{"id":1837,"date":"2023-03-29T21:48:37","date_gmt":"2023-03-29T13:48:37","guid":{"rendered":"https:\/\/www.appblog.cn\/?p=1837"},"modified":"2023-04-22T09:17:21","modified_gmt":"2023-04-22T01:17:21","slug":"android-hook-launching-activity-without-manifests-application","status":"publish","type":"post","link":"https:\/\/www.appblog.cn\/index.php\/2023\/03\/29\/android-hook-launching-activity-without-manifests-application\/","title":{"rendered":"Android Hook: Applications of Launching an Activity Without a Manifest Entry"},"content":{"rendered":"<p>We have already managed to launch an <code>Activity<\/code> that is not registered in the <code>manifest<\/code>. But what is this actually good for in production development?<\/p>\n<p>The answer: <strong>pluginization<\/strong><\/p>\n<p>Pluginization is a broad concept. Anything that lets plugin features be flexibly plugged into and unplugged from the host app, and fully decouples the host app's business logic from the plugin features, can be called pluginization.<\/p>\n<p><!-- more 
--><\/p>\n<blockquote>\n<p>The principle is to use a <code>real Activity in the host<\/code> as a <code>proxy<\/code> to launch the <code>Activity in the plugin<\/code>, manage the lifecycle of the plugin's Activity, and handle the <code>plugin source code<\/code> and <code>resource files<\/code> properly.<\/p>\n<p>Now there is another way to do pluginization: use the <code>principle of launching an Activity without a manifest entry<\/code> to <code>launch an Activity in the plugin apk<\/code>.<\/p>\n<\/blockquote>\n<h2>Overall approach<\/h2>\n<p>The two diagrams below show the key technical points, in a plugin architecture, of a plugin running on its own and of a plugin starting with the host as part of it.<\/p>\n<p><iframe id=\"embed_dom\" name=\"embed_dom\" frameborder=\"0\" style=\"display:block;width:720px; height:480px;\" src=\"https:\/\/www.processon.com\/embed\/5e916c201e085369d0b916ea\"><\/iframe><br \/>\n<iframe id=\"embed_dom\" name=\"embed_dom\" frameborder=\"0\" style=\"display:block;width:720px; height:480px;\" 
src=\"https:\/\/www.processon.com\/embed\/5e916d88e0b34d6fea9fb360\"><\/iframe><\/p>\n<p>As the diagrams above show, if the plugin starts together with the host, the host must be able to read the plugin <code>apk<\/code>'s resource files, and it must also be able to read the <code>class<\/code> files in the plugin's <code>apk<\/code>. This is achieved by <code>hook<\/code> programming in the host's code: produce a <code>ClassLoader<\/code> that can read every <code>class<\/code> in the host and in all plugins, and a <code>Resource<\/code> that can read every resource in the host and the plugins. The concrete implementation is a merging process.<\/p>\n<h2>Demonstration of the result<\/h2>\n<p><img decoding=\"async\" src=\"https:\/\/upload-images.jianshu.io\/upload_images\/4100513-ee03e11b41f47e23.gif\" alt=\"Plugin launch that bypasses the Manifest check\" \/><\/p>\n<p>The host's <code>manifest<\/code> file has only one entry <code>Activity<\/code> and nothing else:<\/p>\n<pre><code>&lt;application\n    android:name=&quot;.app.MyApplication&quot;\n    android:allowBackup=&quot;true&quot;\n    android:icon=&quot;@mipmap\/ic_launcher&quot;\n    android:label=&quot;@string\/app_name&quot;\n    android:roundIcon=&quot;@mipmap\/ic_launcher_round&quot;\n    android:supportsRtl=&quot;true&quot;\n    android:theme=&quot;@style\/AppTheme&quot;\n    tools:ignore=&quot;GoogleAppIndexingWarning&quot;&gt;\n    &lt;activity android:name=&quot;.ui.MainActivity&quot;\n        android:screenOrientation=&quot;portrait&quot;&gt;\n        
&lt;intent-filter&gt;\n            &lt;action android:name=&quot;android.intent.action.MAIN&quot; \/&gt;\n            &lt;category android:name=&quot;android.intent.category.LAUNCHER&quot; \/&gt;\n        &lt;\/intent-filter&gt;\n    &lt;\/activity&gt;\n&lt;\/application&gt;<\/code><\/pre>\n<h2>Demo source code walkthrough<\/h2>\n<p><iframe id=\"embed_dom\" name=\"embed_dom\" frameborder=\"0\" style=\"display:block;width:720px; height:480px;\" src=\"https:\/\/www.processon.com\/embed\/5e8fe6a55653bb6e6ec331fe\"><\/iframe><\/p>\n<p>Both the host code and the plugin code are very simple; the only part worth reading is <strong>the host's core hook code<\/strong>.<\/p>\n<p>Before walking through the core hook code, recall the effect it achieves: it bypasses the system's <code>manifest<\/code> check, so that an <code>Activity<\/code> not registered in the <code>manifest<\/code> can still launch normally.<br \/>\nSome readers will finish this article thinking: launching an Activity without registering it is neat, but what is it good for? Interfering with system logic just to skip registration seems flashy but impractical.<\/p>\n<p>The answer to that question:<br 
