纸上得来终觉浅,绝知此事要躬行
前言
作为一个android开发者,一定都知道每个activity都需要在AndroidManifest.xml中显示的声明一下,否则在启动的activity的时候就会抛出ActivityNotFoundException的异常。那么真的就没有办法去启动一个没有声明的activity吗?来让我们从源码看起。
activity启动过程
想要知道能不能启动一个不在manifest中注册的Activity,我们先来看一下activity启动的过程,下面以Android7.1.2的代码为例。
在启动activity时会调用startActivity,首先我们来看Activity中的startActivity看起,代码在frameworks/base/core/java/android/app/Activity.java中。
public void startActivity(Intent intent) {
this.startActivity(intent, null);
}
之后有调用了两个参数的startActivity(),又经过一连串的调用,调用到了startActivityForResult()
ublic void startActivity(Intent intent, @Nullable Bundle options) {
if (options != null) {
startActivityForResult(intent, -1, options);
} else {
startActivityForResult(intent, -1);
}
}
其中真正启动activity的方法是通过Instrumentation中的execStartActivity()方法启动的。mInstrumentation是Activity中的一个成员变量,frameworks/base/core/java/android/app/Instrumentation.java
public void startActivityForResult(@RequiresPermission Intent intent, int requestCode,
@Nullable Bundle options) {
if (mParent == null) {
options = transferSpringboardActivityOptions(options);
Instrumentation.ActivityResult ar =
mInstrumentation.execStartActivity(
this, mMainThread.getApplicationThread(), mToken, this,
intent, requestCode, options);
if (ar != null) {
mMainThread.sendActivityResult(
mToken, mEmbeddedID, requestCode, ar.getResultCode(),
ar.getResultData());
}
if (requestCode >= 0) {
mStartedActivity = true;
}
cancelInputsAndStartExitTransition(options);
} else {
if (options != null) {
mParent.startActivityFromChild(this, intent, requestCode, options);
} else {
mParent.startActivityFromChild(this, intent, requestCode);
}
}
}
下面是整个流程中比较关键的方法
public ActivityResult execStartActivity(
Context who, IBinder contextThread, IBinder token, Activity target,
Intent intent, int requestCode, Bundle options) {
IApplicationThread whoThread = (IApplicationThread) contextThread;
...
try {
intent.migrateExtraStreamToClipData();
intent.prepareToLeaveProcess(who);
int result = ActivityManagerNative.getDefault()
.startActivity(whoThread, who.getBasePackageName(), intent,
intent.resolveTypeIfNeeded(who.getContentResolver()),
token, target != null ? target.mEmbeddedID : null,
requestCode, 0, null, options);
checkStartActivityResult(result, intent);
} catch (RemoteException e) {
throw new RuntimeException("Failure from system", e);
}
return null;
}
先看checkStartActivityResult()这个方法,这里会检测activity启动的各种状态,其中就包括了"have you declared this activity in your AndroidManifest.xml?"没有在AndroidManifest.xml注册activity的异常。
public static void checkStartActivityResult(int res, Object intent) {
if (res >= ActivityManager.START_SUCCESS) {
return;
}
switch (res) {
case ActivityManager.START_INTENT_NOT_RESOLVED:
case ActivityManager.START_CLASS_NOT_FOUND:
if (intent instanceof Intent && ((Intent)intent).getComponent() != null)
throw new ActivityNotFoundException(
"Unable to find explicit activity class "
+ ((Intent)intent).getComponent().toShortString()
+ "; have you declared this activity in your AndroidManifest.xml?");
throw new ActivityNotFoundException(
"No Activity found to handle " + intent);
case ActivityManager.START_PERMISSION_DENIED:
throw new SecurityException("Not allowed to start activity "
+ intent);
case ActivityManager.START_FORWARD_AND_REQUEST_CONFLICT:
throw new AndroidRuntimeException(
"FORWARD_RESULT_FLAG used while also requesting a result");
case ActivityManager.START_NOT_ACTIVITY:
throw new IllegalArgumentException(
"PendingIntent is not an activity");
case ActivityManager.START_NOT_VOICE_COMPATIBLE:
throw new SecurityException(
"Starting under voice control not allowed for: " + intent);
case ActivityManager.START_VOICE_NOT_ACTIVE_SESSION:
throw new IllegalStateException(
"Session calling startVoiceActivity does not match active session");
case ActivityManager.START_VOICE_HIDDEN_SESSION:
throw new IllegalStateException(
"Cannot start voice activity on a hidden session");
case ActivityManager.START_CANCELED:
throw new AndroidRuntimeException("Activity could not be started for "
+ intent);
default:
throw new AndroidRuntimeException("Unknown error code "
+ res + " when starting " + intent);
}
}
其中启动activity的方法是ActivityManagerNative.getDefault().startActivity()。ActivityManagerNative继承了Binder,同时实现了IActivityManager接口,启动activity用到了Android中binder机制,这里先不做具体讨论,代码在frameworks/base/core/java/android/app/ActivityManagerNative.java。先来看getDefault(),获取的是一个IActivityManager单例。
static public IActivityManager getDefault() {
return gDefault.get();
}
再看单例里做了什么,获取了系统的ActivityManagerService(AMS),ActivityManagerNative实际上就是ActivityManagerService(AMS)这个远程对象的Binder代理对象
private static final Singleton gDefault = new Singleton() {
protected IActivityManager create() {
IBinder b = ServiceManager.getService("activity");
if (false) {
Log.v("ActivityManager", "default service binder = " + b);
}
IActivityManager am = asInterface(b);
if (false) {
Log.v("ActivityManager", "default service = " + am);
}
return am;
}
};
到这里,就是整个activity启动的流程了,也找到了ActivityNotFoundException的原因,那么到底有没有办法启动一个没有在Android.xml中声明的activity呢?
