AMS advanced - how to start an unregistered activity
2022-06-09 08:17:00 【Straw hat learning programming】
Background:
From walking through the Activity start-up process earlier, we know that starting an Activity mainly goes through the following stages:
- Launching the Activity.
- Establishing a communication node with AMS: mainly obtaining the Binder proxy of AMS in the Instrumentation class, in preparation for communication.
- Switching from the application process to the AMS service in the system process (system_server). AMS determines whether the application process has already been created; if not, AMS communicates with the Zygote process to create it.
- After the application process has been created, it is started; the application process then switches back to the AMS service, and AMS performs further checks on the Activity to be started (for example, whether the Activity is registered).
- Starting the Activity: the Activity lifecycle is executed in the Handler of ActivityThread.
We all know that under normal circumstances, an Activity we want to start must be registered in the AndroidManifest file. So is there a way to start one without registering it?
Reading the source code, we know that one of AMS's jobs is the start-up management of Activities. In this process it runs a series of checks on the Activity to be started, and whether the Activity is registered is one of those checks. To start an Activity without registering it, we must get past AMS's check. The plan is therefore to hook AMS and the Handler in ActivityThread.

1. Hook AMS
To get past AMS's start-up check, we must intercept before the check in AMS's startActivity and replace the target Activity pointed to by the Intent object with a registered proxy Activity. That way, what AMS inspects is the proxy Activity, and the check is fooled.
After walking through the process in the previous section, we can obtain the AMS communication node through a hook, intercept AMS's startActivity method, and replace the Intent's target before the check.


```java
import android.content.Intent;
import android.os.Handler;
import android.os.Message;
import android.util.Log;

import androidx.annotation.NonNull;

import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.List;

// Class name assumed; the post shows only the two static methods
public class HookHelper {
    private static final String TAG = "HookHelper";
    // Extra key under which the real (plug-in) Intent travels inside the proxy Intent
    public static final String TARGET_INTENT = "target_intent";

    public static void hookAms() {
        try {
            // Obtain the Singleton object (ActivityManager.IActivityManagerSingleton, Android 8.0+)
            Class<?> clazz = Class.forName("android.app.ActivityManager");
            Field singletonField = clazz.getDeclaredField("IActivityManagerSingleton");
            singletonField.setAccessible(true);
            Object singleton = singletonField.get(null);
            // Obtain the IActivityManager object held in Singleton.mInstance
            // (assumes ActivityManager.getService() has already been called, so mInstance is populated)
            Class<?> singletonClass = Class.forName("android.util.Singleton");
            Field mInstanceField = singletonClass.getDeclaredField("mInstance");
            mInstanceField.setAccessible(true);
            final Object mInstance = mInstanceField.get(singleton);
            Class<?> iActivityManagerClass = Class.forName("android.app.IActivityManager");
            Object proxyInstance = Proxy.newProxyInstance(Thread.currentThread().getContextClassLoader(),
                    new Class[]{iActivityManagerClass}, new InvocationHandler() {
                        @Override
                        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
                            // Every IActivityManager method call passes through here first
                            Log.d(TAG, "methodName=" + method.getName());
                            if ("startActivity".equals(method.getName())) {
                                // Locate the Intent argument
                                int index = 0;
                                for (int i = 0; i < args.length; i++) {
                                    if (args[i] instanceof Intent) {
                                        index = i;
                                        break;
                                    }
                                }
                                // The plug-in Intent that was originally being started
                                Intent intent = (Intent) args[index];
                                Intent proxyIntent = new Intent();
                                // packageName here is the application package name of the host project,
                                // not the package of the Activity class
                                proxyIntent.setClassName("com.single.code.app.plugin",
                                        "com.single.code.app.pluginlib.PluginProxyActivity");
                                // Keep the original Intent so it can be restored later
                                proxyIntent.putExtra(TARGET_INTENT, intent);
                                Log.e(TAG, "startActivity: proxyIntent intent =" + proxyIntent);
                                Log.e(TAG, "startActivity: target intent =" + intent);
                                args[index] = proxyIntent;
                            }
                            return method.invoke(mInstance, args);
                        }
                    });
            // Replace the IActivityManager object with the proxy
            mInstanceField.set(singleton, proxyInstance);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```

2. Hook Handler
After hooking AMS to replace the Intent and get past AMS's Activity start-up check, we still need to switch the Intent back to the real target Activity before the Activity is actually started; otherwise it is our proxy Activity that ends up being launched. From walking through the Activity start-up process we also know that, after AMS's series of checks, the Activity is finally started and its lifecycle executed in the Handler of ActivityThread.

So all we have to do is swap the Intent back before the Activity starts executing its lifecycle, and the mH field of ActivityThread is the perfect hook point.
```java
    // Belongs in the same class as hookAms(); uses the TAG and TARGET_INTENT constants declared there
    public static void hookHandler() {
        try {
            Class<?> clazz = Class.forName("android.app.ActivityThread");
            Field sCurrentActivityThreadField = clazz.getDeclaredField("sCurrentActivityThread");
            sCurrentActivityThreadField.setAccessible(true);
            Object activityThread = sCurrentActivityThreadField.get(null);
            Field mHField = clazz.getDeclaredField("mH");
            mHField.setAccessible(true);
            Object mH = mHField.get(activityThread);
            // Install a new Callback in place of mCallback; Handler.dispatchMessage()
            // consults mCallback before the Handler's own handleMessage()
            Class<?> handlerClass = Class.forName("android.os.Handler");
            Field mCallbackField = handlerClass.getDeclaredField("mCallback");
            mCallbackField.setAccessible(true);
            mCallbackField.set(mH, new Handler.Callback() {
                @Override
                public boolean handleMessage(@NonNull Message msg) {
                    // Swap the Intent back to the real target
                    Log.e(TAG, "handleMessage:" + msg);
                    switch (msg.what) {
                        case 100: // ActivityThread.H.LAUNCH_ACTIVITY (before Android 9)
                            try {
                                // Obtain the intent field of ActivityClientRecord
                                Field intentField = msg.obj.getClass().getDeclaredField("intent");
                                intentField.setAccessible(true);
                                Intent proxyIntent = (Intent) intentField.get(msg.obj);
                                // Get the plug-in Intent stored as an extra
                                Intent intent = proxyIntent.getParcelableExtra(TARGET_INTENT);
                                if (intent != null) {
                                    Log.e(TAG, "handleMessage: " + intent);
                                    // Point the component back at the real Activity
                                    proxyIntent.setComponent(intent.getComponent());
                                }
                            } catch (Exception e) {
                                e.printStackTrace();
                            }
                            break;
                        case 159: // ActivityThread.H.EXECUTE_TRANSACTION (Android 9 and later)
                            try {
                                Class<?> transactionClass = Class.forName("android.app.servertransaction.ClientTransaction");
                                Field mActivityCallbacksField = transactionClass.getDeclaredField("mActivityCallbacks");
                                mActivityCallbacksField.setAccessible(true);
                                List<?> activityCallbacks = (List<?>) mActivityCallbacksField.get(msg.obj);
                                for (int i = 0; i < activityCallbacks.size(); i++) {
                                    if (activityCallbacks.get(i).getClass().getName()
                                            .equals("android.app.servertransaction.LaunchActivityItem")) {
                                        Object launchActivityItem = activityCallbacks.get(i);
                                        Field mIntentField = launchActivityItem.getClass().getDeclaredField("mIntent");
                                        mIntentField.setAccessible(true);
                                        Intent proxyIntent = (Intent) mIntentField.get(launchActivityItem);
                                        Log.e(TAG, "handleMessage: proxyIntent intent =" + proxyIntent);
                                        // The plug-in Intent
                                        Intent intent = proxyIntent.getParcelableExtra(TARGET_INTENT);
                                        Log.e(TAG, "handleMessage: target intent =" + intent);
                                        if (intent != null) {
                                            mIntentField.set(launchActivityItem, intent);
                                        }
                                        break;
                                    }
                                }
                            } catch (Exception e) {
                                e.printStackTrace();
                            }
                            break;
                    }
                    // Return false so the Handler's own handleMessage() still runs afterwards
                    return false;
                }
            });
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
```

The hooks here were written against the Android 10 source, so versions above Android 10 need to be adapted separately. Some readers may wonder whether this is a pointless exercise: you could simply register the Activity, so why go to all this trouble? It is done either for showing off, or because plug-in technology is one of the topics you have to know.
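As an added defender-side example (not code from the post or the SAppPlugin project), the check below inspects the same two hook points from inside an app: whether ActivityManager.IActivityManagerSingleton.mInstance has been replaced by a java.lang.reflect.Proxy, and whether ActivityThread.mH carries a non-null mCallback. A stock runtime on Android 8.0+ holds a Binder-backed IActivityManager stub there and H has no Callback, so either finding indicates tampering of the kind described above. The class and method names are this example's own, and it reads the same hidden fields the post does, so it is subject to the same non-SDK interface restrictions on Android 9+.

```java
import android.os.Handler;
import java.lang.reflect.Field;
import java.lang.reflect.Proxy;
import java.util.ArrayList;
import java.util.List;

// Hypothetical integrity check; class and method names are this example's own
public final class HookDetector {

    // Returns a list of findings; an empty list means neither hook point looks tampered with
    public static List<String> detect() {
        List<String> findings = new ArrayList<>();
        try {
            // 1. ActivityManager.IActivityManagerSingleton.mInstance (Android 8.0+)
            Class<?> am = Class.forName("android.app.ActivityManager");
            Field singletonField = am.getDeclaredField("IActivityManagerSingleton");
            singletonField.setAccessible(true);
            Object singleton = singletonField.get(null);
            Field mInstanceField = Class.forName("android.util.Singleton").getDeclaredField("mInstance");
            mInstanceField.setAccessible(true);
            Object instance = mInstanceField.get(singleton);
            if (instance != null && Proxy.isProxyClass(instance.getClass())) {
                // A stock runtime holds IActivityManager$Stub$Proxy (a Binder proxy), never a dynamic Proxy
                findings.add("IActivityManager replaced by dynamic proxy, handler: "
                        + Proxy.getInvocationHandler(instance).getClass().getName());
            }
            // 2. ActivityThread.mH.mCallback: the framework constructs H without a Callback
            Class<?> at = Class.forName("android.app.ActivityThread");
            Field threadField = at.getDeclaredField("sCurrentActivityThread");
            threadField.setAccessible(true);
            Object activityThread = threadField.get(null);
            Field mHField = at.getDeclaredField("mH");
            mHField.setAccessible(true);
            Object mH = mHField.get(activityThread);
            Field mCallbackField = Handler.class.getDeclaredField("mCallback");
            mCallbackField.setAccessible(true);
            Object callback = mCallbackField.get(mH);
            if (callback != null) {
                findings.add("ActivityThread.mH has a foreign Callback: " + callback.getClass().getName());
            }
        } catch (ReflectiveOperationException e) {
            // Hidden-API enforcement on Android 9+ may deny access; report it rather than silently pass
            findings.add("reflection blocked: " + e);
        }
        return findings;
    }
}
```

A hit is evidence that a hooking framework (a plug-in container, instrumentation, or similar) is present in the process, not proof of malice; treat it as a signal to log and correlate.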
Here is the Demo on GitHub: https://github.com/279154451/SAppPlugin
Interested readers can clone it and take a look.