熱修復之冷啓動類加載原理與實現
概述
利用DexClassLoader類加載原理,apk包含多個dex文件,會從dex中依次查找類,若是找到了就不繼續日後面找了。咱們把補丁包.dex放到最前面,就優先從補丁包中查找類。
html
原理分析
Dex分包
dex是java文件編譯的二進制產物,能夠理解成Android優化後的.class合併文件。原先全部java文件都會被打包單個dex,但因爲dex的65536問題,會分包成多個dex。
java
DexClassLoader機制
Android提供了從Dex中加載類的DexClassLoader。
咱們把修復後的com.a.fix.M生成patch.dex,
想辦法把path.dex插入到dexElements最前面,
當loader要查找com.a.fix.M時,會從前日後遍歷dexElements數組,查到了就終止遍歷。 android
DexClassLoader源碼
查看DexClassLoader源碼,已7.0的源碼爲例,選取部分代碼git
//DexClassLoader的基類,代碼有省略
public class BaseDexClassLoader extends ClassLoader {
//具體加載的事宜都交給了DexPathList,私有屬性,能夠反射調用
private final DexPathList pathList;
public BaseDexClassLoader(String dexPath, ...) {
this.pathList = new DexPathList(this, dexPath, ...);
}
@Override
protected Class<?> findClass(String name){
return pathList.findClass(name, suppressedExceptions);
}
/** * @hide,隱藏方法,能夠反射調用。能夠用來插入patch.dex */
public void addDexPath(String dexPath) {
pathList.addDexPath(dexPath, null /*optimizedDirectory*/);
}
複製代碼
//只能反射使用這個類
/*package*/ final class DexPathList {
//這個dexElements,數組很關鍵實際上Element 多是dex文件,包含dex的apk文件,包含dex的jar文件
private Element[] dexElements;
public DexPathList(ClassLoader definingContext, String dexPath,...) {
this.dexElements = makeDexElements(splitDexPath(dexPath), ...);
}
//只能反射調用,能夠用來插入patch.dex。
public void addDexPath(String dexPath, File optimizedDirectory) {
final Element[] newElements = makeDexElements(splitDexPath(dexPath),...);
final Element[] oldElements = dexElements;
dexElements = new Element[oldElements.length + newElements.length];
System.arraycopy(oldElements, 0, dexElements, 0, oldElements.length);
//新增的Elements只能加入到數組後面。咱們須要把patch加到最前面
System.arraycopy(newElements, 0, dexElements, oldElements.length, newElements.length);
}
//上圖的總結來自這裏,遍歷dexElements數組。
public Class findClass(String name, List<Throwable> suppressed) {
for (Element element : dexElements) {
//最終調用在platform/art/rumtime/native/dalvik_system_DexFile.cc中
Class clazz = element.dexFile.loadClassBinaryName(name, definingContext, suppressed);
if (clazz != null) return clazz;
}
return null;
}
/** * Element of the dex/resource/native library path */
/*package*/ static class Element {
private final File dir;
private final boolean isDirectory;
private final File zip;
private final DexFile dexFile;
}
}
複製代碼
前置插入Patch.dex
咱們須要把patch.dex插入到dexElements最前面。
因爲沒有對外暴露方法,須要反射執行。這就很簡單了,方案就有不少,好比github
- a.DexPathList.makeDexElements, 生成path element數組,合併新老數組
- b.DexPathList.addDexPath,而後把新插入patch的element調整到數組最前面
a方案,也是網上比較多的方案
b方案,理解這個東西,就能夠整出來了。
apache
過程實現
先來整一段用來顯示的代碼。完整版代碼在 熱修復之冷啓動 module:hotfix_dexload bootstrap
待修復功能
//待修復類
package com.a.fix;
public class M {
public static String a(){return "M aaa";}
}
//用來展現數據的類
package com.a.android_sample;
public class MainActivity extends AppCompatActivity {
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
String str = M.a();
((TextView) findViewById(R.id.tv)).setText(str));
}
}
複製代碼
生成patch.dex
類修復代碼
package com.a.fix;
public class M {
public static String a(){return "M aaa fix";}
}
複製代碼
java -> dex
這樣,簡單的dex文件就生成了。生成patch.dex後,咱們把代碼恢復成修復前的。數組
//來到java源碼目錄下
cd app/main/java
//.class文件
javac com/a/fix/M.java
//生成patch.dex
dx --dex --output com/a/fix/patch.dex com/a/fix/M.class
複製代碼
好奇點,咱們能夠名看看dex裏面的是啥,可使用smali相關技術 AndroidStudio安裝插件java2smali或者smali.jar包執行安全
存放patch.dex
patch.dex複製到assets文件夾中markdown
patch.dex 該放哪應用啓動後能讀取就行。放到sd卡固然能夠。 咱們選擇assets文件夾中,程序啓動時copy到咱們想要的地方,就當模擬下載了。
插入patch.dex
從這裏開始,都在自定義ApplicationApp的attachBaseContext()重載中完成。
爲何這個方法中合適, ApplicationApp是應用建立時,apk中最早實例化的類,實際上attachBaseContext在onCreate()以前調用。 這又是一個話題了,能夠看看 CSDN上老羅的應用啓動過程,有提到Applicaiton的建立。 參考源碼LoadedApk.makeApplication()
