClass().getCanonicalName() + " Found method " + m);
 44 |         }*/
 45 | 
 46 |         IBinder mRemote = getReflective(binderProxy, "mRemote");
 47 |         if (mRemote == null) {
 48 |             log("Unable to addHook - retrieved mRemote is null");
 49 |             return false;
 50 |         }
 51 | 
 52 |         IBinder fakeBinder = new FakeBinder(binderProxy.getClass().getName(), mRemote, binderListener);
 53 |         setReflective(binderProxy, "mRemote", fakeBinder);
 54 |         log("Successfully added hook for <" + binderProxy.getClass().getName() + ">");
 55 |         return true;
 56 |     }
 57 | 
 58 |     public static class FakeBinder implements IBinder {
 59 | 
 60 |         private @NonNull
 61 |         BinderListener mBinderListener;
 62 |         private @NonNull
 63 |         IBinder mOriginalBinder;
 64 |         private @NonNull
 65 |         String mName;
 66 | 
 67 |         public FakeBinder(@NonNull String name, @NonNull IBinder originalBinder, @NonNull BinderListener binderListener) {
 68 |             mName = name;
 69 |             mOriginalBinder = originalBinder;
 70 |             mBinderListener = binderListener;
 71 |         }
 72 | 
 73 | 
 74 |         @Nullable
 75 |         @Override
 76 |         public String getInterfaceDescriptor() throws RemoteException {
 77 |             return mBinderListener.getInterfaceDescriptor(mOriginalBinder);
 78 |         }
 79 | 
 80 |         @Override
 81 |         public boolean pingBinder() {
 82 |             return mBinderListener.pingBinder(mOriginalBinder);
 83 |         }
 84 | 
 85 |         @Override
 86 |         public boolean isBinderAlive() {
 87 |             return mBinderListener.isBinderAlive(mOriginalBinder);
 88 |         }
 89 | 
 90 |         @Nullable
 91 |         @Override
 92 |         public IInterface queryLocalInterface(@NonNull String descriptor) {
 93 |             return mBinderListener.queryLocalInterface(mOriginalBinder, descriptor);
 94 |         }
 95 | 
 96 |         @Override
 97 |         public void dump(@NonNull FileDescriptor fd, @Nullable String[] args) throws RemoteException {
 98 |             mBinderListener.dump(mOriginalBinder, fd, args);
 99 |         }
100 | 
101 |         @Override
102 |         public void dumpAsync(@NonNull FileDescriptor fd, @Nullable String[] args) throws RemoteException {
103 |             mBinderListener.dumpAsync(mOriginalBinder, fd, args);
104 |         }
105 | 
106 |         @Override
107 |         public boolean transact(int code, @NonNull Parcel data, @Nullable Parcel reply, int flags) throws RemoteException {
108 |             if (VERBOSE) {
109 |                 try {
110 |                     log("Got transact call code: <" + code + "> data: <" + data + "> reply: <" + reply + "> flags: <" + flags + ">");
111 |                     doStackTrace();
112 |                     ParcelEditor.dump(data);
113 |                 } catch (Exception e) {
114 |                     log("Error while dump parcel", e);
115 |                 }
116 |             }
117 |             boolean res = mBinderListener.transact(mOriginalBinder, code, data, reply, flags);
118 |             if (VERBOSE) {
119 |                 try {
120 |                     if (reply != null) {
121 |                         log("Got reply call code: <" + code + "> data: <" + data + "> reply: <" + reply + "> flags: <" + flags + ">");
122 |                         ParcelEditor.dump(reply);
123 |                     }
124 |                 } catch (Exception e) {
125 |                     log("Error while dump parcel", e);
126 |                 }
127 |             }
128 |             return res;
129 |         }
130 | 
131 |         @Override
132 |         public void linkToDeath(@NonNull DeathRecipient recipient, int flags) throws RemoteException {
133 |             mBinderListener.linkToDeath(mOriginalBinder, recipient, flags);
134 |         }
135 | 
136 |         @Override
137 |         public boolean unlinkToDeath(@NonNull DeathRecipient recipient, int flags) {
138 |             return mBinderListener.unlinkToDeath(mOriginalBinder, recipient, flags);
139 |         }
140 |     }
141 | 
142 |     static void doStackTrace() {
143 |         try {
144 |             throw new Exception("Trace");
145 |         } catch (Exception e) {
146 |             log("ProxyHook [+] trace [+] ", e);
147 |         }
148 |     }
149 | }
150 | 


--------------------------------------------------------------------------------
/gradlew:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env sh
  2 | 
  3 | ##############################################################################
  4 | ##
  5 | ##  Gradle start up script for UN*X
  6 | ##
  7 | ##############################################################################
  8 | 
  9 | # Attempt to set APP_HOME
 10 | # Resolve links: $0 may be a link
 11 | PRG="$0"
 12 | # Need this for relative symlinks.
 13 | while [ -h "$PRG" ] ; do
 14 |     ls=`ls -ld "$PRG"`
 15 |     link=`expr "$ls" : '.*-> \(.*\)$'`
 16 |     if expr "$link" : '/.*' > /dev/null; then
 17 |         PRG="$link"
 18 |     else
 19 |         PRG=`dirname "$PRG"`"/$link"
 20 |     fi
 21 | done
 22 | SAVED="`pwd`"
 23 | cd "`dirname \"$PRG\"`/" >/dev/null
 24 | APP_HOME="`pwd -P`"
 25 | cd "$SAVED" >/dev/null
 26 | 
 27 | APP_NAME="Gradle"
 28 | APP_BASE_NAME=`basename "$0"`
 29 | 
 30 | # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
 31 | DEFAULT_JVM_OPTS=""
 32 | 
 33 | # Use the maximum available, or set MAX_FD != -1 to use that value.
 34 | MAX_FD="maximum"
 35 | 
 36 | warn () {
 37 |     echo "$*"
 38 | }
 39 | 
 40 | die () {
 41 |     echo
 42 |     echo "$*"
 43 |     echo
 44 |     exit 1
 45 | }
 46 | 
 47 | # OS specific support (must be 'true' or 'false').
 48 | cygwin=false
 49 | msys=false
 50 | darwin=false
 51 | nonstop=false
 52 | case "`uname`" in
 53 |   CYGWIN* )
 54 |     cygwin=true
 55 |     ;;
 56 |   Darwin* )
 57 |     darwin=true
 58 |     ;;
 59 |   MINGW* )
 60 |     msys=true
 61 |     ;;
 62 |   NONSTOP* )
 63 |     nonstop=true
 64 |     ;;
 65 | esac
 66 | 
 67 | CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
 68 | 
 69 | # Determine the Java command to use to start the JVM.
 70 | if [ -n "$JAVA_HOME" ] ; then
 71 |     if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
 72 |         # IBM's JDK on AIX uses strange locations for the executables
 73 |         JAVACMD="$JAVA_HOME/jre/sh/java"
 74 |     else
 75 |         JAVACMD="$JAVA_HOME/bin/java"
 76 |     fi
 77 |     if [ ! -x "$JAVACMD" ] ; then
 78 |         die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
 79 | 
 80 | Please set the JAVA_HOME variable in your environment to match the
 81 | location of your Java installation."
 82 |     fi
 83 | else
 84 |     JAVACMD="java"
 85 |     which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
 86 | 
 87 | Please set the JAVA_HOME variable in your environment to match the
 88 | location of your Java installation."
 89 | fi
 90 | 
 91 | # Increase the maximum file descriptors if we can.
