【Android 安全】DEX 加密 ( Application 替换 | 分析 BroadcastReceiver 组件中调用 getApplication() 获取的 Application )
生活随笔
收集整理的這篇文章主要介紹了
【Android 安全】DEX 加密 ( Application 替换 | 分析 BroadcastReceiver 组件中调用 getApplication() 获取的 Application )
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
文章目錄
- 一、 Service 中的 getApplication() 方法分析
- 二、 ActivityThread 中的 H 處理 RECEIVER 消息
- 三、 ActivityThread 中的 handleReceiver 方法
- 四、 ContextImpl 的 getReceiverRestrictedContext 方法
- 五、 ReceiverRestrictedContext 封裝類
- 六、 LoadedApk 中的 mApplication 成員
- 七、 ActivityThread 涉及源碼
- 八、 Instrumentation 涉及源碼
- 九、 LoadedApk 涉及源碼
一、 Service 中的 getApplication() 方法分析
在 BroadcastReceiver 中的 onReceive 方法中的 Context context 參數 , 打印出來是 android.app.ReceiverRestrictedContext 類型的 , 調用該對象的 getApplicationContext() 方法 , 獲取的 Application , 就是用戶自定義的 Application ;
public class MyBroadCastReciver extends BroadcastReceiver {@SuppressLint("LongLogTag")@Overridepublic void onReceive(Context context, Intent intent) {/*驗證 Application 是否替換成功打印 Application , ApplicationContext , ApplicationInfo*/Log.i("octopus.MyBroadCastReciver", "reciver:" + context);Log.i("octopus.MyBroadCastReciver", "reciver:" + context.getApplicationContext());Log.i("octopus.MyBroadCastReciver", "reciver:" + context.getApplicationInfo().className);} }打印結果 :
octopus.MyBroadCastReciver: reciver:android.app.ReceiverRestrictedContext@8a50e9a octopus.MyBroadCastReciver: reciver:kim.hsl.dex.MyApplication@b2b81e2 octopus.MyBroadCastReciver: reciver:kim.hsl.dex.MyApplicationReceiverRestrictedContext 類型的上下文對象 , 是在 ActivityThread 中的 Handler H 處理 RECEIVER 消息時 , 在 handleReceiver() 方法中 , 通過調用 ContextImpl 的 getReceiverRestrictedContext() 方法獲得 , 在下面有詳細的說明 ;
二、 ActivityThread 中的 H 處理 RECEIVER 消息
在 ActivityThread 中 , 創建并啟動一個 Service , H ( Handler 子類 ) 接收到 RECEIVER 消息 , 在相應的處理該 RECEIVER 消息的 handleMessage 方法中 , 調用了 handleReceiver 方法 ;
public final class ActivityThread {private class H extends Handler {public static final int RECEIVER = 113;public void handleMessage(Message msg) {switch (msg.what) {case RECEIVER:Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "broadcastReceiveComp");handleReceiver((ReceiverData)msg.obj);maybeSnapshot();Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);break;} // switch} // handleMessage} // private class H extends Handler}參考路徑 : frameworks/base/core/java/android/app/ActivityThread.java
三、 ActivityThread 中的 handleReceiver 方法
在 handleReceiver 中通過如下方法創建 BroadcastReceiver ,
// ★ 聲明 BroadcastReceiverBroadcastReceiver receiver;// ★ 創建 BroadcastReceiver 對象receiver = (BroadcastReceiver)cl.loadClass(component).newInstance();然后調用了 BroadcastReceiver 廣播接收者的 onReceive 方法 , 注意傳入的參數就是 context.getReceiverRestrictedContext() , 這就是我們在之前的廣播接收者組件中的 onReceive 方法中打印 Context context 參數類型是 ReceiverRestrictedContext 的原因 ;
// ★ 調用 BroadcastReceiver 廣播接收者的 onReceive 方法// 這里注意傳入的參數就是 context.getReceiverRestrictedContext()receiver.onReceive(context.getReceiverRestrictedContext(),data.intent);主要源碼 :
public final class ActivityThread {private class H extends Handler {public static final int LAUNCH_ACTIVITY = 100;public static final int CREATE_SERVICE = 114;public static final int RECEIVER = 113;public void handleMessage(Message msg) {if (DEBUG_MESSAGES) Slog.v(TAG, ">>> handling: " + codeToString(msg.what));switch (msg.what) {case LAUNCH_ACTIVITY: {Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "activityStart");final ActivityClientRecord r = (ActivityClientRecord) msg.obj;r.packageInfo = getPackageInfoNoCheck(r.activityInfo.applicationInfo, r.compatInfo);// ★ 調用 handleLaunchActivity 方法處理該消息handleLaunchActivity(r, null, "LAUNCH_ACTIVITY");Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);} break;case