Hook的概念
*所谓对API的Hook, 其实就是对方法的动态替换. *
采用代理的方式, 创建一个新的对象, 其内部封装原始对象,通过这种方式,可以修改这个方法的参数以及返回值, 或是在方法中新打印一行log, 达到 方法增强 的目的.
实现方式
在运行时, 采用反射的方式, 用自己新建的代理对象把原始对象给替换掉.
代理对象本质上还是通过原始对象去干事.
对Context.startActivity的hook.
启动Activity是最常见的操作, Context.startActivity的真正实现是在ContextImpl.java中.
// ContextImpl.java
@Override
public void startActivities(Intent[] intents, Bundle options) {
warnIfCallingFromSystemProcess();
if ((intents[0].getFlags()&Intent.FLAG_ACTIVITY_NEW_TASK) == 0) {
throw new AndroidRuntimeException(
"Calling startActivities() from outside of an Activity "
+ " context requires the FLAG_ACTIVITY_NEW_TASK flag on first Intent."
+ " Is this really what you want?");
}
mMainThread.getInstrumentation().execStartActivities(
getOuterContext(), mMainThread.getApplicationThread(), null,
(Activity) null, intents, options);
}
可以看到这个API真正的实现是在ActivityThread的成员变量
Instrumentation mInstrumentation;的 execStartActivities()方法.
所以hook的思路就是实现一个Instrumentation的代理类, 在代理类中提供一个新的execStartActivities()方法的实现,
用这个代理类的对象,把ActivityThread的成员变量
Instrumentation mInstrumentation给替换掉.
@hide
public final class ActivityThread {
Instrumentation mInstrumentation;
public Instrumentation getInstrumentation() {
return mInstrumentation;
}
}
ActivityThread是一个隐藏类,我们需要用反射去获取,代码如下:
// 先获取到当前的ActivityThread对象
Class<?> activityThreadClass = Class.forName("android.app.ActivityThread");
Method currentActivityThreadMethod = activityThreadClass.getDeclaredMethod("currentActivityThread");
currentActivityThreadMethod.setAccessible(true);
Object currentActivityThread = currentActivityThreadMethod.invoke(null);
拿到这个currentActivityThread对象之后,我们需要修改它的mInstrumentation这个字段为我们的代理对象.
新建Instrumentation的代理类.
public class EvilInstrumentation extends Instrumentation {
private static final String TAG = "EvilInstrumentation";
// ActivityThread中原始的对象, 保存起来
Instrumentation mBase;
public EvilInstrumentation(Instrumentation base) {
mBase = base;
}
public ActivityResult execStartActivity(
Context who, IBinder contextThread, IBinder token, Activity target,
Intent intent, int requestCode, Bundle options) {
// Hook之前, XXX到此一游!
Log.d(TAG, "\n执行了startActivity, 参数如下: \n" + "who = [" + who + "], " +
"\ncontextThread = [" + contextThread + "], \ntoken = [" + token + "], " +
"\ntarget = [" + target + "], \nintent = [" + intent +
"], \nrequestCode = [" + requestCode + "], \noptions = [" + options + "]");
// 开始调用原始的方法, 调不调用随你,但是不调用的话, 所有的startActivity都失效了.
