?
adb shell;
top;在 VirtualAPP 中打开百度 App, 可以看到如下输出:
PID USER PR NI VIRT RES SHR S[%CPU] %MEM TIME+ ARGS
2498 u0_a1809 20 0 1.3G 79M 61M S 0.0 1.4 0:00.48 com.docker:x
2443 u0_a1809 10 -10 1.3G 120M 87M S 0.0 2.1 0:01.19 com.docker
6155 u0_a2009 20 0 1.3G 97M 51M S 8.0 1.7 0:02.66 com.docker:p1
922 system -2 0 343M 18M 12M S 35.6 0.3 92:29.87 surfaceflinger
1214 system 10 -10 8.4G 323M 323M S 1.0 5.7 44:46.97 system_server
5043 u0_a1809 20 0 1.5G 290M 80M S 0.3 5.1 0:09.86 com.baidu.searchbox:loki
5007 u0_a1809 20 0 1.5G 288M 77M S 0.0 5.1 0:08.45 com.baidu.searchbox:titanSandbox?
public class DockerCore {
/**
* Process type
*/
private enum ProcessType {
/**
* Server process
*/
Server,
/**
* Virtual app process
*/
VAppClient,
/**
* Main process
*/
Main,
/**
* Child process
*/
CHILD
}
}
?
package com.android.dockercore.client.hook.proxies.am;
@Inject(MethodProxies.class)
public class ActivityManagerStub extends MethodInvocationProxy<MethodInvocationStub<IInterface>> {
public ActivityManagerStub() {
// 调用 ActivityManagerNative 相关镜像类反射获取 ActivityManagerProxy(IActivityManager 类型) 对象
super(new MethodInvocationStub<>(ActivityManagerNative.getDefault.call()));
}
@Override
public void inject() throws Throwable {
if (BuildCompat.isOreo()) {
Object singleton = ActivityManagerOreo.IActivityManagerSingleton.get();
Singleton.mInstance.set(singleton, getInvocationStub().getProxyInterface());
} else {
if (ActivityManagerNative.gDefault.type() == IActivityManager.TYPE) {
ActivityManagerNative.gDefault.set(getInvocationStub().getProxyInterface());
} else if (ActivityManagerNative.gDefault.type() == Singleton.TYPE) {
Object gDefault = ActivityManagerNative.gDefault.get();
Singleton.mInstance.set(gDefault, getInvocationStub().getProxyInterface());
}
}
// 构造 IBinder, 传入 ActivityManagerProxy.getBaseInterface(IInterface 类型)
BinderInvocationStub hookAMBinder = new BinderInvocationStub(getInvocationStub().getBaseInterface());
hookAMBinder.copyMethodProxies(getInvocationStub());
// 添加到镜像类 ServiveManager
ServiceManager.sCache.get().put(Context.ACTIVITY_SERVICE, hookAMBinder);
}
@Override
protected void onBindMethods() {
super.onBindMethods();
// 运行 app 启动进程,hook AMS 相关函数
if (DockerCore.get().isVAppProcess()) {
addMethodProxy(new StaticMethodProxy("navigateUpTo") {
@Override
public Object call(Object who, Method method, Object... args) throws Throwable {
return method.invoke(who, args);
}
});
addMethodProxy(new ReplaceLastUidMethodProxy("checkPermissionWithToken"));
addMethodProxy(new isUserRunning());
addMethodProxy(new ResultStaticMethodProxy("updateConfiguration", 0));
addMethodProxy(new ReplaceCallingPkgMethodProxy("setAppLockedVerifying"));
addMethodProxy(new StaticMethodProxy("checkUriPermission") {
@Override
public Object afterCall(Object who, Method method, Object[] args, Object result) throws Throwable {
return PackageManager.PERMISSION_GRANTED;
}
});
addMethodProxy(new StaticMethodProxy("getRecentTasks") {
@Override
public Object call(Object who, Method method, Object... args) throws Throwable {
// ...
return _infos;
}
});
addMethodProxy(new StaticMethodProxy("getRunningTasks") {
@Override
public Object call(Object who, Method method, Object... args) throws Throwable {
// ...
return _infos;
}
});
}
}
//...
}
?
