
VirtualApp hook so及activity回调

作者: LiuJP | 来源:发表于2019-01-21 17:14 被阅读13次

先推荐几篇讲解 VA(VirtualApp)原理的文章:

  1. virtualapp
  2. https://blog.csdn.net/ganyao939543405/article/details/76146760?ref=myread

VA项目地址:

https://github.com/asLody/VirtualApp

IOUniformer.cpp hook so

/**
 * Resolve `symbol` in the library identified by `sohandle` and, if it is
 * found, install an inline hook on it through MSHookFunction.
 *
 * @param sohandle handle passed straight to dlsym()
 * @param symbol   exported symbol name to look up
 * @param replace  replacement function handed to MSHookFunction
 * @param result   out-pointer handed to MSHookFunction (the callers in this
 *                 file pass the address of their "orig" function pointer)
 *
 * When dlsym() returns NULL nothing is hooked and `*result` is left untouched;
 * the function reports nothing to the caller in either case.
 */
void inlineHookSymbol(void *sohandle, const char *symbol, void *replace, void **result) {
    void *target = dlsym(sohandle, symbol);
    if (!target) {
        // Symbol not exported by this library: leave everything as it was.
        return;
    }
    MSHookFunction(target, replace, result);
}
// Pointer through which new_runtime_invoke reaches the original
// il2cpp_runtime_invoke. It starts as NULL; onSoLoaded passes its address as
// the `result` argument of inlineHookSymbol, which forwards it to
// MSHookFunction (presumably filled in there when the hook is installed).
void *(*org_runtime_invoke)(void *a_method, void *a_obj, void **a_params, int **a_exc) = NULL;

/**
 * Replacement installed for il2cpp_runtime_invoke (see onSoLoaded).
 *
 * As published this is a pure pass-through: the arguments are forwarded
 * unchanged to org_runtime_invoke and its return value is handed back.
 * The author left two instrumentation calls commented out at this point
 * (register_Class_From_Image and runInMonoInvokeRuntimeHooker); neither is
 * defined on this page.
 */
void *new_runtime_invoke(void *a_method, void *a_obj, void **a_params, int **a_exc) {
    void *invoke_result = org_runtime_invoke(a_method, a_obj, a_params, a_exc);
    return invoke_result;
}


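/**
 * Callback run with the name and handle of a shared object that was loaded
 * (presumably invoked from the do_dlopen/dlopen replacements installed by
 * hook_dlopen; those replacements are not shown on this page).
 *
 * Logs the load and, when the name contains "libil2cpp.so", hooks
 * il2cpp_runtime_invoke so calls are routed through new_runtime_invoke.
 *
 * @param name   library name or path as reported by the loader; may be NULL
 * @param handle handle of the loaded library
 */
void onSoLoaded(const char *name, void *handle) {
    // `handle` is a pointer, so it must be printed with %p; the previous %d
    // mismatched the argument type, which is undefined behaviour in a
    // printf-style call and truncates the value on 64-bit targets.
    ALOGE("%s %s %p", __FUNCTION__, name ? name : "(null)", handle);

    // strstr() on a NULL string is undefined behaviour; nothing to match.
    if (!name) {
        return;
    }

    if (strstr(name, "libil2cpp.so")) {
        inlineHookSymbol(handle, "il2cpp_runtime_invoke", (void *) &new_runtime_invoke,
                         (void **) &org_runtime_invoke);
    }
}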

/**
 * Look up `name` inside library `libn` of the current process.
 *
 * Thin wrapper over find_name() that supplies getpid() as the target process.
 *
 * @param name symbol name to search for
 * @param libn library name to search in (callers here pass "linker")
 * @param addr out-parameter passed through to find_name()
 * @return whatever find_name() returns; callers in this file treat 0 as
 *         "symbol found"
 */
int findSymbol(const char *name, const char *libn,
               unsigned long *addr) {
    return find_name(getpid(), name, libn, addr);
}


/**
 * Fallback for API level > 23 when the stock do_dlopen symbol is not found.
 *
 * Tries the variant whose mangled name ends in "PKv" (last parameter
 * `const void *`) instead of "Pv"; the original comment names a Huawei
 * Mate 8 on Android 8.0 as the device that needs it.
 *
 * @param symbol scratch pointer; it is passed by value, so the address
 *               written into it here is not visible to the caller
 * @param rom    ROM identifier, used only in the log line
 * @return the findSymbol() result (0 means the symbol was found and hooked)
 */
int hook_dlopen_rom24(void *symbol, const char *rom) {
    const int status = findSymbol("__dl__Z9do_dlopenPKciPK17android_dlextinfoPKv", "linker",
                                  (unsigned long *) &symbol);
    if (!status) {
        // Same replacement/original pair as the stock API > 23 path.
        MSHookFunction(symbol, (void *) new_do_dlopen_V24,
                       (void **) &orig_do_dlopen_V24);
    }
    // Always log the outcome so a failed lookup on an unknown ROM is visible.
    ALOGE("%s %s %d", __FUNCTION__, rom, status);
    return status;
}

/**
 * Hook the dynamic linker's library-open routine for the running API level.
 *
 * The symbol searched for in "linker" depends on the API level:
 *   - api_level > 23 : do_dlopen(const char*, int, const android_dlextinfo*, void*),
 *                      falling back to hook_dlopen_rom24() if that is missing
 *   - 19..23         : do_dlopen(const char*, int, const android_dlextinfo*)
 *   - below 19       : __dl_dlopen
 * A lookup that fails on the two older paths is ignored silently.
 *
 * @param api_level Android API level of the device
 * @param rom       ROM identifier, forwarded to hook_dlopen_rom24() for logging
 */
void hook_dlopen(int api_level, const char *rom) {
    void *symbol = NULL;

    if (api_level > 23) {
        const int lookup = findSymbol("__dl__Z9do_dlopenPKciPK17android_dlextinfoPv", "linker",
                                      (unsigned long *) &symbol);
        if (lookup != 0) {
            // Stock signature not present: try the vendor-ROM variant.
            hook_dlopen_rom24(symbol, rom);
        } else {
            MSHookFunction(symbol, (void *) new_do_dlopen_V24,
                           (void **) &orig_do_dlopen_V24);
        }
        return;
    }

    if (api_level >= 19) {
        const int lookup = findSymbol("__dl__Z9do_dlopenPKciPK17android_dlextinfo", "linker",
                                      (unsigned long *) &symbol);
        if (lookup == 0) {
            MSHookFunction(symbol, (void *) new_do_dlopen_V19,
                           (void **) &orig_do_dlopen_V19);
        }
        return;
    }

    // Oldest platforms: hook the linker's dlopen directly.
    if (findSymbol("__dl_dlopen", "linker",
                   (unsigned long *) &symbol) == 0) {
        MSHookFunction(symbol, (void *) new_dlopen, (void **) &orig_dlopen);
    }
}

activity回调

com.lody.virtual.client.ipc.VActivityManager

   /**
    * Reports a resumed activity to the service returned by getService().
    *
    * The first statement is the logging line this article adds: it writes the
    * activity's class name at error level under the tag "ga". The activity's
    * token is then read through the mirror accessor and sent to the service
    * together with the current user id.
    *
    * @param activity the activity that was resumed
    */
   public void onActivityResumed(Activity activity) {
       final String activityClassName = activity.getClass().getName();
       VLog.e("ga", activityClassName);

       final IBinder activityToken = mirror.android.app.Activity.mToken.get(activity);
       try {
           getService().onActivityResumed(VUserHandle.myUserId(), activityToken);
       } catch (RemoteException e) {
           // A failed remote call is only printed; it is not propagated.
           e.printStackTrace();
       }
   }

这里的 activity 参数就是 app 自己的 Activity 实例。

