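Besides the Hook technique, ARouter can also be used (and is the more recommended option).

A Hook is also known as a hook function.
- It is a piece of code that handles messages and is attached to the system through a system call.
- Before the system calls the target function, the hook captures the message first, so the hook function gains control first.
- At that point the hook function can process (alter) the execution behavior of that function.
- It can also forcibly stop the message from being delivered.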
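How a Hook is implemented:
- Find the Hook point -----> find the Hook method (code that runs before) -------> startActivity (the system; code that runs after)
Hook techniques:
- Java layer: reflection. The object must be static; only then can the system object be restored.
- NDK layer: omitted
Development idea:
- Example: Grey Wolf (灰太狼) wants to eat Lazy Goat (懶洋洋). Grey Wolf must first disguise himself as a sheep before he can get close to Lazy Goat; once he has caught the sheep, he takes off the sheepskin and turns back into a wolf.
- Call startActivity and disguise the Intent.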
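Reading the source:
ActivityManager.getService().startActivity == Singleton.create() == IActivityManager.startActivity
So we have to go through reflection.
An app is event-driven, much like a main function that keeps running. That code lives in the ActivityThread class (its main method), which contains the message pump. Messages are sent through a handler, and inside the handler the message code 100 stands for startActivity. By disguising the request through a hook function we can do whatever we like. The Hook point is mH (a Handler).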
    // As long as the process is alive, the looper here keeps running
    public static void main(String[] args) {
        Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "ActivityThreadMain");
        SamplingProfilerIntegration.start();
        // CloseGuard defaults to true and can be quite spammy. We
        // disable it here, but selectively enable it later (via
        // StrictMode) on debug builds, but using DropBox, not logs.
        CloseGuard.setEnabled(false);
        Environment.initForCurrentUser();
        // Set the reporter for event logging in libcore
        EventLogger.setReporter(new EventLoggingReporter());
        // Make sure TrustedCertificateStore looks in the right place for CA certificates
        final File configDir = Environment.getUserConfigDirectory(UserHandle.myUserId());
        TrustedCertificateStore.setDefaultUserDirectory(configDir);
        Process.setArgV0("<pre-initialized>");
        Looper.prepareMainLooper();
        ActivityThread thread = new ActivityThread();
        thread.attach(false);
        if (sMainThreadHandler == null) {
            sMainThreadHandler = thread.getHandler();
        }
        if (false) {
            Looper.myLooper().setMessageLogging(new
                    LogPrinter(Log.DEBUG, "ActivityThread"));
        }
        // End of event ActivityThreadMain.
        Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
        Looper.loop();
        throw new RuntimeException("Main thread loop unexpectedly exited");
    }
startActivity simply means that the handler sends a message with code 100 and the remaining steps follow from there; all we need to do is have the Handler set an interface.
    public void handleMessage(Message msg) {
        if (DEBUG_MESSAGES) Slog.v(TAG, ">>> handling: " + codeToString(msg.what));
        switch (msg.what) {
            case LAUNCH_ACTIVITY: {
                Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "activityStart");
                final ActivityClientRecord r = (ActivityClientRecord) msg.obj;
                r.packageInfo = getPackageInfoNoCheck(
                        r.activityInfo.applicationInfo, r.compatInfo);
                handleLaunchActivity(r, null, "LAUNCH_ACTIVITY");
                Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
            } break;
        }
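
The Java-layer hook point described above (reflection through the static ActivityThread accessor, then a callback interface on the mH Handler), as an added example that is not code from the original post. The class name `MainHandlerAudit` and its method names are hypothetical; it assumes a stock ActivityThread whose mH is created without a callback and the message code 100 quoted on this page, and it only logs and audits the hook point without touching the Intent.

```java
import android.os.Handler;
import android.os.Message;
import android.util.Log;
import java.lang.reflect.Field;
import java.lang.reflect.Method;

/** Added example (hypothetical names): audit and observe the mH hook point. */
public final class MainHandlerAudit {
    private static final String TAG = "MainHandlerAudit";
    private static final int LAUNCH_ACTIVITY = 100; // message code quoted on this page

    /** Returns ActivityThread.mH for the current process via reflection. */
    static Handler mainHandler() throws ReflectiveOperationException {
        Class<?> at = Class.forName("android.app.ActivityThread");
        Method current = at.getDeclaredMethod("currentActivityThread");
        current.setAccessible(true);
        Object thread = current.invoke(null); // static accessor: no instance needed
        Field mH = at.getDeclaredField("mH");
        mH.setAccessible(true);
        return (Handler) mH.get(thread);
    }

    private static Field callbackField() throws ReflectiveOperationException {
        Field f = Handler.class.getDeclaredField("mCallback");
        f.setAccessible(true);
        return f;
    }

    /** Integrity check: assuming stock mH has no callback, non-null means it was hooked. */
    public static Handler.Callback installedCallback() throws ReflectiveOperationException {
        return (Handler.Callback) callbackField().get(mainHandler());
    }

    /** Installs a logging-only callback that chains to any callback already present. */
    public static void installLogger() throws ReflectiveOperationException {
        final Handler.Callback previous = installedCallback();
        Handler.Callback logger = new Handler.Callback() {
            @Override public boolean handleMessage(Message msg) {
                if (msg.what == LAUNCH_ACTIVITY) {
                    Log.i(TAG, "LAUNCH_ACTIVITY record: " + msg.obj);
                }
                // false lets H.handleMessage run next; true would stop delivery here
                return previous != null && previous.handleMessage(msg);
            }
        };
        callbackField().set(mainHandler(), logger);
    }
}
```

Calling `installedCallback()` before `installLogger()` shows whether another component already sits on the hook point. On Android 9 and later, reflection on these non-SDK fields is subject to hidden-API restrictions, so treat a `ReflectiveOperationException` as "unable to check" rather than "not hooked".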