VirtualAPP 镜像类 ServiceManager:
package mirror.android.os;
import android.os.IBinder;
import android.os.IInterface;
import java.util.Map;
import mirror.RefClass;
import mirror.MethodParams;
import mirror.RefStaticObject;
import mirror.RefStaticMethod;
public class ServiceManager {
// 映射到 Java 层真实的 android.os.ServiceManager,内部会通过 binder 调用到 framework(c++ 的 ServiceManager)
public static Class<?> TYPE = RefClass.load(ServiceManager.class, "android.os.ServiceManager");
@MethodParams({String.class, IBinder.class})
public static RefStaticMethod<Void> addService;
public static RefStaticMethod<IBinder> checkService;
public static RefStaticMethod<IInterface> getIServiceManager;
public static RefStaticMethod<IBinder> getService;
public static RefStaticMethod<String[]> listServices;
public static RefStaticObject<Map<String, IBinder>> sCache;
}看看 android.os.ServiceManager 的实现:
/*
* Copyright (C) 2007 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.os;
import com.android.internal.os.BinderInternal;
import android.util.Log;
import java.util.HashMap;
import java.util.Map;
/** @hide */
public final class ServiceManager {
private static final String TAG = "ServiceManager";
private static IServiceManager sServiceManager;
private static HashMap<String, IBinder> sCache = new HashMap<String, IBinder>();
private static IServiceManager getIServiceManager() {
if (sServiceManager != null) {
return sServiceManager;
}
// 采用了单例模式获取ServiceManager getIServiceManager()返回的是ServiceManagerProxy(简称SMP)对象
sServiceManager = ServiceManagerNative.asInterface(BinderInternal.getContextObject());
return sServiceManager;
}
/**
* 关于getIServiceManager(),等价于new ServiceManagerProxy(new BinderProxy())。
* 其中sCache = new HashMap<String, IBinder>()以hashmap格式缓存已组成的名称。请求获取服务过程中,先从缓存中查询是否存在,
* 如果缓存中不存在的话,再通过binder交互来查询相应的服务
*/
public static IBinder getService(String name) {
try {
IBinder service = sCache.get(name);
if (service != null) {
return service;
} else {
return getIServiceManager().getService(name);
}
} catch (RemoteException e) {
Log.e(TAG, "error in getService", e);
}
return null;
}
public static void addService(String name, IBinder service) {
try {
// 先获取SMP对象,则执行注册服务操作
getIServiceManager().addService(name, service, false);
} catch (RemoteException e) {
Log.e(TAG, "error in addService", e);
}
}
public static void addService(String name, IBinder service, boolean allowIsolated) {
try {
getIServiceManager().addService(name, service, allowIsolated);
} catch (RemoteException e) {
Log.e(TAG, "error in addService", e);
}
}
public static IBinder checkService(String name) {
try {
IBinder service = sCache.get(name);
if (service != null) {
return service;
} else {
return getIServiceManager().checkService(name);
}
} catch (RemoteException e) {
Log.e(TAG, "error in checkService", e);
return null;
}
}
public static String[] listServices() {
try {
return getIServiceManager().listServices();
} catch (RemoteException e) {
Log.e(TAG, "error in listServices", e);
return null;
}
}
public static void initServiceCache(Map<String, IBinder> cache) {
if (sCache.size() != 0) {
throw new IllegalStateException("setServiceCache may only be called once");
}
sCache.putAll(cache);
}
}?
在 2021 年,人们喜欢 Linux 的理由比以往任何时候都多。在这个系列中,我将分享...
php实现微信支付 微信支付文档地址: https://pay.weixin.qq.com/wiki/doc/api/i...
本文转载自微信公众号「程序员历小冰」,转载本文请联系程序员历小冰公众号。 疫...
背景 该问题来自某客户,据描述,他们在部署 MySQL 主从复制时,有时候仅在主库...
文章目录 关系数据库 关系数据库简介 关系数据结构及形式化定义 关系 关系模式 ...
六、XML展望 任何一项新技术的产生都是有其需求背景的,XML的诞生是在HTML遇到不...
前言 我们在使用ajax异步的提交多选框得到需要操作的对象的id,这时我们可以把每...
下面是ajax代码和Controller层代码,期初以为是后台程序写错了。 $("#sourcefile...
微软官方博客于 2 月初再次发布提示,将会在 3 月 9 日停止对经典版 Edge 浏览器...
struts json 类型异常返回到js弹框问题解决办法 当struts 框架配置了异常时 例如...