\/>\nWhen <code>hook<\/code>s are used to launch a plugin <code>Activity<\/code>, the plugin's <code>manifest<\/code> is not merged with the host's <code>manifest<\/code>. In other words, even after we have merged the <code>ClassLoader<\/code> and the <code>Resource<\/code> so that the host can access the plugin's <code>class<\/code>es and <code>resources<\/code>, the plugin's <code>Activity<\/code> still cannot be launched unless the system's <code>manifest<\/code> check is bypassed.<\/p>\n<p>So the complete approach to launching a plugin <code>Activity<\/code> with <code>hook<\/code> techniques is:<\/p>\n<p><iframe id=\"embed_dom\" name=\"embed_dom\" frameborder=\"0\" style=\"display:block;width:720px; height:480px;\" src=\"https:\/\/www.processon.com\/embed\/5e90092fe0b34d4820f11a76\"><\/iframe><\/p>\n<p>The key code follows:<\/p>\n<p>The host's <code>MyApplication.java<\/code> mainly serves to call the core hook code:<\/p>\n<pre><code class=\"language-java\">import android.app.Application;\nimport android.content.res.Resources;\n\npublic class MyApplication extends Application {\n\n    private Resources newResource;\n\n    public static String pluginPath = null;\n\n    @Override\n    public void onCreate() {\n        super.onCreate();\n        pluginPath = AssetUtil.copyAssetToCache(this, Const.PLUGIN_FILE_NAME);\n\n        \/\/First hook: bypass the manifest check\n        GlobalActivityHookHelper.hook(this);\n\n        \/\/Second hook: import the plugin's classes into the system ClassLoader\n        HookInjectHelper.injectPluginClass(this);\n\n        
\/\/Third hook: load the plugin's resource package so the system Resources can read the plugin's resources\n        newResource = HookInjectHelper.injectPluginResources(this);\n    }\n\n    \/\/Override the resource manager. Each Activity carries its own resource manager,\n    \/\/while the Application's getResources is shared by all Activities.\n    \/\/Overriding it here means it does not have to be overridden Activity by Activity.\n    @Override\n    public Resources getResources() {\n        return newResource == null ? super.getResources() : newResource;\n    }\n}<\/code><\/pre>\n<p>The core <code>hook<\/code> code that bypasses the <code>manifest<\/code> check, <code>GlobalActivityHookHelper.java<\/code>:<\/p>\n<pre><code class=\"language-java\">import android.content.ComponentName;\nimport android.content.Context;\nimport android.content.Intent;\nimport android.content.pm.PackageManager;\nimport android.os.Build;\nimport android.os.Handler;\nimport android.os.Message;\nimport android.util.Log;\n\nimport java.lang.reflect.Field;\nimport java.lang.reflect.InvocationHandler;\nimport java.lang.reflect.Method;\nimport java.lang.reflect.Proxy;\nimport java.util.List;\n\nimport cn.appblog.hookplugindemo.utils.Util;\n\n\/**\n * Hooking Activity launch, implementation 3:\n * hook the AMS (ActivityManagerService), compatible with SDK 26 and above as well as versions below 26 (SDK 26 changed the code that obtains the AMS instance).\n * Building on the scheme that already hooks the AMS globally, this goes one step further and launches an Activity without a manifest entry.\n *\/\npublic class GlobalActivityHookHelper {\n\n    public static void hook(Context context) {\n\n        
hookAMS(context);\/\/use a placeholder Activity to get past the AMS check\n\n        if (ifSdkOverIncluding28())\n            hookActivityThread_mH_AfterIncluding28();\/\/restore the real Intent so the system goes where it was originally meant to go\n        else {\n            hookActivityThread_mH_before28(context);\n        }\n\n        hookPM(context);\/\/AppCompatActivity performs a PMS check; without this hook a PackageManager.NameNotFoundException is thrown\n    }\n\n    \/\/Whether the device SDK version is 26 or higher\n    private static boolean ifSdkOverIncluding26() {\n        int SDK_INT = Build.VERSION.SDK_INT;\n        if (SDK_INT &gt; 26 || SDK_INT == 26) {\n            return true;\n        } else {\n            return false;\n        }\n    }\n\n    \/\/Whether the device SDK version is 28 or higher\n    private static boolean ifSdkOverIncluding28() {\n        int SDK_INT = Build.VERSION.SDK_INT;\n        if (SDK_INT &gt; 28 || SDK_INT == 28) {\n            return true;\n        } else {\n            return false;\n        }\n    }\n\n    \/**\n     * Hook the AMS here\n     *\n     * @param context\n     *\/\n    private static void hookAMS(Context context) {\n        try {\n            Class&lt;?&gt; ActivityManagerClz;\n            final Object IActivityManagerObj;\/\/this is the AMS instance\n            Method getServiceMethod;\n            Field IActivityManagerSingletonField;\n            if (ifSdkOverIncluding26()) {\/\/on 26, 27 and 28 the AMS is obtained through ActivityManager.getService()\n                ActivityManagerClz = Class.forName(&quot;android.app.ActivityManager&quot;);\n                getServiceMethod = 
