3、Binder Hook(Hook 系统服务)
上面通过Hook技术修改了活动的启动过程,属于应用程序的Hook,下面尝试Hook Android的系统服务,修改系统的功能,在Hook之前还是先了解一下系统服务的获取过程,并尝试寻找Hook点;
3.1、系统获取服务的原理
- ContextImpl.getSystemService(String name)
@Override
public Object getSystemService(String name) {
return SystemServiceRegistry.getSystemService(this, name);
}
public static Object getSystemService(ContextImpl ctx, String name) {
//1、从注册的SYSTEM_SERVICE_FETCHERS中根据名称获取ServiceFetcher
ServiceFetcher<?> fetcher = SYSTEM_SERVICE_FETCHERS.get(name);
return fetcher != null ? fetcher.getService(ctx) : null; //2、ServiceFetcher中创建服务
}
在使用系统服务时会直接调用Context的getSystemService(),最终调用ContextImpl中的方法,在ContextImpl中调用SystemServiceRegistry.getSystemService(),关于SystemServiceRegistry简单介绍一下,系统在启动时会向SystemServiceRegistry中注册一系列服务,在使用过程中直接根据服务名换获取服务;
- SYSTEM_SERVICE_FETCHERS中注册服务(以JOB_SCHEDULER_SERVICE为例
)
//注册服务
registerService(Context.JOB_SCHEDULER_SERVICE, JobScheduler.class, new StaticServiceFetcher() {
@Override
public JobScheduler createService() {
IBinder b = ServiceManager.getService(Context.JOB_SCHEDULER_SERVICE); //从ServiceManager中获取Binder
return new JobSchedulerImpl(IJobScheduler.Stub.asInterface(b)); //获取Binder的代理对象
}});
private static void registerService(String serviceName, Class serviceClass,ServiceFetcher serviceFetcher) {
SYSTEM_SERVICE_NAMES.put(serviceClass, serviceName);
SYSTEM_SERVICE_FETCHERS.put(serviceName, serviceFetcher); //以键值对的形式保存服务名称、StaticServiceFetcher实例
}
从上面的注册过程知道,系统首先将每个服务的创建过程封装在对应的ServiceFetcher对象中,然后将ServiceFetcher对象以服务名称注册在SYSTEM_SERVICE_FETCHERS中,这也就是为什么获取服务时传入服务名称;
- ServiceManager.getService():获取系统中相应服务对应的Binder对象
public JobScheduler createService() throws ServiceNotFoundException {
IBinder b = ServiceManager.getServiceOrThrow(Context.JOB_SCHEDULE