Implementation of an Android screenshot scheme without root

  • 2021-11-02 02:46:51
  • OfStack

Taking a screenshot through reflection:

import android.graphics.Bitmap;
import android.os.Build.VERSION;
import java.lang.reflect.Method;

public class EncoderFeeder {
   public static Bitmap screenshot() {
      // Surface.screenshot(int, int) up to API 17, SurfaceControl.screenshot(int, int) from API 18
      String surfaceClassName;
      if (VERSION.SDK_INT <= 17) {
         surfaceClassName = "android.view.Surface";
      } else {
         surfaceClassName = "android.view.SurfaceControl";
      }
      Bitmap bm = null;
      try {
         Class<?> classname = Class.forName(surfaceClassName);
         Method method = classname.getDeclaredMethod("screenshot",
               new Class[] { int.class, int.class });
         // screenshot() is a static method, so the target object is null.
         // Device.x / Device.y hold the screen resolution (the Device class is not shown in this article).
         bm = (Bitmap) method.invoke(null,
               new Object[] { Integer.valueOf(Device.x), // Resolution
                     Integer.valueOf(Device.y) });
      } catch (Exception e) {
         e.printStackTrace(); // bm stays null when the caller lacks the privilege
      }
      return bm;
   }
}

This reflectively calls SurfaceControl.screenshot() and Surface.screenshot(). Both are screen-capture methods provided by the system, but they are marked @hide and cannot be called directly. We can reach them through reflection, but when an ordinary application invokes them this way the method returns null, because the SurfaceControl class is also hidden by Google. We know that screencap or screenshot can be run from an adb shell command to capture the screen, so adb shell has the right to capture the screen; in other words, adb shell can call Surface and SurfaceControl. How do we call these two classes through adb shell? The protagonist here is app_process, which can directly run an ordinary Java class. In summary:

1. Start an app_process program with the adb shell command

export CLASSPATH=/data/app/com.test.syscreen-1.apk
exec app_process /system/bin com.test.syscreen.Main '@@'

2. Use app_process to start a Java program. The Surface and SurfaceControl classes can be accessed from that Java program, so root can be bypassed and the screenshot taken by reflection. Going a step further, why does a program run by app_process have access to something ordinary users cannot reach? After checking: app_process is actually the Zygote process (Zygote is app_process renamed). Application processes in Android are forked from the Zygote process. When Zygote starts it creates a Dalvik virtual machine instance, and whenever a new application process is spawned, Zygote copies that virtual machine instance into it; the Java runtime is also loaded when Zygote starts. So a new application created by Zygote not only has a virtual machine copied from Zygote but also shares the Java runtime with Zygote.
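As an added example (not code from the article or its project), here is what the com.test.syscreen.Main class started by the app_process command above could look like. It performs the same reflective screenshot call as EncoderFeeder, takes the resolution and an output path from the command line instead of a Device class, and writes the result as a PNG. The argument layout, the output path and the assumption that the two-int screenshot overload exists on the device are mine, not the article's.

```java
package com.test.syscreen;

import android.graphics.Bitmap;
import android.os.Build;
import java.io.FileOutputStream;
import java.lang.reflect.Method;

public class Main {
    // Reflectively call Surface.screenshot(int, int) (API <= 17) or
    // SurfaceControl.screenshot(int, int) (API 18+). Both are @hide and only
    // return a Bitmap when the calling process has the shell privilege, which
    // is why this class is run through app_process from adb shell rather than
    // from an ordinary application.
    static Bitmap captureScreen(int width, int height) throws Exception {
        String className = Build.VERSION.SDK_INT <= 17
                ? "android.view.Surface"
                : "android.view.SurfaceControl";
        Method screenshot = Class.forName(className)
                .getDeclaredMethod("screenshot", int.class, int.class);
        // Static method: the target object is null, then the two int arguments.
        return (Bitmap) screenshot.invoke(null, width, height);
    }

    public static void main(String[] args) throws Exception {
        // Assumed argument layout: <width> <height> <output.png>
        if (args.length < 3) {
            System.err.println("usage: Main <width> <height> <output.png>");
            System.exit(2);
        }
        int width = Integer.parseInt(args[0]);
        int height = Integer.parseInt(args[1]);

        Bitmap bm = captureScreen(width, height);
        if (bm == null) {
            // Same failure mode the article describes for an ordinary app:
            // the hidden method answers null when the caller is not privileged.
            System.err.println("screenshot returned null: caller lacks the shell privilege?");
            System.exit(1);
        }
        try (FileOutputStream out = new FileOutputStream(args[2])) {
            bm.compress(Bitmap.CompressFormat.PNG, 100, out);
        } finally {
            bm.recycle();
        }
        System.out.println("wrote " + args[2]);
    }
}
```

After pushing the apk to the device, run it from adb shell with the same CLASSPATH pattern as step 1, for example export CLASSPATH=/data/app/com.test.syscreen-1.apk followed by exec app_process /system/bin com.test.syscreen.Main 1080 1920 /sdcard/screen.png (resolution and output path are placeholders). A non-zero exit code distinguishes "no privilege" (the null result) from a reflection failure, which is useful when checking why the same code works from the shell but not from inside an app.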