public class ApplicationApp extends Application {
@Override
protected void attachBaseContext(Context base) {
super.attachBaseContext(base);
//1.從assets中複製出來
String dexFilePath = copyAssetsDex("patch.dex");
//2.裝載補丁包,即插入到dexElements
installDex(this, dexFilePath);
}
}
//複製assets中的patch.dex到手機的存儲系統,
private String copyAssetsDex(String dexFileName) {
//這個ExternalCacheDir應用沙盒存儲,讀寫自由遍歷
String hackPath = getExternalCacheDir().getAbsolutePath() + "/" + dexFileName;
File destFile = new File(hackPath);
if (destFile.exists()) destFile.delete();
InputStream is = getAssets().open(dexFileName);
FileOutputStream fos = new FileOutputStream(destFile);
byte[] buffer = new byte[1024];
int byteCount;
while ((byteCount = is.read(buffer)) != -1) {
fos.write(buffer, 0, byteCount);
}
...
return destFile.getAbsolutePath();
}
//插入patch.dex,由於是反射調用,不一樣系統版本的源碼多是不一致的,要作區分。省略部分代碼
//這裏,我找了一些不一樣版本,能夠豐富起來。
private void installDex(Context context, String filePath) {
if (Build.VERSION.SDK_INT <= Build.VERSION_CODES.JELLY_BEAN_MR2) {
installDexh4_3_And_Below(context, filePath);
} else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT && Build.VERSION.SDK_INT <= Build.VERSION_CODES.LOLLIPOP_MR1) {
installDexh4_4_TO_5_1(context, filePath);
} else if (Build.VERSION.SDK_INT > Build.VERSION_CODES.KITKAT) {
installDexAbove_6_0_And_Above(context, filePath);
}
}
}
/** * 執行插入,羞愧,都是別人的代碼。也就是咱們的a方案,下面還有簡單的b方案。 */
public static void installDexAbove_6_0_And_Above(Context context, String patch) {
//優化目錄必須是私有目錄,可自由訪問。
File cacheDir = context.getCacheDir();
//PathClassLoader
ClassLoader classLoader = context.getClassLoader();
try {
//先獲取pathList屬性
Field pathList = getField(classLoader, "pathList");
//經過屬性反射獲取屬性的對象 DexPathList
Object pathListObject = pathList.get(classLoader);
//經過 pathListObject 對象獲取 pathList類中的dexElements 屬性
//本來的dex element數組
Field dexElementsField = getField(pathListObject, "dexElements");
//經過dexElementsField 屬性獲取它存在的對象
Object[] dexElementsObject = (Object[]) dexElementsField.get(pathListObject);
List<File> files = new ArrayList<>();
File file = new File(patch);//補丁包
if (file.exists()) {
files.add(file);
}
//插樁所用到的類
// files.add(antiazyFile);
Method method = getMethod(pathListObject, "makeDexElements", List.class, File.class, List.class, ClassLoader.class);
final List<IOException> suppressedExceptionList = new ArrayList<IOException>();
//補丁的element數組
Object[] patchElement = (Object[]) method.invoke(null, files, cacheDir, suppressedExceptionList, classLoader);
//用於替換系統本來的element數組
Object[] newElement = (Object[]) Array.newInstance(dexElementsObject.getClass().getComponentType(),
dexElementsObject.length + patchElement.length);
//合併複製element
System.arraycopy(patchElement, 0, newElement, 0, patchElement.length);
System.arraycopy(dexElementsObject, 0, newElement, patchElement.length, dexElementsObject.length);
// 替換
dexElementsField.set(pathListObject, newElement);
} catch (Exception e) {
e.printStackTrace();
}
}
//b方案就簡單點,也好理解點。
public static void installDexAbove_6_0_And_Above(Context context, String patch) {
try {
ClassLoader classLoader = context.getClassLoader();
Object pathListObject = getField(classLoader, "pathList").get(classLoader);
//1.先記錄插入patch前 dexElements的長度
Field dexElementsField = getField(pathListObject, "dexElements");
int oldLength = ((Object[]) dexElementsField.get(pathListObject)).length;
//2.插入patch.dex
Method method = getMethod(classLoader, "addDexPath", String.class);
method.invoke(classLoader, patch);
//3.讀取插入patch後 dexElements的長度
Object[] newDexElements = (Object[]) dexElementsField.get(pathListObject);
int newLength = newDexElements.length;
//4.先後交換生成新的dexElements,