 92 | if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
 93 |     MAX_FD_LIMIT=`ulimit -H -n`
 94 |     if [ $? -eq 0 ] ; then
 95 |         if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
 96 |             MAX_FD="$MAX_FD_LIMIT"
 97 |         fi
 98 |         ulimit -n $MAX_FD
 99 |         if [ $? -ne 0 ] ; then
100 |             warn "Could not set maximum file descriptor limit: $MAX_FD"
101 |         fi
102 |     else
103 |         warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
104 |     fi
105 | fi
106 | 
107 | # For Darwin, add options to specify how the application appears in the dock
108 | if $darwin; then
109 |     GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
110 | fi
111 | 
112 | # For Cygwin, switch paths to Windows format before running java
113 | if $cygwin ; then
114 |     APP_HOME=`cygpath --path --mixed "$APP_HOME"`
115 |     CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
116 |     JAVACMD=`cygpath --unix "$JAVACMD"`
117 | 
118 |     # We build the pattern for arguments to be converted via cygpath
119 |     ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
120 |     SEP=""
121 |     for dir in $ROOTDIRSRAW ; do
122 |         ROOTDIRS="$ROOTDIRS$SEP$dir"
123 |         SEP="|"
124 |     done
125 |     OURCYGPATTERN="(^($ROOTDIRS))"
126 |     # Add a user-defined pattern to the cygpath arguments
127 |     if [ "$GRADLE_CYGPATTERN" != "" ] ; then
128 |         OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
129 |     fi
130 |     # Now convert the arguments - kludge to limit ourselves to /bin/sh
131 |     i=0
132 |     for arg in "$@" ; do
133 |         CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
134 |         CHECK2=`echo "$arg"|egrep -c "^-"`                                 ### Determine if an option
135 | 
136 |         if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then                    ### Added a condition
137 |             eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
138 |         else
139 |             eval `echo args$i`="\"$arg\""
140 |         fi
141 |         i=$((i+1))
142 |     done
143 |     case $i in
144 |         (0) set -- ;;
145 |         (1) set -- "$args0" ;;
146 |         (2) set -- "$args0" "$args1" ;;
147 |         (3) set -- "$args0" "$args1" "$args2" ;;
148 |         (4) set -- "$args0" "$args1" "$args2" "$args3" ;;
149 |         (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
150 |         (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
151 |         (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
152 |         (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
153 |         (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
154 |     esac
155 | fi
156 | 
157 | # Escape application args
158 | save () {
159 |     for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
160 |     echo " "
161 | }
162 | APP_ARGS=$(save "$@")
163 | 
164 | # Collect all arguments for the java command, following the shell quoting and substitution rules
165 | eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
166 | 
167 | # by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong
168 | if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then
169 |   cd "$(dirname "$0")"
170 | fi
171 | 
172 | exec "$JAVACMD" "$@"
173 | 


--------------------------------------------------------------------------------
/app/src/main/res/drawable/ic_launcher_background.xml:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <vector xmlns:android="http://schemas.android.com/apk/res/android"
  3 |     android:width="108dp"
  4 |     android:height="108dp"
  5 |     android:viewportWidth="108"
  6 |     android:viewportHeight="108">
  7 |     <path
  8 |         android:fillColor="#3DDC84"
  9 |         android:pathData="M0,0h108v108h-108z" />
 10 |     <path
 11 |         android:fillColor="#00000000"
 12 |         android:pathData="M9,0L9,108"
 13 |         android:strokeWidth="0.8"
 14 |         android:strokeColor="#33FFFFFF" />
 15 |     <path
 16 |         android:fillColor="#00000000"
 17 |         android:pathData="M19,0L19,108"
 18 |         android:strokeWidth="0.8"
 19 |         android:strokeColor="#33FFFFFF" />
 20 |     <path
 21 |         android:fillColor="#00000000"
 22 |         android:pathData="M29,0L29,108"
 23 |         android:strokeWidth="0.8"
 24 |         android:strokeColor="#33FFFFFF" />
 25 |     <path
 26 |         android:fillColor="#00000000"
 27 |         android:pathData="M39,0L39,108"
 28 |         android:strokeWidth="0.8"
 29 |         android:strokeColor="#33FFFFFF" />
 30 |     <path
 31 |         android:fillColor="#00000000"
 32 |         android:pathData="M49,0L49,108"
 33 |         android:strokeWidth="0.8"
 34 |         android:strokeColor="#33FFFFFF" />
 35 |     <path
 36 |         android:fillColor="#00000000"
 37 |         android:pathData="M59,0L59,108"
 38 |         android:strokeWidth="0.8"
 39 |         android:strokeColor="#33FFFFFF" />
 40 |     <path
 41 |         android:fillColor="#00000000"
 42 |         android:pathData="M69,0L69,108"
 43 |         android:strokeWidth="0.8"
 44 |         android:strokeColor="#33FFFFFF" />
 45 |     <path
 46 |         android:fillColor="#00000000"
 47 |         android:pathData="M79,0L79,108"
 48 |         android:strokeWidth="0.8"
 49 |         android:strokeColor="#33FFFFFF" />
 50 |     <path
 51 |         android:fillColor="#00000000"
 52 |         android:pathData="M89,0L89,108"
 53 |         android:strokeWidth="0.8"
 54 |         android:strokeColor="#33FFFFFF" />
 55 |     <path
 56 |         android:fillColor="#00000000"
 57 |         android:pathData="M99,0L99,108"
 58 |         android:strokeWidth="0.8"
 59 |         android:strokeColor="#33FFFFFF" />
 60 |     <path
 61 |         android:fillColor="#00000000"
 62 |         android:pathData="M0,9L108,9"
 63 |         android:strokeWidth="0.8"
 64 |         android:strokeColor="#33FFFFFF" />
 65 |     <path
 66 |         android:fillColor="#00000000"
 67 |         android:pathData="M0,19L108,19"
 68 |         android:strokeWidth="0.8"
 69 |         android:strokeColor="#33FFFFFF" />
 70 |     <path
 71 |         android:fillColor="#00000000"
 72 |         android:pathData="M0,29L108,29"
 73 |         android:strokeWidth="0.8"
 74 |         android:strokeColor="#33FFFFFF" />
 75 |     <path
 76 |         android:fillColor="#00000000"
 77 |         android:pathData="M0,39L108,39"
 78 |         android:strokeWidth="0.8"
 79 |         android:strokeColor="#33FFFFFF" />
 80 |     <path
 81 |         android:fillColor="#00000000"
 82 |         android:pathData="M0,49L108,49"
 83 |         android:strokeWidth="0.8"
 84 |         android:strokeColor="#33FFFFFF" />
 85 |     <path
 86 |         android:fillColor="#00000000"
 87 |         android:pathData="M0,59L108,59"
 88 |         android:strokeWidth="0.8"
 89 |         android:strokeColor="#33FFFFFF" />
 90 |     <path
 91 |         android:fillColor="#00000000"
 92 |         android:pathData="M0,69L108,69"
 93 |         android:strokeWidth="0.8"
 94 |         android:strokeColor="#33FFFFFF" />
 95 |     <path
 96 |         android:fillColor="#00000000"
 97 |         android:pathData="M0,79L108,79"
 98 |         android:strokeWidth="0.8"
 99 |         android:strokeColor="#33FFFFFF" />
100 |     <path
101 |         android:fillColor="#00000000"
102 |         android:pathData="M0,89L108,89"
103 |         android:strokeWidth="0.8"
104 |         android:strokeColor="#33FFFFFF" />