// 由于这个方法是隐藏的,因此需要使用反射调用;首先找到这个方法
try {
Method execStartActivity = Instrumentation.class.getDeclaredMethod(
"execStartActivity",
Context.class, IBinder.class, IBinder.class, Activity.class,
Intent.class, int.class, Bundle.class);
execStartActivity.setAccessible(true);
return (ActivityResult) execStartActivity.invoke(mBase, who,
contextThread, token, target, intent, requestCode, options);
} catch (Exception e) {
// 某该死的rom修改了 需要手动适配
throw new RuntimeException("do not support!!! pls adapt it");
}
}
}
完整的代码如下:
package com.ahking.hookdemo;
import android.app.Instrumentation;
import android.content.Intent;
import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.view.View;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import static android.content.Intent.FLAG_ACTIVITY_NEW_TASK;
public class MainActivity extends AppCompatActivity {
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
try {
initHook();
} catch (Exception e) {
e.printStackTrace();
}
}
public void launchSecondActivity(View view) {
Intent intent = new Intent(this, SecondActivity.class);
intent.setFlags(FLAG_ACTIVITY_NEW_TASK);
this.getApplicationContext().startActivity(intent);
}
private void initHook() throws Exception{
// 先获取到当前的ActivityThread对象
Class<?> activityThreadClass = Class.forName("android.app.ActivityThread");
Method currentActivityThreadMethod = activityThreadClass.getDeclaredMethod("currentActivityThread");
currentActivityThreadMethod.setAccessible(true);
Object currentActivityThread = currentActivityThreadMethod.invoke(null);
// 拿到原始的 mInstrumentation字段
Field mInstrumentationField = activityThreadClass.getDeclaredField("mInstrumentation");
mInstrumentationField.setAccessible(true);
Instrumentation mInstrumentation = (Instrumentation) mInstrumentationField.get(currentActivityThread);
// 创建代理对象, 构造时把原始对象作为参数传进去.
Instrumentation evilInstrumentation = new EvilInstrumentation(mInstrumentation);
// 偷梁换柱——用代理对象替换原始对象
mInstrumentationField.set(currentActivityThread, evilInstrumentation);
}
}
log输出如下:
com.ahking.hookdemo D/ahking: 执行了startActivity, 参数如下:
who = [android.app.Application@41e6eb20],
contextThread = [android.app.ActivityThread$ApplicationThread@41e68f50],
token = [null],
target = [null],
intent = [Intent { flg=0x10000000 cmp=com.ahking.hookdemo/.SecondActivity }],
requestCode = [-1],
options = [null]
基于这样的思路, 插件的原型就出来了.
- 在host app的AndroidManifest.xml中, 预先注册一个Activity, 比如叫PluginActivity.
- 通过在host app中, hook startActivity(intent)方法, 当host app要启动plugin app中的某个Activity时(需要明确指出要启动页面的完整包名和类名), 在hook了的startActivity中, 把要启动的页面修改为PluginActivity, 这样AMS就不会报错了.
- AMS回调host app进程中的ActivityThread的 handleLaunchActivity(),
这个方法负责创建Activity的对象, 然后依次调用它的onCreate(), onStart()和onResume().
public final class ActivityThread {
private void handleLaunchActivity(ActivityClientRecord r, Intent customIntent) {
Activity a = performLaunchActivity(r, customIntent);
}
private Activity performLaunchActivity(ActivityClientRecord r, Intent customIntent) {
ComponentName component = r.intent.getComponent();
Activity activity = null;
try {
java.lang.ClassLoader cl = r.packageInfo.getClassLoader();
activity = mInstrumentation.newActivity(
cl, component.getClassName(), r.intent);
} catch (Exception e) {
if (!mInstrumentation.onException(activity, e)) {
throw new RuntimeException(
"Unable to instantiate activity " + component
+ ": " + e.toString(), e);
}
}
mInstrumentation.callActivityOnCreate(activity, r.state);
}
这行代码很关键, 通过Instrumentation创建具体Activity的对象, 这里component.getClassName()的值必然是AMS传进来的PluginActivity.
activity = mInstrumentation.newActivity(
cl, component.getClassName(), r.intent);
我们可以hook Instrumentation.newActivity()这个方法, 当发现传进来的参数是PluginActivity时, 并不去创建PluginActivity的对象, 而修改成去创建 plugin app中的Activity的对象, 进而调用这个对象的onCreate(), onStart()和onResume().
如何去创建出 plugin app中的Activity的对象呢? 这就要通过DexClassLoader类.
