加固前奏2-替换application

运行加载过程
ActivityThread.java
Application app = data.info.makeApplication(data.restrictedBackupMode, null);
                            ->进入LoadedApk.java
                                    String appClass = mApplicationInfo.className;
                                    app.attachBaseContext()        //可控函数
                                    ...
                                    mActivityThread.mAllApplications.add(app);
                                    mApplication = app;
                            <-退出
mInitialApplication = app;
mInstrumentation.callApplicationOnCreate(app);
                            ->    app.onCreate()                //可控函数

 

在 onCreate 中实现

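        // Swap the shell Application for the real one at runtime by rewriting the
        // ActivityThread / LoadedApk bookkeeping left behind by makeApplication() and
        // callApplicationOnCreate() (see the load trace above).
        // NOTE(review): ActivityThread, AppBindData and LoadedApk are non-SDK internals;
        // their field names and reflective accessibility differ between Android releases,
        // so verify every name below on each target API level instead of assuming it resolves.
        Object currentActivityThread = javaRef.invokeStaticMethod("android.app.ActivityThread",
                "currentActivityThread", new Class[]{}, new Object[]{});

        // ActivityThread.mBoundApplication.info is the LoadedApk of this process.
        Object mBoundApplication = javaRef.getFieldValue("android.app.ActivityThread",
                "mBoundApplication", currentActivityThread);
        Object loadedApk = javaRef.getFieldValue("android.app.ActivityThread$AppBindData",
                "info", mBoundApplication);

        // Clear the cached instance so that makeApplication() constructs a fresh object
        // instead of handing back the shell Application again.
        javaRef.setFieldValue("android.app.LoadedApk", "mApplication", loadedApk, null);

        // Redirect the LoadedApk to the real Application class name.
        ApplicationInfo applicationInfo_loadapk = (ApplicationInfo) javaRef.getFieldValue(
                "android.app.LoadedApk", "mApplicationInfo", loadedApk);
        String desAppName = "com.cc.shell.MyApplication";
        applicationInfo_loadapk.className = desAppName;

        // Remove the shell Application from the process-wide list; the load trace shows
        // makeApplication() adding each created instance to mAllApplications.
        Application oldApplication = (Application) javaRef.getFieldValue("android.app.ActivityThread",
                "mInitialApplication", currentActivityThread);
        @SuppressWarnings("unchecked") // the framework list holds Application instances (see add() in the trace)
        ArrayList<Application> mAllApplications = (ArrayList<Application>) javaRef.getFieldValue(
                "android.app.ActivityThread", "mAllApplications", currentActivityThread);
        mAllApplications.remove(oldApplication);

        // Build and start the real Application: restrictedBackupMode = false, no Instrumentation,
        // mirroring the makeApplication(boolean, Instrumentation) call in the load trace.
        Application realApp = (Application) javaRef.invokeMethod("android.app.LoadedApk", "makeApplication",
                loadedApk, new Class[]{boolean.class, Instrumentation.class}, new Object[]{false, null});
        realApp.onCreate();

        // Fix: the original wrote to "com.android.ActivityThread", which is not the class
        // currentActivityThread was obtained from; mInitialApplication lives on
        // android.app.ActivityThread, the same class used for every other lookup above.
        javaRef.setFieldValue("android.app.ActivityThread", "mInitialApplication", currentActivityThread, realApp);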

 

转载于:https://www.cnblogs.com/lyxin/p/10052313.html