105 |     <path
106 |         android:fillColor="#00000000"
107 |         android:pathData="M0,99L108,99"
108 |         android:strokeWidth="0.8"
109 |         android:strokeColor="#33FFFFFF" />
110 |     <path
111 |         android:fillColor="#00000000"
112 |         android:pathData="M19,29L89,29"
113 |         android:strokeWidth="0.8"
114 |         android:strokeColor="#33FFFFFF" />
115 |     <path
116 |         android:fillColor="#00000000"
117 |         android:pathData="M19,39L89,39"
118 |         android:strokeWidth="0.8"
119 |         android:strokeColor="#33FFFFFF" />
120 |     <path
121 |         android:fillColor="#00000000"
122 |         android:pathData="M19,49L89,49"
123 |         android:strokeWidth="0.8"
124 |         android:strokeColor="#33FFFFFF" />
125 |     <path
126 |         android:fillColor="#00000000"
127 |         android:pathData="M19,59L89,59"
128 |         android:strokeWidth="0.8"
129 |         android:strokeColor="#33FFFFFF" />
130 |     <path
131 |         android:fillColor="#00000000"
132 |         android:pathData="M19,69L89,69"
133 |         android:strokeWidth="0.8"
134 |         android:strokeColor="#33FFFFFF" />
135 |     <path
136 |         android:fillColor="#00000000"
137 |         android:pathData="M19,79L89,79"
138 |         android:strokeWidth="0.8"
139 |         android:strokeColor="#33FFFFFF" />
140 |     <path
141 |         android:fillColor="#00000000"
142 |         android:pathData="M29,19L29,89"
143 |         android:strokeWidth="0.8"
144 |         android:strokeColor="#33FFFFFF" />
145 |     <path
146 |         android:fillColor="#00000000"
147 |         android:pathData="M39,19L39,89"
148 |         android:strokeWidth="0.8"
149 |         android:strokeColor="#33FFFFFF" />
150 |     <path
151 |         android:fillColor="#00000000"
152 |         android:pathData="M49,19L49,89"
153 |         android:strokeWidth="0.8"
154 |         android:strokeColor="#33FFFFFF" />
155 |     <path
156 |         android:fillColor="#00000000"
157 |         android:pathData="M59,19L59,89"
158 |         android:strokeWidth="0.8"
159 |         android:strokeColor="#33FFFFFF" />
160 |     <path
161 |         android:fillColor="#00000000"
162 |         android:pathData="M69,19L69,89"
163 |         android:strokeWidth="0.8"
164 |         android:strokeColor="#33FFFFFF" />
165 |     <path
166 |         android:fillColor="#00000000"
167 |         android:pathData="M79,19L79,89"
168 |         android:strokeWidth="0.8"
169 |         android:strokeColor="#33FFFFFF" />
170 | </vector>
171 | 


--------------------------------------------------------------------------------
/app/src/main/java/org/chickenhook/chickenbinder/MainActivityKotlin.kt:
--------------------------------------------------------------------------------
  1 | package org.chickenhook.chickenbinder
  2 | 
  3 | import android.Manifest
  4 | import android.os.Binder
  5 | import android.os.Bundle
  6 | import android.os.IBinder
  7 | import android.os.Parcel
  8 | import android.text.TextUtils
  9 | import android.util.Log
 10 | import android.widget.Button
 11 | import androidx.appcompat.app.AppCompatActivity
 12 | import androidx.core.app.ActivityCompat
 13 | import org.chickenhook.binderhooks.BinderHook
 14 | import org.chickenhook.binderhooks.BinderListener
 15 | import org.chickenhook.binderhooks.Logger.log
 16 | import org.chickenhook.binderhooks.ServiceHooks
 17 | 
 18 | 
 19 | class MainActivityKotlin : AppCompatActivity() {
 20 | 
 21 | 
 22 |     override fun onCreate(savedInstanceState: Bundle?) {
 23 |         super.onCreate(savedInstanceState)
 24 |         setContentView(R.layout.activity_main)
 25 |         addHooks()
 26 |         findViewById<Button>(R.id.packageManagerTest)?.apply {
 27 |             setOnClickListener {
 28 | //                context.packageManager.getInstalledApplications(0)?.forEach { pkg ->
 29 | //                    Log.d("MainActivity", "Found package $pkg")
 30 | //                    pkg.loadIcon(context.packageManager)
 31 | //                }
 32 |                 val m = packageManager::class.java.getDeclaredMethod(
 33 |                     "setHarmfulAppWarning",
 34 |                     String::class.java,
 35 |                     CharSequence::class.java
 36 |                 )
 37 |                 m.isAccessible = true
 38 |                 m.invoke(packageManager, "com.android.chrome", "Warning this app is dangerous!")
 39 |             }
 40 |         }
 41 | 
 42 |         findViewById<Button>(R.id.permissionTest)?.apply {
 43 |             setOnClickListener {
 44 |                 ActivityCompat.requestPermissions(
 45 |                     this@MainActivityKotlin,
 46 |                     arrayOf(Manifest.permission.READ_CONTACTS),
 47 |                     1001
 48 |                 )
 49 |             }
 50 |         }
 51 | 
 52 |         findViewById<Button>(R.id.windowManagerTest)?.setOnClickListener {
 53 |             //pool.execute(WindowBruterTask())
 54 |         }
 55 |     }
 56 | 
 57 | 
 58 |     private fun addHooks() {
 59 |         BinderHook.VERBOSE = true
 60 |         Log.d("MainActivity", "Add hooks")
 61 | 
 62 | 
 63 |         ServiceHooks.hookPackageManager(packageManager, object :
 64 |             BinderListener() {
 65 | 
 66 |             val DESCRIPTOR = "android.content.pm.IPackageManager"
 67 | 
 68 |             override fun transact(
 69 |                 originalBinder: IBinder,
 70 |                 code: Int,
 71 |                 data: Parcel,
 72 |                 reply: Parcel?,
 73 |                 flags: Int
 74 |             ): Boolean {
 75 | 
 76 |                 if (code == 193) { // setHarmfulAppWarning
 77 |                     log("Manipulate setHarmfulAppWarning")
 78 |                     data.setDataPosition(0)
 79 |                     val _data = Parcel.obtain()
 80 |                     _data.writeInterfaceToken(DESCRIPTOR)
 81 |                     data.writeInterfaceToken(DESCRIPTOR)
 82 |                     val packageName = data.readString()
 83 |                     _data.writeString(packageName)
 84 | 
 85 |                     var message: CharSequence?
 86 |                     if (data.readInt() != 0) {
 87 |                         message = TextUtils.CHAR_SEQUENCE_CREATOR.createFromParcel(data)
 88 |                         _data.writeInt(1)
 89 |                         TextUtils.writeToParcel(message, _data, 0)
 90 |                     } else {
 91 |                         _data.writeInt(0)
 92 |                         message = null
 93 |                     }
 94 | 
 95 |                     val _flags = data.readInt()
 96 |                     _data.writeInt(1)
 97 |                     return originalBinder.transact(code, _data, reply, Binder.FLAG_ONEWAY)
 98 | 
 99 |                 }
100 | 
101 |                 if (code == 56) { // get installed packages
102 | 
103 | 
104 |                     // https://cs.android.com/android/platform/superproject/+/master:out/soong/.intermediates/frameworks/base/framework-minus-apex/android_common/xref28/srcjars.xref/frameworks/base/core/java/android/content/pm/IPackageManager.java;bpv=1;bpt=0
105 |                     // try to manipulate this call
106 |                     val _data = Parcel.obtain()
107 |                     _data.writeInterfaceToken(DESCRIPTOR)
108 |                     _data.writeInt(0)
109 |                     _data.writeInt(0) // simulate system user?
