三个工具类
1、
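/**
 * Handler.Callback placed in front of ActivityThread.mH for the code path where
 * an activity launch arrives as an EXECUTE_TRANSACTION message (what == 159)
 * carrying a ClientTransaction. Each LaunchActivityItem in the transaction's
 * {@code mActivityCallbacks} list holds the Intent that AMS approved, i.e. the
 * one pointing at the stub activity. This callback swaps the component back to
 * the real target that IActivityManagerProxy stored in the "RawIntent" extra,
 * then forwards the message to the original handler.
 *
 * @author : LGQ
 * @date : 2020/05/11 14
 * @desc : restores the real target component once the AMS check has passed
 */
public class HCallback implements Handler.Callback {
    private static final String TAG = "HCallback";
    /** ActivityThread.H.EXECUTE_TRANSACTION; hidden framework constant, value taken from the framework source. */
    private static final int EXECUTE_TRANSACTION = 159;
    /** Extra written by IActivityManagerProxy; the key must match the one used there. */
    private static final String EXTRA_RAW_INTENT = "RawIntent";

    private final Handler mHandler;

    /**
     * @param handler the original ActivityThread.mH that every message is forwarded to
     */
    public HCallback(Handler handler) {
        mHandler = handler;
    }

    /**
     * Rewrites launch intents inside an EXECUTE_TRANSACTION message, then hands the
     * message to the wrapped handler. Always returns {@code true} so the wrapped
     * handler's own dispatch is not run a second time.
     */
    @Override
    public boolean handleMessage(Message msg) {
        if (msg.what == EXECUTE_TRANSACTION && msg.obj != null) {
            // msg.obj is the ClientTransaction
            restoreTargetIntents(msg.obj);
        }
        mHandler.handleMessage(msg);
        return true;
    }

    /** Walks transaction.mActivityCallbacks and rewrites the mIntent of every item that has one. */
    private static void restoreTargetIntents(Object transaction) {
        List<?> callbacks;
        try {
            Field fCallbacks = transaction.getClass().getDeclaredField("mActivityCallbacks");
            fCallbacks.setAccessible(true);
            callbacks = (List<?>) fCallbacks.get(transaction);
        } catch (NoSuchFieldException | IllegalAccessException e) {
            android.util.Log.w(TAG, "cannot read mActivityCallbacks", e);
            return;
        }
        if (callbacks == null) {
            return;
        }
        for (Object item : callbacks) {
            Field intentField;
            try {
                intentField = item.getClass().getDeclaredField("mIntent");
            } catch (NoSuchFieldException ignored) {
                // Not a LaunchActivityItem (the list can hold other transaction items);
                // skip it instead of aborting the whole loop.
                continue;
            }
            try {
                intentField.setAccessible(true);
                restoreComponent((Intent) intentField.get(item));
            } catch (IllegalAccessException e) {
                android.util.Log.w(TAG, "cannot read mIntent", e);
            }
        }
    }

    /**
     * Replaces the stub component of {@code intent} with the component carried in its
     * "RawIntent" extra. The extra is only honoured when it stays inside the package the
     * stub belongs to: the stub activity may be reachable by other apps, and an arbitrary
     * extra must not be able to route a launch to a non-exported activity.
     */
    private static void restoreComponent(Intent intent) {
        if (intent == null || intent.getComponent() == null) {
            return;
        }
        Intent target = intent.getParcelableExtra(EXTRA_RAW_INTENT);
        if (target == null || target.getComponent() == null) {
            return;
        }
        String stubPackage = intent.getComponent().getPackageName();
        if (!stubPackage.equals(target.getComponent().getPackageName())) {
            android.util.Log.w(TAG, "ignoring RawIntent that points outside " + stubPackage);
            return;
        }
        intent.setComponent(target.getComponent());
    }
}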
2、
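/**
 * Installs the two hooks the stub-activity trick needs: one on the
 * IActivityManager proxy (outbound startActivity calls are redirected to the
 * stub) and one on ActivityThread.mH (inbound launch messages get the real
 * component back). Everything here reaches hidden framework members by
 * reflection, so it is tied to the framework versions it was written against.
 */
public class HookHelper {
    private static final String TAG = "HookHelper";
    /**
     * ActivityThread.H.LAUNCH_ACTIVITY, used by frameworks that still deliver a launch as
     * a single message. Frameworks that deliver EXECUTE_TRANSACTION (159) instead are not
     * handled by this callback; HCallback covers that path.
     */
    private static final int LAUNCH_ACTIVITY = 100;
    /** Extra written by IActivityManagerProxy; the key must match the one used there. */
    private static final String EXTRA_RAW_INTENT = "RawIntent";

    /**
     * Replaces the process-wide IActivityManager instance with a dynamic proxy backed by
     * {@link IActivityManagerProxy}. Reads ActivityManager.IActivityManagerSingleton on
     * O and later, ActivityManagerNative.gDefault before that.
     *
     * @throws Exception if any of the hidden fields or classes cannot be resolved
     */
    public static void hookAms() throws Exception {
        Class<?> holderClazz;
        Field singletonField;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            holderClazz = ActivityManager.class;
            singletonField = holderClazz.getDeclaredField("IActivityManagerSingleton");
        } else {
            holderClazz = Class.forName("android.app.ActivityManagerNative");
            singletonField = holderClazz.getDeclaredField("gDefault");
        }
        singletonField.setAccessible(true);
        Object defaultSingleton = singletonField.get(null);

        // android.util.Singleton.mInstance holds the binder proxy we want to wrap
        Class<?> singletonClazz = Class.forName("android.util.Singleton");
        Field mInstance = singletonClazz.getDeclaredField("mInstance");
        mInstance.setAccessible(true);
        Object iAms = mInstance.get(defaultSingleton);

        // NOTE(review): newer framework versions may route startActivity through a
        // different manager than IActivityManager — verify against the target API level.
        Class<?> iAmClazz = Class.forName("android.app.IActivityManager");
        Object proxy = Proxy.newProxyInstance(
                Thread.currentThread().getContextClassLoader(),
                new Class[] {iAmClazz},
                new IActivityManagerProxy(iAms));
        mInstance.set(defaultSingleton, proxy);
    }

    /**
     * Sets ActivityThread.mH.mCallback so that LAUNCH_ACTIVITY messages get their real
     * component restored from the "RawIntent" extra before the framework processes them.
     * Failures are logged rather than thrown (best effort); the declared
     * {@code throws Exception} is kept for callers that already handle it.
     *
     * @throws Exception declared for compatibility; not thrown by the current body
     */
    public static void hookHandler() throws Exception {
        try {
            // current ActivityThread instance
            Class<?> activityThreadClass = Class.forName("android.app.ActivityThread");
            Field threadField = activityThreadClass.getDeclaredField("sCurrentActivityThread");
            threadField.setAccessible(true);
            Object currentActivityThread = threadField.get(null);

            // its main-thread Handler mH
            Field mHField = activityThreadClass.getDeclaredField("mH");
            mHField.setAccessible(true);
            final Object mH = mHField.get(currentActivityThread);

            // Handler.mCallback runs before Handler.handleMessage
            Field mCallbackField = Handler.class.getDeclaredField("mCallback");
            mCallbackField.setAccessible(true);
            Handler.Callback callback = new Handler.Callback() {
                @Override
                public boolean handleMessage(Message msg) {
                    if (msg.what == LAUNCH_ACTIVITY && msg.obj != null) {
                        restoreRawIntent(msg.obj);
                    }
                    // false: let mH's own handleMessage run with the rewritten intent
                    return false;
                }
            };
            mCallbackField.set(mH, callback);
        } catch (Exception e) {
            Log.e("hook", "hookActivityThreaderr" + e);
        }
    }

    /**
     * Reads the {@code intent} field of a LAUNCH_ACTIVITY record and swaps its stub
     * component for the one carried in the "RawIntent" extra. The extra is honoured only
     * when it stays in the same package as the stub, so a launch coming from outside the
     * app cannot use it to reach a non-exported activity.
     */
    private static void restoreRawIntent(Object record) {
        try {
            Field intentField = record.getClass().getDeclaredField("intent");
            intentField.setAccessible(true);
            Intent intent = (Intent) intentField.get(record);
            if (intent == null || intent.getComponent() == null) {
                return;
            }
            Intent raw = intent.getParcelableExtra(EXTRA_RAW_INTENT);
            if (raw == null || raw.getComponent() == null) {
                // plain launch of the stub (or of anything else); nothing to restore
                return;
            }
            String stubPackage = intent.getComponent().getPackageName();
            if (!stubPackage.equals(raw.getComponent().getPackageName())) {
                Log.w(TAG, "ignoring RawIntent that points outside " + stubPackage);
                return;
            }
            intent.setComponent(raw.getComponent());
        } catch (Exception e) {
            Log.e("hook", "hookActivityThreaderr" + e);
        }
    }
}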
3、
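/**
 * InvocationHandler wrapped around the real IActivityManager. For
 * {@code startActivity} it swaps the caller's explicit Intent for one aimed at
 * the registered {@link StubActivity} and stashes the original in the
 * "RawIntent" extra, so AMS checks the stub while the client-side Handler hook
 * restores the real target afterwards. Every other method is passed through.
 */
public class IActivityManagerProxy implements InvocationHandler {
    private static final String TAG = "IActivityManagerProxy";
    /** Extra read back by the Handler hooks; the key must match the one used there. */
    private static final String EXTRA_RAW_INTENT = "RawIntent";

    private final Object activityManager;

    /**
     * @param activityManager the real IActivityManager instance that calls are delegated to
     */
    public IActivityManagerProxy(Object activityManager) {
        this.activityManager = activityManager;
    }

    @Override
    public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
        if ("startActivity".equals(method.getName()) && args != null) {
            int index = findIntentArg(args);
            if (index >= 0) {
                Intent raw = (Intent) args[index];
                // Only explicit intents are redirected through the stub. Implicit intents
                // (no component, e.g. an ACTION_VIEW for a URL) must reach AMS untouched;
                // dereferencing their component would crash the caller.
                if (raw.getComponent() != null) {
                    Intent subIntent = new Intent();
                    // point AMS at the stub activity registered in the target's package
                    subIntent.setClassName(raw.getComponent().getPackageName(),
                            StubActivity.class.getName());
                    // keep the real intent so the Handler hook can put it back after the AMS check
                    subIntent.putExtra(EXTRA_RAW_INTENT, raw);
                    args[index] = subIntent;
                    Log.d(TAG, "invoke: subIntent=" + subIntent + "inteent=" + raw);
                }
            }
        }
        return method.invoke(activityManager, args);
    }

    /** Returns the index of the first Intent argument, or -1 when there is none. */
    private static int findIntentArg(Object[] args) {
        for (int i = 0; i < args.length; i++) {
            if (args[i] instanceof Intent) {
                return i;
            }
        }
        return -1;
    }
}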
初始化
/**
 * Application subclass that installs the AMS and Handler hooks as early as
 * possible, before any activity of the process is created.
 */
public class MyApplication extends Application {

    @Override
    protected void attachBaseContext(Context base) {
        super.attachBaseContext(base);
        installHooks();
    }

    /** Runs both hooks; a failure is printed and otherwise ignored so the app still starts. */
    private static void installHooks() {
        try {
            HookHelper.hookAms();
            HookHelper.hookHandler();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
实现demo链接:https://download.csdn.net/download/meixi_android/12409214
bug在线交流:QQ1085220040