Activity启动流程：Hook实现启动未注册Activity

}

}

Intent intent = (Intent) args[index];

Intent proxyIntent = new Intent(intent);

//占位的Activity

proxyIntent.setClassName(“com.wangyz.plugindemo”, “com.wangyz.plugindemo.ProxyActivity”);

proxyIntent.putExtra(“target_intent”, intent);

args[index] = proxyIntent;

}

return method.invoke(mInstance, args);

}

});

mInstanceField.set(singleton, proxyInstance);

} catch (Exception e) {

e.printStackTrace();

}

}

获取还原Intent的Hook点

Android8.0及以下

启动Activity的消息，会回调到ActivityThread中的mH的dispatchMessage方法，可以通过给mH设置一个callBack,在callBack的handleMessage中，然后替换回真正要启动的Intent，然后返回false,让handleMessage再继续处理。

public void dispatchMessage(Message msg) {

if (msg.callback != null) {

handleCallback(msg);

} else {

if (mCallback != null) {

if (mCallback.handleMessage(msg)) {

return;

}

}

handleMessage(msg);

}

}

Android8.0及以下，在ActivityThread的mH中的handleMessage方法中，会处理LAUNCH_ACTIVITY类型的消息，在这里调用了handleLaunchActivity方法来启动Activity。

case LAUNCH_ACTIVITY: {

Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, “activityStart”);

final ActivityClientRecord r = (ActivityClientRecord) msg.obj;

r.packageInfo = getPackageInfoNoCheck(

r.activityInfo.applicationInfo, r.compatInfo);

handleLaunchActivity(r, null);

Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);

} break;

Android9.0

和8.0一样，设置callBack，然后修改Intent。

在ActivityThread的mH中的handleMessage方法中，会处理EXECUTE_TRANSACTION类型的消息，在这里调用了TransactionExecutor.execute方法

case EXECUTE_TRANSACTION:

final ClientTransaction transaction = (ClientTransaction) msg.obj;

mTransactionExecutor.execute(transaction);

if (isSystem()) {

// Client transactions inside system process are recycled on the client side

// instead of ClientLifecycleManager to avoid being cleared before this

// message is handled.

transaction.recycle();

}

// TODO(lifecycler): Recycle locally scheduled transactions.

break;

execute方法中会调用executeCallbacks

public void execute(ClientTransaction transaction) {

final IBinder token = transaction.getActivityToken();

log("Start resolving transaction for client: " + mTransactionHandler + ", token: " + token);

executeCallbacks(transaction);

executeLifecycleState(transaction);

mPendingActions.clear();

log(“End resolving transaction”);

}

public void executeCallbacks(ClientTransaction transaction) {

final List callbacks = transaction.getCallbacks();

if (callbacks == null) {

// No callbacks to execute, return early.

return;

}

log(“Resolving callbacks”);

final IBinder token = transaction.getActivityToken();

ActivityClientRecord r = mTransactionHandler.getActivityClient(token);

// In case when post-execution state of the last callback matches the final state requested

// for the activity in this transaction, we won’t do the last transition here and do it when

// moving to final state instead (because it may contain additional parameters from server).

final ActivityLifecycleItem finalStateRequest = transaction.getLifecycleStateRequest();

final int finalState = finalStateRequest != null ? finalStateRequest.getTargetState()

UNDEFINED;

// Index of the last callback that requests some post-execution state.

final int lastCallbackRequestingState = lastCallbackRequestingState(transaction);

final int size = callbacks.size();

for (int i = 0; i < size; ++i) {

final ClientTransactionItem item = callbacks.get(i);

log("Resolving callback: " + item);

final int postExecutionState = item.getPostExecutionState();

final int closestPreExecutionState = mHelper.getClosestPreExecutionState(r,

item.getPostExecutionState());

if (closestPreExecutionState != UNDEFINED) {

cycleToPath(r, closestPreExecutionState);

}

item.execute(mTransactionHandler, token, mPendingActions);

item.postExecute(mTransactionHandler, token, mPendingActions);

if (r == null) {

// Launch activity request will create an activity record.

r = mTransactionHandler.getActivityClient(token);

}

if (postExecutionState != UNDEFINED && r != null) {

// Skip the very last transition and perform it by explicit state request instead.

final boolean shouldExcludeLastTransition =

i == lastCallbackRequestingState && finalState == postExecutionState;

cycleToPath(r, postExecutionState, shouldExcludeLastTransition);

}

}

}

这个方法里会调用ClientTransactionItem的execute方法。ClientTransactionItem是在ActivityStackSupervisor中的realStartActivityLocked中添加的

final boolean realStartActivityLocked(ActivityRecord r, ProcessRecord app,

boolean andResume, boolean checkConfig) throws RemoteException {

// Create activity launch transaction.

final ClientTransaction clientTransaction = ClientTransaction.obtain(app.thread,

r.appToken);

clientTransaction.addCallback(LaunchActivityItem.obtain(new Intent(r.intent),

System.identityHashCode®, r.info,

// TODO: Have this take the merged configuration instead of separate global

// and override configs.

mergedConfiguration.getGlobalConfiguration(),

mergedConfiguration.getOverrideConfiguration(), r.compat,

r.launchedFromPackage, task.voiceInteractor, app.repProcState, r.icicle,

r.persistentState, results, newIntents, mService.isNextTransitionForward(),

profilerInfo));