110 |                     return originalBinder.transact(code, _data, reply, flags)
111 |                 }
112 | 
113 |                 return originalBinder.transact(code, data, reply, flags)
114 |             }
115 |         })
116 | 
117 |         ServiceHooks.hookNotificationManager(object :
118 |             BinderListener() {
119 |             override fun transact(
120 |                 originalBinder: IBinder,
121 |                 code: Int,
122 |                 data: Parcel,
123 |                 reply: Parcel?,
124 |                 flags: Int
125 |             ): Boolean {
126 |                 return originalBinder.transact(code, data, reply, flags)
127 |             }
128 |         })
129 | 
130 |         ServiceHooks.hookWindowManager(object :
131 |             BinderListener() {
132 |             override fun transact(
133 |                 originalBinder: IBinder,
134 |                 code: Int,
135 |                 data: Parcel,
136 |                 reply: Parcel?,
137 |                 flags: Int
138 |             ): Boolean {
139 |                 return originalBinder.transact(code, data, reply, flags)
140 |             }
141 |         })
142 | //        ANDROID R
143 | //        Handler().postDelayed(object : Runnable {
144 | //            override fun run() {
145 | //                // session will established later todo use windowManager to determine when session was created
146 | //                ServiceHooks.hookWindowSession(object :
147 | //                    BinderListener() {
148 | //                    override fun transact(
149 | //                        originalBinder: IBinder,
150 | //                        code: Int,
151 | //                        data: Parcel,
152 | //                        reply: Parcel?,
153 | //                        flags: Int
154 | //                    ): Boolean {
155 | //
156 | //                        if (code == 1) {
157 | //                            return hookAddToDisplay(originalBinder, code, data, reply, flags)
158 | //                        }
159 | //
160 | //                        return originalBinder.transact(code, data, reply, flags)
161 | //                    }
162 | //                })
163 | //            }
164 | //
165 | //        }, 1000)
166 | 
167 |     }
168 | }
169 | 


--------------------------------------------------------------------------------
/binderhooks/src/main/java/org/chickenhook/binderhooks/ServiceHooks.java:
--------------------------------------------------------------------------------
  1 | package org.chickenhook.binderhooks;
  2 | 
  3 | import android.app.ActivityManager;
  4 | import android.app.AppOpsManager;
  5 | import android.app.NotificationManager;
  6 | import android.content.ContentResolver;
  7 | import android.content.pm.PackageManager;
  8 | 
  9 | import androidx.annotation.NonNull;
 10 | 
 11 | import org.chickenhook.binderhooks.proxyListeners.ProxyListener;
 12 | 
 13 | import java.lang.reflect.Field;
 14 | import java.lang.reflect.InvocationTargetException;
 15 | import java.lang.reflect.Method;
 16 | 
 17 | import static org.chickenhook.binderhooks.Logger.log;
 18 | import static org.chickenhook.restrictionbypass.helpers.Reflection.getReflective;
 19 | 
 20 | public class ServiceHooks {
 21 |     public static boolean hookContentResolver(@NonNull BinderListener binderListener) throws NoSuchFieldException, IllegalAccessException {
 22 |         Object sContentService = getReflective(null, ContentResolver.class, "sContentService");
 23 |         return BinderHook.addHook(sContentService, binderListener);
 24 |     }
 25 | 
 26 |     public static boolean hookContentResolver(@NonNull ProxyListener proxyListener) throws NoSuchFieldException, IllegalAccessException {
 27 |         Field f = ContentResolver.class.getDeclaredField("sContentService");
 28 |         f.setAccessible(true);
 29 |         return ProxyHook.addHook(null, f, f.getType() , proxyListener);
 30 |     }
 31 | 
 32 |     public static boolean hookNotificationManager(@NonNull BinderListener binderListener) throws NoSuchFieldException, IllegalAccessException {
 33 |         Object sService = getReflective(null, NotificationManager.class, "sService");
 34 |         return BinderHook.addHook(sService, binderListener);
 35 |     }
 36 | 
 37 |     public static boolean hookNotificationManager(@NonNull ProxyListener proxyListener) throws NoSuchFieldException, IllegalAccessException {
 38 |         Field f = NotificationManager.class.getDeclaredField("sService");
 39 |         f.setAccessible(true);
 40 |         return ProxyHook.addHook(null, f,f.getType(), proxyListener);
 41 |     }
 42 | 
 43 |     public static boolean hookActivityManager(@NonNull BinderListener binderListener) throws NoSuchFieldException, IllegalAccessException, NoSuchMethodException, InvocationTargetException {
 44 |         Object IActivityManagerSingleton = getReflective(null, ActivityManager.class, "IActivityManagerSingleton");
 45 |         if (IActivityManagerSingleton == null) {
 46 |             log("Unable to install ActivityManager hook - IActivityManagerSingleton was null");
 47 |             return false;
 48 |         }
 49 |         Method getMethod = IActivityManagerSingleton.getClass().getMethod("get");
 50 |         getMethod.setAccessible(true);
 51 |         return BinderHook.addHook(getMethod.invoke(IActivityManagerSingleton), binderListener);
 52 |     }
 53 | 
 54 |     public static boolean hookActivityManager(@NonNull ProxyListener proxyListener) throws NoSuchFieldException, IllegalAccessException, NoSuchMethodException, InvocationTargetException, ClassNotFoundException {
 55 |         Object IActivityManagerSingleton = getReflective(null, ActivityManager.class, "IActivityManagerSingleton");
 56 |         if (IActivityManagerSingleton == null) {
 57 |             log("Unable to install ActivityManager hook - IActivityManagerSingleton was null");
 58 |             return false;
 59 |         }
 60 |         Field instanceField = Class.forName("android.util.Singleton").getDeclaredField("mInstance");
 61 |         instanceField.setAccessible(true);
 62 |         return ProxyHook.addHook(IActivityManagerSingleton, instanceField,Class.forName("android.app.IActivityManager"), proxyListener);
 63 |     }
 64 | 
 65 |     public static boolean hookAppOpsManager(@NonNull AppOpsManager appOpsManager, @NonNull BinderListener binderListener) throws NoSuchFieldException, IllegalAccessException {
 66 |         Object mService = getReflective(appOpsManager, "mService");
 67 |         return BinderHook.addHook(mService, binderListener);
 68 |     }
 69 | 
 70 |     public static boolean hookAppOpsManager(@NonNull AppOpsManager appOpsManager, @NonNull ProxyListener proxyListener) throws NoSuchFieldException, IllegalAccessException, ClassNotFoundException {
 71 |         Field f = appOpsManager.getClass().getDeclaredField("mService");
 72 |         f.setAccessible(true);
 73 |         return ProxyHook.addHook(appOpsManager, f,f.getType(), proxyListener);
 74 |     }
 75 | 
 76 | 
 77 |     public static boolean hookPackageManager(@NonNull PackageManager packageManager, @NonNull BinderListener binderListener) throws NoSuchFieldException, IllegalAccessException {
 78 |         Object mPM = getReflective(packageManager, "mPM");
 79 |         return BinderHook.addHook(mPM, binderListener);
 80 |     }
 81 | 
 82 |     public static boolean hookPackageManager(@NonNull PackageManager packageManager, @NonNull ProxyListener proxyListener) throws NoSuchFieldException, IllegalAccessException {
 83 |         Field f = packageManager.getClass().getDeclaredField("mPM");
 84 |         f.setAccessible(true);
 85 |         return ProxyHook.addHook(packageManager, f,f.getType(), proxyListener);
 86 |     }
 87 | 