ActivityManagerClz.getDeclaredMethod(&quot;getService&quot;);\n                IActivityManagerSingletonField = ActivityManagerClz.getDeclaredField(&quot;IActivityManagerSingleton&quot;);\/\/the name of the singleton field differs too\n            } else {\/\/25 and below use ActivityManagerNative.getDefault()\n                ActivityManagerClz = Class.forName(&quot;android.app.ActivityManagerNative&quot;);\n                getServiceMethod = ActivityManagerClz.getDeclaredMethod(&quot;getDefault&quot;);\n                IActivityManagerSingletonField = ActivityManagerClz.getDeclaredField(&quot;gDefault&quot;);\/\/the name of the singleton field differs too\n            }\n            IActivityManagerObj = getServiceMethod.invoke(null);\/\/OK, we now have the system's own AMS instance\n\n            \/\/ 2. Now create our own AMS instance\n            \/\/ IActivityManager is an interface, so the Proxy class can be used to create the proxy object\n            \/\/ The catch: IActivityManager is generated from AIDL, so the compiler does not know the class. The way around that is reflection\n            Class&lt;?&gt; IActivityManagerClz = Class.forName(&quot;android.app.IActivityManager&quot;);\n\n            \/\/ Building the proxy needs two values, used to create the disguised Intent\n            String packageName = Util.getPMName(context);\n            String clz = Util.getHostClzName(context, packageName);\n            Object proxyIActivityManager =\n                    Proxy.newProxyInstance(\n                            
Thread.currentThread().getContextClassLoader(),\n                            new Class[]{IActivityManagerClz},\n                            new ProxyInvocation(IActivityManagerObj, packageName, clz));\n\n            \/\/3. Get the AMS singleton, then replace the real AMS with the proxy AMS; the proxy AMS uses a placeholder Intent to get past the activity manifest check.\n            \/\/Swap it in place\n            IActivityManagerSingletonField.setAccessible(true);\n            Object IActivityManagerSingletonObj = IActivityManagerSingletonField.get(null);\n            Class&lt;?&gt; SingletonClz = Class.forName(&quot;android.util.Singleton&quot;);\/\/get the Singleton class via reflection\n            Field mInstanceField = SingletonClz.getDeclaredField(&quot;mInstance&quot;);\n            mInstanceField.setAccessible(true);\n            mInstanceField.set(IActivityManagerSingletonObj, proxyIActivityManager);\n\n        } catch (Exception e) {\n            e.printStackTrace();\n        }\n    }\n\n    private static final String ORI_INTENT_TAG = &quot;origin_intent&quot;;\n\n    \/**\n     * The InvocationHandler implementation is extracted into its own class: it contains the core logic, so keeping it separate makes it easier to maintain\n     *\/\n    private static class ProxyInvocation implements InvocationHandler {\n\n        Object amsObj;\n        String packageName;\/\/these two Strings are used to build the Intent's ComponentName\n        String clz;\n\n        public ProxyInvocation(Object amsInstance, String packageName, String clz) {\n            this.amsObj = amsInstance;\n            this.packageName = packageName;\n            this.clz = clz;\n        }\n\n        @Override\n        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {\n  
          \/\/proxy is the generated proxy instance, method is the interface method, args are the actual arguments of the call\n            if (method.getName().equals(&quot;startActivity&quot;)) {\n                Log.d(&quot;GlobalActivityHook&quot;, &quot;\u5168\u5c40hook \u5230\u4e86 startActivity&quot;);\n\n                Intent currentRealIntent = null;\/\/once a startActivity call is detected, the intent is stored here\n                int intentIndex = -1;\n                \/\/iterate over the arguments to find the Intent\n                for (int i = 0; i &lt; args.length; i++) {\n                    Object temp = args[i];\n                    if (temp instanceof Intent) {\n                        currentRealIntent = (Intent) temp;\/\/this is the original Intent; keep it, it is needed later\n                        intentIndex = i;\n                        break;\n                    }\n                }\n\n                \/\/build our own Intent in order to bypass the manifest check\n                Intent proxyIntent = new Intent();\n                ComponentName componentName = new ComponentName(packageName, clz);\/\/use a ComponentName to create a new intent\n                proxyIntent.setComponent(componentName);\n                proxyIntent.putExtra(ORI_INTENT_TAG, currentRealIntent);\/\/store the real Intent in the extras; it is taken out and restored later\n\n                args[intentIndex] = proxyIntent;\/\/replace the intent\n                \/\/The manifest check has now been bypassed. 