}

因此，ClientTransactionItem对应的具体类为LaunchActivityItem，它对应的execute方法

@Override

public void execute(ClientTransactionHandler client, IBinder token,

PendingTransactionActions pendingActions) {

Trace.traceBegin(TRACE_TAG_ACTIVITY_MANAGER, “activityStart”);

ActivityClientRecord r = new ActivityClientRecord(token, mIntent, mIdent, mInfo,

mOverrideConfig, mCompatInfo, mReferrer, mVoiceInteractor, mState, mPersistentState,

mPendingResults, mPendingNewIntents, mIsForward,

mProfilerInfo, client);

client.handleLaunchActivity(r, pendingActions, null /* customIntent */);

Trace.traceEnd(TRACE_TAG_ACTIVITY_MANAGER);

}

在它的方法里又调用了ClientTransactionHandler的handleLaunchActivity,而ClientTransactionHandler就是在ActivityThread中定义的

private final TransactionExecutor mTransactionExecutor = new TransactionExecutor(this);

ActivityThread继承了ClientTransactionHandler，那么它就会实现handleLaunchActivity。最终在这个方法里启动Activity

public final class ActivityThread extends ClientTransactionHandler {

@Override

public Activity handleLaunchActivity(ActivityClientRecord r,

PendingTransactionActions pendingActions, Intent customIntent) {

}

}

还原Intent

public static void hookHandler() {

try {

Field sCurrentActivityThreadThread = getField(Class.forName(“android.app.ActivityThread”), “sCurrentActivityThread”);

Object activityThread = sCurrentActivityThreadThread.get(null);

Field mHField = getField(Class.forName(“android.app.ActivityThread”), “mH”);

Object mH = mHField.get(activityThread);

Field mCallbackField = getField(Class.forName(“android.os.Handler”), “mCallback”);

mCallbackField.set(mH, new Handler.Callback() {

@Override

public boolean handleMessage(Message msg) {

switch (msg.what) {

case 100: {

try {

Field intentField = getField(msg.obj.getClass(), “intent”);

Intent proxyIntent = (Intent) intentField.get(msg.obj);

Intent targetIntent = proxyIntent.getParcelableExtra(“target_intent”);

if (targetIntent != null) {

// proxyIntent.setComponent(targetIntent.getComponent());

intentField.set(msg.obj, targetIntent);

}

} catch (Exception e) {

e.printStackTrace();

}

}

break;

case 159: {

try {

Field mActivityCallbacksField = getField(msg.obj.getClass(), “mActivityCallbacks”);

List mActivityCallbacks = (List) mActivityCallbacksField.get(msg.obj);

for (int i = 0; i < mActivityCallbacks.size(); i++) {

if (mActivityCallbacks.get(i).getClass().getName()

.equals(“android.app.servertransaction.LaunchActivityItem”)) {

Object launchActivityItem = mActivityCallbacks.get(i);

Field mIntentField = getField(launchActivityItem.getClass(), “mIntent”);

Intent intent = (Intent) mIntentField.get(launchActivityItem);

// 获取插件的

Intent proxyIntent = intent.getParcelableExtra(“target_intent”);

//替换

if (proxyIntent != null) {

mIntentField.set(launchActivityItem, proxyIntent);

}

}

}

} catch (Exception e) {

e.printStackTrace();

}

}

break;

default:

break;

}

return false;

}

});

} catch (Exception e) {

e.printStackTrace();

}

}

在Application创建时Hook

@Override

public void onCreate() {

super.onCreate();

//一般是从服务器下载回来，然后复制到应用的私有目录下，这里演示从sdcard复制到data目录下,6.0及以上需要申请动态权限。复制应该放在非UI线程上做，这里简化操作，放在UI线程上操作。

String pluginPath = getDir(“plugin”, Context.MODE_PRIVATE).getAbsolutePath();

pluginPath = pluginPath + “/plugin.apk”;

if (!new File(pluginPath).exists()) {

FileUtil.copyFile(PLUGIN_PATH, pluginPath);

}

HookUtil.loadPlugin(this, pluginPath);

HookUtil.hookAMS();

HookUtil.hookHandler();

}

到这里，就可以启用同一应用内未注册的Activity。

启动插件应用内的Activity

---

启动非同一应用内的Activity,相比启动同一应用内的Activity,需要多几个步骤。由于不在一个应用内，所以需要把插件的APK先加载进来，然后同样也需要在AMS检测前替换Intent为占位的Intent,在检测后，启动Activity前替换回为需要启动Activity的Intent。另外，由于插件是动态加载进去的，也需要解决资源加载的问题。

加载插件

加载插件主要是用到类加载器

public static void loadPlugin(Context context, String dexPath) {

//判断dex是否存在

File dex = new File(dexPath);

if (!dex.exists()) {

return;

}

try {

//获取自己的dexElements

PathClassLoader pathClassLoader = (PathClassLoader) context.getClassLoader();

Field pathListField = getField(pathClassLoader.getClass(), “pathList”);

Object pathListObject = pathListField.get(pathClassLoader);

Field dexElementsField = getField(pathListObject.getClass(), “dexElements”);

Object[] dexElementsObject = (Object[]) dexElementsField.get(pathListObject);

//获取dex中的dexElements