 88 |     public static boolean hookActivityTaskManager(@NonNull BinderListener binderListener) throws NoSuchFieldException, IllegalAccessException, ClassNotFoundException, NoSuchMethodException, InvocationTargetException {
 89 |         Object IActivityTaskManagerSingleton = getReflective(null, Class.forName("android.app.ActivityTaskManager"), "IActivityTaskManagerSingleton");
 90 |         if (IActivityTaskManagerSingleton == null) {
 91 |             log("Unable to install ActivityTaskManager hook - IActivityManagerSingleton was null");
 92 |             return false;
 93 |         }
 94 |         Method getMethod = IActivityTaskManagerSingleton.getClass().getMethod("get");
 95 |         getMethod.setAccessible(true);
 96 |         return BinderHook.addHook(getMethod.invoke(IActivityTaskManagerSingleton), binderListener);
 97 |     }
 98 | 
 99 | 
100 |     public static boolean hookActivityTaskManager(@NonNull ProxyListener proxyListener) throws NoSuchFieldException, IllegalAccessException, NoSuchMethodException, InvocationTargetException, ClassNotFoundException {
101 |         Object IActivityTaskManagerSingleton = getReflective(null, Class.forName("android.app.ActivityTaskManager"), "IActivityTaskManagerSingleton");
102 |         if (IActivityTaskManagerSingleton == null) {
103 |             log("Unable to install ActivityManager hook - IActivityManagerSingleton was null");
104 |             return false;
105 |         }
106 |         Field instanceField = Class.forName("android.util.Singleton").getDeclaredField("mInstance");
107 |         instanceField.setAccessible(true);
108 |         return ProxyHook.addHook(IActivityTaskManagerSingleton, instanceField,Class.forName("android.app.IActivityTaskManager"), proxyListener);
109 |     }
110 | 
111 |     public static boolean hookWindowManager(@NonNull BinderListener binderListener) throws NoSuchFieldException, IllegalAccessException, ClassNotFoundException, NoSuchMethodException, InvocationTargetException {
112 |         Object sWindowManagerService = getReflective(null, Class.forName("android.view.WindowManagerGlobal"), "sWindowManagerService");
113 |         return BinderHook.addHook(sWindowManagerService, binderListener);
114 |     }
115 | 
116 |     public static boolean hookWindowManager(@NonNull ProxyListener proxyListener) throws NoSuchFieldException, IllegalAccessException, ClassNotFoundException, NoSuchMethodException, InvocationTargetException {
117 |         Field f = Class.forName("android.view.WindowManagerGlobal").getDeclaredField("sWindowManagerService");
118 |         f.setAccessible(true);
119 |         return ProxyHook.addHook(null, f,Class.forName("android.view.WindowManager"), proxyListener);
120 |     }
121 | 
122 |     public static boolean hookWindowSession(@NonNull BinderListener binderListener) throws NoSuchFieldException, IllegalAccessException, ClassNotFoundException, NoSuchMethodException, InvocationTargetException {
123 |         Object sWindowSession = getReflective(null, Class.forName("android.view.IWindowManagerGlobal"), "sWindowSession");
124 |         return BinderHook.addHook(sWindowSession, binderListener);
125 |     }
126 | 
127 |     public static boolean hookWindowSession(@NonNull ProxyListener proxyListener) throws NoSuchFieldException, IllegalAccessException, ClassNotFoundException, NoSuchMethodException, InvocationTargetException {
128 |         Field f = Class.forName("android.view.WindowManagerGlobal").getDeclaredField("sWindowSession");
129 |         f.setAccessible(true);
130 |         return ProxyHook.addHook(null, f,Class.forName("android.view.IWindowSession"), proxyListener);
131 |     }
132 | }
133 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # BinderHook
  2 | Library intended to hook Binder interface and manipulate events
  3 | 
  4 | # Table of Contents
  5 | * [Description](#description)
  6 | * [Integration](#integration)
  7 | * [Usage](#usage)
  8 |     * [Android Services](#android-services)
  9 |     * [Interface Hooking](#interface-hooking)
 10 |     * [Verbose mode](#verbose-mode)
 11 |     * [Parcel](#parcel)
 12 |     * [Parcel](#parcel)
 13 | * [Troubleshooting](#troubleshooting)
 14 | * [Other projects](#other-projects)
 15 | 
 16 | # <a name="description"/> Description
 17 | 
 18 | This library helps to hook binder communication between your App process and system services of Android.
 19 | 
 20 | # <a name="integration"/> Integration
 21 | Just include the maven repository
 22 | 
 23 | 1) In your root build.gradle:
 24 | ```groovy
 25 | allprojects {
 26 |         repositories {
 27 |             [..]
 28 |             jcenter()
 29 |             maven { url "https://jitpack.io" }
 30 |         }
 31 |    }
 32 | ```
 33 | 2) In your library/build.gradle add:
 34 | ```groovy
 35 |    dependencies {
 36 |         implementation 'com.github.ChickenHook:BinderHook:3.0'
 37 |         implementation 'com.github.ChickenHook:RestrictionBypass:2.2'
 38 |    }
 39 | ```
 40 | # <a name="usage"/> Usage
 41 | 
 42 | This chapter showcases how to use this hooking library. Also please have a look at [MainActivity.kt](app/src/main/java/org/chickenhook/chickenbinder/MainActivity.kt), [MainActivityTest.kt](androidTest/src/main/java/org/chickenhook/chickenbinder/MainActivityTest.kt) and [ServiceHooksTest.java](binderhooks/src/androidTest/java/org/chickenhook/binderhooks/ServiceHooksTest.java)
 43 | 
 44 | ## <a name="android-services"/>  Android Services
 45 | 
 46 | ### Package Manager
 47 | 
 48 | Please check [AIDL Implementation](https://cs.android.com/android/platform/superproject/+/master:out/soong/.intermediates/frameworks/base/framework-minus-apex/android_common/xref28/srcjars.xref/frameworks/base/core/java/android/content/pm/IPackageManager.java;bpv=1;bpt=0)
 49 | in order to learn parcel encode / decode instructions
 50 | 
 51 | 
 52 | ```kt
 53 |         ServiceHooks.hookPackageManager(packageManager, object :
 54 |             OnBinderListener() {
 55 | 
 56 |             val DESCRIPTOR = "android.content.pm.IPackageManager"
 57 | 
 58 |             override fun transact(
 59 |                 originalBinder: IBinder,
 60 |                 code: Int,
 61 |                 data: Parcel,
 62 |                 reply: Parcel?,
 63 |                 flags: Int
 64 |             ): Boolean {
 65 | 
 66 |                 if (code == 193) { // setHarmfulAppWarning
 67 |                     log("Manipulate setHarmfulAppWarning")
 68 |                     data.setDataPosition(0)
 69 |                     val _data = Parcel.obtain()
 70 |                     _data.writeInterfaceToken(DESCRIPTOR)
 71 |                     data.writeInterfaceToken(DESCRIPTOR)
 72 |                     val packageName = data.readString()
 73 |                     _data.writeString(packageName)
 74 | 
 75 |                     var message: CharSequence?
 76 |                     if (data.readInt() != 0) {
 77 |                         message = TextUtils.CHAR_SEQUENCE_CREATOR.createFromParcel(data)
 78 |                         _data.writeInt(1)
 79 |                         TextUtils.writeToParcel(message, _data, 0)
 80 |                     } else {
 81 |                         _data.writeInt(0)
 82 |                         message = null
 83 |                     }
 84 | 
 85 |                     val _flags = data.readInt()
 86 |                     _data.writeInt(1)
 87 |                     return originalBinder.transact(code, _data, reply, Binder.FLAG_ONEWAY)
 88 | 
 89 |                 }
 90 | 
 91 |                 if (code == 56) { // get installed packages
 92 | 
 93 | 
 94 |                     // try to manipulate this call
 95 |                     val _data = Parcel.obtain()
 96 |                     _data.writeInterfaceToken(DESCRIPTOR)
 97 |                     _data.writeInt(0)
 98 |                     _data.writeInt(0) // simulate system user?
