目錄:
- 1. 運行 VirtualAPP,查看行程
- 2. VirtualAPP 分成四種型別的行程
- 3. 關於 Stub
- 4. 關於 ServiceManager
1. 運行 VirtualAPP,查看行程
adb shell;
top;
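在 VirtualAPP 中打開百度 App,可以看到如下輸出。留意 USER 欄:百度的行程(com.baidu.searchbox:*)與宿主 com.docker 同樣顯示為 u0_a1809,也就是被虛擬化的 App 是以宿主的 UID 運行,而不是擁有自己的 UID: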
PID USER PR NI VIRT RES SHR S[%CPU] %MEM TIME+ ARGS
2498 u0_a1809 20 0 1.3G 79M 61M S 0.0 1.4 0:00.48 com.docker:x
2443 u0_a1809 10 -10 1.3G 120M 87M S 0.0 2.1 0:01.19 com.docker
6155 u0_a2009 20 0 1.3G 97M 51M S 8.0 1.7 0:02.66 com.docker:p1
922 system -2 0 343M 18M 12M S 35.6 0.3 92:29.87 surfaceflinger
1214 system 10 -10 8.4G 323M 323M S 1.0 5.7 44:46.97 system_server
5043 u0_a1809 20 0 1.5G 290M 80M S 0.3 5.1 0:09.86 com.baidu.searchbox:loki
5007 u0_a1809 20 0 1.5G 288M 77M S 0.0 5.1 0:08.45 com.baidu.searchbox:titanSandbox
2. VirtualAPP 分成四種型別的行程
/**
 * Excerpt of {@code DockerCore} showing only the process classification used by the
 * framework. The rest of the class is not part of this listing.
 */
public class DockerCore {

    /**
     * The four kinds of process the framework distinguishes.
     *
     * <p>Declaration order is kept as in the original so that ordinals are unchanged.
     */
    private enum ProcessType {
        /** The server process. */
        Server,

        /** A process that hosts a virtual app. */
        VAppClient,

        /** The main process. */
        Main,

        /** A child process. */
        CHILD
    }
}

3. 關於 Stub

package com.android.dockercore.client.hook.proxies.am;
/**
 * In-process hook for the activity-manager interface.
 *
 * <p>The constructor wraps the process's current activity-manager object in a
 * {@code MethodInvocationStub}; {@link #inject()} then swaps the resulting proxy into the
 * framework's cached reference and into the mirrored {@code ServiceManager.sCache};
 * {@link #onBindMethods()} registers the per-method overrides.
 *
 * <p>Everything here rewrites state inside the current process only; nothing in this listing
 * touches the system server itself.
 */
// presumably pulls in the proxies declared in MethodProxies; the annotation processor is not shown
@Inject(MethodProxies.class)
public class ActivityManagerStub extends MethodInvocationProxy<MethodInvocationStub<IInterface>> {
    public ActivityManagerStub() {
        // Calls the ActivityManagerNative mirror class, which uses reflection to obtain the
        // ActivityManagerProxy object (of type IActivityManager), and wraps it in the stub.
        super(new MethodInvocationStub<>(ActivityManagerNative.getDefault.call()));
    }

    /**
     * Replaces the process's cached activity-manager reference with the proxy interface and
     * registers a binder stub under {@code Context.ACTIVITY_SERVICE} in the service cache.
     *
     * @throws Throwable declared by the overridden method; the reflective mirror calls below
     *     are the likely source, but their failure modes are not shown here
     */
    @Override
    public void inject() throws Throwable {
        if (BuildCompat.isOreo()) {
            // Oreo path: the reference lives in IActivityManagerSingleton, so its mInstance
            // slot is overwritten with the proxy.
            Object singleton = ActivityManagerOreo.IActivityManagerSingleton.get();
            Singleton.mInstance.set(singleton, getInvocationStub().getProxyInterface());
        } else {
            // Pre-Oreo path: gDefault is either the IActivityManager itself or a Singleton
            // wrapping it. If its type matches neither, nothing is replaced.
            if (ActivityManagerNative.gDefault.type() == IActivityManager.TYPE) {
                ActivityManagerNative.gDefault.set(getInvocationStub().getProxyInterface());
            } else if (ActivityManagerNative.gDefault.type() == Singleton.TYPE) {
                Object gDefault = ActivityManagerNative.gDefault.get();
                Singleton.mInstance.set(gDefault, getInvocationStub().getProxyInterface());
            }
        }
        // Build an IBinder stub around the original interface
        // (ActivityManagerProxy.getBaseInterface, of type IInterface) and give it the same
        // method proxies as the invocation stub.
        BinderInvocationStub hookAMBinder = new BinderInvocationStub(getInvocationStub().getBaseInterface());
        hookAMBinder.copyMethodProxies(getInvocationStub());
        // Put the stub into the mirrored ServiceManager cache. android.os.ServiceManager
        // returns a cached entry before asking the real service manager, so later in-process
        // lookups of ACTIVITY_SERVICE presumably receive this stub instead of the real binder.
        ServiceManager.sCache.get().put(Context.ACTIVITY_SERVICE, hookAMBinder);
    }

    /**
     * Registers the activity-manager method overrides. The overrides in this listing are
     * added only when the current process is a virtual-app process.
     */
    @Override
    protected void onBindMethods() {
        super.onBindMethods();
        // Only when running as a process that hosts a virtual app: hook AMS-related methods.
        if (DockerCore.get().isVAppProcess()) {
            // Pass-through: the original method is invoked with unchanged arguments.
            addMethodProxy(new StaticMethodProxy("navigateUpTo") {
                @Override
                public Object call(Object who, Method method, Object... args) throws Throwable {
                    return method.invoke(who, args);
                }
            });
            // presumably rewrites the trailing uid argument before the call; class not shown
            addMethodProxy(new ReplaceLastUidMethodProxy("checkPermissionWithToken"));
            // defined elsewhere (not in this listing)
            addMethodProxy(new isUserRunning());
            // presumably answers with the fixed value 0 without calling through; class not shown
            addMethodProxy(new ResultStaticMethodProxy("updateConfiguration", 0));
            // presumably substitutes the calling package name; class not shown
            addMethodProxy(new ReplaceCallingPkgMethodProxy("setAppLockedVerifying"));
            // NOTE(review): the real result is discarded and PERMISSION_GRANTED is returned
            // unconditionally, so code in the virtual-app process is always told the URI
            // permission is held. This changes only the answer seen in-process and must not
            // be read as an authorization decision; whether the system still enforces the
            // grant when the provider is actually opened is not shown in this listing.
            addMethodProxy(new StaticMethodProxy("checkUriPermission") {
                @Override
                public Object afterCall(Object who, Method method, Object[] args, Object result) throws Throwable {
                    return PackageManager.PERMISSION_GRANTED;
                }
            });
            // Returns a task list built by the framework rather than the system's answer.
            addMethodProxy(new StaticMethodProxy("getRecentTasks") {
                @Override
                public Object call(Object who, Method method, Object... args) throws Throwable {
                    // ... (body elided in the article; _infos is built in the omitted code)
                    return _infos;
                }
            });
            // Same pattern as getRecentTasks, for the running-task list.
            addMethodProxy(new StaticMethodProxy("getRunningTasks") {
                @Override
                public Object call(Object who, Method method, Object... args) throws Throwable {
                    // ... (body elided in the article; _infos is built in the omitted code)
                    return _infos;
                }
            });
        }
    }
    // ... (remaining members elided in the article)
}
4. 關於 ServiceManager

VirtualAPP 鏡像類 ServiceManager:
package mirror.android.os;
import android.os.IBinder;
import android.os.IInterface;
import java.util.Map;
import mirror.RefClass;
import mirror.MethodParams;
import mirror.RefStaticObject;
import mirror.RefStaticMethod;
/**
 * Mirror of the hidden framework class {@code android.os.ServiceManager}.
 *
 * <p>Each static field is named after a member of the real class and is presumably bound to
 * it by {@code RefClass.load} through reflection (the loader is not shown here), so field
 * names and declared types must stay as they are.
 *
 * <p>NOTE(review): the target class is marked {@code @hide} and {@code sCache} is a private
 * field, so this is a non-SDK interface; availability across Android releases should be
 * confirmed per target API level.
 */
public class ServiceManager {
    // Maps to the real Java-layer android.os.ServiceManager, which internally calls through
    // binder into the framework (the C++ ServiceManager).
    public static Class<?> TYPE = RefClass.load(ServiceManager.class, "android.os.ServiceManager");
    // Parameter types select the two-argument overload addService(String, IBinder).
    @MethodParams({String.class, IBinder.class})
    public static RefStaticMethod<Void> addService;
    public static RefStaticMethod<IBinder> checkService;
    public static RefStaticMethod<IInterface> getIServiceManager;
    public static RefStaticMethod<IBinder> getService;
    public static RefStaticMethod<String[]> listServices;
    // Handle on the real class's private static name-to-binder cache; callers reach the map
    // with sCache.get() and can add or replace entries for the current process.
    public static RefStaticObject<Map<String, IBinder>> sCache;
}
看看 android.os.ServiceManager 的實作:
/*
* Copyright (C) 2007 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.os;
import com.android.internal.os.BinderInternal;
import android.util.Log;
import java.util.HashMap;
import java.util.Map;
/**
 * Process-local entry point for registering system services and looking them up by name.
 *
 * <p>{@link #getService} and {@link #checkService} consult the static {@code sCache} map
 * first and go to the remote service manager only on a miss. Whatever object sits in the map
 * under a name is therefore what in-process callers receive; this class performs no check on
 * how an entry got there.
 *
 * @hide
 */
public final class ServiceManager {
    private static final String TAG = "ServiceManager";

    // Lazily created handle on the remote service manager; see getIServiceManager().
    private static IServiceManager sServiceManager;

    // Name-to-binder cache checked before any binder round trip.
    private static HashMap<String, IBinder> sCache = new HashMap<String, IBinder>();

    /**
     * Returns the shared remote service-manager interface, creating it on first use.
     *
     * <p>The instance is built from {@code BinderInternal.getContextObject()}; per the
     * article this is effectively a ServiceManagerProxy wrapping a BinderProxy.
     */
    private static IServiceManager getIServiceManager() {
        if (sServiceManager == null) {
            sServiceManager = ServiceManagerNative.asInterface(BinderInternal.getContextObject());
        }
        return sServiceManager;
    }

    /**
     * Looks up a service by name, preferring the local cache over a binder query.
     *
     * @param name the service name
     * @return the cached binder if present, otherwise the remote service manager's answer;
     *     {@code null} if the remote call fails with a {@code RemoteException}
     */
    public static IBinder getService(String name) {
        try {
            final IBinder cached = sCache.get(name);
            return cached != null ? cached : getIServiceManager().getService(name);
        } catch (RemoteException e) {
            Log.e(TAG, "error in getService", e);
            return null;
        }
    }

    /**
     * Registers a service with the remote service manager, with {@code allowIsolated} set to
     * {@code false}.
     *
     * @param name the service name
     * @param service the binder to register
     */
    public static void addService(String name, IBinder service) {
        // Same remote call and the same log message as the three-argument overload.
        addService(name, service, false);
    }

    /**
     * Registers a service with the remote service manager. A {@code RemoteException} is
     * logged and not propagated.
     *
     * @param name the service name
     * @param service the binder to register
     * @param allowIsolated passed through unchanged to the remote service manager
     */
    public static void addService(String name, IBinder service, boolean allowIsolated) {
        try {
            getIServiceManager().addService(name, service, allowIsolated);
        } catch (RemoteException e) {
            Log.e(TAG, "error in addService", e);
        }
    }

    /**
     * Like {@link #getService}, but asks the remote side through {@code checkService} on a
     * cache miss.
     *
     * @param name the service name
     * @return the cached or remote binder, or {@code null} if the remote call fails
     */
    public static IBinder checkService(String name) {
        IBinder binder = null;
        try {
            binder = sCache.get(name);
            if (binder == null) {
                binder = getIServiceManager().checkService(name);
            }
        } catch (RemoteException e) {
            // The remote call is only made when the cache missed, so binder is still null.
            Log.e(TAG, "error in checkService", e);
        }
        return binder;
    }

    /**
     * Returns the names reported by the remote service manager; the local cache is not
     * consulted.
     *
     * @return the service names, or {@code null} if the remote call fails
     */
    public static String[] listServices() {
        String[] names = null;
        try {
            names = getIServiceManager().listServices();
        } catch (RemoteException e) {
            Log.e(TAG, "error in listServices", e);
        }
        return names;
    }

    /**
     * Seeds the local cache. Allowed only while the cache is still empty.
     *
     * @param cache entries to copy into the cache
     * @throws IllegalStateException if the cache already holds entries (the message names
     *     {@code setServiceCache}, as in the original source)
     */
    public static void initServiceCache(Map<String, IBinder> cache) {
        if (!sCache.isEmpty()) {
            throw new IllegalStateException("setServiceCache may only be called once");
        }
        sCache.putAll(cache);
    }
}