Object[] resultElements = (Object[]) Array.newInstance(newDexElements.getClass().getComponentType(),
newLength);
System.arraycopy(newDexElements, 0, resultElements, newLength - oldLength, oldLength);
System.arraycopy(newDexElements, oldLength, resultElements, 0, newLength - oldLength);
//5.從新反射替換dexElements
dexElementsField.set(pathListObject, resultElements);
} catch (Exception e) {
e.printStackTrace();
}
}
}
複製代碼
驗證
到此爲止,咱們的修復功能就實現了。我試了Android7都ok。
pre-verified問題
現象
上面的代碼,咱們試試跑在Android4.4及如下,結果報錯了。
java.lang.IllegalAccessError: Class ref in pre-verified class resolved to unexpected implementation at com.a.android_sample.MainActivity.onCreate(MainActivity.java:16) at android.app.Activity.perfromCreate(Activity.java:5266) at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1313) at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3733) at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3939) 複製代碼
出錯代碼
String str = M.a();
複製代碼
緣由分析
簡單來講
1.假如類A及其引用類都在同一個dex中,則類A會被提早驗證和優化,並被標記CLASS_ISPREVERIFIED
這裏,MainActivity就會被標記上。
2.當咱們調用M.a()時,須要加載類M,此時虛擬機會去校驗M和MainActivity是否屬於同一個dex。很明顯不在,這就報錯了。
不瞭解,Dalvik類加載機制,這個緣由是分析不出來的。咱們算是站在巨人的肩膀上,有跡可循,而不是小馬過河。
具體代碼拋錯處
Android4.4 dalvik/vm/oo/Resolve.cpp
//省略了部分代碼
ClassObject* dvmResolveClass(const ClassObject* referrer, u4 classIdx,
bool fromUnverifiedConstant){
DvmDex* pDvmDex = referrer->pDvmDex;
ClassObject* resClass;
const char* className;
//不用重複解析
resClass = dvmDexGetResolvedClass(pDvmDex, classIdx);
if (resClass != NULL) return resClass;
....
//這裏的resClass是 com.a.fix.M,
//referrer是com.a.
resClass = dvmFindClassNoInit(className, referrer->classLoader);
//....
if (resClass != NULL) {
/* * If the referrer was pre-verified, the resolved class must come * from the same DEX or from a bootstrap class. */
if (!fromUnverifiedConstant &&
IS_CLASS_FLAG_SET(referrer, CLASS_ISPREVERIFIED)) {
ClassObject* resClassCheck = resClass;
if (referrer->pDvmDex != resClassCheck->pDvmDex &&
resClassCheck->classLoader != NULL){
dvmThrowIllegalAccessError(
"Class ref in pre-verified class resolved to unexpected "
"implementation");
return NULL;
}
}
//存一下,
dvmDexSetResolvedClass(pDvmDex, classIdx, resClass);
}
.....
return resClass;
}
複製代碼
調用鏈路
M.a()
AndroidStudio安裝插件java2smali,看看MainActivity編譯後的產物。
MainActivity.smali 部分代碼
.class public Lcom/a/android_sample/MainActivity;
.source "MainActivity.java"
.method protected onCreate(Landroid/os/Bundle;)V .registers 4 #執行到這一行出錯了。 .line 16 invoke-static {}, Lcom/a/fix/M;->a()Ljava/lang/String;
.line 17
...
invoke-virtual {v1, v0}, Landroid/widget/TextView;->setText(Ljava/lang/CharSequence;)V
...
.end method
複製代碼
invoke-static
代碼在Android4.4源碼 dalvik/vm/mterp/out/InterpC-portable.cpp
GOTO_TARGET(invokeStatic, bool methodCallRange)
methodToCall = dvmDexGetResolvedMethod(methodClassDex, ref);
if (methodToCall == NULL) {
//還沒解析過,就去解析它
methodToCall = dvmResolveMethod(curMethod->clazz, ref, METHOD_STATIC);
}
GOTO_invokeMethod(methodCallRange, methodToCall, vsrc1, vdst);
GOTO_TARGET_END
複製代碼
dvmResolveMethod
Android4.4源碼 dalvik/vm/oo/Resolve.cpp
解析Method前,先解析其所在的class
/* * Find the method corresponding to "methodRef". * If this is a static method, we ensure that the method's class is * initialized. */
//省略了部分代碼
Method* dvmResolveMethod(const ClassObject* referrer, u4 methodIdx,
MethodType methodType){
ClassObject* resClass;
const DexMethodId* pMethodId;
pMethodId = dexGetMethodId(pDvmDex->pDexFile, methodIdx);
//這裏就開始調用到咱們上一節提到的具體代碼拋錯處了。
resClass = dvmResolveClass(referrer, pMethodId->classIdx, false);
if (resClass == NULL) {
/* can't find the class that the method is a part of */
assert(dvmCheckException(dvmThreadSelf()));
return NULL;
}
....
