前言:如果程序想要知道有activity啟動,如果想要攔截activity,然后跳轉到指定的activity怎么辦?
我們看下ActivityThread 里面:
private Activity performLaunchActivity(ActivityClientRecord r, Intent customIntent) {
// System.out.println("##### [" + System.currentTimeMillis() + "] ActivityThread.performLaunchActivity(" + r + ")");
ActivityInfo aInfo = r.activityInfo;
if (r.packageInfo == null) {
r.packageInfo = getPackageInfo(aInfo.applicationInfo, r.compatInfo,
Context.CONTEXT_INCLUDE_CODE);
}
ComponentName component = r.intent.getComponent();
if (component == null) {
component = r.intent.resolveActivity(
mInitialApplication.getPackageManager());
r.intent.setComponent(component);
}
if (r.activityInfo.targetActivity != null) {
component = new ComponentName(r.activityInfo.packageName,
r.activityInfo.targetActivity);
}
ContextImpl appContext = createBaseContextForActivity(r);
Activity activity = null;
try {
java.lang.ClassLoader cl = appContext.getClassLoader();
activity = mInstrumentation.newActivity(
cl, component.getClassName(), r.intent);
StrictMode.incrementExpectedActivityCount(activity.getClass());
r.intent.setExtrasClassLoader(cl);
r.intent.prepareToEnterProcess();
if (r.state != null) {
r.state.setClassLoader(cl);
}
} catch (Exception e) {
if (!mInstrumentation.onException(activity, e)) {
throw new RuntimeException(
"Unable to instantiate activity " + component
+ ": " + e.toString(), e);
}
}
....
if (activity != null) {
CharSequence title = r.activityInfo.loadLabel(appContext.getPackageManager());
Configuration config = new Configuration(mCompatConfiguration);
if (r.overrideConfig != null) {
config.updateFrom(r.overrideConfig);
}
if (DEBUG_CONFIGURATION) Slog.v(TAG, "Launching activity "
+ r.activityInfo.name + " with config " + config);
Window window = null;
if (r.mPendingRemoveWindow != null && r.mPreserveWindow) {
window = r.mPendingRemoveWindow;
r.mPendingRemoveWindow = null;
r.mPendingRemoveWindowManager = null;
}
appContext.setOuterContext(activity);
activity.attach(appContext, this, getInstrumentation(), r.token,
r.ident, app, r.intent, r.activityInfo, title, r.parent,
r.embeddedID, r.lastNonConfigurationInstances, config,
r.referrer, r.voiceInteractor, window, r.configCallback);
if (customIntent != null) {
activity.mIntent = customIntent;
}
可以看到,執行啟動activity的時候,
activity = mInstrumentation.newActivity(
cl, component.getClassName(), r.intent);
StrictMode.incrementExpectedActivityCount(activity.getClass());
那么我們是不是可以在這個時候攔截一下返回的activity呢?
OK,我們繼承Instrumentation,並且重寫里面的方法。
package com.****r.app;
import android.app.Activity;
import android.app.Instrumentation;
import android.content.Intent;
import com.*****.ActivityAbout;
/**
* =======================================================================================
* 作 者:caoxinyu
* 創建日期:2019/2/19.
* 類的作用:
* 修訂歷史:
* =======================================================================================
*/
public class MyInstrumentation extends Instrumentation {
private Instrumentation base;
public MyInstrumentation(Instrumentation base) {
this.base = base;
}
@Override
public Activity newActivity(ClassLoader cl, String className, Intent intent) throws InstantiationException, IllegalAccessException, ClassNotFoundException {
try {
//這里需要setExtrasClassLoader 不然的話,getParecleable 對象可能會拿不到
//很多hook Instrumentation的人都不知道。
// 這里try catch 是防止惡意攻擊 導致android.os.BadParcelableException: ClassNotFoundException when unmarshalling
intent.setExtrasClassLoader(cl);
intent.getBooleanExtra("a",false);
}catch (Exception e){
}
if (intent.getBooleanExtra("ActivityAbout",false)) {
return super.newActivity(cl, ActivityAbout.class.getName(), intent);
}
return super.newActivity(cl,className, intent);
}
}
那么怎么使我們重寫的類生效呢?