CREATE_SERVICE:Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, ("serviceCreate: " + String.valueOf(msg.obj)));handleCreateService((CreateServiceData)msg.obj);Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);break;case RECEIVER:Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "broadcastReceiveComp");handleReceiver((ReceiverData)msg.obj);maybeSnapshot();Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);break;} // switch} // handleMessage} // private class H extends Handlerprivate void handleLaunchActivity(ActivityClientRecord r, Intent customIntent, String reason) {// ★ 此處創建了一個 Activity Activity a = performLaunchActivity(r, customIntent);}private Activity performLaunchActivity(ActivityClientRecord r, Intent customIntent) {// System.out.println("##### [" + System.currentTimeMillis() + "] ActivityThread.performLaunchActivity(" + r + ")");ActivityInfo aInfo = r.activityInfo;ContextImpl appContext = createBaseContextForActivity(r);// ★ 聲明 Activity Activity activity = null;try {java.lang.ClassLoader cl = appContext.getClassLoader();// ★ 創建 Activity , 與創建 Application 類似 activity = mInstrumentation.newActivity(cl, component.getClassName(), r.intent);} catch (Exception e) {}try {// ★ 這里是傳入 Activity attach 方法中的 Application , 賦值給 Activity 中的 mApplication 成員 Application app = r.packageInfo.makeApplication(false, mInstrumentation);if (activity != null) {appContext.setOuterContext(activity);// ★ 此處調用了 Activity 的 attach 方法 , 給 Activity 中的 mApplication 成員賦值activity.attach(appContext, this, getInstrumentation(), r.token,r.ident, app, r.intent, r.activityInfo, title, r.parent,r.embeddedID, r.lastNonConfigurationInstances, config,r.referrer, r.voiceInteractor, window, r.configCallback);return activity;}// ★ 創建 Service 組件private void handleCreateService(CreateServiceData data) {LoadedApk packageInfo = getPackageInfoNoCheck(data.info.applicationInfo, data.compatInfo);Service service = null;try {java.lang.ClassLoader cl = packageInfo.getClassLoader();// ★ 創建 Service service = (Service) cl.loadClass(data.info.name).newInstance();} catch (Exception e) {}try {ContextImpl context = ContextImpl.createAppContext(this, packageInfo);context.setOuterContext(service);Application app = packageInfo.makeApplication(false, mInstrumentation);// ★ 調用了 Service 的 attach 方法 service.attach(context, this, data.info.name, data.token, app,ActivityManager.getService());service.onCreate();} catch (Exception e) {}}private void handleReceiver(ReceiverData data) {Application app;// ★ 聲明 BroadcastReceiverBroadcastReceiver receiver;ContextImpl context;try {app = packageInfo.makeApplication(false, mInstrumentation);context = (ContextImpl) app.getBaseContext();// ★ 創建 BroadcastReceiver 對象receiver = (BroadcastReceiver)cl.loadClass(component).newInstance();} catch (Exception e) {}try {// ★ 調用 BroadcastReceiver 廣播接收者的 onReceive 方法// 這里注意傳入的參數就是 context.getReceiverRestrictedContext()receiver.onReceive(context.getReceiverRestrictedContext(),data.intent);} catch (Exception e) {} finally {}}}參考路徑 : frameworks/base/core/java/android/app/ActivityThread.java
四、 ContextImpl 的 getReceiverRestrictedContext 方法
查看 ContextImpl 源碼 , 分析 getReceiverRestrictedContext() 方法獲取的上下文對象 , 在該方法中返回對象創建方式如下 ,
mReceiverRestrictedContext = new ReceiverRestrictedContext(getOuterContext());getOuterContext() 方法返回的是 Context mOuterContext 成員變量 , 這個成員變量就是在 【Android 安全】DEX 加密 ( Application 替換 | 創建用戶自定義 Application | 替換 ContextImpl 對象的 mOuterContext 成員 ) 博客中 , 替換的 ContextImpl 中的 Application ;
由此可見 , 該獲取的 Application 是替換成功的 , 已經將代理 Application 類 ProxyApplication 替換成了自定義 Application 類 MyApplication ;