But the launch must not stay on the disguised Activity; it has to be restored. Where should that happen?\n                \/\/Keep reading the source.\n\n            }\n            return method.invoke(amsObj, args);\n        }\n    }\n\n    \/\/Next, hook mH of ActivityThread; this hook targets SDK 28\n    private static void hookActivityThread_mH_AfterIncluding28() {\n\n        try {\n            \/\/The hook point is the mH field of the ActivityThread class\n            \/\/ First get the ActivityThread\n            Class&lt;?&gt; ActivityThreadClz = Class.forName(&quot;android.app.ActivityThread&quot;);\n            Field field = ActivityThreadClz.getDeclaredField(&quot;sCurrentActivityThread&quot;);\n            field.setAccessible(true);\n            Object ActivityThreadObj = field.get(null);\/\/OK, got the main thread instance\n\n            \/\/Now get mH\n            Field mHField = ActivityThreadClz.getDeclaredField(&quot;mH&quot;);\n            mHField.setAccessible(true);\n            Handler mHObj = (Handler) mHField.get(ActivityThreadObj);\/\/ok, got the current mH\n            \/\/Then get its mCallback field\n            Field mCallbackField = Handler.class.getDeclaredField(&quot;mCallback&quot;);\n            mCallbackField.setAccessible(true);\n\n            \/\/2. Now build a proxy for mH,\n            \/\/ it is just a simple Handler subclass\n            ProxyHandlerCallback proxyMHCallback = new ProxyHandlerCallback();\/\/correction: there is no need to replace the whole mH, only to redefine mH's callback\n\n            \/\/3. Replace\n            
\/\/Replace the Handler's mCallback field with the proxy HandlerCallback created above\n            mCallbackField.set(mHObj, proxyMHCallback);\n\n        } catch (Exception e) {\n            e.printStackTrace();\n        }\n    }\n\n    private static class ProxyHandlerCallback implements Handler.Callback {\n\n        private int EXECUTE_TRANSACTION = 159;\/\/this value is the constant EXECUTE_TRANSACTION defined in H, the inner class of android.app.ActivityThread\n\n        @Override\n        public boolean handleMessage(Message msg) {\n            boolean result = false;\/\/the return value; read dispatchMessage in the Handler source to see why\n            \/\/Handler.dispatchMessage has 3 callback priorities: first the callback carried by the msg, then the Handler's mCallback field, and only last the Handler class's own handleMessage method.\n            \/\/If mCallback.handleMessage returns true, Handler.handleMessage is not executed afterwards.\n            \/\/Here we only want to hook in and insert logic, so we must return false to let the Handler's original handleMessage run.\n            if (msg.what == EXECUTE_TRANSACTION) {\/\/this is the launch; the intent has to be restored here\n                try {\n                    \/\/First load the relevant @hide classes\n                    Class&lt;?&gt; ClientTransactionClz = Class.forName(&quot;android.app.servertransaction.ClientTransaction&quot;);\n                    Class&lt;?&gt; LaunchActivityItemClz = Class.forName(&quot;android.app.servertransaction.LaunchActivityItem&quot;);\n\n                    Field 
mActivityCallbacksField = ClientTransactionClz.getDeclaredField(&quot;mActivityCallbacks&quot;);\/\/a field of ClientTransaction\n                    mActivityCallbacksField.setAccessible(true);\n                    \/\/type check, a good habit; return false so the original handleMessage still runs\n                    if (!ClientTransactionClz.isInstance(msg.obj)) return result;\n                    Object mActivityCallbacksObj = mActivityCallbacksField.get(msg.obj);\/\/per the source, msg.obj is a ClientTransaction in this branch, so use it directly\n                    \/\/this is ClientTransaction's List&lt;ClientTransactionItem&gt; mActivityCallbacks;\n                    List list = (List) mActivityCallbacksObj;\n\n                    if (list == null || list.size() == 0) return result;\n                    Object LaunchActivityItemObj = list.get(0);\/\/so just take the first item here\n\n                    if (!LaunchActivityItemClz.isInstance(LaunchActivityItemObj)) return result;\n                    \/\/The LaunchActivityItemClz check is required here,\n                    \/\/ because the ActivityResultItem initially passed in is converted into an instance of LaunchActivityItemClz\n\n                    Field mIntentField = LaunchActivityItemClz.getDeclaredField(&quot;mIntent&quot;);\n                    mIntentField.setAccessible(true);\n                    Intent mIntent = (Intent) mIntentField.get(LaunchActivityItemObj);\n                    Intent oriIntent = mIntent.getParcelableExtra(ORI_INTENT_TAG);\n                    if (oriIntent == null) return result;\/\/not a proxied launch, leave the Intent untouched\n                    \/\/Now we have the original intent; what should be done with it? Put it back\n                    Log.d(&quot;1&quot;, &quot;2&quot;);\n                    mIntentField.set(LaunchActivityItemObj, 