package com.***;
import android.app.Instrumentation;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
public class Hooker {
private static final String TAG = "Hooker";
public static void hookInstrumentation() {
Class<?> activityThread = null;
try {
activityThread = Class.forName("android.app.ActivityThread");
Method sCurrentActivityThread = activityThread.getDeclaredMethod("currentActivityThread");
sCurrentActivityThread.setAccessible(true);
//獲取ActivityThread 對象
Object activityThreadObject = sCurrentActivityThread.invoke(activityThread);
//獲取 Instrumentation 對象
Field mInstrumentation = activityThread.getDeclaredField("mInstrumentation");
mInstrumentation.setAccessible(true);
Instrumentation instrumentation = (Instrumentation) mInstrumentation.get(activityThreadObject);
MyInstrumentation customInstrumentation = new MyInstrumentation(instrumentation);
//將我們的 customInstrumentation 設置進去
mInstrumentation.set(activityThreadObject, customInstrumentation);
} catch (Exception e) {
e.printStackTrace();
}
}
}
上面這些代碼是通過反射,把自己的Instrumentation 設置進去。
然后在程序初始化的時候,調用下面的代碼即可。
Hooker.hookInstrumentation();
我們啟動一個A activity,如果intent.getBooleanExtra(“ActivityAbout”,false),那么你的A activity 將被攔截成ActivityAbout。
那么還有一個問題,為什么要設置ClassLoader?
intent.setExtrasClassLoader(cl);
因為如果不設置的話,getParecleable 對象可能會拿不到。在8.0以前的手機,直接崩潰:android.os.BadParcelableException: ClassNotFoundException when unmarshalling。在8.0以上的話,系統會catch 住這個崩潰,但是你的數據全都會被清空。
具體分析如下:
簡單try catch,在低版本上沒有問題。但是在android8.0以上,會有問題。
在Android8.0以上,如果getBooleanExt 方法里面失敗了,系統會catch BadParcelableException,並把intent 里面的數據清空。具體可見下面的截圖,
這就導致簡單try catch 之后的代碼,運行在8.0以上手機,收不到intent里面的數據,因為Intent 里面的跳轉數據被清空了。
還是要查清楚為什么會出現ClassNotFoundException when unmarshalling
根據源碼,在這里getBooleanExt 會出問題是因為系統在這一步還沒有設置解析Parcelable 的classLoader。如下圖
所以,有問題的代碼需要這樣改下。
系統是在調用了 mInstrumentation.newActivity之后設置了classLoader r.intent.setExtrasClassLoader(cl), 所以hook 在newActivity 這一步get Parcelable 數據是有問題的。
不然會有下面這種錯誤:
java.lang.RuntimeException: Unable to instantiate activity ComponentInfo{com.aaa./.WelcomeActivity}: android.os.BadParcelableException: ClassNotFoundException when unmarshalling: com.nearme.mcs.entity.MessageEntity
at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2492)
at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2678)
at android.app.ActivityThread.access$900(ActivityThread.java:187)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1523)
at android.os.Handler.dispatchMessage(Handler.java:111)
at android.os.Looper.loop(Looper.java:210)
at android.app.ActivityThread.main(ActivityThread.java:5809)
at java.lang.reflect.Method.invoke(Native Method)
at java.lang.reflect.Method.invoke(Method.java:372)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:1113)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:879)
Caused by: android.os.BadParcelableException: ClassNotFoundException when unmarshalling: com.nearme.mcs.entity.MessageEntity
at android.os.Parcel.readParcelableCreator(Parcel.java:2305)
at android.os.Parcel.readParcelable(Parcel.java:2255)
at android.os.Parcel.readValue(Parcel.java:2162)
at android.os.Parcel.readArrayMapInternal(Parcel.java:2495)
at android.os.BaseBundle.unparcel(BaseBundle.java:221)
at android.os.BaseBundle.getBoolean(BaseBundle.java:658)
at android.content.Intent.getBooleanExtra(Intent.java:5129)
at com.nearme.game.sdk.y.o_a(SourceFile:46)
at com.nearme.game.sdk.y.newActivity(SourceFile:28)
at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2469)
at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2678)
at android.app.ActivityThread.access$900(ActivityThread.java:187)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1523)
at android.os.Handler.dispatchMessage(Handler.java:111)
at android.os.Looper.loop(Looper.java:210)
at android.app.ActivityThread.main(ActivityThread.java:5809)
at java.lang.reflect.Method.invoke(Native Method)
at java.lang.reflect.Method.invoke(Method.java:372)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:1113)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:879)
加油,自己學會了使用Source Insight 看源碼。開始慢慢的去學習技術的原理。加油!