通過閱讀 ActivityManagerNative、IActivityManager、Activity、Instrumentation、ActivityThread 的原始碼,利用反射和代理來實現 Hook,大家可以直接拿來用,廢話不多說,直接擼程式碼。
1. 程式碼如下,建立 Utils 類:
package com.zhang.hook;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Handler;
import android.os.Message;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
/**
* Created by zhang_shuai on 2017/10/17.
* Del:
*/
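/**
 * Reflection-based hook that routes in-app {@code startActivity} calls through a stand-in
 * activity and swaps the real target back in when the launch message reaches the app process.
 *
 * <p>Two hooks cooperate:
 * <ul>
 *   <li>{@link #UtilsAms()} replaces the process-wide {@code IActivityManager} singleton with a
 *       dynamic proxy that wraps the outgoing Intent in an Intent addressed to the stand-in.</li>
 *   <li>{@link #hookSystemHandler()} installs a {@link Handler.Callback} on the
 *       {@code ActivityThread} handler that restores the original component on launch.</li>
 * </ul>
 *
 * <p>NOTE(review): every class and field name used here is a private platform detail looked up by
 * string. {@code ActivityManagerNative.gDefault} and launch message code 100 match older Android
 * releases only; newer releases moved or removed them and restrict hidden-API reflection, so
 * expect {@code NoSuchFieldException}/{@code ClassNotFoundException} there. Confirm against the
 * platform versions you support.
 *
 * <p>Security: the Intent stored under {@code "oldIntent"} decides which component is finally
 * instantiated, so it is only honoured when the delivered Intent targets the stand-in activity
 * and the restored component belongs to this application's own package. The stand-in activity
 * should be declared non-exported in the manifest.
 */
public class Utils {
    /** Message code checked for activity launches (ActivityThread.H LAUNCH_ACTIVITY on older releases). */
    private static final int LAUNCH_ACTIVITY = 100;
    /** Extra key under which the caller's original Intent travels inside the stand-in Intent. */
    private static final String EXTRA_OLD_INTENT = "oldIntent";

    private Context mContext;
    private Class<?> mProxyActivty;

    /**
     * @param context context used to build the stand-in {@link ComponentName} and to read the
     *                application's package name
     * @param proxy   class of the manifest-registered stand-in activity
     */
    public Utils(Context context, Class<?> proxy) {
        this.mContext = context;
        this.mProxyActivty = proxy;
    }

    /**
     * Replaces the {@code IActivityManager} instance held by {@code ActivityManagerNative.gDefault}
     * with a proxy backed by {@link AMSInvokeHandler}.
     *
     * @throws Exception if any of the reflected classes or fields is missing or inaccessible
     */
    public void UtilsAms() throws Exception {
        // Static Singleton<IActivityManager> held by ActivityManagerNative.
        Class<?> amnClass = Class.forName("android.app.ActivityManagerNative");
        Field defaultField = amnClass.getDeclaredField("gDefault");
        defaultField.setAccessible(true);
        Object singleton = defaultField.get(null); // static field, no receiver

        // The cached instance inside android.util.Singleton.
        Class<?> singletonClass = Class.forName("android.util.Singleton");
        Field instanceField = singletonClass.getDeclaredField("mInstance");
        instanceField.setAccessible(true);
        Object activityManager = instanceField.get(singleton);

        Class<?> iActivityManager = Class.forName("android.app.IActivityManager");
        AMSInvokeHandler handler = new AMSInvokeHandler(activityManager);
        // Intercepting object: every IActivityManager call now goes through the handler first.
        Object proxy = Proxy.newProxyInstance(
                Thread.currentThread().getContextClassLoader(),
                new Class<?>[]{iActivityManager},
                handler);
        instanceField.set(singleton, proxy);
    }

    /** Returns true when {@code component} is explicit and names a class in this app's package. */
    private boolean isOwnComponent(ComponentName component) {
        return component != null
                && mContext.getPackageName().equals(component.getPackageName());
    }

    /** Invocation handler that rewrites the Intent argument of {@code startActivity}. */
    class AMSInvokeHandler implements InvocationHandler {
        Object iActivytManegerObj;

        /** @param iActivytManegerObj the real {@code IActivityManager} that calls are forwarded to */
        public AMSInvokeHandler(Object iActivytManegerObj) {
            this.iActivytManegerObj = iActivytManegerObj;
        }

        /**
         * Forwards every call to the real object. For {@code startActivity}, the first Intent
         * argument is replaced by an Intent addressed to the stand-in activity that carries the
         * original under {@code "oldIntent"}.
         *
         * <p>Only explicit Intents aimed at this application's own package are wrapped; implicit
         * Intents and launches of other applications pass through untouched, because they could
         * not be restored on the way back. The exact method name is matched, and the exception
         * thrown by the real method is unwrapped so callers see the original failure.
         */
        @Override
        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
            // args is null for no-arg interface methods, so guard before scanning.
            if (args != null && "startActivity".equals(method.getName())) {
                for (int i = 0; i < args.length; i++) {
                    if (args[i] instanceof Intent) {
                        Intent original = (Intent) args[i];
                        if (isOwnComponent(original.getComponent())) {
                            Intent proxyIntent = new Intent();
                            proxyIntent.setComponent(new ComponentName(mContext, mProxyActivty));
                            proxyIntent.putExtra(EXTRA_OLD_INTENT, original);
                            args[i] = proxyIntent;
                        }
                        break;
                    }
                }
            }
            try {
                return method.invoke(iActivytManegerObj, args);
            } catch (java.lang.reflect.InvocationTargetException e) {
                // Rethrow what the real IActivityManager threw instead of the reflection wrapper.
                Throwable cause = e.getCause();
                throw cause != null ? cause : e;
            }
        }
    }

    /**
     * Installs {@link AcivityCallBack} as the {@code mCallback} of the {@code ActivityThread}
     * handler so launch messages can be inspected before the system handles them.
     *
     * <p>Best effort: reflection failures are printed and the hook is simply not installed. Any
     * callback already present on the handler is overwritten.
     */
    public void hookSystemHandler() {
        try {
            Class<?> activityThreadClass = Class.forName("android.app.ActivityThread");
            Field currentField = activityThreadClass.getDeclaredField("sCurrentActivityThread");
            currentField.setAccessible(true);
            Object activityThread = currentField.get(null);

            Field mHField = activityThreadClass.getDeclaredField("mH");
            mHField.setAccessible(true);
            Handler systemHandler = (Handler) mHField.get(activityThread);

            // Handler's own callback slot.
            Field callbackField = Handler.class.getDeclaredField("mCallback");
            callbackField.setAccessible(true);
            callbackField.set(systemHandler, new AcivityCallBack(systemHandler));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /** Callback that restores the real target component before the system handles a launch. */
    public class AcivityCallBack implements Handler.Callback {
        private Handler handler;

        /** @param handler the system handler whose {@code handleMessage} is invoked afterwards */
        public AcivityCallBack(Handler handler) {
            this.handler = handler;
        }

        /**
         * Rewrites launch messages, then hands every message to the wrapped handler.
         *
         * @return always {@code true}: the message has already been passed on explicitly
         */
        @Override
        public boolean handleMessage(Message msg) {
            if (msg.what == LAUNCH_ACTIVITY) {
                handlerLaunchActivity(msg);
            }
            handler.handleMessage(msg); // deliver the message to the system handler
            return true;
        }

        /**
         * Puts the original component back on the Intent held by the launch record.
         *
         * <p>The swap is performed only when the delivered Intent targets the stand-in activity
         * and the stored Intent names a component in this application's package. Without these
         * checks, any Intent delivered to this process that carries an {@code "oldIntent"} extra
         * could select the activity class that gets instantiated.
         */
        private void handlerLaunchActivity(Message msg) {
            Object record = msg.obj;
            if (record == null) {
                return;
            }
            try {
                Field intentField = record.getClass().getDeclaredField("intent");
                intentField.setAccessible(true);
                Intent proxyIntent = (Intent) intentField.get(record);
                if (proxyIntent == null) {
                    return;
                }
                ComponentName standIn = new ComponentName(mContext, mProxyActivty);
                if (!standIn.equals(proxyIntent.getComponent())) {
                    return; // not a launch this hook redirected
                }
                Intent realIntent = proxyIntent.getParcelableExtra(EXTRA_OLD_INTENT);
                if (realIntent == null) {
                    return;
                }
                ComponentName target = realIntent.getComponent();
                if (isOwnComponent(target)) {
                    proxyIntent.setComponent(target); // restore the real target
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
}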
2. 建立一個 ProxyActivity 繼承 Activity,然後什麼都不用幹,只要在清單檔案註冊一下,為了通過 PMS 的校驗;註冊時建議加上 android:exported="false",因為它只供應用自己中轉使用。也可以稱之為替死鬼。看你心情哦!
3. GitHub 地址:https://github.com/fengyutongxing/Hook ,歡迎各位前來 Star。