hook分析
还是从gDefault这个单例看起,有没有办法把这个单例替换掉,自己实现startActivity方法来绕过系统对activity的校验呢?同时我们看到IActivityManager是一个接口,那么是不是有什么办法可以动态修改这个接口的实现呢?熟悉Java的同学一定会想到动态代理。我们先来实现一个InvocationHandler,代码如下
public class HookActivityHandler implements InvocationHandler {
private static final String TAG = "HookActivityHandler";
private Object mBase;
public HookActivityHandler(Object base) {
this.mBase = base;
}
@Override
public Object invoke(Object o, Method method, Object[] objects) throws Throwable {
if ("startActivity".equalsIgnoreCase(method.getName())) {
Log.d(TAG, "invoke: startActivity");
}
return method.invoke(mBase, objects);
}
}
接着,我们需要通过反射将ActivityManagerNative中的gDefault中的gDefault换成我们自己的实现,代码如下
public static final void hookActivityManagerService(ClassLoader classLoader) {
try {
Class> activityManagerNativeClass = Class.forName("android.app.ActivityManagerNative");
if (activityManagerNativeClass == null) {
return;
}
Field gDefaultField = activityManagerNativeClass.getDeclaredField("gDefault");
if (gDefaultField == null) {
return;
}
gDefaultField.setAccessible(true);
Object gDefault = gDefaultField.get(null);
Class> singleton = Class.forName("android.util.Singleton");
if (singleton == null) {
return;
}
Field mInstanceField = singleton.getDeclaredField("mInstance");
if (mInstanceField == null) {
return;
}
mInstanceField.setAccessible(true);
Object activityManager = mInstanceField.get(gDefault);
Class> activityManagerInterface = Class.forName("android.app.IActivityManager");
Object proxy = Proxy.newProxyInstance(classLoader,
new Class[] {activityManagerInterface}, new HookActivityHandler(activityManager));
mInstanceField.set(gDefault, proxy);
} catch (Exception e) {
e.printStackTrace();
}
}
然后新建一个正常activity看看能否正常调用到hook的方法中,输出日志如下。
08-15 23:10:10.476 13208-13208/com.test.hookactivity D/HookActivityHandler: invoke: startActivity
可以看到,已经成功的将startActivity()方法hook住了,接下来就可以在startActivity的时候做些事情了。在启动activity的时候,会对activity做校验,那么我们能不能用一个注册在AndroidMenifest.xml中的activity作为桥梁,在校验的时候用这个存在的activity,校验过后再换会真正想要的activity,来个偷梁换柱。再回到HookActivityHandler中,只看invoke方法。
在startActivity之前先将目标intent取出来并缓存起来,将intent换成已经存在的PlaceHolderActivity,这样校验的时候就可以绕过系统对activity的校验。大家可以试着运行一次代码,并不会抛出ActivityNotFoundException的异常,验证了之前的想法。
@Override
public Object invoke(Object o, Method method, Object[] objects) throws Throwable {
if ("startActivity".equalsIgnoreCase(method.getName())) {
Log.d(TAG, "invoke: startActivity");
Intent rawIntent = null;
int index = 0;
for (int i = 0; i < objects.length; i++) {
if (objects[i] instanceof Intent) {
index = i;
break;
}
}
rawIntent = (Intent) objects[index];
Intent newIntent = new Intent();
String targetPackageName = "com.test.hookactivity";
ComponentName componentName = new ComponentName(targetPackageName,
PlaceHolderActivity.class.getCanonicalName());
newIntent.setComponent(componentName);
newIntent.putExtra("extra_target_intent", rawIntent);
objects[index] = newIntent;
return method.invoke(mBase, objects);
}
return method.invoke(mBase, objects);
}
那么绕过校验之后怎样恢复到我们想要的activity呢?从源码中可以看到,在启动activity时最后会通过ActivityThread中的handleMessage()方法,代码如下
public void handleMessage(Message msg) {
if (DEBUG_MESSAGES) Slog.v(TAG, ">>> handling: " + codeToString(msg.what));
switch (msg.what) {
case LAUNCH_ACTIVITY: {
Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "activityStart");
final ActivityClientRecord r = (ActivityClientRecord) msg.obj;
r.packageInfo = getPackageInfoNoCheck(
r.activityInfo.applicationInfo, r.compatInfo);
handleLaunchActivity(r, null, "LAUNCH_ACTIVITY");
Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
} break;
...
