forked from prife/VirtualAppDoc
VAStartActivity.puml
@startuml
box "Main process" #LightBlue
participant Hook_StartActivity
participant VirtualCore
participant VActivityManager
participant Activity
end box
box "Server process" #LightGreen
participant VActivityManagerService
participant VPackageManagerService
participant ProviderCaller
end box
box "App Client process" #Gray
participant StubContentProvider
participant ActivityThread
participant HCallbackHook
end box
[-> Hook_StartActivity : onHook
activate Hook_StartActivity
Hook_StartActivity -> VirtualCore : resolveActivityInfo
activate VirtualCore
deactivate VirtualCore
Hook_StartActivity -> VRedirectActRequest : new VRedirectActRequest
activate VRedirectActRequest
Hook_StartActivity <-- VRedirectActRequest : req
deactivate VRedirectActRequest
Hook_StartActivity -> VActivityManager : redirectTargetActivity
activate VActivityManager
VActivityManager -> VActivityManagerService : redirectTargetActivity
activate VActivityManagerService
VActivityManagerService -> VActivityManagerService : redirectTargetActivityLocked
activate VActivityManagerService
VActivityManagerService -> VActivityManagerService : startProcessLocked
activate VActivityManagerService
VActivityManagerService -> VActivityManagerService : queryFreeStubForProcess
activate VActivityManagerService
deactivate VActivityManagerService
VActivityManagerService -> VActivityManagerService : performStartProcessLocked
activate VActivityManagerService
VActivityManagerService -> VPackageManagerService : querySharedPackages
VActivityManagerService <-- VPackageManagerService : sharedPackages : List<String>
VActivityManagerService -> VPackageManagerService : queryContentProviders
VActivityManagerService <-- VPackageManagerService : providers : List<ProviderInfo>
VActivityManagerService -> VPackageManagerService : getSharedLibraries
VActivityManagerService <-- VPackageManagerService : usesLibraries : List<String>
VActivityManagerService -> ProviderCaller : call(MethodConstants.INIT_PROCESS)
activate ProviderCaller
ProviderCaller -> StubContentProvider : call
activate StubContentProvider
StubContentProvider -> StubContentProvider : initProcess
activate StubContentProvider
deactivate StubContentProvider
deactivate StubContentProvider
note over ProviderCaller
StubContentProvider.java defines 20 static inner classes, C1 through C20,
all subclasses of StubContentProvider. Each is declared in AndroidManifest.xml
with a process attribute that matches the corresponding StubActivity.
The VA server process picks a free StubContentProvider and, through
Android's ContentProvider mechanism, the system forks a new process,
which later becomes the home of the cloned (dual-instance) app.
This swap-in is carried out by the VA server process.
endnote
deactivate ProviderCaller
deactivate VActivityManagerService
deactivate VActivityManagerService
VActivityManagerService -> VActivityManagerService : fetchStubActivityInfo
activate VActivityManagerService
deactivate VActivityManagerService
VActivityManagerService <-- VActRedirectResult : result = new VActRedirectResult
deactivate VActivityManagerService
deactivate VActivityManagerService
note over Hook_StartActivity
The steps above have already created a stub process for the cloned app;
next, the cloned app's Activity is started inside that process.
The arrow below corresponds to the last line of onHook:
return method.invoke(who, args);
Here Activity.startActivity ultimately triggers
ActivityThread.scheduleLaunchActivity. That step involves interaction
between AMS (in system_process) and the app process; to keep the
diagram simple, the AMS call sequence is omitted.
endnote
Hook_StartActivity -> Activity : startActivity
activate Activity
Activity -> ActivityThread : scheduleLaunchActivity
activate ActivityThread
ActivityThread -> ActivityThread : sendMessage(LAUNCH_ACTIVITY)
activate ActivityThread
deactivate ActivityThread
note over ActivityThread
Note: the stub process's ActivityThread.mH has had its mCallback
hooked and replaced with an HCallbackHook object, so this message
next goes to HCallbackHook.handleMessage.
endnote
ActivityThread -> HCallbackHook : handleMessage
activate HCallbackHook
HCallbackHook -> HCallbackHook : handleLaunchActivity
activate HCallbackHook
deactivate HCallbackHook
deactivate HCallbackHook
ActivityThread -> ActivityThread : handleLaunchActivity
activate ActivityThread
deactivate ActivityThread
note over ActivityThread, HCallbackHook
In HCallbackHook.handleLaunchActivity the swapped-in StubActivity is
replaced with the Intent/component/package name/ClassLoader that the
cloned app needs; execution then continues in
ActivityThread.handleLaunchActivity, which creates the real cloned
app's Activity and calls its onCreate.
**<color red><size:18>This is how the cloned app's Activity gets started</size></color>**
endnote
deactivate ActivityThread
deactivate Activity
deactivate VActivityManager
deactivate Hook_StartActivity
@enduml
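The two notes in the diagram (the stub ContentProvider that makes the system fork a process, and the mH callback hook that rewrites LAUNCH_ACTIVITY before handleLaunchActivity) are shown together below as an added example. It is illustrative code written for this page, not VirtualApp's StubContentProvider or HCallbackHook. The provider authority, the method string and the two extra keys are hypothetical; only the reflective access to ActivityThread.currentActivityThread, ActivityThread.mH, Handler.mCallback and the ActivityClientRecord fields intent/activityInfo is taken from the platform. The message id 100 is ActivityThread.H.LAUNCH_ACTIVITY on Android 4.x to 8.x; Android 9+ delivers launches as EXECUTE_TRANSACTION/ClientTransaction, and its hidden-API restrictions may block the Handler.mCallback access unless the container bypasses them, neither of which this example handles. The ClassLoader/LoadedApk swap the last note mentions is also left out.

```java
// Added example, not VirtualApp's code; names marked hypothetical are assumptions.
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.database.Cursor;
import android.net.Uri;
import android.os.Bundle;
import android.os.Handler;
import android.os.Message;
import java.lang.reflect.Field;
import java.lang.reflect.Method;

/** Declared in AndroidManifest.xml with android:process set to the stub process name. */
public class StubProvider extends ContentProvider {
    static final String METHOD_INIT_PROCESS = "_example_|_init_process_"; // hypothetical
    static final String EXTRA_TARGET_INTENT = "_example_|_intent_";        // hypothetical
    static final String EXTRA_TARGET_INFO = "_example_|_info_";            // hypothetical
    /** Server side: the call makes the system fork the provider's android:process if needed. */
    public static Bundle spawnStubProcess(Context serverCtx, String authority, Bundle args) {
        Uri uri = Uri.parse("content://" + authority); // authority is hypothetical
        return serverCtx.getContentResolver().call(uri, METHOD_INIT_PROCESS, null, args);
    }
    /** Client side: runs inside the freshly created stub process. */
    @Override
    public Bundle call(String method, String arg, Bundle extras) {
        if (!METHOD_INIT_PROCESS.equals(method)) return null;
        try {
            LaunchCallbackHook.install();
            return Bundle.EMPTY;
        } catch (ReflectiveOperationException e) {
            return null; // no hook: a redirected launch would show the stub Activity itself
        }
    }
    @Override public boolean onCreate() { return true; }
    @Override public Cursor query(Uri u, String[] p, String s, String[] a, String o) { return null; }
    @Override public String getType(Uri u) { return null; }
    @Override public Uri insert(Uri u, ContentValues v) { return null; }
    @Override public int delete(Uri u, String s, String[] a) { return 0; }
    @Override public int update(Uri u, ContentValues v, String s, String[] a) { return 0; }
}

/** Handler.Callback installed on ActivityThread.mH of the stub process. */
final class LaunchCallbackHook implements Handler.Callback {
    // ActivityThread.H.LAUNCH_ACTIVITY before Android 9 (9+ uses EXECUTE_TRANSACTION; not handled)
    private static final int LAUNCH_ACTIVITY = 100;
    private final Handler.Callback original; // previous callback, normally null
    private LaunchCallbackHook(Handler.Callback original) { this.original = original; }
    private static Handler currentMH() throws ReflectiveOperationException {
        Class<?> at = Class.forName("android.app.ActivityThread");
        Method current = at.getDeclaredMethod("currentActivityThread");
        current.setAccessible(true);
        Field mH = at.getDeclaredField("mH");
        mH.setAccessible(true);
        return (Handler) mH.get(current.invoke(null));
    }
    private static Field callbackField() throws NoSuchFieldException {
        Field f = Handler.class.getDeclaredField("mCallback");
        f.setAccessible(true);
        return f;
    }
    static void install() throws ReflectiveOperationException {
        Handler h = currentMH();
        Handler.Callback existing = (Handler.Callback) callbackField().get(h);
        if (existing instanceof LaunchCallbackHook) return; // already installed
        callbackField().set(h, new LaunchCallbackHook(existing));
    }
    /** Detection counterpart: stock ActivityThread creates mH with no callback, so a non-null
     *  mCallback in an ordinary app process indicates a hook like this one. */
    static boolean isHooked() throws ReflectiveOperationException {
        return callbackField().get(currentMH()) != null;
    }
    @Override
    public boolean handleMessage(Message msg) {
        if (msg.what == LAUNCH_ACTIVITY) {
            try {
                rewrite(msg.obj); // msg.obj is the hidden ActivityThread.ActivityClientRecord
            } catch (ReflectiveOperationException e) { /* record untouched: stub Activity launches */ }
        }
        // false lets ActivityThread.H.handleMessage run, which calls handleLaunchActivity
        return original != null && original.handleMessage(msg);
    }
    /** Swap the stub's Intent/ActivityInfo for the real app's; the ClassLoader swap is omitted. */
    private static void rewrite(Object record) throws ReflectiveOperationException {
        Field intentField = record.getClass().getDeclaredField("intent");
        intentField.setAccessible(true);
        Intent stubIntent = (Intent) intentField.get(record);
        if (stubIntent == null) return;
        Intent target = stubIntent.getParcelableExtra(StubProvider.EXTRA_TARGET_INTENT);
        ActivityInfo info = stubIntent.getParcelableExtra(StubProvider.EXTRA_TARGET_INFO);
        if (target == null || info == null) return; // ordinary launch, not a redirected one
        intentField.set(record, target);
        Field infoField = record.getClass().getDeclaredField("activityInfo");
        infoField.setAccessible(true);
        infoField.set(record, info);
    }
}
```

spawnStubProcess plays the role of ProviderCaller.call(MethodConstants.INIT_PROCESS) in the diagram: the server calls it after picking a free stub, the system starts the stub's android:process to host the provider, and call() then installs the hook inside that new process. The same interposition point that makes the redirect work also means every Activity launch of an app running inside such a container passes through code the container controls, which is why isHooked() is the check an app that does not want to run cloned would perform: on a stock ActivityThread the mH handler is created without a Callback, so a non-null mCallback in the app's own process is a strong indicator of this kind of hook.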