oriIntent);\n                    return result;\n                } catch (Exception e) {\n                    e.printStackTrace();\n                }\n            }\n            return result;\n        }\n    }\n\n    \/**\n     * @param context\n     * @throws Exception\n     *\/\n    private static void hookActivityThread_mH_before28(Context context) {\n        try {\n            Class&lt;?&gt; activityThreadClazz = Class.forName(&quot;android.app.ActivityThread&quot;);\n            Field sCurrentActivityThreadField = activityThreadClazz.getDeclaredField(&quot;sCurrentActivityThread&quot;);\n            sCurrentActivityThreadField.setAccessible(true);\n            Object sCurrentActivityThreadObj = sCurrentActivityThreadField.get(null);\n\n            Field mHField = activityThreadClazz.getDeclaredField(&quot;mH&quot;);\n            mHField.setAccessible(true);\n            Handler mH = (Handler) mHField.get(sCurrentActivityThreadObj);\n            Field callBackField = Handler.class.getDeclaredField(&quot;mCallback&quot;);\n            callBackField.setAccessible(true);\n            callBackField.set(mH, new ActivityThreadHandlerCallBack(context));\n        } catch (Exception e) {\n            e.printStackTrace();\n        }\n\n    }\n\n    public static class ActivityThreadHandlerCallBack implements Handler.Callback {\n\n        private final Context mContext;\n\n        public ActivityThreadHandlerCallBack(Context context) {\n            mContext = context;\n        }\n\n        @Override\n        public boolean handleMessage(Message msg) {\n            int LAUNCH_ACTIVITY = 0;\n            try {\n                Class&lt;?&gt; clazz = Class.forName(&quot;android.app.ActivityThread$H&quot;);\n                Field field = clazz.getField(&quot;LAUNCH_ACTIVITY&quot;);\n                LAUNCH_ACTIVITY = field.getInt(null);\n            } catch (Exception e) {\n            }\n            if (msg.what == LAUNCH_ACTIVITY) {\n                
handleLaunchActivity(mContext, msg);\n            }\n            return false;\n        }\n    }\n\n    private static void handleLaunchActivity(Context context, Message msg) {\n        try {\n            Object obj = msg.obj;\n            Field intentField = obj.getClass().getDeclaredField(&quot;intent&quot;);\n            intentField.setAccessible(true);\n            Intent proxyIntent = (Intent) intentField.get(obj);\n            \/\/get the Intent that was really meant to be launched, then swap it in\n            Intent originallyIntent = proxyIntent.getParcelableExtra(ORI_INTENT_TAG);\n            if (originallyIntent == null) {\n                return;\n            }\n            proxyIntent.setComponent(originallyIntent.getComponent());\n        } catch (Exception e) {\n            e.printStackTrace();\n        }\n    }\n\n    \/**\n     * I have only tested this successfully on a 9.0 device (SDK 28), which is why this method was named hookPMAfter28\n     *\n     * @param context\n     *\/\n    private static void hookPM(Context context) {\n        try {\n            String pmName = Util.getPMName(context);\n            String hostClzName = Util.getHostClzName(context, pmName);\n\n            Class&lt;?&gt; forName = Class.forName(&quot;android.app.ActivityThread&quot;);\/\/the PM turns out to come from ActivityThread\n            Field field = forName.getDeclaredField(&quot;sCurrentActivityThread&quot;);\n            field.setAccessible(true);\n            Object activityThread = field.get(null);\n            Method getPackageManager = activityThread.getClass().getDeclaredMethod(&quot;getPackageManager&quot;);\n            Object iPackageManager = getPackageManager.invoke(activityThread);\n\n            String packageName = Util.getPMName(context);\n            PMSInvocationHandler handler = new PMSInvocationHandler(iPackageManager, 
packageName, hostClzName);\n            Class&lt;?&gt; iPackageManagerIntercept = Class.forName(&quot;android.content.pm.IPackageManager&quot;);\n            Object proxy = Proxy.newProxyInstance(Thread.currentThread().getContextClassLoader(), new\n                    Class&lt;?&gt;[]{iPackageManagerIntercept}, handler);\n            \/\/ get the sPackageManager field\n            Field iPackageManagerField = activityThread.getClass().getDeclaredField(&quot;sPackageManager&quot;);\n            iPackageManagerField.setAccessible(true);\n            iPackageManagerField.set(activityThread, proxy);\n        } catch (Exception e) {\n            e.printStackTrace();\n        }\n    }\n\n    static class PMSInvocationHandler implements InvocationHandler {\n\n        private Object base;\n        private String packageName;\n        private String hostClzName;\n\n        public PMSInvocationHandler(Object base, String packageName, String hostClzName) {\n            this.packageName = packageName;\n            this.base = base;\n            this.hostClzName = hostClzName;\n        }\n\n        @Override\n        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {\n\n            if (method.getName().equals(&quot;getActivityInfo&quot;)) {\n                ComponentName componentName = new ComponentName(packageName, hostClzName);\n                return method.invoke(base, componentName, PackageManager.GET_META_DATA, 0);\/\/it has to be called this way\n            }\n\n            return method.invoke(base, args);\n        }\n    }\n\n}<\/code><\/pre>\n<p><code>HookInjectHelper.java<\/code>, which merges the <code>ClassLoader\/Resource<\/code> of the host and the plugin:<\/p>\n<pre><code class=\"language-java\">import android.content.Context;\nimport android.content.res.AssetManager;\nimport android.content.res.Resources;\n\nimport java.lang.reflect.Array;\nimport 
