加固前奏2-替换application

运行加载过程
ActivityThread.java
Application app = data.info.makeApplication(data.restrictedBackupMode, null);
                            ->进入LoadedApk.java
                                    String appClass = mApplicationInfo.className;
                                    app.attachBaseContext()        //可控函数
                                    ...
                                    mActivityThread.mAllApplications.add(app);
                                    mApplication = app;
                            <-退出
mInitialApplication = app;
mInstrumentation.callApplicationOnCreate(app);
                            ->    app.onCreate()                //可控函数

 

onCreate中实现

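        // Swap the shell's placeholder Application for the real one at runtime.
        // The order mirrors the ActivityThread/LoadedApk trace above: clear the
        // Application cached on the LoadedApk, point its ApplicationInfo at the real
        // class, rebuild it through makeApplication(), then replace the references
        // ActivityThread still holds. Everything goes through the javaRef reflection
        // helper on hidden framework internals, so the class and field names used
        // here are tied to the framework version being targeted.
        Object currentActivityThread = javaRef.invokeStaticMethod("android.app.ActivityThread", "currentActivityThread",
                new Class<?>[]{}, new Object[]{});

        Object mBoundApplication = javaRef.getFieldValue("android.app.ActivityThread", "mBoundApplication", currentActivityThread);
        Object loadedApk = javaRef.getFieldValue("android.app.ActivityThread$AppBindData", "info", mBoundApplication);

        // makeApplication() assigns LoadedApk.mApplication (see the trace above) and
        // presumably returns that cached instance when it is already set, so it is
        // cleared first; otherwise the shell Application would just be handed back.
        javaRef.setFieldValue("android.app.LoadedApk", "mApplication", loadedApk, null);
        // makeApplication() reads mApplicationInfo.className to pick the class to instantiate.
        ApplicationInfo applicationInfo_loadapk = (ApplicationInfo) javaRef.getFieldValue("android.app.LoadedApk", "mApplicationInfo", loadedApk);
        String desAppName = "com.cc.shell.MyApplication";
        applicationInfo_loadapk.className = desAppName;

        Application oldApplication = (Application) javaRef.getFieldValue("android.app.ActivityThread", "mInitialApplication", currentActivityThread);

        // Drop the shell Application from mAllApplications so only the real one stays registered.
        ArrayList<?> mAllApplications = (ArrayList<?>) javaRef.getFieldValue("android.app.ActivityThread",
                "mAllApplications", currentActivityThread);
        mAllApplications.remove(oldApplication);

        // Same signature as the framework call in the trace: makeApplication(boolean, Instrumentation).
        Application realApp = (Application) javaRef.invokeMethod("android.app.LoadedApk", "makeApplication", loadedApk
                , new Class<?>[]{boolean.class, Instrumentation.class}, new Object[]{false, null});

        realApp.onCreate();

        // Fix: this lookup must use the same class name as every other call above
        // ("android.app.ActivityThread"); the original "com.android.ActivityThread"
        // is not the framework class, so the reflective field write could not resolve it.
        javaRef.setFieldValue("android.app.ActivityThread", "mInitialApplication", currentActivityThread, realApp);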

 

慢慢分析,下班了
