内容简介:Hook技术的核心实际上是动态分析技术,动态分析是指在程序运行时对程序进行调试的技术。众所周知,Android系统的代码和回调是按照一定的顺序执行的,这里举一个简单的例子,如图所示。对象A调用类对象B,对象B处理后将数据回调给对象A。接下来看看采用Hook的调用流程,如下图:上图中的Hook可以是一个方法或者一个对象,它就想一个钩子一样,始终连着AB,在AB之间互传信息的时候,hook会在中间做一些处理,比如修改方法的参数和返回值等,就这样hook起到了欺上瞒下的作用,我们把hook的这种行为称之为劫持。同
Hook技术的核心实际上是动态分析技术,动态分析是指在程序运行时对程序进行调试的技术。众所周知,Android系统的代码和回调是按照一定的顺序执行的,这里举一个简单的例子,如图所示。
对象A调用类对象B,对象B处理后将数据回调给对象A。接下来看看采用Hook的调用流程,如下图:
上图中的Hook可以是一个方法或者一个对象,它就想一个钩子一样,始终连着AB,在AB之间互传信息的时候,hook会在中间做一些处理,比如修改方法的参数和返回值等,就这样hook起到了欺上瞒下的作用,我们把hook的这种行为称之为劫持。同理,大家知道,系统进程和应该进程之间是相互独立的,应用进程要想直接去修改系统进程,这个是很难实现的,有了hook技术,就可以在进程之间进行行为更改了。如图所示:
可见,hook将自己融入到它所劫持的对象B所在的进程中,成为系统进程的一部分,这样我们就可以通过hook来更改对象B的行为了,对象B就称为hook点。
二、Hook Instrumentation
上面讲了Hook可以劫持对象,被劫持的对象叫hook点,用代理对象来替代这个Hook点,这样我们就可以在代理上实现自己想做的操作。这里我们用Hook startActivity来举例。Activity的插件化中需要解决的一个问题就是启动一个没有在AndroidManifest中注册的Activity,如果按照正常的启动流程是会报crash的。这里先简要介绍一下Activity的启动,具体的启动方式讲解还需移步专门的文献。
2.1 Activity的Hook点
启动Activity时应用进程会发消息给AMS,请求AMS创建Activity,AMS在SystemServer系统进程中,其与应用进程是隔离的,AMS管理所有APP的启动,所以我们无法在系统进程下做hook操作,应该在应用进程中。为了绕过AMS的验证,我们需要添加一个在Manifest中注册过的Activity,这个Activity称为 占坑 ,这样可以达到欺上瞒下的效果,当AMS验证通过后再用插件Activity替换占坑去实现相应的功能。 核心功能两点:
- 替换插件Activity为占坑Activity
- 绕过AMS验证后需要还原插件Activity
启动Activity的时候会调用Activity的startActivity()如下:
@Override public void startActivity(Intent intent) { this.startActivity(intent, null); } 复制代码
接着又调用了startActivity()
@Override public void startActivity(Intent intent, @Nullable Bundle options) { if (options != null) { startActivityForResult(intent, -1, options); } else { // Note we want to go through this call for compatibility with // applications that may have overridden the method. startActivityForResult(intent, -1); } } 复制代码
查看startActivityForResult方法
public void startActivityForResult(@RequiresPermission Intent intent, int requestCode, @Nullable Bundle options) { if (mParent == null) { options = transferSpringboardActivityOptions(options); Instrumentation.ActivityResult ar = mInstrumentation.execStartActivity( this, mMainThread.getApplicationThread(), mToken, this, intent, requestCode, options); if (ar != null) { mMainThread.sendActivityResult( mToken, mEmbeddedID, requestCode, ar.getResultCode(), ar.getResultData()); } if (requestCode >= 0) { // If this start is requesting a result, we can avoid making // the activity visible until the result is received. Setting // this code during onCreate(Bundle savedInstanceState) or onResume() will keep the // activity hidden during this time, to avoid flickering. // This can only be done when a result is requested because // that guarantees we will get information back when the // activity is finished, no matter what happens to it. mStartedActivity = true; } cancelInputsAndStartExitTransition(options); // TODO Consider clearing/flushing other event sources and events for child windows. } else { if (options != null) { mParent.startActivityFromChild(this, intent, requestCode, options); } else { // Note we want to go through this method for compatibility with // existing applications that may have overridden it. mParent.startActivityFromChild(this, intent, requestCode); } } } 复制代码
上述方法中调用mInstrumentation的execStartActivity方法来启动Activity,这个mInstrumentation是Activity的成员变量,我们就选择Instrumentation为Hook点,用代理的Instrumentation去替换原始的Instrumentation来完成Hook,如下是代理类:
public class InstrumentationProxy extends Instrumentation { private Instrumentation mInstrumentation; private PackageManager mPackageManager; public InstrumentationProxy(Instrumentation instrumentation, PackageManager packageManager) { this.mInstrumentation = instrumentation; this.mPackageManager = packageManager; } public ActivityResult execStartActivity( Context who, IBinder contextThread, IBinder token, Activity target, Intent intent, int requestCode, Bundle options) { List<ResolveInfo> resolveInfo = mPackageManager.queryIntentActivities(intent, PackageManager.MATCH_ALL); //判断启动的插件Activity是否在AndroidManifest.xml中注册过 if (null == resolveInfo || resolveInfo.size() == 0) { //保存目标插件 intent.putExtra(HookHelper.REQUEST_TARGET_INTENT_NAME, intent.getComponent().getClassName()); //设置为占坑Activity intent.setClassName(who, "replugin.StubActivity"); } try { Method execStartActivity = Instrumentation.class.getDeclaredMethod("execStartActivity", Context.class, IBinder.class, IBinder.class, Activity.class, Intent.class, int.class, Bundle.class); return (ActivityResult) execStartActivity.invoke(mInstrumentation, who, contextThread, token, target, intent, requestCode, options); } catch (NoSuchMethodException e) { e.printStackTrace(); } catch (IllegalAccessException e) { e.printStackTrace(); } catch (InvocationTargetException e) { e.printStackTrace(); } return null; } public Activity newActivity(ClassLoader cl, String className, Intent intent) throws InstantiationException, IllegalAccessException, ClassNotFoundException { String intentName = intent.getStringExtra(HookHelper.REQUEST_TARGET_INTENT_NAME); if (!TextUtils.isEmpty(intentName)) { return super.newActivity(cl, intentName, intent); } return super.newActivity(cl, className, intent); } } 复制代码
InstrumentationProxy类继承类Instrumentation,实现了类execStartActivity方法,接着通过反射去用原始Instrumentation的execStartActivity方法,这就是替换为占坑Activity的过程。Activity的创建是在ActivityThread中,里面有个performLaunchActivity方法;
private Activity performLaunchActivity(ActivityClientRecord r, Intent customIntent) { ... try { java.lang.ClassLoader cl = appContext.getClassLoader(); activity = mInstrumentation.newActivity( cl, component.getClassName(), r.intent); StrictMode.incrementExpectedActivityCount(activity.getClass()); r.intent.setExtrasClassLoader(cl); r.intent.prepareToEnterProcess(); if (r.state != null) { r.state.setClassLoader(cl); } } ... activity.attach(appContext, this, getInstrumentation(), r.token, r.ident, app, r.intent, r.activityInfo, title, r.parent, r.embeddedID, r.lastNonConfigurationInstances, config, r.referrer, r.voiceInteractor, window, r.configCallback); ... } 复制代码
这里的newActivity就是创建Activity的过程,我们同样的在代理类中去实现这个方法,这就是还原插件Activity 的过程。
接下来我们看个例子: 占位坑Activity:
public class StubActivity extends BaseActivity { @Override public int bindLayout() { return R.layout.activity_stub; } @Override public void initViews() { } @Override public void onClick(View v) { } } 复制代码
这个Activity一定是需要在AndroidManifest中去注册。 再写一个插件Activity
public class TargetActivity extends BaseActivity { @Override public int bindLayout() { return R.layout.activity_target; } @Override public void initViews() { } @Override public void onClick(View v) { } } 复制代码
都是很简单的Activity,TargetActivity并没有注册,现在我们需要启动这个Activity。代理类上面代码已经贴出来了。接下来就是替换代理类,达到Hook的目的,我们在Application中做这个事情:
public class MyApplication extends Application { @Override protected void attachBaseContext(Context base) { super.attachBaseContext(base); hookActivityThreadInstrumentation(); } private void hookActivityThreadInstrumentation() { try { Class<?> activityThreadClass=Class.forName("android.app.ActivityThread"); Field activityThreadField=activityThreadClass.getDeclaredField("sCurrentActivityThread"); activityThreadField.setAccessible(true); //获取ActivityThread对象sCurrentActivityThread Object activityThread=activityThreadField.get(null); Field instrumentationField=activityThreadClass.getDeclaredField("mInstrumentation"); instrumentationField.setAccessible(true); //从sCurrentActivityThread中获取成员变量mInstrumentation Instrumentation instrumentation= (Instrumentation) instrumentationField.get(activityThread); //创建代理对象InstrumentationProxy InstrumentationProxy proxy=new InstrumentationProxy(instrumentation,getPackageManager()); //将sCurrentActivityThread中成员变量mInstrumentation替换成代理类InstrumentationProxy instrumentationField.set(activityThread,proxy); } catch (NoSuchFieldException e) { e.printStackTrace(); } catch (IllegalAccessException e) { e.printStackTrace(); } catch (ClassNotFoundException e) { e.printStackTrace(); } } } 复制代码
这样就把原始的Instrumentation替换为代理的了,具体的操作我们在InstrumentationProxy中去做实现。接下来我们就是从主界面跳转插件Activity了:
public class PluginActivity extends BaseActivity { @Override public int bindLayout() { return R.layout.activity_stub; } @Override public void initViews() { Log.d("", "initViews: "); findViewById(R.id.btn_start_replugin).setOnClickListener(new View.OnClickListener() { @Override public void onClick(View v) { startActivity(new Intent(PluginActivity.this, TargetActivity.class )); } }); } @Override public void onClick(View v) { } public static void startActivity(Context context) { Intent i = new Intent(context, PluginActivity.class); context.startActivity(i); } } 复制代码
以上所述就是小编给大家介绍的《Hook技术之Hook Activity》,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对 码农网 的支持!
猜你喜欢:- 用技术解决“非技术”问题
- 数据安全治理重要相关技术——脱敏技术
- 零信任技术进阶篇:关键技术及挑战
- 零信任技术进阶篇:关键技术及挑战
- 2021 技术展望 | 走向未来的实时生成技术
- 前端技术演进(一):Web前端技术基础
本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。