java.lang.reflect.Field;\nimport java.lang.reflect.Method;\n\nimport dalvik.system.DexClassLoader;\nimport dalvik.system.PathClassLoader;\nimport cn.appblog.hookplugindemo.app.MyApplication;\n\npublic class HookInjectHelper {\n\n    \/**\n     *\n     * This method merges the plugin's classes into the host's classLoader so that the host can load the plugin's classes directly\n     *\n     * @param context\n     *\/\n    public static void injectPluginClass(Context context) {\n        String cachePath = context.getCacheDir().getAbsolutePath();\n        String apkPath = MyApplication.pluginPath;\n\n        \/\/Remember DexClassLoader? It is dedicated to loading the classes.dex of an external apk\n        \/\/(String dexPath, String optimizedDirectory, String librarySearchPath, ClassLoader parent)\n        \/\/ The 4 parameters are: the path of the external dex, the directory for the optimized output, the native library search directory (no .so from lib is used here, so it can be null), and the parent ClassLoader\n        DexClassLoader dexClassLoader = new DexClassLoader(apkPath, cachePath, null, context.getClassLoader());\n        \/\/First build a classLoader object that can read the external apk\n\n        \/\/Step 1: find the plugin's Elements array, DexPathList dexElements\n\n        try {\n            Class myDexClazzLoader = Class.forName(&quot;dalvik.system.BaseDexClassLoader&quot;);\n            Field myPathListFiled = myDexClazzLoader.getDeclaredField(&quot;pathList&quot;);\n            myPathListFiled.setAccessible(true);\n            Object myPathListObject = myPathListFiled.get(dexClassLoader);\n\n            
Class myPathClazz = myPathListObject.getClass();\n            Field myElementsField = myPathClazz.getDeclaredField(&quot;dexElements&quot;);\n            myElementsField.setAccessible(true);\n            \/\/the plugin's own dexElements[]\n            Object myElements = myElementsField.get(myPathListObject);\n\n            \/\/Step 2: find the system's Elements array, dexElements\n            PathClassLoader pathClassLoader = (PathClassLoader) context.getClassLoader();\n            Class baseDexClazzLoader = Class.forName(&quot;dalvik.system.BaseDexClassLoader&quot;);\n            Field pathListFiled = baseDexClazzLoader.getDeclaredField(&quot;pathList&quot;);\n            pathListFiled.setAccessible(true);\n            Object pathListObject = pathListFiled.get(pathClassLoader);\n\n            Class systemPathClazz = pathListObject.getClass();\n            Field systemElementsField = systemPathClazz.getDeclaredField(&quot;dexElements&quot;);\n            systemElementsField.setAccessible(true);\n            \/\/the system's dexElements[]\n            Object systemElements = systemElementsField.get(pathListObject);\n            \/\/Step 3: merge the dexElements arrays above into a new dexElements array, then inject it back into the system's dexElements Field via reflection\n\n            \/\/the new Element[] object\n            \/\/dalvik.system.Element\n\n            int systemLength = Array.getLength(systemElements);\n            int myLength = Array.getLength(myElements);\n            \/\/get the Element class, the type of each member of the array\n            Class&lt;?&gt; sigleElementClazz = systemElements.getClass().getComponentType();\n            int newSysteLength = myLength + systemLength;\n            Object newElementsArray = Array.newInstance(sigleElementClazz, newSysteLength);\n  
          \/\/Merge\n            for (int i = 0; i &lt; newSysteLength; i++) {\n                \/\/Merge the plugin Elements first\n                if (i &lt; myLength) {\n                    Array.set(newElementsArray, i, Array.get(myElements, i));\n                } else {\n                    Array.set(newElementsArray, i, Array.get(systemElements, i - myLength));\n                }\n            }\n            Field elementsField = pathListObject.getClass().getDeclaredField(&quot;dexElements&quot;);\n\n            elementsField.setAccessible(true);\n            \/\/Put the newly built Elements array object back into the system\n            elementsField.set(pathListObject, newElementsArray);\n\n        } catch (Exception e) {\n            e.printStackTrace();\n        }\n    }\n\n    public static Resources injectPluginResources(Context context) {\n        AssetManager assetManager;\n        Resources newResource = null;\n        String apkPath = MyApplication.pluginPath;\n        try {\n            assetManager = AssetManager.class.newInstance();\n            Method addAssetPathMethod = assetManager.getClass().getDeclaredMethod(&quot;addAssetPath&quot;, String.class);\n            addAssetPathMethod.setAccessible(true);\n            addAssetPathMethod.invoke(assetManager, apkPath);\n            Resources supResource = context.getResources();\n            newResource = new Resources(assetManager, supResource.getDisplayMetrics(), supResource.getConfiguration());\n        } catch (Exception e) {\n            e.printStackTrace();\n        }\n        return newResource;\n    }\n}<\/code><\/pre>\n<p>Merging the <code>Resource<\/code> is covered in the article &quot;Implementing One-Click Skin Switching with Android Hook Techniques&quot;.<br \/>\nBypassing the manifest check is explained in detail in another article, &quot;Android 
