There are three prerequisites for understanding plug-in technology:
- Reading and understanding the Android system source code
- The Java reflection mechanism
- Hook technology
What is a Hook?
Intercepting and monitoring the execution flow of an event while it runs, and inserting your own code into that flow.
Hook introduction: blog.csdn.net/qq_39731011…
Case 1: Hook the View onClick() event to add your own logic
Source: github.com/itang01/jia…
Key points:
- Replace (swap the listener the system holds for a dynamic proxy)
- Dynamic proxy (where our own business logic runs)
Generate a proxy for the OnClickListener interface with a dynamic proxy, put your own logic in the proxy's callback, then use reflection to replace mOnClickListener in the View's ListenerInfo with that proxy. View.performClick() reads the listener from ListenerInfo, so it calls the proxy without the app or the framework noticing.
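The swap described above, written out as an added example (this is not code from the original post or from the linked repository). It assumes the AOSP names View#getListenerInfo() and View.ListenerInfo#mOnClickListener, both non-SDK members, so on Android 9 and later the reflective access may be logged or blocked depending on the target SDK; check the result on the device you care about.

```java
import android.view.View;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

/** Added example: wraps a View's existing OnClickListener in a java.lang.reflect.Proxy. */
public final class ClickHook {

    private ClickHook() {}

    /**
     * Replaces view.mListenerInfo.mOnClickListener with a dynamic proxy that runs
     * {@code before} first and then delegates to the listener the app installed.
     * Field/method names are assumed from AOSP (non-SDK API).
     */
    public static void hookOnClick(View view, Runnable before) throws ReflectiveOperationException {
        // 1. View.getListenerInfo() lazily creates and returns the private mListenerInfo.
        Method getListenerInfo = View.class.getDeclaredMethod("getListenerInfo");
        getListenerInfo.setAccessible(true);
        Object listenerInfo = getListenerInfo.invoke(view);

        // 2. ListenerInfo is a static nested class; mOnClickListener is what setOnClickListener() stored.
        Class<?> listenerInfoClass = Class.forName("android.view.View$ListenerInfo");
        Field onClickField = listenerInfoClass.getDeclaredField("mOnClickListener");
        onClickField.setAccessible(true);
        final View.OnClickListener original = (View.OnClickListener) onClickField.get(listenerInfo);
        if (original == null) {
            throw new IllegalStateException("view has no OnClickListener to hook; call setOnClickListener first");
        }

        // 3. Build a proxy implementing OnClickListener; every interface call lands in invoke().
        Object proxy = Proxy.newProxyInstance(
                view.getClass().getClassLoader(),
                new Class<?>[]{View.OnClickListener.class},
                new InvocationHandler() {
                    @Override
                    public Object invoke(Object p, Method method, Object[] args) throws Throwable {
                        if ("onClick".equals(method.getName())) {
                            before.run();                       // our own logic, before the app's
                        }
                        return method.invoke(original, args);   // then the original listener, unchanged
                    }
                });

        // 4. Swap the proxy into the framework's slot; View.performClick() now calls it.
        onClickField.set(listenerInfo, proxy);
    }
}
```

Usage: `ClickHook.hookOnClick(button, () -> Log.d("Hook", "clicked"));` after the app has called `button.setOnClickListener(...)`. Because the proxy delegates every method (including `equals`/`hashCode`/`toString`) to the original listener, code that later compares listeners still behaves.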
Case 2: Start an unregistered Activity by hook
Source: github.com/itang01/jia…
Key points:
- Before the call reaches AMS, use a hook to replace the target with an Activity that is registered in AndroidManifest.xml, so the AMS check passes.
- After the AMS check, on the way back into ActivityThread, swap the registered Activity back to the unregistered one (set a Callback on mH, ActivityThread's Handler, by reflection and do the swap in that Callback's handleMessage).
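An added example of the same "swap before AMS, swap back before instantiation" idea. It is not the original post's code: instead of installing a Callback on mH, it replaces ActivityThread.mInstrumentation with a wrapper, because both the outbound path (Instrumentation.execStartActivity, before AMS) and the inbound path (Instrumentation.newActivity, called from performLaunchActivity) pass through that one object. Assumptions: a StubActivity that is declared in AndroidManifest.xml, the AOSP names ActivityThread.currentActivityThread()/mInstrumentation (non-SDK), and the hypothetical extra name hook.real_target used to carry the real class through AMS.

```java
import android.app.Activity;
import android.app.Instrumentation;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.os.IBinder;
import java.lang.reflect.Field;
import java.lang.reflect.Method;

/** Added example: wrap ActivityThread.mInstrumentation to start an Activity that is not in the manifest. */
public final class ProxyInstrumentation extends Instrumentation {
    static final String EXTRA_REAL_TARGET = "hook.real_target"; // hypothetical extra name

    private final Instrumentation base;
    private final Class<? extends Activity> stub;

    private ProxyInstrumentation(Instrumentation base, Class<? extends Activity> stub) {
        this.base = base;
        this.stub = stub;
    }

    /** Call from Application.onCreate(): ActivityThread.currentActivityThread().mInstrumentation = wrapper. */
    public static void install(Class<? extends Activity> stub) throws ReflectiveOperationException {
        Class<?> atClass = Class.forName("android.app.ActivityThread");      // non-SDK class
        Method current = atClass.getDeclaredMethod("currentActivityThread");
        current.setAccessible(true);
        Object activityThread = current.invoke(null);

        Field field = atClass.getDeclaredField("mInstrumentation");
        field.setAccessible(true);
        Instrumentation original = (Instrumentation) field.get(activityThread);
        field.set(activityThread, new ProxyInstrumentation(original, stub));
    }

    /**
     * Hidden framework method that Activity.startActivity() reaches before AMS. Declared with the
     * framework's exact signature (no @Override, it is not in the SDK) so it overrides at runtime.
     * Here the unregistered component is replaced by the registered stub, which is all AMS checks.
     */
    public ActivityResult execStartActivity(Context who, IBinder contextThread, IBinder token,
                                            Activity target, Intent intent, int requestCode,
                                            Bundle options) {
        ComponentName real = intent.getComponent();
        if (real != null) {
            intent.putExtra(EXTRA_REAL_TARGET, real.getClassName()); // remember the real class
            intent.setClassName(who, stub.getName());               // AMS only ever sees the stub
        }
        try {
            Method m = Instrumentation.class.getDeclaredMethod("execStartActivity",
                    Context.class, IBinder.class, IBinder.class, Activity.class,
                    Intent.class, int.class, Bundle.class);
            m.setAccessible(true);
            return (ActivityResult) m.invoke(base, who, contextThread, token, target,
                    intent, requestCode, options);
        } catch (ReflectiveOperationException e) {
            throw new RuntimeException("execStartActivity hook failed", e);
        }
    }

    /** Called by ActivityThread.performLaunchActivity after AMS approved the stub: swap back. */
    @Override
    public Activity newActivity(ClassLoader cl, String className, Intent intent)
            throws InstantiationException, IllegalAccessException, ClassNotFoundException {
        String real = intent.getStringExtra(EXTRA_REAL_TARGET);
        return base.newActivity(cl, real != null ? real : className, intent);
    }
}
```

Two checks worth doing before relying on this: the stub's manifest attributes (launchMode, theme, taskAffinity) are what AMS actually applies, since it never learns about the real class; and on Android 9+ reflection on ActivityThread and Instrumentation.execStartActivity is subject to the non-SDK interface restrictions, so verify the calls are not blocked for your targetSdkVersion.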
Case 3: Host the Activity inside the jump plug-in
Source: github.com/itang01/jia…
If you start it directly, you get an error:
Caused by: java.lang.ClassNotFoundException: Didn't find class "com.netease.plugin_package.PluginActivity" on path: DexPathList[[zip file "/data/app/com.netease.hookproject-1/base.apk",...]]
To understand why, follow the Android class-loading path:
- startActivity --> AMS --> ActivityThread (the stub Activity is swapped back to the real one) --> instantiate the Activity (the error is thrown here)
- In detail: Activity.startActivity --> Instrumentation.execStartActivity --> AMS check --> ActivityThread (about to load) --> handleLaunchActivity --> performLaunchActivity --> Instrumentation.newActivity(cl, className, intent), where cl is the app's PathClassLoader
1. ClassLoaders in Java are not the same as ClassLoaders in Android
2. The cl handed to newActivity is the app's PathClassLoader
3. newActivity does cl.loadClass(className).newInstance(). The lookup runs: ClassLoader.loadClass (parent delegation first) --> findClass (empty in ClassLoader, overridden by the subclass) --> BaseDexClassLoader.findClass() --> pathList.findClass() --> DexPathList.findClass(className), which walks dexElements and for each Element calls DexFile.loadClassBinaryName (native) --> the class, or null.
   Each dex file in the APK is represented in the VM by one Element; dexElements is the array of them. Why null? Because the host's PathClassLoader only holds Elements for the host's own classes.dex, so the plug-in's class is never found.
   Solution: merge the plug-in's dexElements into the host's dexElements, so that the one PathClassLoader can load both plug-in and host classes.
That is all the hook-style plug-in is!
Supplement 1: Introduction to Android ClassLoader
1. The Java ClassLoader is different from the Android ClassLoader
2. ClassLoaders in Android fall into two categories:
- System-provided ClassLoaders -> BootClassLoader (preloads framework classes in Zygote), PathClassLoader (loads the classes of installed applications and system programs), DexClassLoader (loads dex/jar/apk files from a given path)
- Custom ClassLoaders
Supplement 2: Android startup process
- Kernel boot…
- Init process: the first system process
- The Init process starts the Zygote process: ZygoteInit.java --> preload() --> preloadClasses() --> BootClassLoader.getInstance(), which is where the BootClassLoader is created
- ZygoteInit.handleSystemServerProcess() --> PathClassLoaderFactory.createSystemServerClassLoader(), which creates a PathClassLoader for system_server
- The Zygote process forks the SystemServer
- SystemServer starts many services: AMS, PMS, …
With that in mind, the next step is to merge the dexElements of the plug-in with those of the host
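The merge described in Case 3 and in the closing line above, as an added example (not code from the original post or the linked repository). It loads the plug-in APK through a DexClassLoader so the VM parses it into its own DexPathList, then reflectively concatenates the two dexElements arrays into the host's PathClassLoader. Assumptions: the AOSP field names BaseDexClassLoader.pathList and DexPathList.dexElements (non-SDK), and a plug-in APK file path chosen by the caller.

```java
import android.content.Context;
import dalvik.system.BaseDexClassLoader;
import dalvik.system.DexClassLoader;
import java.io.File;
import java.lang.reflect.Array;
import java.lang.reflect.Field;

/** Added example: make the host PathClassLoader able to find classes that live in a plug-in APK. */
public final class DexMerger {

    private DexMerger() {}

    /**
     * After this returns, host.getClassLoader().loadClass("com.netease.plugin_package.PluginActivity")
     * succeeds because the plug-in's Elements are now part of the host's dexElements.
     */
    public static void mergePlugin(Context host, File pluginApk) throws ReflectiveOperationException {
        // The plug-in gets its own loader purely so the VM builds Elements for its dex files.
        // (optimizedDirectory is ignored since API 26 but still has to be non-null on older versions.)
        File optDir = host.getDir("plugin_odex", Context.MODE_PRIVATE);
        ClassLoader pluginLoader = new DexClassLoader(pluginApk.getAbsolutePath(),
                optDir.getAbsolutePath(), null, host.getClassLoader());
        ClassLoader hostLoader = host.getClassLoader();   // the app's PathClassLoader

        Object hostPathList = getPathList(hostLoader);     // DexPathList of the host
        Object pluginPathList = getPathList(pluginLoader); // DexPathList of the plug-in

        Field dexElementsField = hostPathList.getClass().getDeclaredField("dexElements");
        dexElementsField.setAccessible(true);             // also lets us write a private final field
        Object hostElements = dexElementsField.get(hostPathList);
        Object pluginElements = dexElementsField.get(pluginPathList);

        // Host first: a plug-in class with the same name as a host class must not shadow it.
        dexElementsField.set(hostPathList, concat(hostElements, pluginElements));
    }

    /** BaseDexClassLoader.pathList is private; PathClassLoader and DexClassLoader both inherit it. */
    private static Object getPathList(ClassLoader loader) throws ReflectiveOperationException {
        Field f = BaseDexClassLoader.class.getDeclaredField("pathList");
        f.setAccessible(true);
        return f.get(loader);
    }

    /** Element[] + Element[] -> Element[], built reflectively because Element is a hidden type. */
    static Object concat(Object first, Object second) {
        Class<?> component = first.getClass().getComponentType();
        int a = Array.getLength(first);
        int b = Array.getLength(second);
        Object result = Array.newInstance(component, a + b);
        System.arraycopy(first, 0, result, 0, a);
        System.arraycopy(second, 0, result, a, b);
        return result;
    }
}
```

Usage: `DexMerger.mergePlugin(getApplicationContext(), new File(getFilesDir(), "plugin.apk"));` from Application.onCreate(), before any plug-in class is referenced. Two caveats a practitioner should check: the plug-in APK must sit in app-private, non-writable storage (Android 14 refuses to load dex files from writable locations for apps targeting API 34, and anything world-writable is a code-injection path), and this only solves class loading, not the plug-in's resources, which need a separate AssetManager hook.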