ContextImpl 相關源碼 :
class ContextImpl extends Context {private Context mOuterContext;final Context getReceiverRestrictedContext() {if (mReceiverRestrictedContext != null) {return mReceiverRestrictedContext;}return mReceiverRestrictedContext = new ReceiverRestrictedContext(getOuterContext());}final Context getOuterContext() {return mOuterContext;}}參考源碼路徑 : frameworks/base/core/java/android/app/ContextImpl.java
五、 ReceiverRestrictedContext 封裝類
ReceiverRestrictedContext 封裝類 , 重寫了 registerReceiver , registerReceiverAsUser , bindService 333 個函數 ;
在 廣播接收者 中 不能注冊廣播接收者 , 不能綁定服務 ;
一旦發現在其中注冊廣播接收者 , 或者綁定服務 , 立刻 拋出異常 ;
ReceiverRestrictedContext 源碼 :
class ReceiverRestrictedContext extends ContextWrapper {ReceiverRestrictedContext(Context base) {super(base);}@Overridepublic Intent registerReceiver(BroadcastReceiver receiver, IntentFilter filter) {return registerReceiver(receiver, filter, null, null);}@Overridepublic Intent registerReceiver(BroadcastReceiver receiver, IntentFilter filter,String broadcastPermission, Handler scheduler) {if (receiver == null) {// Allow retrieving current sticky broadcast; this is safe since we// aren't actually registering a receiver.return super.registerReceiver(null, filter, broadcastPermission, scheduler);} else {throw new ReceiverCallNotAllowedException("BroadcastReceiver components are not allowed to register to receive intents");}}@Overridepublic Intent registerReceiverAsUser(BroadcastReceiver receiver, UserHandle user,IntentFilter filter, String broadcastPermission, Handler scheduler) {if (receiver == null) {// Allow retrieving current sticky broadcast; this is safe since we// aren't actually registering a receiver.return super.registerReceiverAsUser(null, user, filter, broadcastPermission, scheduler);} else {throw new ReceiverCallNotAllowedException("BroadcastReceiver components are not allowed to register to receive intents");}}@Overridepublic boolean bindService(Intent service, ServiceConnection conn, int flags) {throw new ReceiverCallNotAllowedException("BroadcastReceiver components are not allowed to bind to services");} }參考源碼路徑 : frameworks/base/core/java/android/app/ContextImpl.java
六、 LoadedApk 中的 mApplication 成員
LoadedApk 中的 mApplication 成員已經替換成了自定義的 Application , 不再是代理的 Application , 因此從 Service 組件中獲取的 Application 是已經替換后的用戶自定義的 Application , 不是代理 Application ;
Application 已經執行完畢 , Application 替換操作是在 Application 的 onCreate 方法中執行的 , 此處的 Activity 執行肯定在 Application 創建完畢之后執行的 ;
主要源碼 :
public final class LoadedApk {public Application makeApplication(boolean forceDefaultAppClass,Instrumentation instrumentation) {// ★ 如果之前創建過 Application , 就直接使用 if (mApplication != null) {return mApplication;}} }參考路徑 : frameworks/base/core/java/android/app/LoadedApk.java
七、 ActivityThread 涉及源碼
public final class ActivityThread {private class H extends Handler {public static final int LAUNCH_ACTIVITY = 100;public static final int CREATE_SERVICE = 114;public static final int RECEIVER = 113;public void handleMessage(Message msg) {if (DEBUG_MESSAGES) Slog.v(TAG, ">>> handling: " + codeToString(msg.what));switch (msg.what) {case LAUNCH_ACTIVITY: {Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "activityStart");final ActivityClientRecord r = (ActivityClientRecord) msg.obj;r.packageInfo = getPackageInfoNoCheck(r.activityInfo.applicationInfo, r.compatInfo);// ★ 調用 handleLaunchActivity 方法處理該消息handleLaunchActivity(r, null, "LAUNCH_ACTIVITY");Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);} break;case CREATE_SERVICE:Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, ("serviceCreate: " + String.valueOf(msg.obj)));handleCreateService((CreateServiceData)msg.obj);Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);break;case RECEIVER:Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "broadcastReceiveComp");handleReceiver((ReceiverData)msg.obj);maybeSnapshot();Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);break;} // switch} // handleMessage} // private class H extends Handlerprivate void handleLaunchActivity(ActivityClientRecord r, Intent customIntent, String reason) {// If we are getting ready to gc after going to the background, well// we are back active so skip it.unscheduleGcIdler();mSomeActivitiesChanged = true;if (r.profilerInfo != null) {mProfiler.setProfiler(r.profilerInfo);mProfiler.startProfiling();}// Make sure we are running with the most recent config.handleConfigurationChanged(null, null);if (localLOGV) Slog.v(TAG, "Handling launch of " + r);// Initialize before creating the activityWindowManagerGlobal.initialize();// ★ 此處創建了一個 Activity Activity a = performLaunchActivity(r, customIntent);if (a != null) {r.createdConfig = new Configuration(mConfiguration);reportSizeConfigurations(r);Bundle oldState = r.state;handleResumeActivity(r.token, false, r.isForward,!r.activity.mFinished && !r.startsNotResumed, r.lastProcessedSeq, reason);if (!r.activity.mFinished && r.startsNotResumed) {// The activity manager actually wants this one to start out paused, because it// needs to be visible but isn't in the foreground. We accomplish this by going// through the normal startup (because activities expect to go through onResume()// the first time they run, before their window is displayed), and then pausing it.// However, in this case we do -not- need to do the full pause cycle (of freezing// and such) because the activity manager assumes it can just retain the current// state it has.performPauseActivityIfNeeded(r, reason);// We need to keep around the original state, in case we need to be created again.// But we only do this for pre-Honeycomb apps, which always save their state when// pausing, so we can not have them save their state when restarting from a paused// state. For HC and later, we want to (and can) let the state be saved as the// normal part of stopping the activity.if (r.isPreHoneycomb()) {r.state = oldState;}}} else {// If there was an error, for any reason, tell the activity manager to stop us.try {ActivityManager.getService().finishActivity(r.token, Activity.RESULT_CANCELED, null,Activity.DONT_FINISH_TASK_WITH_ACTIVITY);} catch (RemoteException ex) {throw ex.rethrowFromSystemServer();}}}private Activity performLaunchActivity(ActivityClientRecord r, Intent customIntent) {// System.out.println("##### [" + System.currentTimeMillis() + "] ActivityThread.performLaunchActivity(" + r + ")");ActivityInfo aInfo = r.activityInfo;if (r.packageInfo == null) {r.packageInfo = getPackageInfo(aInfo.applicationInfo, r.compatInfo,Context.CONTEXT_INCLUDE_CODE);}ComponentName component = r.intent.getComponent();if (component == null) {component = r.intent.resolveActivity(mInitialApplication.getPackageManager());r.intent.setComponent(component);}if (r.activityInfo.targetActivity != null) {component = new ComponentName(r.activityInfo.packageName,r.activityInfo.targetActivity);}ContextImpl appContext = createBaseContextForActivity(r);// ★ 聲明 Activity Activity activity = null;try {java.lang.ClassLoader cl = appContext.getClassLoader();// ★ 創建 Activity , 與創建 Application 類似 activity = mInstrumentation.newActivity(cl, component.getClassName(), r.intent);StrictMode.incrementExpectedActivityCount(activity.getClass());r.intent.setExtrasClassLoader(cl);r.intent.prepareToEnterProcess();if (r.state != null) {r.state.setClassLoader(cl);}} catch (Exception e) {if (!mInstrumentation.onException(activity, e)) {throw new RuntimeException("Unable to instantiate activity " + component+ ": " + e.toString(), e);}}try {// ★ 這里是傳入 Activity attach 方法中的 Application , 賦值給 Activity 中的 mApplication 成員 Application app = r.packageInfo.makeApplication(false, mInstrumentation);if (localLOGV) Slog.v(TAG, "Performing launch of " + r);if (localLOGV) Slog.v(TAG, r + ": app=" + app+ ", appName=" + app.getPackageName()+ ", pkg=" + r.packageInfo.getPackageName()+ ", comp=" + r.intent.getComponent().toShortString()+ ", dir=" + r.packageInfo.getAppDir());if (activity != null) {CharSequence title = r.activityInfo.loadLabel(appContext.getPackageManager());Configuration config = new Configuration(mCompatConfiguration);if (r.overrideConfig != null) {config.updateFrom(r.overrideConfig);}if (DEBUG_CONFIGURATION) Slog.v(TAG, "Launching activity "+ r.activityInfo.name + " with config " + config);Window window = null;if (r.mPendingRemoveWindow != null && r.mPreserveWindow) {window = r.mPendingRemoveWindow;r.mPendingRemoveWindow = null;r.mPendingRemoveWindowManager = null;}appContext.setOuterContext(activity);// ★ 此處調用了 Activity 的 attach 方法 , 給 Activity 中的 mApplication 成員賦值activity.attach(appContext, this, getInstrumentation(), r.token,r.ident, app, r.intent, r.activityInfo, title, r.parent,r.embeddedID, r.lastNonConfigurationInstances, config,r.referrer, r.voiceInteractor, window, r.configCallback);if (customIntent != null) {activity.mIntent = customIntent;}r.lastNonConfigurationInstances = null;checkAndBlockForNetworkAccess();activity.mStartedActivity = false;int theme = r.activityInfo.getThemeResource();if (theme != 0) {activity.setTheme(theme);}activity.mCalled = false;if (r.isPersistable()) {mInstrumentation.callActivityOnCreate(activity, r.state, r.persistentState);} else {mInstrumentation.callActivityOnCreate(activity, r.state);}if (!activity.mCalled) {throw new SuperNotCalledException("Activity " + r.intent.getComponent().toShortString() +" did not call through to super.onCreate()");}r.activity = activity;r.stopped = true;if (!r.activity.mFinished) {activity.performStart();r.stopped = false;}if (!r.activity.mFinished) {if (r.isPersistable()) {if (r.state != null || r.persistentState != null) {mInstrumentation.callActivityOnRestoreInstanceState(activity, r.state,r.persistentState);}} else if (r.state != null) {mInstrumentation.callActivityOnRestoreInstanceState(activity, r.state);}}if (!r.activity.mFinished) {activity.mCalled = false;if (r.isPersistable()) {mInstrumentation.callActivityOnPostCreate(activity, r.state,r.persistentState);} else {mInstrumentation.callActivityOnPostCreate(activity, r.state);}if (!activity.mCalled) {throw new SuperNotCalledException("Activity " + r.intent.getComponent().toShortString() +" did not call through to super.onPostCreate()");}}}r.paused = true;mActivities.put(r.token, r);} catch (SuperNotCalledException e) {throw e;} catch (Exception e) {if (!mInstrumentation.onException(activity, e)) {throw new RuntimeException("Unable to start activity " + component+ ": " + e.toString(), e);}}return activity;}// ★ 創建 Service 組件private void handleCreateService(CreateServiceData data) {// If we are getting ready to gc after going to the background, well// we are back active so skip it.unscheduleGcIdler();LoadedApk packageInfo = getPackageInfoNoCheck(data.info.applicationInfo, data.compatInfo);Service service = null;try {java.lang.ClassLoader cl = packageInfo.getClassLoader();// ★ 創建 Service service = (Service) cl.loadClass(data.info.name).newInstance();} catch (Exception e) {if (!mInstrumentation.onException(service, e)) {throw new RuntimeException("Unable to instantiate service " + data.info.name+ ": " + e.toString(), e);}}try {if (localLOGV) Slog.v(TAG, "Creating service " + data.info.name);ContextImpl context = ContextImpl.createAppContext(this, packageInfo);context.setOuterContext(service);Application app = packageInfo.makeApplication(false, mInstrumentation);// ★ 調用了 Service 的 attach 方法 service.attach(context, this, data.info.name, data.token, app,ActivityManager.getService());service.onCreate();mServices.put(data.token, service);try {ActivityManager.getService().serviceDoneExecuting(data.token, SERVICE_DONE_EXECUTING_ANON, 0, 0);} catch (RemoteException e) {throw e.rethrowFromSystemServer();}} catch (Exception e) {if (!mInstrumentation.onException(service, e)) {throw new RuntimeException("Unable to create service " + data.info.name+ ": " + e.toString(), e);}}}private void handleReceiver(ReceiverData data) {// If we are getting ready to gc after going to the background, well// we are back active so skip it.unscheduleGcIdler();String component = data.intent.getComponent().getClassName();LoadedApk packageInfo = getPackageInfoNoCheck(data.info.applicationInfo, data.compatInfo);IActivityManager mgr = ActivityManager.getService();Application app;// ★ 聲明 BroadcastReceiverBroadcastReceiver receiver;ContextImpl context;try {app = packageInfo.makeApplication(false, mInstrumentation);context = (ContextImpl) app.getBaseContext();if (data.info.splitName != null) {context = (ContextImpl) context.createContextForSplit(data.info.splitName);}java.lang.ClassLoader cl = context.getClassLoader();data.intent.setExtrasClassLoader(cl);data.intent.prepareToEnterProcess();data.setExtrasClassLoader(cl);// ★ 創建 BroadcastReceiver 對象receiver = (BroadcastReceiver)cl.loadClass(component).newInstance();} catch (Exception e) {if (DEBUG_BROADCAST) Slog.i(TAG,"Finishing failed broadcast to " + data.intent.getComponent());data.sendFinished(mgr);throw new RuntimeException("Unable to instantiate receiver " + component+ ": " + e.toString(), e);}try {if (localLOGV) Slog.v(TAG, "Performing receive of " + data.intent+ ": app=" + app+ ", appName=" + app.getPackageName()+ ", pkg=" + packageInfo.getPackageName()+ ", comp=" + data.intent.getComponent().toShortString()+ ", dir=" + packageInfo.getAppDir());sCurrentBroadcastIntent.set(data.intent);receiver.setPendingResult(data);// ★ 調用 BroadcastReceiver 廣播接收者的 onReceive 方法// 這里注意傳入的參數就是 context.getReceiverRestrictedContext()receiver.onReceive(context.getReceiverRestrictedContext(),data.intent);} catch (Exception e) {if (DEBUG_BROADCAST) Slog.i(TAG,"Finishing failed broadcast to " + data.intent.getComponent());data.sendFinished(mgr);if (!mInstrumentation.onException(receiver, e)) {throw new RuntimeException("Unable to start receiver " + component+ ": " + e.toString(), e);}} finally {sCurrentBroadcastIntent.set(null);}if (receiver.getPendingResult() != null) {data.finish();}}}
參考路徑 : frameworks/base/core/java/android/app/ActivityThread.java
八、 Instrumentation 涉及源碼
Instrumentation 中創建 Activity 的 newActivity 方法 ;