Hook: Launching an Activity Without a Manifest Entry&quot;, so it is not repeated here.<\/p>\n<p>Let us look in detail at how the <code>ClassLoader<\/code>s are merged.<\/p>\n<p>What <code>context.getClassLoader<\/code> returns is a <code>PathClassLoader<\/code>, while the <code>classLoader<\/code> we build to access the <code>class<\/code>es in the plugin is a <code>DexClassLoader<\/code>. Both share the parent class <code>BaseDexClassLoader<\/code>, and <code>BaseDexClassLoader<\/code> itself is able to load multiple <code>dex<\/code> paths.<\/p>\n<p>The plugin <code>DexClassLoader<\/code> reads the <code>classes.dex<\/code> in the plugin <code>apk<\/code>, and the host <code>PathClassLoader<\/code> reads the <code>classes.dex<\/code> of <code>data\/app\/&lt;package-name&gt;\/base.apk<\/code>. Each of them stores the paths it has read in the <code>Element[] dexElements<\/code> array shown in the figure above.<\/p>\n<p>So if we can merge the <code>dexElements<\/code> of the plugin <code>DexClassLoader<\/code> into the <code>dexElements<\/code> of the host <code>PathClassLoader<\/code>, the host can read the <code>classes.dex<\/code> of the plugin <code>apk<\/code>.<\/p>\n<p>The <code>injectPluginClass<\/code> method in the <code>HookInjectHelper<\/code> class is a <code>hook<\/code> built on this idea. The steps are:<\/p>\n<ul>\n<li>\n<ol>\n<li>Build the plugin <code>DexClassLoader<\/code> object<\/li>\n<\/ol>\n<\/li>\n<li>\n<ol 
start=\"2\">\n<li>Get the system <code>PathClassLoader<\/code> object<\/li>\n<\/ol>\n<\/li>\n<li>\n<ol start=\"3\">\n<li>Get the <code>dexElements<\/code> array in the <code>DexPathList<\/code> of the plugin <code>DexClassLoader<\/code> and of the system <code>PathClassLoader<\/code><\/li>\n<\/ol>\n<\/li>\n<li>\n<ol start=\"4\">\n<li>Merge these two <code>dexElements<\/code> arrays<\/li>\n<\/ol>\n<\/li>\n<li>\n<ol start=\"5\">\n<li>Set the merged <code>dexElements<\/code> on the system <code>PathClassLoader<\/code><\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<p>At this point the system can also access the classes in the plugin apk.<\/p>\n<p>Next, how do we launch an Activity from the plugin?<\/p>\n<p>Because the host code cannot reference the plugin classes directly when it is written, we have to do it like this:<\/p>\n<pre><code class=\"language-java\">findViewById(R.id.btn1).setOnClickListener(new View.OnClickListener() {\n    @Override\n    public void onClick(View v) {\n        Intent intent = new Intent();\n        intent.setComponent(new ComponentName(&quot;cn.appblog.plugin&quot;,  \/\/package name of the plugin\n                &quot;cn.appblog.plugin.Plugin1Activity&quot;));  \/\/fully qualified class name of the plugin Activity\n        startActivity(intent);\n    }\n});<\/code><\/pre>\n<p>And how do we launch the other Activities of the host itself? The same approach works, or the ordinary way can be used:<\/p>\n<pre><code class=\"language-java\">findViewById(R.id.button).setOnClickListener(new View.OnClickListener() {\n    @Override\n    
public void onClick(View v) {\n        Intent intent = new Intent(MainActivity.this, Main2Activity.class);\n        startActivity(intent);\n    }\n});<\/code><\/pre>\n<p>The host <code>manifest<\/code> still declares only one <code>Activity<\/code>; all the others can be launched directly without being registered, and the one that remains is there to serve as the <code>Launch Activity<\/code>.<\/p>\n<pre><code class=\"language-xml\">&lt;application\n    android:name=&quot;.app.MyApplication&quot;\n    android:allowBackup=&quot;true&quot;\n    android:icon=&quot;@mipmap\/ic_launcher&quot;\n    android:label=&quot;@string\/app_name&quot;\n    android:roundIcon=&quot;@mipmap\/ic_launcher_round&quot;\n    android:supportsRtl=&quot;true&quot;\n    android:theme=&quot;@style\/AppTheme&quot;\n    tools:ignore=&quot;GoogleAppIndexingWarning&quot;&gt;\n    &lt;activity android:name=&quot;.ui.MainActivity&quot;\n        android:screenOrientation=&quot;portrait&quot;&gt;\n        &lt;intent-filter&gt;\n            &lt;action android:name=&quot;android.intent.action.MAIN&quot; \/&gt;\n\n            &lt;category android:name=&quot;android.intent.category.LAUNCHER&quot; \/&gt;\n        &lt;\/intent-filter&gt;\n    
&lt;\/activity&gt;\n&lt;\/application&gt;<\/code><\/pre>\n<p>OK, that covers everything.<\/p>\n<h2>Pitfalls Are Good for You<\/h2>\n<p>Careful readers will notice that the host uses <code>android.app.Activity<\/code> rather than <code>AppCompatActivity<\/code>. The second Activity in the host, <code>Main2Activity<\/code>, is also an <code>android.app.Activity<\/code>.<\/p>\n<p>The reason is that switching to <code>AppCompatActivity<\/code> makes the host throw a baffling exception on startup:<\/p>\n<pre><code>03-09 18:39:19.069 16437-16437\/cn.appblog.hookplugindemo E\/AndroidRuntime: FATAL EXCEPTION: main\n    Process: cn.appblog.hookplugindemo, PID: 16437\n    java.lang.RuntimeException: Unable to start activity ComponentInfo{cn.appblog.hookplugindemo\/cn.appblog.hookplugindemo.ui.MainActivity}: java.lang.NullPointerException: Attempt to invoke interface method &#039;void android.support.v7.widget.DecorContentParent.setWindowCallback(android.view.Window$Callback)&#039; on a null object reference\n        at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2443)\n        at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2503)\n        at android.app.ActivityThread.-wrap11(ActivityThread.java)\n        at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1353)\n        at android.os.Handler.dispatchMessage(Handler.java:102)\n        at android.os.Looper.loop(Looper.java:148)\n        at android.app.ActivityThread.main(ActivityThread.java:5529)\n        at java.lang.reflect.Method.invoke(Native Method)\n        at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:745)\n        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:635)\n     Caused by: 
