【Android 安全】DEX 加密 ( Application 替换 | Android 应用启动原理 | ActivityThread 源码分析 )

2023-03-28 19:07:40 浏览数 (1)

文章目录

  • 一、ActivityThread 源码分析
  • 二、ActivityThread 部分代码示例

dex 解密时 , 需要将 代理 Application 替换为 真实 Application ; 替换 Application 首先要理解系统如何注册应用的 Application 的 ;

一、ActivityThread 源码分析


参考源码 : /frameworks/base/core/java/android/app/ActivityThread.java

Zygote 进程孵化器 fork 出应用进程后 , 就会执行 ActivityThread 中的 main 函数 ;

在 main 函数中 , 调用了 Looper.prepareMainLooper() 方法 , 初始化了 Looper , 在 main 方法最后 , 执行了 Looper.loop() , 开启了无限循环获取 Message 并执行 ;

准备完 Looper 之后 , ActivityThread thread = new ActivityThread() 创建了 ActivityThread 对象 , 并调用了该对象的 attach 函数 , thread.attach(false) ;

代码语言:javascript复制
    public static void main(String[] args) {
        Looper.prepareMainLooper();

        ActivityThread thread = new ActivityThread();
        thread.attach(false);
        Looper.loop();
    }

在 attach 函数中 , private void attach(boolean system) , 传入的参数是 false , 进入第一个分支 if (!system) { ;

在该分支中 , final IActivityManager mgr = ActivityManagerNative.getDefault() , 通过 ActivityManager 拿到了 Binder 对象 ;

通过调用该 Binder 对象的 attachApplication 方法 , mgr.attachApplication(mAppThread) , 将本 ApplicationThread 对象传送出去 ;

代码语言:javascript复制
    private void attach(boolean system) {
        sCurrentActivityThread = this;
        mSystemThread = system;
        if (!system) {
            RuntimeInit.setApplicationObject(mAppThread.asBinder());
            final IActivityManager mgr = ActivityManagerNative.getDefault();
            try {
                mgr.attachApplication(mAppThread);
            } catch (RemoteException ex) {
                // Ignore
            }
            // Watch for getting close to heap limit.
        } else {
            // Don't set application object here -- if the system crashes,
            // we can't display an alert, we just want to die die die.
        }
    }

在 main 函数中创建 ActivityThread 对象时 , 会自动创建其内部的成员属性 , 包括主线程的 Handler , final H mH = new H() 成员 , H 类型就是 Handler 的子类 , private class H extends Handler ;

利用 Binder 调用 ActivityThread 的 bindApplication 方法 , public final void bindApplication , 在 bindApplication 方法中 , 接收 ActivityManagerService 发送来的参数 , 最后发送一条 Message 给 H mH 对象 , 即 Hander 子类对象 , sendMessage(H.BIND_APPLICATION, data) ;

最终由 H 对象 , private class H extends Handler 类型 , 处理上述逻辑 , 最终调用 handleBindApplication 方法处理 , private void handleBindApplication(AppBindData data) ;

代码语言:javascript复制
    final H mH = new H();
    
    private class H extends Handler {
        public void handleMessage(Message msg) {
            switch (msg.what) {
                case BIND_APPLICATION:
                    Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "bindApplication");
                    AppBindData data = (AppBindData)msg.obj;
                    handleBindApplication(data);
                    Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
                    break;
		}
	}

在 ActivityThread 的 handleBindApplication 方法中就是进行的 Application 准备工作 , 构建 Application , 并调用 Application 中的 onCreate 等生命周期函数 ;

在 handleBindApplication 方法 中 , Application app = data.info.makeApplication(data.restrictedBackupMode, null) , 此处创建 Application ;

应用 Application 的具体创建方法 , 需要查看该 data.info.makeApplication 方法 , makeApplication 是 data.info 对象中的函数 , data.info 对象类型是 android.app.LoadedApk 类型 , data.info 是调用 getPackageInfoNoCheck 获取的 , data.info = getPackageInfoNoCheck(data.appInfo, data.compatInfo) ;

代码语言:javascript复制
    private void handleBindApplication(AppBindData data) {
        try {
            // If the app is being launched for full backup or restore, bring it up in
            // a restricted environment with the base application class.
            Application app = data.info.makeApplication(data.restrictedBackupMode, null);
            mInitialApplication = app;
        } finally {
            StrictMode.setThreadPolicy(savedPolicy);
        }
	}

二、ActivityThread 部分代码示例


ActivityThread 部分代码示例 :

代码语言:javascript复制
public final class ActivityThread {
    final ApplicationThread mAppThread = new ApplicationThread();
    final Looper mLooper = Looper.myLooper();
    final H mH = new H();
    
    private class H extends Handler {
        public void handleMessage(Message msg) {
            switch (msg.what) {
                case BIND_APPLICATION:
                    Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "bindApplication");
                    AppBindData data = (AppBindData)msg.obj;
                    handleBindApplication(data);
                    Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
                    break;
		}
	}

    private void handleBindApplication(AppBindData data) {
        try {
            // If the app is being launched for full backup or restore, bring it up in
            // a restricted environment with the base application class.
            Application app = data.info.makeApplication(data.restrictedBackupMode, null);
            mInitialApplication = app;
        } finally {
            StrictMode.setThreadPolicy(savedPolicy);
        }
	}

    public final void bindApplication(String processName, ApplicationInfo appInfo,
                List<ProviderInfo> providers, ComponentName instrumentationName,
                ProfilerInfo profilerInfo, Bundle instrumentationArgs,
                IInstrumentationWatcher instrumentationWatcher,
                IUiAutomationConnection instrumentationUiConnection, int debugMode,
                boolean enableOpenGlTrace, boolean isRestrictedBackupMode, boolean persistent,
                Configuration config, CompatibilityInfo compatInfo, Map<String, IBinder> services,
                Bundle coreSettings) {
            sendMessage(H.BIND_APPLICATION, data);
    }    

    private void attach(boolean system) {
        sCurrentActivityThread = this;
        mSystemThread = system;
        if (!system) {
            RuntimeInit.setApplicationObject(mAppThread.asBinder());
            final IActivityManager mgr = ActivityManagerNative.getDefault();
            try {
                mgr.attachApplication(mAppThread);
            } catch (RemoteException ex) {
                // Ignore
            }
            // Watch for getting close to heap limit.
        } else {
            // Don't set application object here -- if the system crashes,
            // we can't display an alert, we just want to die die die.
        }
    }

    public static void main(String[] args) {
        Looper.prepareMainLooper();

        ActivityThread thread = new ActivityThread();
        thread.attach(false);
        Looper.loop();
    }
}

0 人点赞