{"id":3428,"date":"2021-01-11T17:14:51","date_gmt":"2021-01-11T09:14:51","guid":{"rendered":"http:\/\/122.152.205.50\/wordpress\/?p=3428"},"modified":"2021-01-15T08:50:25","modified_gmt":"2021-01-15T00:50:25","slug":"%e6%ad%a3%e7%a1%ae%e7%9a%84hook-activity%e5%90%af%e5%8a%a8%e7%9a%84%e6%96%b9%e5%bc%8f","status":"publish","type":"post","link":"http:\/\/xinyiworld.top\/wordpress_it\/?p=3428","title":{"rendered":"\u6b63\u786e\u7684Hook Activity\u542f\u52a8\u7684\u65b9\u5f0f"},"content":{"rendered":"\n<p><a href=\"https:\/\/blog.csdn.net\/gdutxiaoxu\/article\/details\/81459910\">https:\/\/blog.csdn.net\/gdutxiaoxu\/article\/details\/81459910<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.jianshu.com\/p\/e8f0be9e1c15?utm_source=desktop\">https:\/\/www.jianshu.com\/p\/e8f0be9e1c15?utm_source=desktop<\/a>\uff08\u542f\u52a8\u672a\u5728\u6e05\u5355\u91cc\u6ce8\u518c\u7684activity\u7684\u65b9\u6848\uff09<\/p>\n\n\n\n<p>\u601d\u8def\uff1a<\/p>\n\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_16 counter-hierarchy counter-decimal ez-toc-grey\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\">\u76ee\u5f55<\/p>\n<span class=\"ez-toc-title-toggle\"><a class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" style=\"display: none;\"><i class=\"ez-toc-glyphicon ez-toc-icon-toggle\"><\/i><\/a><\/span><\/div>\n<nav><ul class=\"ez-toc-list ez-toc-list-level-1\"><li class=\"ez-toc-page-1 ez-toc-heading-level-3\"><a class=\"ez-toc-link ez-toc-heading-1\" href=\"http:\/\/xinyiworld.top\/wordpress_it\/?p=3428\/#1hook_startActivity%E6%96%B9%E6%B3%95\" title=\"1.hook startActivity\u65b9\u6cd5\">1.hook startActivity\u65b9\u6cd5<\/a><ul class=\"ez-toc-list-level-4\"><li class=\"ez-toc-heading-level-4\"><a class=\"ez-toc-link ez-toc-heading-2\" href=\"http:\/\/xinyiworld.top\/wordpress_it\/?p=3428\/#1%EF%BC%89hook_activity\" title=\"1\uff09hook activity\">1\uff09hook activity<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-4\"><a 
class=\"ez-toc-link ez-toc-heading-3\" href=\"http:\/\/xinyiworld.top\/wordpress_it\/?p=3428\/#2%EF%BC%89hook_context\" title=\"2\uff09hook context\">2\uff09hook context<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-4\"><a class=\"ez-toc-link ez-toc-heading-4\" href=\"http:\/\/xinyiworld.top\/wordpress_it\/?p=3428\/#3%EF%BC%89hook_AMS\" title=\"3\uff09hook AMS\">3\uff09hook AMS<\/a><\/li><\/ul><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-3\"><a class=\"ez-toc-link ez-toc-heading-5\" href=\"http:\/\/xinyiworld.top\/wordpress_it\/?p=3428\/#2%E5%90%AF%E5%8A%A8%E6%B2%A1%E6%9C%89%E5%9C%A8%E5%BA%94%E7%94%A8%E6%B8%85%E5%8D%95xml%E6%96%87%E4%BB%B6%E9%87%8C%E6%B3%A8%E5%86%8C%E7%9A%84activity\" title=\"2.\u542f\u52a8\u6ca1\u6709\u5728\u5e94\u7528\u6e05\u5355xml\u6587\u4ef6\u91cc\u6ce8\u518c\u7684activity\">2.\u542f\u52a8\u6ca1\u6709\u5728\u5e94\u7528\u6e05\u5355xml\u6587\u4ef6\u91cc\u6ce8\u518c\u7684activity<\/a><ul class=\"ez-toc-list-level-4\"><li class=\"ez-toc-heading-level-4\"><a class=\"ez-toc-link ez-toc-heading-6\" href=\"http:\/\/xinyiworld.top\/wordpress_it\/?p=3428\/#1%EF%BC%89hook_ams_startActivity%EF%BC%8C%E5%B0%86intent%E5%81%B7%E6%A2%81%E6%8D%A2%E6%9F%B1%E3%80%82\" title=\"1\uff09hook ams startActivity\uff0c\u5c06intent\u5077\u6881\u6362\u67f1\u3002\">1\uff09hook ams startActivity\uff0c\u5c06intent\u5077\u6881\u6362\u67f1\u3002<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-4\"><a class=\"ez-toc-link ez-toc-heading-7\" href=\"http:\/\/xinyiworld.top\/wordpress_it\/?p=3428\/#2%EF%BC%89hook_H_Handler%E8%BF%98%E5%8E%9Fintent\" title=\"2\uff09hook H Handler,\u8fd8\u539fintent\">2\uff09hook H Handler,\u8fd8\u539fintent<\/a><\/li><\/ul><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-3\"><a class=\"ez-toc-link ez-toc-heading-8\" href=\"http:\/\/xinyiworld.top\/wordpress_it\/?p=3428\/#3%E6%80%BB%E7%BB%93\" title=\"3.\u603b\u7ed3\">3.\u603b\u7ed3<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-3\"><a class=\"ez-toc-link 