 99 |                     return originalBinder.transact(code, _data, reply, flags)
100 |                 }
101 | 
102 |                 return originalBinder.transact(code, data, reply, flags)
103 |             }
104 |         })
105 | ```
106 | 
107 | ### ActivityManager
108 | 
109 | Please check [AIDL Implementation](https://cs.android.com/android/platform/superproject/+/master:out/soong/.intermediates/frameworks/base/framework-minus-apex/android_common/xref28/srcjars.xref/frameworks/base/core/java/android/app/IActivityManager.java;bpv=1;bpt=0)
110 | in order to learn parcel encode / decode instructions
111 | 
112 | ```kt
113 |         ServiceHooks.hookActivityManager(object :
114 |             OnBinderListener() {
115 |             val DESCRIPTOR = "android.app.IActivityManager"
116 |             override fun transact(
117 |                 originalBinder: IBinder,
118 |                 code: Int,
119 |                 data: Parcel,
120 |                 reply: Parcel?,
121 |                 flags: Int
122 |             ): Boolean {
123 |                 if (code == 6) {// start activity
124 |                     return startActivityHook(
125 |                         originalBinder,
126 |                         code,
127 |                         data,
128 |                         reply,
129 |                         flags,
130 |                         DESCRIPTOR
131 |                     )
132 |                 }
133 |                 return originalBinder.transact(code, data, reply, flags)
134 |             }
135 |         })
136 | ```
137 | 
138 | ### ActivityTaskManager
139 | 
140 | Please check [AIDL Implementation](https://cs.android.com/android/platform/superproject/+/master:out/soong/.intermediates/frameworks/base/framework-minus-apex/android_common/xref28/srcjars.xref/frameworks/base/core/java/android/app/IActivityManager.java;bpv=1;bpt=0)
141 | in order to learn parcel encode / decode instructions
142 | 
143 | ```kt
144 | if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q)
145 |             ServiceHooks.hookActivityTaskManager(object :
146 |                 OnBinderListener() {
147 |                 val DESCRIPTOR = "android.app.IActivityTaskManager"
148 | 
149 |                 override fun transact(
150 |                     originalBinder: IBinder,
151 |                     code: Int,
152 |                     data: Parcel,
153 |                     reply: Parcel?,
154 |                     flags: Int
155 |                 ): Boolean {
156 | 
157 |                     if (code == 1) { // start activity
158 |                         return startActivityHook(
159 |                             originalBinder,
160 |                             code,
161 |                             data,
162 |                             reply,
163 |                             flags,
164 |                             DESCRIPTOR
165 |                         )
166 |                     }
167 | 
168 |                     return originalBinder.transact(code, data, reply, flags)
169 |                 }
170 |             })
171 | ```
172 | 
173 | ### WindowManager
174 | 
175 | Please check [AIDL Implementation](https://cs.android.com/android/platform/superproject/+/master:out/soong/.intermediates/frameworks/base/framework-minus-apex/android_common/xref28/srcjars.xref/frameworks/base/core/java/android/view/IWindowManager.java;bpv=1;bpt=0)
176 | in order to learn parcel encode / decode instructions
177 | 
178 | ```
179 |         ServiceHooks.hookWindowManager(object :
180 |             OnBinderListener() {
181 |             override fun transact(
182 |                 originalBinder: IBinder,
183 |                 code: Int,
184 |                 data: Parcel,
185 |                 reply: Parcel?,
186 |                 flags: Int
187 |             ): Boolean {
188 |                 return originalBinder.transact(code, data, reply, flags)
189 |             }
190 |         })
191 | ```
192 | 
193 | ### Other services
194 | 
195 | A lot of other service hooks are also present. However some are missing and will come in future releases.
196 | 
197 | |Service Name|ImplementationStatus|
198 | |---|---|
199 | |ContentResolver|OK|
200 | |NotificationManager|OK|
201 | |ActivityManager|OK|
202 | |AppOpsManager|OK|
203 | |PackageManager|OK|
204 | |WindowManager|OK|
205 | |ActivityTaskManager|OK|
206 | |AlarmManager|WIP|
207 | |WallpaperManager|WIP|
208 | |RoleService|WIP|
209 | |CameraService|WIP|
210 | |PrintService|WIP|
211 | |TrustService|WIP|
212 | |UsageStatsService|WIP|
213 | |...|Feel free to submit feature requests if you need more services|
214 | 
215 | ## <a name="interface-hooking"/> Interface Hooking
216 | If you just wanna change some args and not manipulate Parcel directly you can use ProxyListener:
217 | 
218 | ```
219 |         ServiceHooks.hookActivityManager(new ProxyListener() {
220 |             @Override
221 |             public Object invoke(Object orig, Object proxy, Method method, Object[] args) throws Throwable {
222 |                 if (method.getName().equals("startActivity") && args.length == 10) {
223 |                     args[args.length - 3] = ((int) args[args.length - 3]) |
224 |                             START_FLAG_DEBUG |
225 |                             START_FLAG_TRACK_ALLOCATION |
226 |                             START_FLAG_NATIVE_DEBUGGING;
227 |                 }
228 |                 return method.invoke(orig, args);
229 |             }
230 |         });
231 | ```
232 | 
233 | ## <a name="verbose-mode"/> Enable VERBOSE mode
234 | 
235 | By adding these lines of code you can enable the verbose mode
236 | 
237 | ```kt
238 |         ProxyHook.VERBOSE = true
239 | ```
240 | 
241 | This will create output like:
242 | 
243 | ```
244 | 2020-05-03 22:03:40.309 25785-25785/org.chickenhook.chickenbinder I/BinderHook: ProxyHook [+] trace [+]
245 |     java.lang.Exception: Trace
246 |         at org.chickenhook.binderhooks.ProxyHook.doStackTrace(ProxyHook.java:128)
247 |         at org.chickenhook.binderhooks.ProxyHook$FakeBinder.transact(ProxyHook.java:111)
248 |         at android.content.pm.IPackageManager$Stub$Proxy.setHarmfulAppWarning(IPackageManager.java:8654)
249 |         at android.app.ApplicationPackageManager.setHarmfulAppWarning(ApplicationPackageManager.java:3234)
250 |         at java.lang.reflect.Method.invoke(Native Method)
251 |         at org.chickenhook.chickenbinder.MainActivity$onCreate$$inlined$apply$lambda$1.onClick(MainActivity.kt:40)
252 |         at android.view.View.performClick(View.java:7356)
253 |         at android.view.View.performClickInternal(View.java:7333)
254 |         at android.view.View.access$3600(View.java:807)
255 |         at android.view.View$PerformClick.run(View.java:28200)
256 |         at android.os.Handler.handleCallback(Handler.java:907)
257 |         at android.os.Handler.dispatchMessage(Handler.java:99)
258 |         at android.os.Looper.loop(Looper.java:223)
259 |         at android.app.ActivityThread.main(ActivityThread.java:7476)
260 |         at java.lang.reflect.Method.invoke(Native Method)
261 |         at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:549)
262 |         at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:939)
263 | ```
264 | 
265 | and
266 | 
267 | ```
268 | 2020-05-07 10:44:55.603 4911-4911/org.chickenhook.chickenbinder D/chickenbinder: dump parcel <0x7444767700>
269 | 2020-05-07 10:44:55.603 4911-4911/org.chickenhook.chickenbinder D/chickenbinder: ---------------------------------------------------------------------------------------------------------------------------------------------
270 | 2020-05-07 10:44:55.603 4911-4911/org.chickenhook.chickenbinder D/parcel: HEX (76 bytes):
271 | 2020-05-07 10:44:55.603 4911-4911/org.chickenhook.chickenbinder D/parcel: 04:00:00:C2:FF:FF:FF:FF:1C:00:00:00:61:00:6E:00:64:00:72:00:6F:00:69:00:64:00:2E:00:61:00:70:00:70:00:2E:00:49:00:41:00:63:00:74:00:69:00:76:00:69:00
272 | 2020-05-07 10:44:55.603 4911-4911/org.chickenhook.chickenbinder D/parcel: 74:00:79:00:4D:00:61:00:6E:00:61:00:67:00:65:00:72:00:00:00:00:00:61:13:00:00
273 | 2020-05-07 10:44:55.603 4911-4911/org.chickenhook.chickenbinder D/chickenbinder: ---------------------------------------------------------------------------------------------------------------------------------------------
274 | ```
275 | 
276 | for any transaction that went through your installed binder hook.
277 | 
278 | ## <a name="parcel"/> Parcel
279 | 
280 | In order to work with existing parcels and be able to modify also restricted content like flattened Binder objects (aka writeStrongBinder, readStrongBinder) we added some low level edit functions.
281 | 
282 | ### dump
283 | 
284 | This function dumps the content of the parcel as hexdump to logcat
285 | 
286 | ```
287 |                     ParcelEditor.dump(parcel);
288 | ```
289 | 
290 | ### write
291 | 
292 | Write a bunch of bites at the given offset
293 | 
294 | ```Java
295 |                     byte[] bytes = new byte[]{
296 |                             1, 2, 3
297 |                     };
298 |                     ParcelEditor.write(parcel, 0, bytes);
299 | ```
300 | 
301 | ### read
302 | 
303 | Read a bunch of bytes from the given offset
304 | 
305 | ```Java
306 |                     byte[] content = ParcelEditor.read(parcel, 0, parcel.dataSize());
307 | ```
308 | 
309 | 
310 | ## <a name="troubleshooting"/> Troubleshooting
311 | 
312 | Please create a bug report if you find any issues. This chapter will be updated then.