public class Instrumentation {/*** Perform instantiation of an {@link Activity} object. This method is intended for use with* unit tests, such as android.test.ActivityUnitTestCase. The activity will be useable* locally but will be missing some of the linkages necessary for use within the system.* * @param clazz The Class of the desired Activity* @param context The base context for the activity to use* @param token The token for this activity to communicate with* @param application The application object (if any)* @param intent The intent that started this Activity* @param info ActivityInfo from the manifest* @param title The title, typically retrieved from the ActivityInfo record* @param parent The parent Activity (if any)* @param id The embedded Id (if any)* @param lastNonConfigurationInstance Arbitrary object that will be* available via {@link Activity#getLastNonConfigurationInstance()* Activity.getLastNonConfigurationInstance()}.* @return Returns the instantiated activity* @throws InstantiationException* @throws IllegalAccessException*/public Activity newActivity(Class<?> clazz, Context context, IBinder token, Application application, Intent intent, ActivityInfo info, CharSequence title, Activity parent, String id,Object lastNonConfigurationInstance) throws InstantiationException, IllegalAccessException {Activity activity = (Activity)clazz.newInstance();ActivityThread aThread = null;activity.attach(context, aThread, this, token, 0 /* ident */, application, intent,info, title, parent, id,(Activity.NonConfigurationInstances)lastNonConfigurationInstance,new Configuration(), null /* referrer */, null /* voiceInteractor */,null /* window */, null /* activityConfigCallback */);return activity;}}參考路徑 : frameworks/base/core/java/android/app/Instrumentation.java
九、 LoadedApk 涉及源碼
LoadedApk 中相關源碼 :
public final class LoadedApk {public Application makeApplication(boolean forceDefaultAppClass,Instrumentation instrumentation) {// ★ 如果之前創建過 Application , 就直接使用 if (mApplication != null) {return mApplication;}Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "makeApplication");Application app = null;String appClass = mApplicationInfo.className;if (forceDefaultAppClass || (appClass == null)) {appClass = "android.app.Application";}try {java.lang.ClassLoader cl = getClassLoader();if (!mPackageName.equals("android")) {Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER,"initializeJavaContextClassLoader");initializeJavaContextClassLoader();Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);}ContextImpl appContext = ContextImpl.createAppContext(mActivityThread, this);app = mActivityThread.mInstrumentation.newApplication(cl, appClass, appContext);appContext.setOuterContext(app);} catch (Exception e) {if (!mActivityThread.mInstrumentation.onException(app, e)) {Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);throw new RuntimeException("Unable to instantiate application " + appClass+ ": " + e.toString(), e);}}mActivityThread.mAllApplications.add(app);mApplication = app;if (instrumentation != null) {try {instrumentation.callApplicationOnCreate(app);} catch (Exception e) {if (!instrumentation.onException(app, e)) {Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);throw new RuntimeException("Unable to create application " + app.getClass().getName()+ ": " + e.toString(), e);}}}// Rewrite the R 'constants' for all library apks.SparseArray<String> packageIdentifiers = getAssets().getAssignedPackageIdentifiers();final int N = packageIdentifiers.size();for (int i = 0; i < N; i++) {final int id = packageIdentifiers.keyAt(i);if (id == 0x01 || id == 0x7f) {continue;}rewriteRValues(getClassLoader(), packageIdentifiers.valueAt(i), id);}Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);return app;}}參考路徑 : frameworks/base/core/java/android/app/LoadedApk.java
總結
以上是生活随笔為你收集整理的【Android 安全】DEX 加密 ( Application 替换 | 分析 BroadcastReceiver 组件中调用 getApplication() 获取的 Application )的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 【Android 安全】DEX 加密 (
- 下一篇: 【Android 安全】DEX 加密 (