ez-toc-heading-9\" href=\"http:\/\/xinyiworld.top\/wordpress_it\/?p=3428\/#4%E5%85%B3%E4%BA%8E%E6%8F%92%E4%BB%B6apk%E7%9A%84%E8%87%AA%E5%AE%9A%E4%B9%89classloader%E5%8A%A0%E8%BD%BDactivity%E7%9A%84%E5%85%BC%E5%AE%B9%E6%80%A7%E9%97%AE%E9%A2%98\" title=\"4.\u5173\u4e8e\u63d2\u4ef6apk\u7684\u81ea\u5b9a\u4e49classloader\u52a0\u8f7dactivity\u7684\u517c\u5bb9\u6027\u95ee\u9898\">4.\u5173\u4e8e\u63d2\u4ef6apk\u7684\u81ea\u5b9a\u4e49classloader\u52a0\u8f7dactivity\u7684\u517c\u5bb9\u6027\u95ee\u9898<\/a><\/li><\/ul><\/nav><\/div>\n<h3><span class=\"ez-toc-section\" id=\"1hook_startActivity%E6%96%B9%E6%B3%95\"><\/span>1.hook startActivity\u65b9\u6cd5<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>\u901a\u8fc7\u5206\u6790activity\u7684\u542f\u52a8\u6e90\u7801\uff0c\u53ef\u4ee5\u77e5\u9053\u542f\u52a8activity\u6709\u4e24\u79cd\u65b9\u5f0f\u3002<\/p>\n\n\n\n<figure class=\"wp-block-embed aligncenter is-type-rich is-provider-\u4fee\u7b26\u9053\u4eba\u7684\u6c5f\u6e56\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"6O4Xk3XtQ7\"><a href=\"http:\/\/122.152.205.50\/wordpress\/?p=3445\">Activity\u548cContext\u542f\u52a8Activity\u7684\u533a\u522b<\/a><\/blockquote><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/122.152.205.50\/wordpress\/?p=3445&#038;embed=true#?secret=6O4Xk3XtQ7\" data-secret=\"6O4Xk3XtQ7\" width=\"600\" height=\"338\" title=\"\u300aActivity\u548cContext\u542f\u52a8Activity\u7684\u533a\u522b\u300b\u2014\u4fee\u7b26\u9053\u4eba\u7684\u6c5f\u6e56\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>\u6240\u4ee5\u5bf9\u5e94\u7684hook\u4e5f\u6709\u4e24\u79cd\u65b9\u5f0f<\/p>\n\n\n\n<h4><span class=\"ez-toc-section\" id=\"1%EF%BC%89hook_activity\"><\/span>1\uff09hook activity<span 
class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>hook activity \u7684 mInstrumentation<\/p>\n\n\n\n<ul><li>\u7b2c\u4e00\u6b65\uff1a\u62ff\u5230\u5f53\u524d activity \u7684 mInstrumentation<\/li><li>\u7b2c\u4e8c\u6b65\uff1a\u521b\u5efa\u4ee3\u7406\u5bf9\u8c61<\/li><li>\u7b2c\u4e09\u6b65\uff1a\u5c06\u6211\u4eec\u7684\u4ee3\u7406\u66ff\u6362\u539f activity \u7684 mInstrumentation<\/li><\/ul>\n\n\n\n<h4 id=\"mce_24\"><span class=\"ez-toc-section\" id=\"2%EF%BC%89hook_context\"><\/span>2\uff09hook context<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<ul><li>\u7b2c\u4e00\u6b65\uff1a\u62ff\u5230ActivityThread(\u901a\u8fc7\u5176\u9759\u6001\u65b9\u6cd5currentActivityThread)\uff0c\u518d\u62ff\u5230 mInstrumentation<\/li><li>\u7b2c\u4e8c\u6b65\uff1a\u521b\u5efa\u4ee3\u7406\u5bf9\u8c61<\/li><li>\u7b2c\u4e09\u6b65\uff1a\u5c06\u6211\u4eec\u7684\u4ee3\u7406\u66ff\u6362\u539f activity \u7684 mInstrumentation<\/li><\/ul>\n\n\n\n<h4><span class=\"ez-toc-section\" id=\"3%EF%BC%89hook_AMS\"><\/span>3\uff09hook AMS<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>\u4e0a\u9762 hook activity \u7684\u4e24\u79cd\u65b9\u6cd5\u5176\u5b9e\u90fd\u6709\u4e00\u5b9a\u7f3a\u9677\uff0c\u6bd4\u5982\uff0c\u7b2c\u4e00\u79cd\u65b9\u6cd5\uff0c\u53ea\u80fd hook \u4f4f\u901a\u8fc7 Activity startActivity \u7684 activity\u3002\u7b2c\u4e8c\u79cd\u65b9\u6cd5\uff0c\u53ea\u80fd hook \u4f4f\u901a\u8fc7 getApplicationContext().startActivity \u542f\u52a8\u7684 activity\u3002\u4f46\u662f\u4e8c\u8005\u90fd\u662f\u901a\u8fc7Instrumentation\u6765\u542f\u52a8activity\u7684\uff0c\u6240\u4ee5\u5206\u6790 Instrumentation\u53ef\u8ffd\u6eaf\u5230IActivityManager\uff0c\u53d1\u73b0\u6b63\u597d\u662f\u4e2a\u9759\u6001\u53d8\u91cf\uff0c\u5c31\u662fActivityManagerService\u7684\u5b9e\u4f8b\u3002<br><\/p>\n\n\n\n<ul><li>\u7b2c\u4e00\u6b65\uff0c API29\u4ee5\u540e\uff0chook android.app.ActivityTaskManager.IActivityTaskManagerSingleton;API 26 \u4ee5\u540e\uff0chook 