}
}
这里的handleLaunchActivity()就是启动activity真正的方法,这里就是另一个hook点,在handleLaunchActivity()中将目标activity的intent替换回来,首先实现Handler.Callback,代码如下。通过反射讲message中的intent换会原来的intent。
public class ActivityThreadHandlerCallback implements Handler.Callback {
private Handler mHandler;
public ActivityThreadHandlerCallback(Handler handler) {
this.mHandler = handler;
}
@Override
public boolean handleMessage(Message message) {
int what = message.what;
switch (what) {
case 100: //这里对应的是LAUNCH_ACTIVITY
handleStartActivity(message);
break;
}
mHandler.handleMessage(message);
return true;
}
private void handleStartActivity(Message message) {
Object object = message.obj;
try {
Field intent = object.getClass().getDeclaredField("intent");
if (intent == null) {
return;
}
intent.setAccessible(true);
Intent rawIntent = (Intent) intent.get(object);
Intent targetIntent = rawIntent.getParcelableExtra("extra_target_intent");
if (targetIntent == null) {
return;
}
rawIntent.setComponent(targetIntent.getComponent());
} catch (Exception e) {
e.printStackTrace();
}
}
}
还差最后一步,就是将ActivityThread中的mCallback换成我们hook的callback,还是用老办法——反射。在ActivityThread中handler定义的变量为mH,所以主要替换的目标是mH,代码如下
public static final void hookActivityThreadHandler() {
try {
Class> activityThreadClass = Class.forName("android.app.ActivityThread");
Field currentActivityThreadField = activityThreadClass.getDeclaredField("sCurrentActivityThread");
if (currentActivityThreadField == null) {
return;
}
currentActivityThreadField.setAccessible(true);
Object currentActivityThread = currentActivityThreadField.get(null);
Field mHField = activityThreadClass.getDeclaredField("mH");
if (mHField == null) {
return;
}
mHField.setAccessible(true);
Handler mH = (Handler) mHField.get(currentActivityThread);
Field mCallbackField = Handler.class.getDeclaredField("mCallback");
if (mCallbackField == null) {
return;
}
mCallbackField.setAccessible(true);
mCallbackField.set(mH, new ActivityThreadHandlerCallback(mH));
} catch (Exception e) {
e.printStackTrace();
}
}
到此,就神不知鬼不觉的绕过系统的校验,在启动的时候就是真正我们想要的页面了,而这个页面并没有在AndroidManifest.xml中注册。
小结
通过以上的方法,用动态代理分别hook了ActivityManagerNative中的IActivityManager和ActivityThread中handler的callback,用这两个hook点就成功的绕过了系统的校验,实现了启动没有声明的activity。看似简单,但是一定要对activity启动的流程十分熟悉,还要理解android中的binder机制,这就是android插件化框架用到的原理之一。除了动态代理,利用双亲委派机制也可以实现对相关方法的hook。
有些人也许会问,启动一个没有在AndroidManifest.xml中的activity有什么用。的确,正常应用开发的确没什么用。但是如果有一天你想动态下发一个activity的时候,就有用了。应用发布的时候不可能预埋不存在的activity,当有一天因为产品的变化,需求的变更的时候就只能发版解决了。但是如果可以做到动态下发,就可以静默对应用进行升级,而新增activity就是基础能力之一。
参考
- Android插件化原理解析——概要
- Binder学习指南
- Android应用程序内部启动Activity过程的源代码分析
- DroidPlugin
- VirtualApk