java.lang.NullPointerException: Attempt to invoke interface method &#039;void android.support.v7.widget.DecorContentParent.setWindowCallback(android.view.Window$Callback)&#039; on a null object reference\n        at android.support.v7.app.AppCompatDelegateImplV9.createSubDecor(AppCompatDelegateImplV9.java:410)\n        at android.support.v7.app.AppCompatDelegateImplV9.ensureSubDecor(AppCompatDelegateImplV9.java:323)\n        at android.support.v7.app.AppCompatDelegateImplV9.setContentView(AppCompatDelegateImplV9.java:284)\n        at android.support.v7.app.AppCompatActivity.setContentView(AppCompatActivity.java:139)\n        at cn.appblog.hookplugindemo.ui.MainActivity.onCreate(MainActivity.java:22)\n        at android.app.Activity.performCreate(Activity.java:6278)\n        at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1107)\n        at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2396)\n        at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2503) \n        at android.app.ActivityThread.-wrap11(ActivityThread.java) \n        at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1353) \n        at android.os.Handler.dispatchMessage(Handler.java:102) \n        at android.os.Looper.loop(Looper.java:148) \n        at android.app.ActivityThread.main(ActivityThread.java:5529) \n        at java.lang.reflect.Method.invoke(Native Method) \n        at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:745) \n        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:635) 
<\/code><\/pre>\n<p>I asked an expert and got a reliable answer: <code>AppCompatActivity<\/code> performs a context check at startup, which is what raises the error above. Using Activity is enough; there is no need for AppCompatActivity.<\/p>\n<p>I later looked into the difference between the two. <code>AppCompatActivity<\/code> was designed for compatibility with devices running older versions. Unlike <code>Activity<\/code>, <code>AppCompatActivity<\/code> has a default <code>ActionBar<\/code> and its own <code>Theme<\/code> class, whereas <code>Activity<\/code> has no <code>ActionBar<\/code> by default and uses <code>Theme<\/code> differently.<\/p>\n<p>So I am still puzzled, but this does not affect our plugin development, and Activities developed with <code>android.app.Activity<\/code> and with <code>AppCompatActivity<\/code> have not shown any compatibility problems.<\/p>\n<p>In fact, a similar problem also came up once in &quot;Launching an Activity in Android Plugin Development&quot;: 
<code>android.app.Activity<\/code> worked fine, but switching to <code>AppCompatActivity<\/code> produced the same error as above. It is quite strange, but again it does not affect development.<\/p>\n<h2>Closing Remarks<\/h2>\n<p>Plugin development looks unfathomable as a topic, and in practice it is not simple either. There is also more than one way to implement it. As far as I know there are currently two approaches: one uses <code>a real Activity in the host<\/code> as a proxy for the <code>plugin Activity<\/code>, and the other uses a <code>hook<\/code> to bypass the <code>manifest<\/code> check.<\/p>\n<p>Each approach has strengths and weaknesses. The <code>hook<\/code> may stop working, because Google recently published a list of APIs for which reflection is disabled, and Android 
Studio also warns, when reflection is used, that the reflection may stop working. Still, as the saying goes, if the sky falls it will not land on our heads; the experts will hold it up. If Google really does disable reflection, the big players in China will come up with a new solution, and we can simply follow the mainstream.<\/p>\n<p>The <code>proxy Activity<\/code> approach adds an extra <code>PluginLib<\/code> layer that has to be maintained; the upside is that it does not depend on Google.<\/p>\n<p>This article is reposted from: <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/www.jianshu.com\/p\/a8184c8fe688\">https:\/\/www.jianshu.com\/p\/a8184c8fe688<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have already managed to launch an Activity that is not registered in the manifest; but in production development, what kind of 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[311],"tags":[60,310],"class_list":["post-1837","post","type-post","status-publish","format-standard","hentry","category-android-advance","tag-activity","tag-hook"],"_links":{"self":[{"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/posts\/1837","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/comments?post=1837"}],"version-history":[{"count":0,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/posts\/1837\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/media?parent=1837"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/categories?post=1837"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/tags?post=1837"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}