android.app.ActivityManager.IActivityManagerSingleton; API 25 \u4ee5\u524d\uff0chook android.app.ActivityManagerNative.gDefault<\/li><li>\u7b2c\u4e8c\u6b65\uff0c\u83b7\u53d6\u6211\u4eec\u7684\u4ee3\u7406\u5bf9\u8c61\uff0c\u8fd9\u91cc\u56e0\u4e3a\u662f\u63a5\u53e3\uff0c\u6240\u4ee5\u6211\u4eec\u4f7f\u7528\u52a8\u6001\u4ee3\u7406\u7684\u65b9\u5f0f<\/li><li>\u7b2c\u4e09\u6b65\uff1a\u8bbe\u7f6e\u4e3a\u6211\u4eec\u7684\u4ee3\u7406\u5bf9\u8c61<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code> \/**\n     * \u8fd9\u91cc\u5bf9AMS\u8fdb\u884chook\n     * ActivityManager(ActivityManagerNative)\u91cc\u7684IActivityManager\u662f\u4e00\u4e2a\u5355\u4f8b\uff0c\u7528\u6211\u4eec\u7684\u4ee3\u7406\u5bf9\u8c61\u66ff\u6362\u5b83!\n     *\n     * @param context\n     *\/\n    public static void hookAMS(Context context) {\n        try {\n            final Class&lt;?> ActivityManagerClz;\n            final String getServiceMethodStr;\n            final String IActivityManagerSingletonFieldStr;\n            if (ifSdkOverIncluding29()) {\/\/29\u7684ams\u83b7\u53d6\u65b9\u5f0f\u662f\u901a\u8fc7ActivityTaskManager.getService()\n                ActivityManagerClz = Class.forName(\"android.app.ActivityTaskManager\");\n                getServiceMethodStr = \"getService\";\n                IActivityManagerSingletonFieldStr = \"IActivityTaskManagerSingleton\";\n            } else if (ifSdkOverIncluding26()) {\/\/26\uff0c27\uff0c28\u7684ams\u83b7\u53d6\u65b9\u5f0f\u662f\u901a\u8fc7ActivityManager.getService()\n                ActivityManagerClz = Class.forName(\"android.app.ActivityManager\");\n                getServiceMethodStr = \"getService\";\n                IActivityManagerSingletonFieldStr = \"IActivityManagerSingleton\";\n            } else {\/\/25\u5f80\u4e0b\uff0c\u662fActivityManagerNative.getDefault()\n                ActivityManagerClz = Class.forName(\"android.app.ActivityManagerNative\");\n                getServiceMethodStr = \"getDefault\";\n                
IActivityManagerSingletonFieldStr = \"gDefault\";\n            }\n\n            \/\/\u8fd9\u4e2a\u5c31\u662fActivityManager\u5b9e\u4f8b\n            Object ActivityManagerObj = ReflectUtil.invokeStaticMethod(ActivityManagerClz, getServiceMethodStr);\n            \/\/\u8fd9\u4e2a\u5c31\u662f\u8fd9\u4e2a\u5c31\u662fActivityManager\u5b9e\u4f8b\u4e2d\u7684IActivityManager\u5355\u4f8b\u5bf9\u8c61\n            Object IActivityManagerSingleton = ReflectUtil.staticFieldValue(ActivityManagerClz,\n                    IActivityManagerSingletonFieldStr);\n\n            \/\/ 2.\u73b0\u5728\u521b\u5efa\u6211\u4eec\u7684IActivityManager\u5b9e\u4f8b\n            \/\/ \u7531\u4e8eIActivityManager\u662f\u4e00\u4e2a\u63a5\u53e3\uff0c\u90a3\u4e48\u5176\u5b9e\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528Proxy\u7c7b\u6765\u8fdb\u884c\u4ee3\u7406\u5bf9\u8c61\u7684\u521b\u5efa\n            \/\/ \u7ed3\u679c\u88ab\u6446\u4e86\u4e00\u9053\uff0cIActivityManager\u8fd9\u73a9\u610f\u5c45\u7136\u8fd8\u662f\u4e2aAIDL\uff0c\u52a8\u6001\u751f\u6210\u7684\u7c7b\uff0c\u7f16\u8bd1\u5668\u8fd8\u4e0d\u8ba4\u8bc6\u8fd9\u4e2a\u7c7b\uff0c\u600e\u4e48\u529e\uff1f\u53cd\u5c04\u54af\n            Class&lt;?> IActivityManagerClz;\n            if (ifSdkOverIncluding29()) {\n                IActivityManagerClz = Class.forName(\"android.app.IActivityTaskManager\");\n            } else {\n                IActivityManagerClz = Class.forName(\"android.app.IActivityManager\");\n            }\n\n\n            \/\/ \u6784\u5efa\u4ee3\u7406\u7c7b\u9700\u8981\u4e24\u4e2a\u4e1c\u897f\u7528\u4e8e\u521b\u5efa\u4f2a\u88c5\u7684Intent\n            String packageName = Util.getPMName(context);\n            String clz = Util.getHostClzName(context, packageName);\n            Object proxyIActivityManager =\n                    Proxy.newProxyInstance(\n                            Thread.currentThread().getContextClassLoader(),\n                            new Class[]{IActivityManagerClz},\n                            new 
