
Learning notes: hook point of plug-in activity

2022-06-11 00:24:00 InfoQ

Activity, one of the four Android application components:

Terms used below

AMS: ActivityManagerService, the Binder object on the system_server side.
AMN: ActivityManagerNative, what the app uses to obtain the proxy object for AMS.
ATP: ApplicationThreadProxy, used by AMS to talk to the app; it is the proxy object for APT.
APT: ApplicationThread, the Binder object inside the app. APT calls methods on AT, and AT posts messages to mH for the actual processing.
AT: ActivityThread; its methods, called by APT, send messages to mH.
mH: the app's Handler, which receives and processes the messages sent by AMS and other system services.

Original flow

The startActivity interaction goes as follows:

App side: the call goes ContextThemeWrapper -> ContextWrapper -> Context and lands in ContextImpl. ContextImpl internally calls Instrumentation.execStartActivity(), passing in the class name of the Activity to start (this is what gets checked against the registered components; an exception is thrown if it is not registered) and other parameters. Inside that method AMN obtains the AMS proxy object and communicates with AMS.

AMS side: AMS takes the class name of the activity and checks whether it is registered in the manifest (PMS parses the APK's manifest at install time and stores the result locally). It then sends a pause message for the currently running activity through ATP.

Next AMS checks whether the target process has already been started:

1. Not started: AMS first asks zygote over a socket to create the process (Process.start). The new process creates an ActivityThread, which uses AMN to hand its ATP (the ApplicationThread binder) to AMS, so that AMS can talk to the app. AMS then sends a message to ATP; AT receives it and posts to mH, which creates the Application by reflection and calls its onCreate. After that the flow continues with the steps of case 2.

2. Started: the Activity to launch is packaged into an ActivityClientRecord. This object carries the cl (ClassLoader); back in mH the Activity is created by reflection using this cl.

In the app:

The message sent by AMS through ATP arrives in the app; the ActivityClientRecord is taken out and passed to AT. AT hands it to mH's handleLaunchActivity (which calls performLaunchActivity). mH is just a Handler: its handleMessage switches on the message to decide which method to call. For this startActivity example the logic is:

Take the acRecord out of the callback, use acRecord's ClassLoader to create the corresponding Activity by reflection, and call its onCreate method.

Finally, the activity that was paused at the beginning is told to resume (again through ATP). The interaction is complete.

Hook points

What can we hook? Let's extract the essence: where in this flow can we swap the cat for the prince?

First point:

Instrumentation uses AMN to get the AMS proxy and sends the request to AMS to be checked. We intercept this proxy in Instrumentation and replace it with a custom object. When a startActivity is detected, we replace the target Activity with a StubActivity that is already registered in our host. Now AMS's check passes and it tells the app to create the Activity, but the Activity it names is the StubActivity. We have to replace it with the Activity we really wanted to start.

Second point:

How do we know which Activity was really started? In the first step, what is delivered through the whole flow is an Intent, and the message we receive back from AMS also carries an Intent. It is the same Intent object. So we tamper with the Intent: when the app calls AMS we save the real Activity into the Intent, and when AMS tells the app to create the Activity we take it back out.

OK. First, in Instrumentation, we replace the proxy with our own, and it then interacts with AMS on our behalf (this is the last step before the call crosses into AMS, so the communication is hooked here). Then notice that ATP, AT and mH can all restore the really-started activity from the Intent.

We make the change in mH, at the last step, where the reflection happens (same principle as above: hook at the place closest to the scene). We substitute our own handling for mH's (mH is a Handler, so its Callback can be swapped in), and when the message for handleLaunchActivity/performLaunchActivity arrives we can do our own work.
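The two hook points described above, as an added example (this is not code from the original post): a dynamic Proxy around the IActivityManager singleton that AMN hands out swaps the real target for the host's StubActivity and stashes the real Intent as an extra, and a Handler.Callback installed on ActivityThread.mH puts it back before the Activity is instantiated. The class name ActivityHooks, the host package, the stub name and the extra key are assumptions. The framework names are those of Android before 8.0 (ActivityManagerNative.gDefault) and before 9.0 (H.LAUNCH_ACTIVITY = 100); on Android 8 the singleton moved to ActivityManager.IActivityManagerSingleton and on Android 9+ the launch arrives as an EXECUTE_TRANSACTION message, so the two lookups would have to change.

```java
import android.content.Intent;
import android.os.Handler;
import android.os.Message;
import android.util.Log;

import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

/**
 * Added example, not the original post's code. Installs both hooks on Android < 8 (gDefault)
 * and < 9 (LAUNCH_ACTIVITY). Package, stub Activity and extra key are assumed names.
 */
public final class ActivityHooks {
    private static final String TAG = "ActivityHooks";
    static final String HOST_PACKAGE = "com.example.host";               // assumed host package
    static final String STUB_ACTIVITY = "com.example.host.StubActivity";  // assumed; declared in the host manifest
    static final String EXTRA_TARGET_INTENT = "hook.target_intent";       // assumed extra key
    private static final int LAUNCH_ACTIVITY = 100;                       // ActivityThread.H.LAUNCH_ACTIVITY, Android < 9

    private ActivityHooks() {}

    /** Call once, e.g. from Application.attachBaseContext(), before any startActivity. */
    public static void install() throws Exception {
        hookAms();
        hookHandler();
    }

    /** Hook point 1: wrap the IActivityManager proxy AMN hands out, so the call into AMS names the stub. */
    static void hookAms() throws Exception {
        Class<?> amnClass = Class.forName("android.app.ActivityManagerNative");
        Object rawAms = amnClass.getMethod("getDefault").invoke(null);    // forces gDefault to be created

        Field gDefault = amnClass.getDeclaredField("gDefault");           // android.util.Singleton<IActivityManager>
        gDefault.setAccessible(true);
        Object singleton = gDefault.get(null);
        Field mInstance = Class.forName("android.util.Singleton").getDeclaredField("mInstance");
        mInstance.setAccessible(true);

        Class<?> iamClass = Class.forName("android.app.IActivityManager");
        Object proxy = Proxy.newProxyInstance(iamClass.getClassLoader(), new Class<?>[] {iamClass},
                new AmsHandler(rawAms));
        mInstance.set(singleton, proxy);                                   // AMN.getDefault() now returns our proxy
    }

    private static final class AmsHandler implements InvocationHandler {
        private final Object rawAms;
        AmsHandler(Object rawAms) { this.rawAms = rawAms; }

        @Override
        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
            if ("startActivity".equals(method.getName()) && args != null) {
                for (int i = 0; i < args.length; i++) {   // find the Intent by type; its position differs across versions
                    if (args[i] instanceof Intent) {
                        args[i] = wrap((Intent) args[i]);
                        break;
                    }
                }
            }
            return method.invoke(rawAms, args);           // forward to the real AMS proxy
        }
    }

    /** The swap: AMS sees the registered stub; the real Intent rides along as an extra. */
    static Intent wrap(Intent real) {
        // Simplification: every explicit Intent is treated as a plug-in target. A real implementation
        // would first decide whether the component lives in a plug-in rather than in the host.
        if (real.getComponent() == null || STUB_ACTIVITY.equals(real.getComponent().getClassName())) {
            return real;
        }
        Intent stub = new Intent();
        stub.setClassName(HOST_PACKAGE, STUB_ACTIVITY);
        stub.putExtra(EXTRA_TARGET_INTENT, real);
        return stub;
    }

    /** Hook point 2: sit in front of mH and restore the real Intent before the Activity is created by reflection. */
    static void hookHandler() throws Exception {
        Class<?> atClass = Class.forName("android.app.ActivityThread");
        Object activityThread = atClass.getMethod("currentActivityThread").invoke(null);
        Field mHField = atClass.getDeclaredField("mH");
        mHField.setAccessible(true);
        Handler mH = (Handler) mHField.get(activityThread);

        Field mCallback = Handler.class.getDeclaredField("mCallback");   // consulted before Handler.handleMessage
        mCallback.setAccessible(true);
        mCallback.set(mH, new LaunchCallback());
    }

    private static final class LaunchCallback implements Handler.Callback {
        @Override
        public boolean handleMessage(Message msg) {
            if (msg.what == LAUNCH_ACTIVITY) {
                try {
                    Object record = msg.obj;                                // ActivityClientRecord
                    Field intentField = record.getClass().getDeclaredField("intent");
                    intentField.setAccessible(true);
                    Intent real = unwrap((Intent) intentField.get(record));
                    if (real != null) {
                        intentField.set(record, real);                      // performLaunchActivity now reflects on the real class
                    }
                } catch (ReflectiveOperationException e) {
                    Log.w(TAG, "could not restore target intent", e);
                }
            }
            return false;   // false lets mH's own handleMessage run the normal launch path with the patched record
        }
    }

    static Intent unwrap(Intent stub) {
        return stub == null ? null : (Intent) stub.getParcelableExtra(EXTRA_TARGET_INTENT);
    }
}
```

Two things this block deliberately does not arrange: the record still carries the stub's ActivityInfo, and the cl that performLaunchActivity uses is whatever the process's LoadedApk supplies, so the real class must be resolvable by that loader or the reflection fails with ClassNotFoundException.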

Different ClassLoaders load different classes; a ClassLoader that does not contain a class cannot load it. So we must use the right cl to load the object. That cl is the plug-in's ClassLoader, i.e. the DexClassLoader (dexcl). While interacting with AMS we can pass the corresponding cl along, and then take the correct cl out again when the Activity is created.
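The ClassLoader point, as an added example (not from the original post): the plug-in loader, the dexcl of the text, is a DexClassLoader whose parent is the host loader, and a resolver tries the host loader first and falls back to the plug-in loader, so the ClassNotFoundException case is handled rather than surfacing inside performLaunchActivity. The class name PluginLoaders, the method names and the directory name are assumptions; since Android 8 the optimizedDirectory argument is ignored by the platform but must still be an app-private path.

```java
import android.content.Context;
import dalvik.system.DexClassLoader;

import java.io.File;

/** Added example: builds the plug-in ClassLoader and resolves plug-in Activity classes with it. */
public final class PluginLoaders {
    private static DexClassLoader pluginLoader;   // the "dexcl" of the text; null until initPluginLoader runs

    private PluginLoaders() {}

    /** Create the plug-in loader once. Parent is the host loader, so framework and host classes resolve as usual. */
    public static ClassLoader initPluginLoader(Context host, File pluginApk) {
        File optDir = host.getDir("plugin_dex", Context.MODE_PRIVATE);  // app-private odex output dir (assumed name)
        pluginLoader = new DexClassLoader(pluginApk.getAbsolutePath(), optDir.getAbsolutePath(),
                null, host.getClassLoader());
        return pluginLoader;
    }

    /** Host loader first; if it does not know the class, only the plug-in loader can load it. */
    public static Class<?> resolveActivity(ClassLoader hostLoader, String className) throws ClassNotFoundException {
        try {
            return hostLoader.loadClass(className);
        } catch (ClassNotFoundException notInHost) {
            if (pluginLoader == null) {
                throw notInHost;                       // no plug-in loaded yet: surface the original failure
            }
            return pluginLoader.loadClass(className);  // throws again if the plug-in does not contain it either
        }
    }
}
```

The Class object returned here is the one the reflection step has to instantiate; a class loaded through pluginLoader is a different type from a same-named class the host loader might produce, which is exactly why the correct cl has to be carried through the launch.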

Note:

Because the default launch mode of an Activity is standard, one StubActivity in the host can stand in for many standard-mode Activities in the plug-in: a new instance is created on every launch. But Android has LaunchMode, and the different launch modes behave differently. So how do we support LaunchMode?


Copyright notice
This article was written by [InfoQ]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/162/202206102304171427.html