Android插件化架構 攔截Activity的啓動流程繞過AndroidManifest檢測

1. 概述

---

  瞭解了Java的動態代理設計模式以後，配合上一期的文章Android插件化架構 - Activity的啓動流程分析，那麼接下來就須要親自操刀去攔截Activity的啓動流程了。前面好事沒少幹，那麼如今就來乾乾壞事，到底怎樣才能讓沒有註冊的Activity啓動不報錯呢？答案就是Hook下鉤子。   

2. Hook啓動流程

---

  怎麼樣去找Hook點是個問題，把鉤子下在哪裏呢？通常的套路確定最好是靜態，而後是接口，配合反射注入就能夠了。Activity啓動流程的源碼我就再也不貼了，若是不瞭解請移步這裏Android插件化架構 - Activity的啓動流程分析，我這裏直接下鉤子。

/**
     * hook start activity
     */
    public void hookStartActivity() throws Exception{
        // 先獲取ActivityManagerNative中的gDefault
        Class<?> amnClazz = Class.forName("android.app.ActivityManagerNative");
        Field defaultField = amnClazz.getDeclaredField("gDefault");
        defaultField.setAccessible(true);
        Object gDefaultObj = defaultField.get(null);

        // 獲取Singleton裏面的mInstance
        Class<?> singletonClazz = Class.forName("android.util.Singleton");
        Field amsField = singletonClazz.getDeclaredField("mInstance");
        amsField.setAccessible(true);
        Object amsObj = amsField.get(gDefaultObj);

        // 動態代理Hook下鉤子
        amsObj = Proxy.newProxyInstance(mContext.getClass().getClassLoader(),
                amsObj.getClass().getInterfaces(),
                new StartActivityInvocationHandler(amsObj));
        // 注入
        amsField.set(gDefaultObj,amsObj);
    }

    /**
     * Start Activity Invocation Handler
     */
    private class StartActivityInvocationHandler implements InvocationHandler{
        private Object mAmsObj;
        public StartActivityInvocationHandler(Object amsObj){
            this.mAmsObj = amsObj;
        }
        @Override
        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
            // 攔截到全部ActivityManagerService的方法
            Log.e("TAG","methodName"+method.getName());
            return method.invoke(mAmsObj,args);
        }
    }
複製代碼

3. 借屍還魂

---

  上面咱們已經攔截到了Activity的啓動了，也可以看到startActivity方法的打印。可是若是不作任何處理仍是會蹦，那麼咱們須要有一個Activity預先在AndroidMnifest.xml中註冊一下，它是不怕太陽的，經過它能夠作到借屍還魂。

/**
     * Start Activity Invocation Handler
     */
    private class StartActivityInvocationHandler implements InvocationHandler{
        private Object mAmsObj;
        public StartActivityInvocationHandler(Object amsObj){
            this.mAmsObj = amsObj;
        }
        @Override
        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
            // 攔截到全部ActivityManagerService的方法
            Log.e("TAG","methodName"+method.getName());
            if(method.getName().equals("startActivity")){
                // 啓動Activity的方法,找到原來的Intent
                Intent realIntent = (Intent) args[2];
                // 代理的Intent
                Intent proxyIntent = new Intent();
                proxyIntent.setComponent(new ComponentName(mContext,mProxyActivity));
                // 把原來的Intent綁在代理Intent上面
                proxyIntent.putExtra("realIntent",realIntent);
                // 讓proxyIntent去曬太陽，借屍
                args[2] = proxyIntent;
            }
            return method.invoke(mAmsObj,args);
        }
    }
複製代碼

還魂

/**
     * hook Launch Activity
     */
    public void hookLaunchActivity() throws Exception{
        // 獲取ActivityThread
        Class<?> activityThreadClazz = Class.forName("android.app.ActivityThread");
        Field sCurrentActivityThreadField = activityThreadClazz.getDeclaredField("sCurrentActivityThread");
        sCurrentActivityThreadField.setAccessible(true);
        Object sCurrentActivityThreadObj = sCurrentActivityThreadField.get(null);
        // 獲取Handler mH
        Field mHField = activityThreadClazz.getDeclaredField("mH");
        mHField.setAccessible(true);
        Handler mH = (Handler) mHField.get(sCurrentActivityThreadObj);
        // 設置Callback
        Field callBackField = Handler.class.getDeclaredField("mCallback");
        callBackField.setAccessible(true);
        callBackField.set(mH, new ActivityThreadHandlerCallBack());
    }

    class ActivityThreadHandlerCallBack implements Handler.Callback {

        @Override
        public boolean handleMessage(Message msg) {
            if (msg.what == LAUNCH_ACTIVITY) {
                handleLaunchActivity(msg);
            }
            return false;
        }
    }
    // 還魂
    private void handleLaunchActivity(Message msg) {
        // final ActivityClientRecord r = (ActivityClientRecord) msg.obj;
        try {
            Object obj = msg.obj;
            Field intentField = obj.getClass().getDeclaredField("intent");
            intentField.setAccessible(true);
            Intent proxyIntent = (Intent) intentField.get(obj);
            // 代理意圖
            Intent originIntent = proxyIntent.getParcelableExtra(EXTRA_ORIGIN_INTENT);
            if (originIntent != null) {
                // 替換意圖
                intentField.set(obj, originIntent);
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
複製代碼

4. 兼容AppCompatActivity

---

  繼承自Activity是百試百靈，不再須要在AndroidMnifest中註冊了，可是發現繼承AppCompatActivity仍是會報錯，我都不記得當時是怎麼解決這個問題的，反正搞了好幾天，我選擇遺忘那段操蛋的時光。

// 兼容AppCompatActivity報錯問題
    Class<?> forName = Class.forName("android.app.ActivityThread");
    Field field = forName.getDeclaredField("sCurrentActivityThread");
    field.setAccessible(true);
    Object activityThread = field.get(null);
    Method getPackageManager = activityThread.getClass().getDeclaredMethod("getPackageManager");
    Object iPackageManager = getPackageManager.invoke(activityThread);

    PackageManagerHandler handler = new PackageManagerHandler(iPackageManager);
    Class<?> iPackageManagerIntercept = Class.forName("android.content.pm.IPackageManager");
    Object proxy = newProxyInstance(Thread.currentThread().getContextClassLoader(),
        new Class<?>[]{iPackageManagerIntercept}, handler);

    // 獲取 sPackageManager 屬性
    Field iPackageManagerField = activityThread.getClass().getDeclaredField("sPackageManager");
    iPackageManagerField.setAccessible(true);
    iPackageManagerField.set(activityThread, proxy);
複製代碼

  總算走出了插件化架構的一小步，過程對於通常人來說仍是有點痛苦的，可是結果帶來那種成就感仍是值得的，後面咱們解決一下資源和佈局的加載問題，而後介紹一下360開源的插件化框架DroidPlugin，分析一下它的源碼就直接拿過用吧。

全部分享大綱：2017Android進階之路與你同行

視頻講解地址：http://pan.baidu.com/s/1o8bPZ9C