AMSProxyInvocation(ActivityManagerObj, packageName, clz));\n\n            \/\/3.\u62ff\u5230AMS\u5b9e\u4f8b\uff0c\u7136\u540e\u7528\u4ee3\u7406\u7684AMS\u6362\u6389\u771f\u6b63\u7684AMS\uff0c\u4ee3\u7406\u7684AMS\u5219\u662f\u7528 \u5047\u7684Intent\u9a97\u8fc7\u4e86 activity manifest\u68c0\u6d4b.\n            \/\/\u5077\u6881\u6362\u67f1\n            Field mInstanceField = ReflectUtil.findSingletonField(\"mInstance\");\n            mInstanceField.set(IActivityManagerSingleton, proxyIActivityManager);\n\n        } catch (Exception e) {\n            e.printStackTrace();\n        }\n    }<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code> \/**\n     * \u628aInvocationHandler\u7684\u5b9e\u73b0\u7c7b\u63d0\u53d6\u51fa\u6765\uff0c\u56e0\u4e3a\u8fd9\u91cc\u5305\u542b\u4e86\u6838\u5fc3\u6280\u672f\u903b\u8f91\uff0c\u6700\u597d\u72ec\u7acb\uff0c\u65b9\u4fbf\u7ef4\u62a4\n     *\/\n    private static class AMSProxyInvocation implements InvocationHandler {\n\n        Object amObj;\n        String packageName;\/\/\u8fd9\u4e24\u4e2aString\u662f\u7528\u6765\u6784\u5efaIntent\u7684ComponentName\u7684\n        String clz;\n\n        public AMSProxyInvocation(Object amObj, String packageName, String clz) {\n            this.amObj = amObj;\n            this.packageName = packageName;\n            this.clz = clz;\n        }\n\n        @Override\n        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {\n            Log.e(\"GlobalActivityHook\", \"method.getName() = \" + method.getName());\n            \/\/proxy\u662f\u521b\u5efa\u51fa\u6765\u7684\u4ee3\u7406\u7c7b\uff0cmethod\u662f\u63a5\u53e3\u4e2d\u7684\u65b9\u6cd5\uff0cargs\u662f\u63a5\u53e3\u6267\u884c\u65f6\u7684\u5b9e\u53c2\n            if (method.getName().equals(\"startActivity\")) {\n                Log.d(\"GlobalActivityHook\", \"\u5168\u5c40hook \u5230\u4e86 startActivity\");\n\n                Intent currentRealIntent = 
null;\/\/\u4fa6\u6d4b\u5230startActivity\u52a8\u4f5c\u4e4b\u540e\uff0c\u628aintent\u5b58\u5230\u8fd9\u91cc\n                int intentIndex = -1;\n                \/\/\u904d\u5386\u53c2\u6570\uff0c\u627e\u5230Intent\n                for (int i = 0; i &lt; args.length; i++) {\n                    Object temp = args[i];\n                    if (temp instanceof Intent) {\n                        currentRealIntent = (Intent) temp;\/\/\u8fd9\u662f\u539f\u59cb\u7684Intent,\u5b58\u8d77\u6765,\u540e\u9762\u7528\u5f97\u7740\n                        intentIndex = i;\n                        break;\n                    }\n                }\n\n                \/\/\u6784\u9020\u81ea\u5df1\u7684Intent\uff0c\u8fd9\u662f\u4e3a\u4e86\u7ed5\u8fc7manifest\u68c0\u6d4b\n                Intent proxyIntent = new Intent();\n                ComponentName componentName = new ComponentName(packageName, clz);\/\/\u7528ComponentName\u91cd\u65b0\u521b\u5efa\u4e00\u4e2aintent\n                proxyIntent.setComponent(componentName);\n                proxyIntent.putExtra(TextActivity.ORIGINALLY_INTENT, currentRealIntent);\/\/\u5c06\u771f\u6b63\u7684proxy\u4f5c\u4e3a\u53c2\u6570\uff0c\u5b58\u653e\u5230extras\u4e2d\uff0c\u540e\u9762\u4f1a\u62ff\u51fa\u6765\u8fd8\u539f\n\n                args[intentIndex] = proxyIntent;\/\/\u66ff\u6362\u6389intent\n                \/\/\u54df\uff0c\u5df2\u7ecf\u6210\u529f\u7ed5\u8fc7\u4e86manifest\u6e05\u5355\u68c0\u6d4b. 
