Android开发启动未注册的activity,Hook使用demo

三个工具类（均通过反射访问系统隐藏 API，字段名与消息码随 Android 版本变化：HookHelper.hookHandler 拦截的 100 对应旧版 ActivityThread.H 的 LAUNCH_ACTIVITY，HCallback 中的 159 对应 EXECUTE_TRANSACTION，因此在不同 API 级别上只有其中一条路径会生效；另外，承载跳转的 stub Activity 若在 manifest 中被 exported，外部应用就可以借 "RawIntent" extra 让本进程拉起未导出的 Activity，使用前应校验目标组件属于本应用）

 

1、

/**
 * @author : LGQ
 * @date : 2020/05/11 14
 * @desc :
 */
public class HCallback implements Handler.Callback{
    private final String TAG="HCallback";
    private Handler mHandler;
    /**
     * @param handler the handler this callback is attached to; kept in
     *                {@code mHandler} for use by handleMessage (that body is
     *                not fully reproduced in this listing)
     */
    public HCallback(Handler handler) {
        this.mHandler = handler;
    }
    @Override
    public boolean handleMessage(Message msg) {
        //这里为159,是因为EXECUTE_TRANSACTION字段的值为159
        if(msg.what==159){
            //r实际为clienttransaction
            Object r= msg.obj;
            try {
                Class clientClazz = r.getClass();
                Field fCallbacks = clientClazz.getDeclaredField("mActivityCallbacks");
                fCallbacks.setAccessible(true);
                //得到transactionz中的callbacks,为一个list,其中元素为LaunActivityItem
                List lists = (List) fCallbacks.get(r);
                for(int i=0;i 
  

2、

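/**
 * Reflection hooks that let a start request for an activity which is not
 * declared in the manifest pass AMS validation via a registered stub activity.
 *
 * Both hooks reach into hidden framework internals ({@code ActivityManager},
 * {@code ActivityThread}, {@code Handler.mCallback}). Field names and message
 * codes differ between Android releases, so any lookup may fail on a version
 * this demo was not written against, and reflective access to hidden members
 * is further restricted from Android 9 onward. Treat this as a demo, not a
 * production mechanism.
 */
public class HookHelper {
    private static final String TAG = "HookHelper";

    /** Extra key under which the real target intent is carried by the stub intent. */
    private static final String EXTRA_RAW_INTENT = "RawIntent";

    /** ActivityThread.H message code handled by hookHandler (LAUNCH_ACTIVITY on the pre-Android 9 launch path). */
    private static final int MSG_LAUNCH_ACTIVITY = 100;

    /**
     * Replaces the process-wide IActivityManager binder proxy with a
     * {@link Proxy} backed by {@link IActivityManagerProxy}, so that
     * {@code startActivity} calls can be rewritten before they reach AMS.
     *
     * NOTE(review): on newer releases (Android 10+) activity starts are reported
     * to go through ActivityTaskManager rather than this singleton; verify on the
     * target API level before relying on this hook.
     *
     * @throws Exception if a reflective lookup fails (class or field missing on
     *                   this Android version)
     * @throws IllegalStateException if the singleton or the instance it holds is null
     */
    public static void hookAms() throws Exception {
        // The holder of the IActivityManager singleton moved between releases:
        // ActivityManager.IActivityManagerSingleton on O+, ActivityManagerNative.gDefault before.
        final Class<?> holderClazz;
        final Field singletonField;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            holderClazz = ActivityManager.class;
            singletonField = holderClazz.getDeclaredField("IActivityManagerSingleton");
        } else {
            holderClazz = Class.forName("android.app.ActivityManagerNative");
            singletonField = holderClazz.getDeclaredField("gDefault");
        }
        singletonField.setAccessible(true);
        final Object singleton = singletonField.get(null);
        if (singleton == null) {
            throw new IllegalStateException("IActivityManager singleton is not available on this device");
        }

        final Class<?> singletonClazz = Class.forName("android.util.Singleton");
        final Field instanceField = singletonClazz.getDeclaredField("mInstance");
        instanceField.setAccessible(true);
        Object realAms = instanceField.get(singleton);
        if (realAms == null) {
            // NOTE(review): android.util.Singleton fills mInstance lazily from get();
            // if nobody has called it yet we would otherwise wrap null and every
            // forwarded call in the proxy would NPE. Force creation first.
            final java.lang.reflect.Method get = singletonClazz.getMethod("get");
            get.setAccessible(true);
            realAms = get.invoke(singleton);
        }
        if (realAms == null) {
            throw new IllegalStateException("IActivityManager instance is still null after Singleton.get()");
        }

        final Class<?> iAmClazz = Class.forName("android.app.IActivityManager");
        final Object proxy = Proxy.newProxyInstance(
                Thread.currentThread().getContextClassLoader(),
                new Class<?>[]{iAmClazz},
                new IActivityManagerProxy(realAms));
        instanceField.set(singleton, proxy);
    }

    /**
     * Installs a {@link Handler.Callback} on ActivityThread's main handler
     * ({@code mH}) that restores the real target component on LAUNCH_ACTIVITY
     * messages, replacing the stub component that was used to satisfy AMS.
     *
     * Any previously installed callback is chained rather than overwritten.
     * Errors are logged rather than thrown; the declared {@code throws} is kept
     * for call-site compatibility.
     */
    public static void hookHandler() throws Exception {
        try {
            final Class<?> activityThreadClass = Class.forName("android.app.ActivityThread");
            final Field threadField = activityThreadClass.getDeclaredField("sCurrentActivityThread");
            threadField.setAccessible(true);
            final Object currentThread = threadField.get(null);

            final Field mHField = activityThreadClass.getDeclaredField("mH");
            mHField.setAccessible(true);
            final Object mH = mHField.get(currentThread);

            final Field callbackField = Handler.class.getDeclaredField("mCallback");
            callbackField.setAccessible(true);
            // Keep whatever callback is already there instead of silently dropping it.
            final Handler.Callback previous = (Handler.Callback) callbackField.get(mH);
            callbackField.set(mH, new Handler.Callback() {
                @Override
                public boolean handleMessage(Message msg) {
                    if (msg.what == MSG_LAUNCH_ACTIVITY) {
                        restoreRawIntent(msg.obj);
                    }
                    // Returning false (as before) lets mH.handleMessage perform the real launch.
                    return previous != null && previous.handleMessage(msg);
                }
            });
        } catch (Exception e) {
            Log.e("hook", "hookActivityThreaderr" + e);
        }
    }

    /**
     * Swaps the stub component on a launch record's intent for the one carried
     * in its "RawIntent" extra.
     *
     * The swap is refused unless the raw target lives in the same package as the
     * stub. The stub is reachable through AMS, so if it is exported any app could
     * otherwise attach its own "RawIntent" and have this process launch one of
     * its non-exported activities (intent redirection). Records without the
     * extra are ordinary launches and are left untouched.
     *
     * @param activityRecord the {@code msg.obj} of a LAUNCH_ACTIVITY message;
     *                       expected to have an {@code intent} field
     */
    private static void restoreRawIntent(Object activityRecord) {
        try {
            final Field intentField = activityRecord.getClass().getDeclaredField("intent");
            intentField.setAccessible(true);
            final Intent intent = (Intent) intentField.get(activityRecord);
            if (intent == null) {
                return;
            }
            final Intent raw = intent.getParcelableExtra(EXTRA_RAW_INTENT);
            if (raw == null || raw.getComponent() == null) {
                return; // not one of our redirected launches
            }
            final String stubPackage = intent.getComponent() == null
                    ? null : intent.getComponent().getPackageName();
            final String targetPackage = raw.getComponent().getPackageName();
            if (stubPackage == null || !stubPackage.equals(targetPackage)) {
                Log.e("hook", "refusing to redirect launch to " + raw.getComponent());
                return;
            }
            intent.setComponent(raw.getComponent());
        } catch (Exception e) {
            Log.e("hook", "hookActivityThreaderr" + e);
        }
    }
}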

 3、

public class IActivityManagerProxy implements InvocationHandler {
    private Object activityManager;
    private static final String TAG="IActivityManagerProxy";
    /**
     * @param activityManager the original IActivityManager object this proxy
     *                        wraps; presumably the target that invoke() forwards
     *                        calls to (invoke's body is cut off in this listing)
     */
    public IActivityManagerProxy(Object activityManager){
        this.activityManager=activityManager;
    }
    @Override
    public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
        if(method.getName().equals("startActivity")){
            Intent intent =null;
            int index=0;
            for(int i=0;i