}
複製代碼
dex文件驗證優化
回頭在來看dex文件優化,咱們就放上調用
//libcore/dalvik/src/main/java/dalvik/system/BaseDexClassLoader.java
BaseDexClassLoader(dexPath,optimizedDirectory,libraryPath,parent)
//libcore/dalvik/src/main/java/dalvik/system/DexPathList.java
DexPathList.loadDexFile(file, optimizedDirectory);
//libcore/dalvik/src/main/java/dalvik/system/DexFile.java
DexFile.loadDex(file.getPath(), optimizedPath, 0);
//dalvik/vm/native/dalvik_system_DexFile.cpp
Dalvik_dalvik_system_DexFile_openDexFileNative(const u4* args, JValue* pResult)
//dalvik/vm/RawDexFile.cpp
dvmRawDexFileOpen(sourceName, outputName, &pRawDexFile, false)
//dalvik/vm/analysis/DexPrepare.cpp
dvmOptimizeDexFile(optFd, dexOffset, fileSize,fileName,....)
//建立進程 /system/bing/dexopt
//dalvik/dexopt/OptMain.cpp
int main(int argc, char* const argv[]) fromDex(int argc, char* const argv[]) dvmContinueOptimization(fd, offset, length...) //dalvik/vm/analysis/DexPrepare.cpp rewriteDex(addr, int len,doVerify,doOpt,..) verifyAndOptimizeClasses(pDvmDex->pDexFile, doVerify, doOpt) verifyAndOptimizeClass(pDexFile, clazz, pClassDef, doVerify, doOpt) dvmVerifyClass(clazz)//Set the "is preverified" flag in the DexClassDef 複製代碼
dvmVerifyClass
//dalvik/vm/analysis/DexPrepare.cpp
if (dvmVerifyClass(clazz)) {
/* Set the "is preverified" flag in the DexClassDef. */
((DexClassDef*)pClassDef)->accessFlags |= CLASS_ISPREVERIFIED;
verified = true;
}
//dalvik/vm/analysis/DexVerify.cpp
bool dvmVerifyClass(ClassObject* clazz) bool verifyMethod(method) bool dvmVerifyCodeFlow(VerifierData* vdata) //dalvik/vm/analysis/CodeVerify.cpp bool doCodeVerification() ... 複製代碼
參考
深刻理解Java虛擬機:JVM高級特性與最佳實踐(第3版)周志明.pdf
深刻理解Dalvik虛擬機
系統源碼(AOSP) github地址連接,下載你想要的。或者這個官網連接
安卓App熱補丁動態修復技術介紹
android熱修復的pre-verify問題詳解及實踐
05-DALVIK加載和解析DEX過程
pre-verified解決
方案分析
咱們在把代碼抄過來,發現有三個條件同時知足纔會報錯
//省略了部分代碼
ClassObject* dvmResolveClass(const ClassObject* referrer, u4 classIdx,
bool fromUnverifiedConstant){
resClass = dvmDexGetResolvedClass(pDvmDex, classIdx);
if (resClass != NULL) return resClass;
if (!fromUnverifiedConstant &&
IS_CLASS_FLAG_SET(referrer, CLASS_ISPREVERIFIED)) {
ClassObject* resClassCheck = resClass;
if (referrer->pDvmDex != resClassCheck->pDvmDex &&
resClassCheck->classLoader != NULL){
dvmThrowIllegalAccessError(
"Class ref in pre-verified class resolved to unexpected "
"implementation");
return NULL;
}
}
}
return resClass;
}
複製代碼
根據上述代碼,解決方案大體上有如下四種。
- 禁止dexopt過程打上CLASS_ISPREVERIFIED標記
Q-zone插樁方案突破了此限制,可是致使preverify失效,損失了性能。
- 修改fromUnverfiedConstant=true
須要經過 native hook 攔截系統方法,更改方法的入口參數,將 fromUnverifiedConstant 統一改成 true, 風險大,幾乎無人採用。Cydia native hook
- 使dvmDexGetResolvedClass返回不爲null,直接返回
QFix採用此方案,
- 補丁類與引用類放在同一個dex中
Tinker等全量合成方案突破了此限制。
Q-zone插樁方案
方案分析
經過字節碼技術,在每一個類的構造方法中插入一段引用 HackCode.class的代碼,使得MainActivity引用到hack.dex中的Hack.class,致使verify不經過。 此時方案分紅兩部分
- 單獨打包HackCode.class
- MainActivity引用HackCode.class。
package com.a.hack;
public class HackCode {}
複製代碼
實際代碼執行處。
//dalvik/vm/analysis/CodeVerify.cpp
case OP_CONST_CLASS:
//給它整失敗了,會把錯誤值給failure,後面判斷下失敗,就返回失敗了,就不標記了。
resClass = dvmOptResolveClass(meth->clazz, decInsn.vB, &failure);
////dalvik/vm/analysis/Optimize.cpp
/* * Performs access checks on every resolve, * and refuses to acknowledge the existence of classes * defined in more than one DEX file. * 不認可定義在多個dex中的類 */
ClassObject* dvmOptResolveClass(ClassObject* referrer, u4 classIdx, VerifyError* pFailure){
...