\u90a3\u4e48\uff0c\u6211\u4e0d\u80fd\u8001\u8ba9\u5b83\u8df3\u5230 \u4f2a\u88c5\u7684Activity\u554a\uff0c\u6211\u8981\u7ed9\u4ed6\u8fd8\u539f\u56de\u53bb\uff0c\u90a3\u4e48\uff0c\u53bb\u54ea\u91cc\u8fd8\u539f\u5462\uff1f\n                \/\/\u7ee7\u7eed\u770b\u6e90\u7801\u3002\n\n            }\n            return method.invoke(amObj, args);\n        }\n    }<\/code><\/pre>\n\n\n\n<h3 id=\"mce_30\"><span class=\"ez-toc-section\" id=\"2%E5%90%AF%E5%8A%A8%E6%B2%A1%E6%9C%89%E5%9C%A8%E5%BA%94%E7%94%A8%E6%B8%85%E5%8D%95xml%E6%96%87%E4%BB%B6%E9%87%8C%E6%B3%A8%E5%86%8C%E7%9A%84activity\"><\/span>2.\u542f\u52a8\u6ca1\u6709\u5728\u5e94\u7528\u6e05\u5355xml\u6587\u4ef6\u91cc\u6ce8\u518c\u7684activity<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<h4><span class=\"ez-toc-section\" id=\"1%EF%BC%89hook_ams_startActivity%EF%BC%8C%E5%B0%86intent%E5%81%B7%E6%A2%81%E6%8D%A2%E6%9F%B1%E3%80%82\"><\/span>1\uff09hook ams startActivity\uff0c\u5c06intent\u5077\u6881\u6362\u67f1\u3002<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>\u5bf9\u4e8e\u63d2\u4ef6\u91cc\u7684activity\uff0c\u5373\u4f7f\u5176\u5728\u63d2\u4ef6apk\u7684\u6e05\u5355xml\u91cc\u6ce8\u518c\u8fc7\uff0c\u5728\u5bbf\u4e3bapk\u91cc\u542f\u52a8\u7684\u65f6\u5019\u4ecd\u7136\u4f1a\u62a5\u9519\uff1a<\/p>\n\n\n\n<p style=\"color:#f60a0a\" class=\"has-text-color\">android.content.ActivityNotFoundException: Unable to find explicit activity class {com.renxh.pluginapp\/com.renxh.pluginapp.PluginActivity}; have you declared this activity in your AndroidManifest.xml?<\/p>\n\n\n\n<p>\u89e3\u51b3\u601d\u8def\uff1a\u4e8b\u5148\u5728\u5bbf\u4e3bapk\u7684\u6e05\u5355\u6587\u4ef6\u91cc\u6ce8\u518c\u4e00\u4e2aStubActivity\uff08\u6697\u6869\uff0c\u5360\u4f4d\uff0c\u4e5f\u53ef\u4ee5\u52a8\u6001\u7684\u83b7\u53d6\u5bbf\u4e3bapk\u7684\u7b2c\u4e00\u4e2aactivity\uff09\uff0c\u7136\u540e\u518d\u901a\u8fc7hook 
ActivityManager\u7684startActivity\u7684\u65b9\u6cd5\uff0c\u521b\u5efa\u65b0\u7684intent\u6307\u5411StubActivity\uff0c\u5e76\u7ed1\u5b9a\u6709intent\uff08\u63d2\u4ef6intent\uff09\u4fe1\u606f\u3002<\/p>\n\n\n\n<h4><span class=\"ez-toc-section\" id=\"2%EF%BC%89hook_H_Handler%E8%BF%98%E5%8E%9Fintent\"><\/span>2\uff09hook H Handler,\u8fd8\u539fintent<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>\u901a\u8fc7activity\u7684\u542f\u52a8\u6d41\u7a0b\uff1a<\/p>\n\n\n\n<p class=\"has-text-color has-luminous-vivid-orange-color\"> app \u8c03\u7528 startActivity \u65b9\u6cd5 -&gt; Instrumentation \u7c7b\u901a\u8fc7 ActivityManagerNative \u6216\u8005 ActivityManager\uff08 API 26\u4ee5\u540e\uff09\u5c06\u542f\u52a8\u8bf7\u6c42\u53d1\u9001\u7ed9 AMS -&gt; AMS \u8fdb\u884c\u4e00\u7cfb\u5217\u68c0\u67e5\u5e76\u5c06\u6b64\u8bf7\u6c42\u901a\u8fc7 Binder \u6d3e\u53d1\u7ed9\u6240\u5c5e app -&gt; app \u901a\u8fc7 Binder \u6536\u5230\u8fd9\u4e2a\u542f\u52a8\u8bf7\u6c42 -&gt; ActivityThread \u4e2d\u7684\u5b9e\u73b0\u5c06\u6536\u5230\u7684\u8bf7\u6c42\u8fdb\u884c\u5c01\u88c5\u540e\u9001\u5165 Handler -&gt; \u4ece Handler \u4e2d\u53d6\u51fa\u8fd9\u4e2a\u6d88\u606f\uff0c\u5f00\u59cb app \u672c\u5730\u7684 Activity \u521d\u59cb\u5316\u548c\u542f\u52a8\u903b\u8f91\u3002 <\/p>\n\n\n\n<p>\u6240\u4ee5\u53ef\u4ee5hook ActivityThread\u7c7b\u4e2d\u7684H\u7c7bmH\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>public static void hookActivityThread_mH(Context context) {\n\n        try {\n            Class&lt;?> activityThreadClazz = Class.forName(\"android.app.ActivityThread\");\n\n            Object sCurrentActivityThread = ReflectUtil.staticFieldValue(activityThreadClazz, \"sCurrentActivityThread\");\n\n            Handler mH = (Handler) ReflectUtil.fieldValue(sCurrentActivityThread, \"mH\");\n\n            Field mCallBackField = ReflectUtil.findField(Handler.class, \"mCallback\");\n\n            Handler.Callback callback;\n            if (ifSdkOverIncluding28()) {\n                