313 | 
314 | 
315 | ## <a name="other-projects"/> Other Projects
316 | 
317 | | Project | Description |
318 | |---------|-------------|
319 | | [ChickenHook](https://github.com/ChickenHook/ChickenHook) | A linux / android / MacOS hooking framework  |
320 | | [BinderHook](https://github.com/ChickenHook/BinderHook) | Library intended to hook Binder interface and manipulate events |
321 | | [RestrictionBypass](https://github.com/ChickenHook/RestrictionBypass) |  Android API restriction bypass for all Android Versions |
322 | | [AndroidManifestBypass](https://github.com/ChickenHook/AndroidManifestBypass) |  Android API restriction bypass for all Android Versions |
323 | | .. | |
324 | 
325 | ## Sponsor
326 | 
327 | If you're happy with my library please order me a cup of coffee ;) Thanks.
328 | 
329 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                     GNU GENERAL PUBLIC LICENSE
  2 |                        Version 2, June 1991
  3 | 
  4 |  Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
  5 |  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  6 |  Everyone is permitted to copy and distribute verbatim copies
  7 |  of this license document, but changing it is not allowed.
  8 | 
  9 |                             Preamble
 10 | 
 11 |   The licenses for most software are designed to take away your
 12 | freedom to share and change it.  By contrast, the GNU General Public
 13 | License is intended to guarantee your freedom to share and change free
 14 | software--to make sure the software is free for all its users.  This
 15 | General Public License applies to most of the Free Software
 16 | Foundation's software and to any other program whose authors commit to
 17 | using it.  (Some other Free Software Foundation software is covered by
 18 | the GNU Lesser General Public License instead.)  You can apply it to
 19 | your programs, too.
 20 | 
 21 |   When we speak of free software, we are referring to freedom, not
 22 | price.  Our General Public Licenses are designed to make sure that you
 23 | have the freedom to distribute copies of free software (and charge for
 24 | this service if you wish), that you receive source code or can get it
 25 | if you want it, that you can change the software or use pieces of it
 26 | in new free programs; and that you know you can do these things.
 27 | 
 28 |   To protect your rights, we need to make restrictions that forbid
 29 | anyone to deny you these rights or to ask you to surrender the rights.
 30 | These restrictions translate to certain responsibilities for you if you
 31 | distribute copies of the software, or if you modify it.
 32 | 
 33 |   For example, if you distribute copies of such a program, whether
 34 | gratis or for a fee, you must give the recipients all the rights that
 35 | you have.  You must make sure that they, too, receive or can get the
 36 | source code.  And you must show them these terms so they know their
 37 | rights.
 38 | 
 39 |   We protect your rights with two steps: (1) copyright the software, and
 40 | (2) offer you this license which gives you legal permission to copy,
 41 | distribute and/or modify the software.
 42 | 
 43 |   Also, for each author's protection and ours, we want to make certain
 44 | that everyone understands that there is no warranty for this free
 45 | software.  If the software is modified by someone else and passed on, we
 46 | want its recipients to know that what they have is not the original, so
 47 | that any problems introduced by others will not reflect on the original
 48 | authors' reputations.
 49 | 
 50 |   Finally, any free program is threatened constantly by software
 51 | patents.  We wish to avoid the danger that redistributors of a free
 52 | program will individually obtain patent licenses, in effect making the
 53 | program proprietary.  To prevent this, we have made it clear that any
 54 | patent must be licensed for everyone's free use or not licensed at all.
 55 | 
 56 |   The precise terms and conditions for copying, distribution and
 57 | modification follow.
 58 | 
 59 |                     GNU GENERAL PUBLIC LICENSE
 60 |    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 61 | 
 62 |   0. This License applies to any program or other work which contains
 63 | a notice placed by the copyright holder saying it may be distributed
 64 | under the terms of this General Public License.  The "Program", below,
 65 | refers to any such program or work, and a "work based on the Program"
 66 | means either the Program or any derivative work under copyright law:
 67 | that is to say, a work containing the Program or a portion of it,
 68 | either verbatim or with modifications and/or translated into another
 69 | language.  (Hereinafter, translation is included without limitation in
 70 | the term "modification".)  Each licensee is addressed as "you".
 71 | 
 72 | Activities other than copying, distribution and modification are not
 73 | covered by this License; they are outside its scope.  The act of
 74 | running the Program is not restricted, and the output from the Program
 75 | is covered only if its contents constitute a work based on the
 76 | Program (independent of having been made by running the Program).
 77 | Whether that is true depends on what the Program does.
 78 | 
 79 |   1. You may copy and distribute verbatim copies of the Program's
 80 | source code as you receive it, in any medium, provided that you
 81 | conspicuously and appropriately publish on each copy an appropriate
 82 | copyright notice and disclaimer of warranty; keep intact all the
 83 | notices that refer to this License and to the absence of any warranty;
 84 | and give any other recipients of the Program a copy of this License
 85 | along with the Program.
 86 | 
 87 | You may charge a fee for the physical act of transferring a copy, and
 88 | you may at your option offer warranty protection in exchange for a fee.
 89 | 
 90 |   2. You may modify your copy or copies of the Program or any portion
 91 | of it, thus forming a work based on the Program, and copy and
 92 | distribute such modifications or work under the terms of Section 1
 93 | above, provided that you also meet all of these conditions:
 94 | 
 95 |     a) You must cause the modified files to carry prominent notices
 96 |     stating that you changed the files and the date of any change.
 97 | 
 98 |     b) You must cause any work that you distribute or publish, that in
 99 |     whole or in part contains or is derived from the Program or any
100 |     part thereof, to be licensed as a whole at no charge to all third
101 |     parties under the terms of this License.
102 | 
103 |     c) If the modified program normally reads commands interactively
104 |     when run, you must cause it, when started running for such
105 |     interactive use in the most ordinary way, to print or display an
106 |     announcement including an appropriate copyright notice and a
107 |     notice that there is no warranty (or else, saying that you provide
108 |     a warranty) and that users may redistribute the program under
109 |     these conditions, and telling the user how to view a copy of this
110 |     License.  (Exception: if the Program itself is interactive but
111 |     does not normally print such an announcement, your work based on
112 |     the Program is not required to print an announcement.)
113 | 
114 | These requirements apply to the modified work as a whole.  If
115 | identifiable sections of that work are not derived from the Program,
116 | and can be reasonably considered independent and separate works in
117 | themselves, then this License, and its terms, do not apply to those
118 | sections when you distribute them as separate works.  But when you
119 | distribute the same sections as part of a whole which is a work based
120 | on the Program, the distribution of the whole must be on the terms of
121 | this License, whose permissions for other licensees extend to the
122 | entire whole, and thus to each and every part regardless of who wrote it.
123 | 
124 | Thus, it is not the intent of this section to claim rights or contest
125 | your rights to work written entirely by you; rather, the intent is to
126 | exercise the right to control the distribution of derivative or
127 | collective works based on the Program.
128 | 
129 | In addition, mere aggregation of another work not based on the Program
130 | with the Program (or with a work based on the Program) on a volume of
131 | a storage or distribution medium does not bring the other work under
132 | the scope of this License.
133 | 
134 |   3. You may copy and distribute the Program (or a work based on it,
135 | under Section 2) in object code or executable form under the terms of
136 | Sections 1 and 2 above provided that you also do one of the following:
137 | 
138 |     a) Accompany it with the complete corresponding machine-readable
139 |     source code, which must be distributed under the terms of Sections
140 |     1 and 2 above on a medium customarily used for software interchange; or,
141 | 
142 |     b) Accompany it with a written offer, valid for at least three
143 |     years, to give any third party, for a charge no more than your
144 |     cost of physically performing source distribution, a complete
145 |     machine-readable copy of the corresponding source code, to be
146 |     distributed under the terms of Sections 1 and 2 above on a medium
147 |     customarily used for software interchange; or,
148 | 
149 |     c) Accompany it with the information you received as to the offer
150 |     to distribute corresponding source code.  (This alternative is
151 |     allowed only for noncommercial distribution and only if you
152 |     received the program in object code or executable form with such
153 |     an offer, in accord with Subsection b above.)