const char* className = dexStringByTypeIdx(pDvmDex->pDexFile, classIdx);
//referrer是全部引用類包括MainAcitivityClass,resClass的Hack.class
//referrer的dex中固然沒有Hack.class
resClass = dvmFindClassNoInit(className, referrer->classLoader);
if (resClass == NULL) {
*pFailure = VERIFY_ERROR_NO_CLASS;
...
}
...
}
複製代碼
引用hackCode.class
apk源碼不能包含HackCode.class,咱們經過字節碼插入引用。 編寫自定義Gradle插件,使用javassist字節碼技術 自定義Gradle插件參考 Gradle系列一 -- Groovy、Gradle和自定義Gradle插件 javassist參考 javassist使用全解析 關鍵代碼,有點長
class HackTransform extends Transform {
def pool = ClassPool.default
def project
....
@Override
void transform(TransformInvocation transformInvocation) throws javax.xml.crypto.dsig.TransformException, InterruptedException, IOException {
super.transform(transformInvocation)
project.android.bootClasspath.each {
pool.appendClassPath(it.absolutePath)
}
//這一行要注意,不然編譯不經過哦
pool.makeClass("com.a.hack.HackCode")
transformInvocation.inputs.each {
it.jarInputs.each {
pool.insertClassPath(it.file.absolutePath)
// 重命名輸出文件(同目錄copyFile會衝突)
def jarName = it.name
def md5Name = DigestUtils.md5Hex(it.file.getAbsolutePath())
if (jarName.endsWith(".jar")) {
jarName = jarName.substring(0, jarName.length() - 4)
}
def dest = transformInvocation.outputProvider.getContentLocation(
jarName + md5Name, it.contentTypes, it.scopes, Format.JAR)
org.apache.commons.io.FileUtils.copyFile(it.file, dest)
}
it.directoryInputs.each {
def inputDir = it.file.absolutePath
pool.insertClassPath(inputDir)
findTarget(it.file, inputDir)
def dest = transformInvocation.outputProvider.getContentLocation(
it.name, it.contentTypes, it.scopes, Format.DIRECTORY)
org.apache.commons.io.FileUtils.copyDirectory(it.file, dest)
}
}
}
private void findTarget(File fileOrDir, String inputDir) {
if (fileOrDir.isDirectory()) {
fileOrDir.listFiles().each {
findTarget(it, inputDir)
}
} else {
modify(fileOrDir, inputDir)
}
}
private void modify(File file, String fileName) {
def filePath = file.absolutePath
if (!filePath.endsWith(SdkConstants.DOT_CLASS)
||filePath.contains('R$')
|| filePath.contains('R.class')
|| filePath.contains("BuildConfig.class")) {
return
}
def className = filePath.replace(fileName, "")
.replace("\\", ".").replace("/", ".")