\/\/2.\u73b0\u5728\uff0c\u9020\u4e00\u4e2a\u4ee3\u7406\n                \/\/ \u4ed6\u5c31\u662f\u4e00\u4e2a\u7b80\u5355\u7684Handler\u5b50\u7c7b\n                callback = new ProxyHandlerCallback();\/\/\u4e0d\u9700\u8981\u91cd\u5199\u5168\u90e8mH\uff0c\u53ea\u9700\u8981\u5bf9mH\u7684callback\u8fdb\u884c\u91cd\u65b0\u5b9a\u4e49\n            } else {\n                callback = new ActivityThreadHandlerCallBack(context);\n            }\n\n            \/\/3.\u66ff\u6362\n            \/\/\u5c06Handler\u7684mCallback\u6210\u5458\uff0c\u66ff\u6362\u6210\u521b\u5efa\u51fa\u6765\u7684\u4ee3\u7406HandlerCallback\n            mCallBackField.set(mH, callback);\n\n\n        } catch (Exception e) {\n            e.printStackTrace();\n        }\n\n    }<\/code><\/pre>\n\n\n\n<p style=\"color:#f40808\" class=\"has-text-color\"><strong>\u6ce8\u610f\uff0candroid28\u4ee5\u540e\u7684Activity\u7684H Handler\uff0chook\u65b9\u5f0f\u4e0d\u4e00\u6837\u3002!!!!!!<\/strong><\/p>\n\n\n\n<p><strong>android28\u4ee5\u4e0a\u7684H Handler\u7684hook:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/**\n     * \u6ce8\u610f\uff0c\u8fd9\u91cc\u6709\u4e2a\u5751\n     * android.os.handler \u8fd9\u4e2a\u7c7b\u6709 3\u4e2a callback\uff0c\u6309\u7167\u4f18\u5148\u7ea7\uff0c\u4f9d\u6b21\u662f msg\u7684callback\uff0c\u81ea\u5df1\u6210\u5458\u53d8\u91cfmCallback\uff0c\u81ea\u5df1\u7684\u6210\u5458\u65b9\u6cd5 handleMessage()\n     *\n     * \u5176\u4e2d\uff0cmsg.callback\u4e00\u822c\u5f88\u5c11\u7528\uff0c\u4f46\u662f\u5b83\u662f\u6700\u4f18\u5148\u7684\uff0c\u5982\u679c\u6709\u4e00\u4e2aMessage.\u5b58\u5728callback\u975e\u7a7a\u6210\u5458,\u90a3\u4e48\u5b83\u662f\u5148\u6267\u884c\uff0c\u540e\u9762\u4e24\u4e2a\u5c31\u6ca1\u620f\u4e86\u3002\n     * \u5982\u679c handler\u81ea\u5df1\u7684\u6210\u5458\u53d8\u91cfmCallback\uff0c\u975e\u7a7a\uff0c\u90a3\u4e48 handlerMessage()\u65b9\u6cd5\u5c31\u6ca1\u620f\u4e86\n     * 
\u524d\u9762\u4e24\u4e2a\u90fd\u6267\u884c\uff0c\u90a3\u4e48handlerMessage\u624d\u4f1a\u6267\u884c\uff0c\n     * \u8fd9\u4e2a\u53eb\u8d23\u4efb\u94fe\u6a21\u5f0f\uff1f\u6839\u636e\u5b9e\u9645\u6761\u4ef6\u51b3\u5b9a\u4ee3\u7801\u5206\u652f\u3002\n     *\/\n    private static class ProxyHandlerCallback implements Handler.Callback {\n\n        private int EXECUTE_TRANSACTION = 159;\/\/\u8fd9\u4e2a\u503c\uff0c\u662fandroid.app.ActivityThread\u7684\u5185\u90e8\u7c7bH \u4e2d\u5b9a\u4e49\u7684\u5e38\u91cfEXECUTE_TRANSACTION\n\n        @Override\n        public boolean handleMessage(Message msg) {\n            boolean result = false;\/\/\u8fd4\u56de\u503c\uff0c\u8bf7\u770bHandler\u7684\u6e90\u7801\uff0cdispatchMessage\u5c31\u4f1a\u61c2\u4e86\n            \/\/Handler\u7684dispatchMessage\u67093\u4e2acallback\u4f18\u5148\u7ea7\uff0c\u9996\u5148\u662fmsg\u81ea\u5e26\u7684callback\uff0c\u5176\u6b21\u662fHandler\u7684\u6210\u5458mCallback,\u6700\u540e\u624d\u662fHandler\u7c7b\u81ea\u8eab\u7684handlerMessage\u65b9\u6cd5,\n            \/\/\u5b83\u6210\u5458mCallback.handleMessage\u7684\u8fd4\u56de\u503c\u4e3atrue\uff0c\u5219\u4e0d\u4f1a\u7ee7\u7eed\u5f80\u4e0b\u6267\u884c Handler.handlerMessage\n            \/\/\u6211\u4eec\u8fd9\u91cc\u53ea\u662f\u8981hook\uff0c\u63d2\u5165\u903b\u8f91\uff0c\u6240\u4ee5\u5fc5\u987b\u8fd4\u56defalse\uff0c\u8ba9Handler\u539f\u672c\u7684handlerMessage\u80fd\u591f\u6267\u884c.\n            if (msg.what == EXECUTE_TRANSACTION) {\/\/\u8fd9\u662f\u8df3\u8f6c\u7684\u65f6\u5019,\u8981\u5bf9intent\u8fdb\u884c\u8fd8\u539f\n                try {\n                    \/\/\u5148\u628a\u76f8\u5173@hide\u7684\u7c7b\u90fd\u5efa\u597d\n                    Class&lt;?> ClientTransactionClz = Class.forName(\"android.app.servertransaction.ClientTransaction\");\n                    Class&lt;?> LaunchActivityItemClz = Class.forName(\"android.app.servertransaction.LaunchActivityItem\");\n\n                    Field mActivityCallbacksField = 