154 | 
155 | The source code for a work means the preferred form of the work for
156 | making modifications to it.  For an executable work, complete source
157 | code means all the source code for all modules it contains, plus any
158 | associated interface definition files, plus the scripts used to
159 | control compilation and installation of the executable.  However, as a
160 | special exception, the source code distributed need not include
161 | anything that is normally distributed (in either source or binary
162 | form) with the major components (compiler, kernel, and so on) of the
163 | operating system on which the executable runs, unless that component
164 | itself accompanies the executable.
165 | 
166 | If distribution of executable or object code is made by offering
167 | access to copy from a designated place, then offering equivalent
168 | access to copy the source code from the same place counts as
169 | distribution of the source code, even though third parties are not
170 | compelled to copy the source along with the object code.
171 | 
172 |   4. You may not copy, modify, sublicense, or distribute the Program
173 | except as expressly provided under this License.  Any attempt
174 | otherwise to copy, modify, sublicense or distribute the Program is
175 | void, and will automatically terminate your rights under this License.
176 | However, parties who have received copies, or rights, from you under
177 | this License will not have their licenses terminated so long as such
178 | parties remain in full compliance.
179 | 
180 |   5. You are not required to accept this License, since you have not
181 | signed it.  However, nothing else grants you permission to modify or
182 | distribute the Program or its derivative works.  These actions are
183 | prohibited by law if you do not accept this License.  Therefore, by
184 | modifying or distributing the Program (or any work based on the
185 | Program), you indicate your acceptance of this License to do so, and
186 | all its terms and conditions for copying, distributing or modifying
187 | the Program or works based on it.
188 | 
189 |   6. Each time you redistribute the Program (or any work based on the
190 | Program), the recipient automatically receives a license from the
191 | original licensor to copy, distribute or modify the Program subject to
192 | these terms and conditions.  You may not impose any further
193 | restrictions on the recipients' exercise of the rights granted herein.
194 | You are not responsible for enforcing compliance by third parties to
195 | this License.
196 | 
197 |   7. If, as a consequence of a court judgment or allegation of patent
198 | infringement or for any other reason (not limited to patent issues),
199 | conditions are imposed on you (whether by court order, agreement or
200 | otherwise) that contradict the conditions of this License, they do not
201 | excuse you from the conditions of this License.  If you cannot
202 | distribute so as to satisfy simultaneously your obligations under this
203 | License and any other pertinent obligations, then as a consequence you
204 | may not distribute the Program at all.  For example, if a patent
205 | license would not permit royalty-free redistribution of the Program by
206 | all those who receive copies directly or indirectly through you, then
207 | the only way you could satisfy both it and this License would be to
208 | refrain entirely from distribution of the Program.
209 | 
210 | If any portion of this section is held invalid or unenforceable under
211 | any particular circumstance, the balance of the section is intended to
212 | apply and the section as a whole is intended to apply in other
213 | circumstances.
214 | 
215 | It is not the purpose of this section to induce you to infringe any
216 | patents or other property right claims or to contest validity of any
217 | such claims; this section has the sole purpose of protecting the
218 | integrity of the free software distribution system, which is
219 | implemented by public license practices.  Many people have made
220 | generous contributions to the wide range of software distributed
221 | through that system in reliance on consistent application of that
222 | system; it is up to the author/donor to decide if he or she is willing
223 | to distribute software through any other system and a licensee cannot
224 | impose that choice.
225 | 
226 | This section is intended to make thoroughly clear what is believed to
227 | be a consequence of the rest of this License.
228 | 
229 |   8. If the distribution and/or use of the Program is restricted in
230 | certain countries either by patents or by copyrighted interfaces, the
231 | original copyright holder who places the Program under this License
232 | may add an explicit geographical distribution limitation excluding
233 | those countries, so that distribution is permitted only in or among
234 | countries not thus excluded.  In such case, this License incorporates
235 | the limitation as if written in the body of this License.
236 | 
237 |   9. The Free Software Foundation may publish revised and/or new versions
238 | of the General Public License from time to time.  Such new versions will
239 | be similar in spirit to the present version, but may differ in detail to
240 | address new problems or concerns.
241 | 
242 | Each version is given a distinguishing version number.  If the Program
243 | specifies a version number of this License which applies to it and "any
244 | later version", you have the option of following the terms and conditions
245 | either of that version or of any later version published by the Free
246 | Software Foundation.  If the Program does not specify a version number of
247 | this License, you may choose any version ever published by the Free Software
248 | Foundation.
249 | 
250 |   10. If you wish to incorporate parts of the Program into other free
251 | programs whose distribution conditions are different, write to the author
252 | to ask for permission.  For software which is copyrighted by the Free
253 | Software Foundation, write to the Free Software Foundation; we sometimes
254 | make exceptions for this.  Our decision will be guided by the two goals
255 | of preserving the free status of all derivatives of our free software and
256 | of promoting the sharing and reuse of software generally.
257 | 
258 |                             NO WARRANTY
259 | 
260 |   11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
268 | REPAIR OR CORRECTION.
269 | 
270 |   12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
278 | POSSIBILITY OF SUCH DAMAGES.
279 | 
280 |                      END OF TERMS AND CONDITIONS
281 | 
282 |             How to Apply These Terms to Your New Programs
283 | 
284 |   If you develop a new program, and you want it to be of the greatest
285 | possible use to the public, the best way to achieve this is to make it
286 | free software which everyone can redistribute and change under these terms.
287 | 
288 |   To do so, attach the following notices to the program.  It is safest
289 | to attach them to the start of each source file to most effectively
290 | convey the exclusion of warranty; and each file should have at least
291 | the "copyright" line and a pointer to where the full notice is found.
292 | 
293 |     <one line to give the program's name and a brief idea of what it does.>
294 |     Copyright (C) <year>  <name of author>
295 | 
296 |     This program is free software; you can redistribute it and/or modify
297 |     it under the terms of the GNU General Public License as published by
298 |     the Free Software Foundation; either version 2 of the License, or
299 |     (at your option) any later version.
300 | 
301 |     This program is distributed in the hope that it will be useful,
302 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
303 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
304 |     GNU General Public License for more details.
305 | 
306 |     You should have received a copy of the GNU General Public License along
307 |     with this program; if not, write to the Free Software Foundation, Inc.,
308 |     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
309 | 
310 | Also add information on how to contact you by electronic and paper mail.
311 | 
312 | If the program is interactive, make it output a short notice like this
313 | when it starts in an interactive mode:
314 | 
315 |     Gnomovision version 69, Copyright (C) year name of author
316 |     Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
317 |     This is free software, and you are welcome to redistribute it
318 |     under certain conditions; type `show c' for details.
319 | 
320 | The hypothetical commands `show w' and `show c' should show the appropriate
321 | parts of the General Public License.  Of course, the commands you use may
322 | be called something other than `show w' and `show c'; they could even be
323 | mouse-clicks or menu items--whatever suits your program.
324 | 
325 | You should also get your employer (if you work as a programmer) or your
326 | school, if any, to sign a "copyright disclaimer" for the program, if
327 | necessary.  Here is a sample; alter the names:
328 | 
329 |   Yoyodyne, Inc., hereby disclaims all copyright interest in the program
330 |   `Gnomovision' (which makes passes at compilers) written by James Hacker.
331 | 
332 |   <signature of Ty Coon>, 1 April 1989
333 |   Ty Coon, President of Vice
334 | 
335 | This General Public License does not permit incorporating your program into
336 | proprietary programs.  If your program is a subroutine library, you may
337 | consider it more useful to permit linking proprietary applications with the
338 | library.  If this is what you want to do, use the GNU Lesser General
339 | Public License instead of this License.
340 | 


--------------------------------------------------------------------------------