Hook技术实现Android插件化

##实现原理
通过Android的Activity启动原理可以知道startActivity()时,通过进程间通信(IPC)通知ActivityManagerService,然后PackageManagerService通过intent过滤器扫描清单文件。
hook技术可以让启动的Activity不在清单文件中注册,通过动态代理的方式结合反射,使用可以通过PackageManagerService扫描的intent(在清单文件注册),当intent通过后并且Acitvity启动之前,再将intent中的Component替换为需要启动的acitivty即可。

##代码实现
1.创建一个hook工具类:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
/**
     * @param proxyActivity 代理Activity 
     * @param context
     */
    public HookAmsUtil(Class<?> proxyActivity, Context context) {
        this.proxyActivity = proxyActivity;
        this.context = context;
    }
    public void hookAms() {
        try {
            //通过反射得到ActivityManagerNative类 和成员变量gDefault
            Class<?> forName = Class.forName("android.app.ActivityManagerNative");
            Field defaultField = forName.getDeclaredField("gDefault");
            defaultField.setAccessible(true);
            Object defaultValue = defaultField.get(null);
            //反射SingleTon
            Class<?> aClass = Class.forName("android.util.Singleton");
            Field instanceField = aClass.getDeclaredField("mInstance");
            instanceField.setAccessible(true);
            //得到源码中的iActivityManager
            Object iActivityManagerObject = instanceField.get(defaultValue);
            //使用动态代理 创建hook
            Class<?> iActivityManagerIntercept = Class.forName("android.app.IActivityManager");
            AmsInvocationHandler handler = new AmsInvocationHandler(iActivityManagerObject);
            Object proxy = Proxy.newProxyInstance(Thread.currentThread().getContextClassLoader(), new Class<?>[]{iActivityManagerIntercept}, handler);
            //替换
            instanceField.set(defaultValue, proxy);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

2.因为intent中的xxxActivity.class并没有在清单文件注册,这里将其从 IActivityManager取出并替换为代理intent,程序不会崩溃。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
class AmsInvocationHandler implements InvocationHandler {
        private Object iActivityManagerObject;
        public AmsInvocationHandler(Object iActivityManagerObject) {
            this.iActivityManagerObject = iActivityManagerObject;
        }
        @Override
        public Object invoke(Object o, Method method, Object[] objects) throws Throwable {
            Log.i("INFO", "methodName:" + method.getName());
            if ("startActivity".contains(method.getName())) {
                Intent intent = null;
                int index = 0;   //记录索引,通过后再体会为原意图
                for (int i = 0; i < objects.length; i++) {
                    if (objects[i] instanceof Intent) {
                        intent = (Intent) objects[i]; //原意图
                        index = i;
                        break;
                    }
                }
                //Intent intent = new Intent(context,ProxyActivity.class);//可以这样写
                Intent proxyIntent = new Intent();
                ComponentName componentName = new ComponentName(context, proxyActivity);
                proxyIntent.setComponent(componentName);
                //绑定通过系统的filter
                proxyIntent.putExtra("oldIntent", intent);
                //开始替换
                objects[index] = proxyIntent;
                return method.invoke(iActivityManagerObject, objects);
            }
            return method.invoke(iActivityManagerObject, objects);
        }
    }

3.当Intent通过时,启动activity通过源码 系统是通过handler进行启动,handler有个callback 当判断callback为空时才进行发消息,启动activit,这里再创建一个hook,自定义一个callback,把intent的activity替换为我们想要启动的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
public void hookSystemHandler() {
        try {
            Class<?> forName = Class.forName("android.app.ActivityThread");
            Field currentActivityThread = forName.getDeclaredField("sCurrentActivityThread");
            currentActivityThread.setAccessible(true);
            Object activityThreadValue = currentActivityThread.get(null);//程序的入口
            Field handlerField = forName.getDeclaredField("mH");
            handlerField.setAccessible(true);
            Handler handlerObject = (Handler) handlerField.get(activityThreadValue);
            Field callbackField = Handler.class.getDeclaredField("mCallback");
            callbackField.setAccessible(true);  //防止私有
            callbackField.set(handlerObject,new ActivityThreadHandlerCallback(handlerObject));
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
    class ActivityThreadHandlerCallback implements  Handler.Callback{
        Handler handler;
        public ActivityThreadHandlerCallback(Handler handler) {
            this.handler = handler;
        }
        @Override
        public boolean handleMessage(Message message) {
            Log.i("INFO","message callback");
            //这里替换回之前的intent
            if (message.what == 100){
                Log.i("INFO","lauchActivity");
                handleLaunchActivity(message);
            }
            handler.handleMessage(message);
            return true;
        }
        private void handleLaunchActivity(Message message) {
            Object obj = message.obj;       //ActivityClientRecord
            try {
                //不能强转 framwork层
                Field intentField = obj.getClass().getDeclaredField("intent");
                intentField.setAccessible(true);
                Intent proxyIntent = (Intent) intentField.get(obj);
                Intent realIntent = proxyIntent.getParcelableExtra("oldIntent");
                if (realIntent != null){
                    //代理意图替换成真实意图
                    proxyIntent.setComponent(realIntent.getComponent());
                }
            }catch (Exception e){
                e.printStackTrace();
            }
        }
    }

4.application中配置:

1
2
3
4
5
6
7
8
9
10
public class MyApplication extends Application {
    @Override
    public void onCreate() {
        super.onCreate();
        HookAmsUtil amsUtil = new HookAmsUtil(ProxyActivity.class,this);
        amsUtil.hookAms();
        amsUtil.hookSystemHandler();
    }
}

宿主中通过下载的插件安装,后期更新。
github的demo地址