ClientTransactionClz.getDeclaredField(\"mActivityCallbacks\");\/\/ClientTransaction\u7684\u6210\u5458\n                    mActivityCallbacksField.setAccessible(true);\n                    \/\/\u7c7b\u578b\u5224\u5b9a\uff0c\u597d\u4e60\u60ef\n                    if (!ClientTransactionClz.isInstance(msg.obj)) {\n                        return true;\n                    }\n                    Object mActivityCallbacksObj = mActivityCallbacksField.get(msg.obj);\/\/\u6839\u636e\u6e90\u7801\uff0c\u5728\u8fd9\u4e2a\u5206\u652f\u91cc\u9762,msg.obj\u5c31\u662f ClientTransaction\u7c7b\u578b,\u6240\u4ee5\uff0c\u76f4\u63a5\u7528\n                    \/\/\u62ff\u5230\u4e86ClientTransaction\u7684List&lt;ClientTransactionItem> mActivityCallbacks;\n                    List list = (List) mActivityCallbacksObj;\n\n                    if (list.size() == 0) {\n                        return false;\n                    }\n                    Object LaunchActivityItemObj = list.get(0);\/\/\u6240\u4ee5\u8fd9\u91cc\u76f4\u63a5\u5c31\u62ff\u5230\u7b2c\u4e00\u4e2a\u5c31\u597d\u4e86\n\n                    if (!LaunchActivityItemClz.isInstance(LaunchActivityItemObj)) {\n                        return true;\n                    }\n                    \/\/\u8fd9\u91cc\u5fc5\u987b\u5224\u5b9a LaunchActivityItemClz\uff0c\n                    \/\/ \u56e0\u4e3a \u6700\u521d\u7684ActivityResultItem\u4f20\u8fdb\u53bb\u4e4b\u540e\u90fd\u88ab\u8f6c\u5316\u6210\u4e86\u8fd9LaunchActivityItemClz\u7684\u5b9e\u4f8b\n\n                    Field mIntentField = LaunchActivityItemClz.getDeclaredField(\"mIntent\");\n                    mIntentField.setAccessible(true);\n                    Intent mIntent = (Intent) mIntentField.get(LaunchActivityItemObj);\n\n                    Bundle extras = mIntent.getExtras();\n                    if (extras != null) {\n                        Intent oriIntent = (Intent) extras.get(TextActivity.ORIGINALLY_INTENT);\n                        
\/\/\u90a3\u4e48\u73b0\u5728\u6709\u4e86\u6700\u539f\u59cb\u7684intent\uff0c\u5e94\u8be5\u600e\u4e48\u5904\u7406\u5462\uff1f\n                        Log.d(\"1\", \"2\");\n                        mIntentField.set(LaunchActivityItemObj, oriIntent);\n                    }\n\n                    return result;\n                } catch (Exception e) {\n                    e.printStackTrace();\n                }\n            }\n            return result;\n        }\n    }<\/code><\/pre>\n\n\n\n<p><strong>android28\u4ee5\u4e0b\u7684H Handler\u7684hook:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code> public static class ActivityThreadHandlerCallBack implements Handler.Callback {\n\n        private final Context mContext;\n\n        public ActivityThreadHandlerCallBack(Context context) {\n            mContext = context;\n        }\n\n        @Override\n        public boolean handleMessage(Message msg) {\n            int LAUNCH_ACTIVITY = 0;\n            try {\n                Class&lt;?> clazz = Class.forName(\"android.app.ActivityThread$H\");\n                LAUNCH_ACTIVITY = (int) ReflectUtil.staticFieldValue(clazz, \"LAUNCH_ACTIVITY\");\n            } catch (Exception e) {\n            }\n            if (msg.what == LAUNCH_ACTIVITY) {\n                handleLaunchActivity(mContext, msg);\n            }\n            return false;\n        }\n    }\n\n    private static void handleLaunchActivity(Context context, Message msg) {\n        try {\n            Object obj = msg.obj;\n\n            Intent proxyIntent = (Intent) ReflectUtil.fieldValue(obj, \"intent\");\n            \/\/\u62ff\u5230\u4e4b\u524d\u771f\u5b9e\u8981\u88ab\u542f\u52a8\u7684Intent \u7136\u540e\u628aIntent\u6362\u6389\n            Intent originallyIntent = proxyIntent.getParcelableExtra(TextActivity.ORIGINALLY_INTENT);\n            if (originallyIntent == null) {\n                return;\n            }\n            proxyIntent.setComponent(originallyIntent.getComponent());\n        } catch 
