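1. Finding the hook target for Activity startup in the source code
Generally speaking, static variables and singletons are relatively unlikely to change, which makes them good hook targets: a dynamic proxy object can be set in their place to intercept calls.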
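The mechanism described above, shown on a plain JVM as an added example that is not code from the original article: a static holder's instance is swapped for a dynamic proxy that records each call and forwards it unchanged. `Launcher`, `Holder` and `LauncherNative` are constructed stand-ins, not Android framework classes.

```java
import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.ArrayList;
import java.util.List;

public class SingletonHookDemo {
    // Constructed stand-in for a framework service interface.
    interface Launcher { int startActivity(String target); }

    // Constructed stand-in for a singleton holder with a mutable instance field.
    static class Holder<T> {
        private T mInstance;
        Holder(T instance) { mInstance = instance; }
        T get() { return mInstance; }
    }

    // Static field: created once per process, so a swap made here stays in effect.
    static class LauncherNative {
        private static final Holder<Launcher> gDefault = new Holder<Launcher>(target -> 0);
        static Launcher getDefault() { return gDefault.get(); }
    }

    static final List<String> seen = new ArrayList<>();

    // Replace the holder's instance with a dynamic proxy that records each
    // startActivity call and then forwards it to the original object.
    static void installHook() throws ReflectiveOperationException {
        Field holderField = LauncherNative.class.getDeclaredField("gDefault");
        holderField.setAccessible(true);
        Object holder = holderField.get(null); // static field, no receiver
        Field instanceField = Holder.class.getDeclaredField("mInstance");
        instanceField.setAccessible(true);
        Object original = instanceField.get(holder);

        InvocationHandler handler = (proxy, method, args) -> {
            if ("startActivity".equals(method.getName())) seen.add((String) args[0]);
            return method.invoke(original, args);
        };
        Object proxy = Proxy.newProxyInstance(Launcher.class.getClassLoader(),
                new Class<?>[] { Launcher.class }, handler);
        instanceField.set(holder, proxy);
    }

    public static void main(String[] args) throws Exception {
        installHook();
        int result = LauncherNative.getDefault().startActivity("HookActivity");
        System.out.println("result=" + result + " intercepted=" + seen);
    }
}
```

Because the proxy implements the same interface and sits in the same field, callers of `getDefault()` cannot tell it from the original object; checking whether the returned object's class is a `java.lang.reflect.Proxy` class is one way to notice the swap.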
Starting a page (Activity):
    public void start(View view) {
        Intent intent = new Intent(this, HookActivity.class);
        startActivity(intent);
    }
Tracing the call down to ContextImpl:
    @Override
    public void startActivity(Intent intent, Bundle options) {
        mMainThread.getInstrumentation().execStartActivity(
                getOuterContext(), mMainThread.getApplicationThread(), null,
                (Activity) null, intent, -1, options);
    }
Which leads to Instrumentation:
    public ActivityResult execStartActivity(
            Context who, IBinder contextThread, IBinder token, Activity target,
            Intent intent, int requestCode, Bundle options) {
        IApplicationThread whoThread = (IApplicationThread) contextThread;
        Uri referrer = target != null ? target.onProvideReferrer() : null;
        if (referrer != null) {
            intent.putExtra(Intent.EXTRA_REFERRER, referrer);
        }
        ...
        try {
            intent.migrateExtraStreamToClipData();
            intent.prepareToLeaveProcess(who);
            int result = ActivityManagerNative.getDefault()
                .startActivity(whoThread