Instrumentation的原始方法:
public class Instrumentation {
public Activity newActivity(Class<?> clazz, Context context,
IBinder token, Application application, Intent intent, ActivityInfo info,
CharSequence title, Activity parent, String id,
Object lastNonConfigurationInstance) throws InstantiationException,
IllegalAccessException {
Activity activity = (Activity)clazz.newInstance();
ActivityThread aThread = null;
activity.attach(context, aThread, this, token, 0, application, intent,
info, title, parent, id,
(Activity.NonConfigurationInstances)lastNonConfigurationInstance,
new Configuration(), null, null);
return activity;
}
}
可以看到在原始方法中, 是通过ClassLoader的newInstance()方法, 去创建Activity的对象.
用DexClassLoader类, 可以加载一个apk文件中的classes.dex.
例如这段代码:
DexClassLoader classloader = new DexClassLoader("apkPath",
optimizedDexOutputPath.getAbsolutePath(),
null, context.getClassLoader());
Class<?> clazz = classloader.loadClass("com.plugindemo.test");
Object obj = clazz.newInstance();
Class[] param = new Class[2];
param[0] = Integer.TYPE;
param[1] = Integer.TYPE;
Method method = clazz.getMethod("add", param);
method.invoke(obj, 1, 2);
我们可以用DexClassLoader这个类把插件apk中的classes.dex加载进来, 然后调用它的loadClass(“完整的类名”)方法把要启动的Activity类加载进来, 再调用Class类的newInstance()创建出插件中Activity的对象, 进而再通过调用mInstrumentation.callActivityOnCreate(activity, r.state);启动这个Activity.
这样就完成了对插件中页面的启动工作, 在host app中要做的, 就是要明确指定好要启动页面的完整包名和类名.
用hook机制解决的一个实际问题.
来launcher这边的公司后, 同事碰到这样一个棘手问题, 一直没法解决.
在mediaV广告模拟点击后, 出现sdk中使用deeplink打开别的app页面, 比如京东. 导致这个功能一直无法上线.
我使用上面的代码, 对startActivity() API进行hook, 把京东这样的intent给过滤掉, 这样就完美解决了这个棘手问题.
public ActivityResult execStartActivity(
Context who, IBinder contextThread, IBinder token, Activity target,
Intent intent, int requestCode, Bundle options) {
String intentInfo = intent.toString().toLowerCase();
if (sMockClick > 0 && (intentInfo.contains("akactivity") || intentInfo.contains("jdmobile"))) {
sMockClick--;
Log.i(TAG, "ignore it triggered by mediav");
return null;
}
try {
Method execStartActivity = Instrumentation.class.getDeclaredMethod(
"execStartActivity",
Context.class, IBinder.class, IBinder.class, Activity.class,
Intent.class, int.class, Bundle.class);
execStartActivity.setAccessible(true);
return (ActivityResult) execStartActivity.invoke(mBase, who,
contextThread, token, target, intent, requestCode, options);
} catch (Exception e) {
throw new RuntimeException("3rd party rom modify this maybe, by ahking");
}
}
所以说, 有些知识平时多积累一些, 在一些关键时刻就能派上用场, 像activity的启动流程, hook的实现, 当初学的时候看似无用, 学不学看似对实际的开发并没有任何的意思, 但如果当初不学, 今天这样的问题, 打死也想不到可以用这样的方式去解决.
-------DONE.-------------
refer to:
Android插件化原理解析——Hook机制之动态代理
http://weishu.me/2016/01/28/understand-plugin-framework-proxy-hook/?nsukey=r%2BreMOlnWhDVfOrGukrJH1b%2FDJ9hDbJ0u4hfr6EQY2YIT4RCeJwqR20Lv0rQPVcPyLN4eX%2BgjW3k9fluG6CRgaUj1GyMa1GlVxN1F7%2FU%2FhiikosDgBCklABQCWbrFuXXHL0Q9QnQGDLOcL3demC82ZPcSTFjQrhrm8fEYqxTTxyn9JRzzsfCpZ3CG%2Bn6Z46s
http://zjmdp.github.io/2014/07/22/a-plugin-framework-for-android/
/home/wangxin/src/github/hookDemo (demo代码的位置)