def name = className.replace(SdkConstants.DOT_CLASS, "").substring(1)
CtClass ctClass = pool.get(name)
//咱們的自定義的Application是初始類,加載完dex之後的類,才能插入Hakcode引用。
if (ctClass.getSuperclass() != null
&& ctClass.getSuperclass().name == "android.app.Application") {
return
}
//真正執行插入字節碼的地方
ctClass.defrost()
CtConstructor[] constructors = ctClass.getDeclaredConstructors()
if (constructors != null && constructors.length > 0) {
CtConstructor constructor = constructors[0]
def body = "android.util.Log.e(\"alvin\",\"${constructor.name} constructor\" + com.a.hack.HackCode.class);"
constructor.insertBefore(body)
}
ctClass.writeFile(fileName)
ctClass.detach()
}
}
複製代碼
生成hack.dex
參考patch.dex的生成方式。 編寫app/main/java/com/a/hack/HackCode.java,單獨編譯成dex,生成後,能夠刪掉此java文件。
package com.a.hack;
public class HackCode {}
複製代碼
//來到java源碼目錄下,
cd app/main/java
//.class文件
javac com/a/hack/HackCode.java
//生成hack.dex
dx --dex --output com/a/hack/hack.dex com/a/hack/HackCode.class
複製代碼
加載hack.dex
參考patch.dex的方式。
驗證
android4.4上驗證成功
Cydia NativeHook
須要經過 native hook 攔截系統方法,更改方法的入口參數,將 fromUnverifiedConstant 統一改成 true,
這裏咱們採用Cydia Substrate,hook dvmResolveClass方法,步驟以下 Demo代碼:hook具體實現與動態庫下載,注意方案只在Android4.4上驗證可行。
實現步驟
cydia so庫和頭文件
這裏能夠下載。 so庫放到一個本身的目錄底下 好比
<moduleName>/src/main/jniLibs/armeabi-v7a/libsubstrate.so
<moduleName>/src/main/jniLibs/armeabi-v7a/libsubstrate-dvm.so
複製代碼
導入頭文件
<moduleName>/src/main/cpp/include/substrate.h
複製代碼
hook代碼實現
//<moduleName>/src/main/cpp/cydia-hook.cpp
#include "include/substrate.h"
#include <android/log.h>
#define TAG "alvin"
#define LOGE(...) __android_log_print(ANDROID_LOG_ERROR, TAG, __VA_ARGS__) //舊函數指針,指向舊函數 void *(*oldDvmResolveClass)(void *referrer, unsigned int classIdx, bool fromUnverifiedConstant);
//新函數實現
void *newDvmResolveClass(void *referrer, unsigned int classIdx, bool fromUnverifiedConstant) {
//這裏,fromUnverifiedConstant 強制爲true,就不會去check dex是否相等了。
return oldDvmResolveClass(referrer, classIdx, true);
}
//指明要hook的lib,涉及到dvmResolveClass的so
MSConfig(MSFilterLibrary, "/system/lib/libdvm.so")
//指明要hook的應用
MSConfig(MSFilterExecutable, "com.a.dexload.cydia")
MSInitialize {
MSImageRef image = MSGetImageByName("/system/lib/libdvm.so");
if (image == NULL) {
return;
}
void *resloveMethd = MSFindSymbol(image, "dvmResolveClass");
if (resloveMethd == NULL) {
return;
}
//具體的Hook實現
MSHookFunction(resloveMethd, (void *) newDvmResolveClass, (void **) &oldDvmResolveClass);
}
複製代碼
CMakeLists.txt
生成libcydiahook.so
cmake_minimum_required(VERSION 3.10.2)
add_library(cydiahook SHARED src/main/cpp/cydia-hook.cpp)
target_include_directories(cydiahook PRIVATE ${CMAKE_SOURCE_DIR}/src/main/cpp/include)
find_library(log-lib log)
file(GLOB libs ${CMAKE_SOURCE_DIR}/src/main/jniLibs/armeabi-v7a/libsubstrate.so ${CMAKE_SOURCE_DIR}/src/main/jniLibs/armeabi-v7a/libsubstrate-dvm.so)
target_link_libraries( cydiahook ${libs} ${log-lib})
複製代碼
libcydiahook.so加載
public class ApplicationApp extends Application {
static {
System.loadLibrary("cydiahook");
}
}
複製代碼
其餘
ClassObject屬性
如同Andfix,咱們能夠引入DexFile.h頭文件,能夠把參數和結果轉成實際的class對象,查看class的一些屬性
//新函數實現
void *newDvmResolveClass(void *referrer, unsigned int classIdx, bool fromUnverifiedConstant) {
void *res = oldDvmResolveClass(referrer, classIdx, true);
ClassObject *referrerClass = reinterpret_cast<ClassObject *>(referrer);
ClassObject *resClass = reinterpret_cast<ClassObject *>(res);
if (resClass == NULL) {
LOGE("newDvmResolveClass %s, %s", referrerClass->descriptor,
"resClass is NULL");
} else {
LOGE("newDvmResolveClass %s, %s", referrerClass->descriptor,
resClass->descriptor);
}
return res;
}
複製代碼
風險
和 Andfix 相似,native hook 方式存在各類兼容性和穩定性問題,甚至安全性問題。同時,攔截的是一個涉及 dalvik 基礎功能同時調用很頻繁的方法,無疑風險會大不少。
QFix方案實現
原理可參考這篇文章QFix探索之路—手Q熱補丁輕量級方案
方案
回到這張圖,從dvmResolveClass方法入手,提早解析patch類。 一開始想到的方案是提早使用"const-class" 或者 "instance-of"指令建立類,fromUnverifiedConstant = true,繞過dex檢測。實際也成功了。但有兩個問題:
- 怎麼提早知道哪些補丁類?
