VirtualXposed_12 getPackageManager().checkPermission not trans for method proxy in android 11

lpparam.context.getPackageManager().checkPermission("android.permission.ACCESS_NETWORK_STATE", lpparam.context.getPackageName());

ActivityManagerStub can work

PackageManagerStub bind success but no work.

maybe context fix wrong?

can't find diff by cs.android.com about ActivityThread.sPackageManager.set(hookedPM)

Mar 24 '22 03:03 kings0527

 Log.d("checkPermission", "before createPackageContext start ");
        int ret = VirtualCore.get().getContext().getPackageManager().checkPermission("android.permission.ACCESS_NETWORK_STATE", VirtualCore.get().getContext().getPackageName());
        Log.d("checkPermission", "before createPackageContext ret " + ret);
// ret 0
        Context context = createPackageContext(data.appInfo.packageName);

        Log.d("checkPermission", "use core context, createPackageContext start");
        ret = VirtualCore.get().getContext().getPackageManager().checkPermission("android.permission.ACCESS_NETWORK_STATE", VirtualCore.get().getContext().getPackageName());
        Log.d("checkPermission", "use core context, createPackageContext ret " + ret);
// ret 0
        Log.d("checkPermission", "createPackageContext start ");
        ret = context.getPackageManager().checkPermission("android.permission.ACCESS_NETWORK_STATE", context.getPackageName());
        Log.d("checkPermission", "createPackageContext ret " + ret);
// ret -1

android 10 will always call in PackageManagerStub proxy method android 11 never call

Mar 24 '22 06:03 kings0527

        Log.d("checkPermission", "fixContext11111 start ");
        int ret = context.getPackageManager().checkPermission("android.permission.ACCESS_NETWORK_STATE", context.getPackageName());
        Log.d("checkPermission", "fixContext111111 ret " + ret);

        ContextImpl.mPackageManager.set(context, null);
        
        Log.d("checkPermission", "fixContext222222 start ");
        ret = context.getPackageManager().checkPermission("android.permission.ACCESS_NETWORK_STATE", context.getPackageName());
        Log.d("checkPermission", "fixContext2222222 ret " + ret);

android 10 will call in proxy method when set null

Mar 24 '22 07:03 kings0527

final IPackageManager pm = ActivityThread.getPackageManager(); 
final IPermissionManager permissionManager = ActivityThread.getPermissionManager();

this is android 11 source code

I think proxy method maybe not enough in the PermissionManagerStub?

Mar 24 '22 07:03 kings0527

    @Override
    public void inject() throws Throwable {
        final IInterface hookedPM = getInvocationStub().getProxyInterface();
        ActivityThread.sPermissionManager.set(hookedPM);
        BinderInvocationStub pmHookBinder = new BinderInvocationStub(getInvocationStub().getBaseInterface());
        pmHookBinder.copyMethodProxies(getInvocationStub());
        pmHookBinder.replaceService("permissionmgr");
    }

set sPermissionManager fix it

Mar 24 '22 08:03 kings0527

I m wrong I miss it Just return GRANT, but not call in

Mar 24 '22 10:03 kings0527

VirtualXposed_12 VirtualXposed_12 copied to clipboard

getPackageManager().checkPermission not trans for method proxy in android 11

VirtualXposed_12
VirtualXposed_12 copied to clipboard