(Exception e) {\n            e.printStackTrace();\n        }\n    }<\/code><\/pre>\n\n\n\n<h3 id=\"mce_25\"><span class=\"ez-toc-section\" id=\"3%E6%80%BB%E7%BB%93\"><\/span>3.\u603b\u7ed3<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>hook activity\u7684\u542f\u52a8<\/p>\n\n\n\n<ol><li>hook ams<\/li><li>hook ActivityThread\u7684H Handler<\/li><li>hook\u7684\u65f6\u5019\uff0c\u8981\u6ce8\u610f\u5404\u4e2aandroid\u7248\u672c\u7684\u517c\u5bb9\u5904\u7406\u3002<\/li><li><\/li><\/ol>\n\n\n\n<h3 id=\"mce_1\"><span class=\"ez-toc-section\" id=\"4%E5%85%B3%E4%BA%8E%E6%8F%92%E4%BB%B6apk%E7%9A%84%E8%87%AA%E5%AE%9A%E4%B9%89classloader%E5%8A%A0%E8%BD%BDactivity%E7%9A%84%E5%85%BC%E5%AE%B9%E6%80%A7%E9%97%AE%E9%A2%98\"><\/span>4.\u5173\u4e8e\u63d2\u4ef6apk\u7684\u81ea\u5b9a\u4e49classloader\u52a0\u8f7dactivity\u7684\u517c\u5bb9\u6027\u95ee\u9898<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>\u5728\u4e0b\u9762\u7684\u6587\u7ae0\u4e2d\uff0c\u6211\u63d0\u5230\u4e86\u81ea\u5b9a\u4e49classloader\u52a0\u8f7dactivity\u7684\u517c\u5bb9\u6027\u95ee\u9898<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-rich is-provider-\u4fee\u7b26\u9053\u4eba\u7684\u6c5f\u6e56\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"OVbFpof29V\"><a href=\"http:\/\/122.152.205.50\/wordpress\/?p=3566\">android\u81ea\u5b9a\u4e49\u7c7b\u52a0\u8f7d\u5668<\/a><\/blockquote><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/122.152.205.50\/wordpress\/?p=3566&#038;embed=true#?secret=OVbFpof29V\" data-secret=\"OVbFpof29V\" width=\"600\" height=\"338\" title=\"\u300aandroid\u81ea\u5b9a\u4e49\u7c7b\u52a0\u8f7d\u5668\u300b\u2014\u4fee\u7b26\u9053\u4eba\u7684\u6c5f\u6e56\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" 
scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>\u7cfb\u7edf\u521b\u5efa\u63d2\u4ef6activity\u65f6\uff0c\u7528\u7684\u662f\u5e94\u7528\u7684classloader\u53bb\u52a0\u8f7d\uff0c\u81ea\u7136\u5c31\u4f1a\u62a5\u627e\u4e0d\u5230\uff0c\u4e8e\u662fhook\u6389ActivityThread\u7684Instrumentation\u7684newActivity\u65b9\u6cd5\uff0c\u5c06\u5e94\u7528\u7684classloader\u66ff\u6362\u6210\u81ea\u5b9a\u4e49\u7684classloader\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code> @Override\n    public Activity newActivity(ClassLoader cl, String className, Intent intent)\n            throws InstantiationException, IllegalAccessException, ClassNotFoundException {\n       return instrumentation.newActivity(PluginHelper.pluginClassLoader, className, intent);\n    }<\/code><\/pre>\n\n\n\n<p>\u53d1\u73b0\u63d2\u4ef6Activity\u7684\u751f\u547d\u5468\u671f\u65b9\u6cd5onResume\u4e5f\u8d70\u4e86\uff0c\u4f46\u662fActivity\u5374\u5e76\u6ca1\u6709\u663e\u793a\uff0c\u4e0d\u77e5\u9053\u662f\u4e3a\u4f55\uff1f\u6c42\u8def\u8fc7\u7684\u9ad8\u624b\u89e3\u7b54\u3002\/\/TODO<\/p>\n\n\n\n<p>\u5982\u679c\u628a\u8fd9\u4e2a\u63d2\u4ef6\u7684activity\u66ff\u6362\u6210app\u5e94\u7528\u5185\u6ca1\u6709\u6ce8\u518c\u7684activity\uff0c\u8fd9\u4e2aactivity\u4f1a\u6b63\u5e38\u663e\u793a\u3002<\/p>\n\n\n\n<p>\u5f85\u7eed......<\/p>\n<button class=\"simplefavorite-button\" data-postid=\"3428\" data-siteid=\"1\" data-groupid=\"1\" data-favoritecount=\"0\" style=\"\">\u6536\u85cf <i class=\"sf-icon-star-empty\"><\/i><\/button>","protected":false},"excerpt":{"rendered":"<p>https:\/\/blog.csdn.net\/gdutxiaoxu\/article\/details\/8 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[114],"tags":[],"_links":{"self":[{"href":"http:\/\/xinyiworld.top\/wordpress_it\/index.php?rest_route=\/wp\/v2\/posts\/3428"}],"collection":[{"href":"http:\/\/xinyiworld.top\/wordpress_it\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/xinyiworld.top\/wordpress_it\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/xinyiworld.top\/wordpress_it\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/xinyiworld.top\/wordpress_it\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3428"}],"version-history":[{"count":68,"href":"http:\/\/xinyiworld.top\/wordpress_it\/index.php?rest_route=\/wp\/v2\/posts\/3428\/revisions"}],"predecessor-version":[{"id":3594,"href":"http:\/\/xinyiworld.top\/wordpress_it\/index.php?rest_route=\/wp\/v2\/posts\/3428\/revisions\/3594"}],"wp:attachment":[{"href":"http:\/\/xinyiworld.top\/wordpress_it\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3428"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/xinyiworld.top\/wordpress_it\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3428"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/xinyiworld.top\/wordpress_it\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3428"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}