- 或者乾脆引用全部類?性能問題?如何實現?
public class ApplicationApp extends Application {
@Override
protected void attachBaseContext(Context base) {
super.attachBaseContext(base);
DexInstaller.installDex(base, this.getExternalCacheDir().getAbsolutePath() + "/patch.dex");
//會執行 const-class 指令
Log.d("alvin", "bug class:" + com.a.fix.M.class);
}
複製代碼
QFix放棄了此直接load patch class的方案。通過分析,
- 補丁包中的class數量是有限的。
- apk中dex文件的數量也是有限的。
獲得以下方案:
- 構建apk時,dex預先埋入空白類,同時獲得每一個dex與空白類的關聯文件。
- 構建補丁包,映射關聯即bug dex的空白類與補丁類在原dex中的 classIdx。
- -----------運行app,加載補丁包-------------
- 使用java方法,調用classLoader.loadClass(空白類name)
- 使用jni方法,調用 dvmFindLoadedClass(空白類descriptor)
- 使用jni方法,調用dvmResolveClass(referrer:空白類,classIdx,fromUnverifiedConstant:true)
至於怎麼找到這個方法的,固然就是源碼裏面遊蕩了。
實操
所有實現代碼都在github中
空白類注入到Dex
自定義gradle插件,使用smali操做dexfile,注入class。
1.buildSrc/build.gradle加入依賴
//buildSrc/build.gradle
dependencies {
...
compile group: 'org.smali', name: 'dexlib2', version: '2.2.4'
...
}
複製代碼
2.plugin代碼
class QFixPlugin implements Plugin<Project> {
void apply(Project project1) {
project1.afterEvaluate { project ->
project.tasks.mergeDexDebug {
doLast {
println 'QFixPlugin inject Class after mergeDexDebug'
project.tasks.mergeDexDebug.getOutputs().getFiles().each { dir ->
println "outputs: " + dir
if (dir != null && dir.exists()) {
def files = dir.listFiles()
files.each { file ->
String dexfilepath = file.getAbsolutePath()
println "Outputs Dex file's path: " + dexfilepath
InjectClassHelper.injectHackClass(dexfilepath)
}
}
}
}
}
}
}
}
複製代碼
InjectClassHelper.java
public class InjectClassHelper {
public static void injectHackClass(String dexPath) {
try {
File file = new File(dexPath);
String fileName = file.getName();
String indexStr = fileName.split("\\.")[0].replace("classes", "");
System.out.println(" =============indexStr:"+indexStr);
String className = "com.a.Hack"+ indexStr;
String classType = "Lcom/a/Hack" + indexStr + ";";
DexBackedDexFile dexFile = DexFileFactory.loadDexFile(dexPath, Opcodes.getDefault());
ImmutableDexFile immutableDexFile = ImmutableDexFile.of(dexFile);
Set<ClassDef> classDefs = new HashSet<>();
for (ImmutableClassDef classDef : immutableDexFile.getClasses()) {
classDefs.add(classDef);
}
ImmutableClassDef immutableClassDef = new ImmutableClassDef(
classType,
AccessFlags.PUBLIC.getValue(),
"Ljava/lang/Object;",
null, null, null, null, null);
classDefs.add(immutableClassDef);
String resultPath = dexPath;
File resultFile = new File(resultPath);
if (resultFile != null && resultFile.exists()) resultFile.delete();
DexFileFactory.writeDexFile(resultPath, new DexFile() {
@Override
public Set<ClassDef> getClasses() {
return new HashSet<>(classDefs);
}
@Override
public Opcodes getOpcodes() {
return dexFile.getOpcodes();
}
});
System.out.println("Outputs injectHackClass: " + file.getName() + ":" + className);
} catch (Exception e) {
e.printStackTrace();
}
}
}
複製代碼
Mapping
Outputs Dex file's path: /Users/mawenqiang/Documents/demo_project/hotfix_dexload/dexload_QFix/build/intermediates/dex/debug/out/classes2.dex Outputs injectHackClass: classes2.dex:com.a.Hack2 Outputs Dex file's path: /Users/mawenqiang/Documents/demo_project/hotfix_dexload/dexload_QFix/build/intermediates/dex/debug/out/classes.dex
Outputs injectHackClass: classes.dex:com.a.Hack
複製代碼
執行指令 dexdump
#dexdump -h classes2.dex > classes2.dump
Class #1697 header:
class_idx : 2277 #class_idx
......
Class descriptor : 'Lcom/a/fix/M;'
......
