When decrypting the dex, the proxy Application has to be replaced with the real Application; before the Application can be replaced, we first need to understand how the system registers an app's Application.
Reference source: /frameworks/base/core/java/android/app/ActivityThread.java
After the Zygote process incubator forks the app process, the main function of ActivityThread is executed.
In the main function, Looper.prepareMainLooper() is called to initialise the Looper; at the end of main, Looper.loop() is executed, starting the endless loop that fetches Messages and executes them.
After the Looper is prepared, ActivityThread thread = new ActivityThread() creates the ActivityThread object, and its attach function is called with thread.attach(false).
public static void main(String[] args) {
    Looper.prepareMainLooper();
    ActivityThread thread = new ActivityThread();
    thread.attach(false);
    Looper.loop();
}
In the attach function, private void attach(boolean system), the argument passed is false, so execution enters the first branch, if (!system) {.
In that branch, final IActivityManager mgr = ActivityManagerNative.getDefault() obtains the ActivityManager's Binder object.
Calling that Binder object's attachApplication method, mgr.attachApplication(mAppThread), sends this process's ApplicationThread object across to the system.
private void attach(boolean system) {
    sCurrentActivityThread = this;
    mSystemThread = system;
    if (!system) {
        RuntimeInit.setApplicationObject(mAppThread.asBinder());
        final IActivityManager mgr = ActivityManagerNative.getDefault();
        try {
            mgr.attachApplication(mAppThread);
        } catch (RemoteException ex) {
            // Ignore
        }
        // Watch for getting close to heap limit.
    } else {
        // Don't set application object here -- if the system crashes,
        // we can't display an alert, we just want to die die die.
    }
}
When the ActivityThread object is created in main, its member fields are created automatically, including the main thread's Handler, the final H mH = new H() member; type H is a subclass of Handler, private class H extends Handler.
The system then uses Binder to call ActivityThread's bindApplication method, public final void bindApplication; in bindApplication, the parameters sent by ActivityManagerService are received and, at the end, a Message is sent to the H mH object, i.e. the Handler subclass object, with sendMessage(H.BIND_APPLICATION, data).
That message is ultimately handled by the H object, of type private class H extends Handler, which calls the handleBindApplication method, private void handleBindApplication(AppBindData data), to process it.
final H mH = new H();
private class H extends Handler {
    public void handleMessage(Message msg) {
        switch (msg.what) {
            case BIND_APPLICATION:
                Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "bindApplication");
                AppBindData data = (AppBindData)msg.obj;
                handleBindApplication(data);
                Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
                break;
        }
    }
}
ActivityThread's handleBindApplication method is where the Application is prepared: the Application is constructed and its lifecycle functions such as onCreate are called.
In handleBindApplication, Application app = data.info.makeApplication(data.restrictedBackupMode, null) is where the Application is created.
To see how the app's Application is actually created, look at the data.info.makeApplication method. makeApplication is a function of the data.info object; data.info is of type android.app.LoadedApk, and it is obtained by calling getPackageInfoNoCheck: data.info = getPackageInfoNoCheck(data.appInfo, data.compatInfo).
private void handleBindApplication(AppBindData data) {
    // data.info is the LoadedApk that knows how to build this package's Application.
    data.info = getPackageInfoNoCheck(data.appInfo, data.compatInfo);
    // Allow disk writes on the main thread while the app is being bound.
    final StrictMode.ThreadPolicy savedPolicy = StrictMode.allowThreadDiskWrites();
    try {
        // If the app is being launched for full backup or restore, bring it up in
        // a restricted environment with the base application class.
        Application app = data.info.makeApplication(data.restrictedBackupMode, null);
        mInitialApplication = app;
    } finally {
        StrictMode.setThreadPolicy(savedPolicy);
    }
}
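As an added example (not code from the page's framework excerpts), the Java class below runs from inside the app's proxy Application once the framework has built it, walks the chain described above (ActivityThread, AppBindData.info, LoadedApk, the Application) and lists every reference that a proxy-to-real Application swap would have to update. currentActivityThread, mBoundApplication, LoadedApk.mApplication and ContextImpl.mOuterContext are AOSP hidden members assumed from the framework version discussed; mInitialApplication and AppBindData.info appear in the excerpts above.

```java
import android.app.Application;
import java.lang.reflect.Field;
import java.lang.reflect.Method;

// Checks that ActivityThread.mInitialApplication, LoadedApk.mApplication and the base
// ContextImpl's mOuterContext all point at the same Application object. A packer that
// swaps the proxy Application for the real one must rewrite each of these, so the
// result is the list of places it has to touch. Hidden-field names are assumptions
// (AOSP layout); on Android 9+ hidden-API restrictions may refuse this reflection.
public final class AppBindInspector {

    private static Object readField(Object target, Class<?> owner, String name) throws Exception {
        Field f = owner.getDeclaredField(name);
        f.setAccessible(true);
        return f.get(target);
    }

    // Returns the names of references that do NOT point at the given Application;
    // an empty string means the framework's object graph is consistent.
    public static String findStaleReferences(Application app) throws Exception {
        Class<?> atClass = Class.forName("android.app.ActivityThread");
        // static hidden method returning sCurrentActivityThread, which attach() sets
        Method current = atClass.getDeclaredMethod("currentActivityThread");
        current.setAccessible(true);
        Object activityThread = current.invoke(null);

        Object initialApp = readField(activityThread, atClass, "mInitialApplication");
        Object bindData = readField(activityThread, atClass, "mBoundApplication"); // AppBindData
        Object loadedApk = readField(bindData, bindData.getClass(), "info");       // LoadedApk
        Object apkApp = readField(loadedApk, loadedApk.getClass(), "mApplication"); // makeApplication() result
        // ContextImpl.mOuterContext: the Context the framework hands out as "the Application"
        Object baseCtx = app.getBaseContext();
        Object outerCtx = readField(baseCtx, baseCtx.getClass(), "mOuterContext");

        StringBuilder stale = new StringBuilder();
        if (initialApp != app) stale.append("ActivityThread.mInitialApplication ");
        if (apkApp != app) stale.append("LoadedApk.mApplication ");
        if (outerCtx != app) stale.append("ContextImpl.mOuterContext ");
        return stale.toString().trim();
    }
}
```

Called as AppBindInspector.findStaleReferences(this) from Application.onCreate() of an unmodified app it returns an empty string; after a swap, any name it still returns is a reference the swap missed.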
Partial ActivityThread source for reference:
public final class ActivityThread {
    static volatile ActivityThread sCurrentActivityThread;
    boolean mSystemThread = false;
    Application mInitialApplication;
    final ApplicationThread mAppThread = new ApplicationThread();
    final Looper mLooper = Looper.myLooper();
    final H mH = new H();

    private class H extends Handler {
        public void handleMessage(Message msg) {
            switch (msg.what) {
                case BIND_APPLICATION:
                    Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "bindApplication");
                    AppBindData data = (AppBindData)msg.obj;
                    handleBindApplication(data);
                    Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
                    break;
            }
        }
    }

    private void handleBindApplication(AppBindData data) {
        // data.info is the LoadedApk that knows how to build this package's Application.
        data.info = getPackageInfoNoCheck(data.appInfo, data.compatInfo);
        // Allow disk writes on the main thread while the app is being bound.
        final StrictMode.ThreadPolicy savedPolicy = StrictMode.allowThreadDiskWrites();
        try {
            // If the app is being launched for full backup or restore, bring it up in
            // a restricted environment with the base application class.
            Application app = data.info.makeApplication(data.restrictedBackupMode, null);
            mInitialApplication = app;
        } finally {
            StrictMode.setThreadPolicy(savedPolicy);
        }
    }

    // In AOSP this method is declared on the inner ApplicationThread class, the Binder
    // object that ActivityManagerService calls back into.
    public final void bindApplication(String processName, ApplicationInfo appInfo,
            List<ProviderInfo> providers, ComponentName instrumentationName,
            ProfilerInfo profilerInfo, Bundle instrumentationArgs,
            IInstrumentationWatcher instrumentationWatcher,
            IUiAutomationConnection instrumentationUiConnection, int debugMode,
            boolean enableOpenGlTrace, boolean isRestrictedBackupMode, boolean persistent,
            Configuration config, CompatibilityInfo compatInfo, Map<String, IBinder> services,
            Bundle coreSettings) {
        // Pack the parameters received from ActivityManagerService into an AppBindData;
        // only the fields used by handleBindApplication above are shown here.
        AppBindData data = new AppBindData();
        data.processName = processName;
        data.appInfo = appInfo;
        data.restrictedBackupMode = isRestrictedBackupMode;
        data.compatInfo = compatInfo;
        sendMessage(H.BIND_APPLICATION, data);
    }

    private void attach(boolean system) {
        sCurrentActivityThread = this;
        mSystemThread = system;
        if (!system) {
            RuntimeInit.setApplicationObject(mAppThread.asBinder());
            final IActivityManager mgr = ActivityManagerNative.getDefault();
            try {
                mgr.attachApplication(mAppThread);
            } catch (RemoteException ex) {
                // Ignore
            }
            // Watch for getting close to heap limit.
        } else {
            // Don't set application object here -- if the system crashes,
            // we can't display an alert, we just want to die die die.
        }
    }

    public static void main(String[] args) {
        Looper.prepareMainLooper();
        ActivityThread thread = new ActivityThread();
        thread.attach(false);
        Looper.loop();
    }
}