複製代碼
咱們能夠獲得mapping.txt
classes2.dex:com.a.Hack2:com.a.fix.M:2277
複製代碼
導入patch.dex和mapping.text
load patch.dex
patch.dex的生成和加載不變,參看本文上方。
resolve 補丁M.class
一樣在ApplicationApp.attachBaseContext()中執行,在load patch以後執行。 代碼文件 ApplicationApp.java
- 解析Mapping.txt,獲得hackClassName,patchClassIdx
- classLoader.loadClass(com.a.Hack2)
- nativeResolveClass(hackClassDescriptor, patchClassIdx)
public static void resolvePatchClasses(Context context) {
try {
BufferedReader br = new BufferedReader(new FileReader(context.getExternalCacheDir().getAbsolutePath() + "/classIdx.txt"));
String line = "";
while (!TextUtils.isEmpty(line = br.readLine())) {
String[] ss = line.split(":");
//classes2.dex:com.a.Hack2:com.a.fix.M:2277
if (ss != null && ss.length == 4) {
String hackClassName = ss[1];
long patchClassIdx = Long.parseLong(ss[3]);
Log.d("alvin", "readLine:" + line);
String hackClassDescriptor = "L" + hackClassName.replace('.', '/') + ";";
Log.d("alvin", "classNameToDescriptor: " + hackClassName + " --> " + hackClassDescriptor);
ResolveTool.loadClass(context, hackClassName);
ResolveTool.nativeResolveClass(hackClassDescriptor, patchClassIdx);
}
}
br.close();
} catch (Exception e) {
e.printStackTrace();
}
}
/** * * "descriptor" should have the form "Ljava/lang/Class;" or * * "[Ljava/lang/Class;", i.e. a descriptor and not an internal-form * * class name. * * @param referrerDescriptor * @param classIdx * @return */
public static native boolean nativeResolveClass(String referrerDescriptor, long classIdx);
public static void loadClass(Context context, String className) {
try {
Log.d("alvin", context.getClassLoader().loadClass(className).getSimpleName());
} catch (Exception e) {
e.printStackTrace();
Log.d("alvin", e.getMessage());
}
}
複製代碼
nativeResolveClass 就是正常的jni方法,代碼實際也是簡單的。
#include <jni.h>
#include <android/log.h>
#include <dlfcn.h>
#define LOG_TAG "alvin"
#define LOGE(...) __android_log_print(ANDROID_LOG_ERROR,LOG_TAG,__VA_ARGS__)
//方法指針
void *(*dvmFindLoadedClass)(const char *);
//方法指針
void *(*dvmResolveClass)(const void *, unsigned int, bool);
extern "C" jboolean Java_com_a_dexload_qfix_ResolveTool_nativeResolveClass(JNIEnv *env, jclass thiz, jstring referrerDescriptor, jlong classIdx) {
LOGE("enter nativeResolveClass");
void *handle = 0;
handle = dlopen("/system/lib/libdvm.so", RTLD_LAZY);
if (!handle) LOGE("dlopen libdvm.so fail");
if (!handle) return false;
const char *loadClassSymbols[3] = {
"_Z18dvmFindLoadedClassPKc", "_Z18kvmFindLoadedClassPKc", "dvmFindLoadedClass"};
for (int i = 0; i < 3; i++) {
dvmFindLoadedClass = reinterpret_cast<void *(*)(const char *)>(
dlsym(handle, loadClassSymbols[i]));
if (dvmFindLoadedClass) {
LOGE("dlsym dvmFindLoadedClass success %s", loadClassSymbols[i]);
break;
}
}
const char *resolveClassSymbols[2] = {"dvmResolveClass", "vResolveClass"};
for (int i = 0; i < 2; i++) {
dvmResolveClass = reinterpret_cast<void *(*)(const void *, unsigned int, bool)>(
dlsym(handle, resolveClassSymbols[i]));
if (dvmResolveClass) {
LOGE("dlsym dvmResolveClass success %s", resolveClassSymbols[i]);
break;
}
}
if (!dvmFindLoadedClass) LOGE("dlsym dvmFindLoadedClass fail");
if (!dvmResolveClass) LOGE("dlsym dvmResolveClass fail");
if (!dvmFindLoadedClass || !dvmResolveClass) return false;
const char *descriptorChars = (*env).GetStringUTFChars(referrerDescriptor, 0);
//referrerClassObj 即爲 com.a.Hack2
void *referrerClassObj = dvmFindLoadedClass(descriptorChars);
dvmResolveClass(referrerClassObj, classIdx, true);
return true;
}
複製代碼
到此,代碼就所有實現了。
相關文章
- 1. Android熱修復技術(三)-----代碼修復之冷啓動類加載原理
- 2. Android熱修復之dex修復原理
- 3. Android 類加載機制及熱修復原理
- 4. 一篇文章搞懂熱修復類加載方案原理
- 5. Tinker熱修復原理實現
- 6. Android熱修復原理及實現
- 7. 冷啓動和熱啓動
- 8. 熱修復原理
- 9. 熱修復設計之熱修復原理(三)
- 10. Android熱修復升級探索——代碼修復冷啓動方案
- 更多相關文章...
- • ionic 加載動作 - ionic 教程
- • ionic 加載動畫 - ionic 教程
- • Java Agent入門實戰(三)-JVM Attach原理與使用
- • Spring Cloud 微服務實戰(三) - 服務註冊與發現
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章