• 微信公众号:美女很有趣。 工作之余,放松一下,关注即送10G+美女照片!

【VirtualAPP双开系列02】进程管理

互联网 diligentman 2周前 (04-08) 10次浏览

目录:

  • 1. 运行 VirtualAPP,查看进程
  • 2. VirtualAPP 分成四种类型的进程
  • 3. 关于 Stub
  • 4. 关于 ServiceManager

 

1. 运行 VirtualAPP,查看进程

adb shell;
top;

在 VirtualAPP 中打开百度 App, 可以看到如下输出:

PID USER         PR  NI VIRT  RES  SHR S[%CPU] %MEM     TIME+ ARGS                                                                                 

2498 u0_a1809     20   0 1.3G  79M  61M S  0.0   1.4   0:00.48 com.docker:x
2443 u0_a1809     10 -10 1.3G 120M  87M S  0.0   2.1   0:01.19 com.docker
6155 u0_a2009     20   0 1.3G  97M  51M S  8.0   1.7   0:02.66 com.docker:p1
 
922 system       -2   0 343M  18M  12M S 35.6   0.3  92:29.87 surfaceflinger
1214 system       10 -10 8.4G 323M 323M S  1.0   5.7  44:46.97 system_server

5043 u0_a1809     20   0 1.5G 290M  80M S  0.3   5.1   0:09.86 com.baidu.searchbox:loki
5007 u0_a1809     20   0 1.5G 288M  77M S  0.0   5.1   0:08.45 com.baidu.searchbox:titanSandbox

 

2. VirtualAPP 分成四种类型的进程

public class DockerCore {
    /**
     * Process type
     */
    private enum ProcessType {
        /**
         * Server process
         */
        Server,
        /**
         * Virtual app process
         */
        VAppClient,
        /**
         * Main process
         */
        Main,
        /**
         * Child process
         */
        CHILD
    }
}

【VirtualAPP双开系列02】进程管理

 

3. 关于 Stub

【VirtualAPP双开系列02】进程管理

package com.android.dockercore.client.hook.proxies.am;

@Inject(MethodProxies.class)
public class ActivityManagerStub extends MethodInvocationProxy<MethodInvocationStub<IInterface>> {

    public ActivityManagerStub() {
        // 调用 ActivityManagerNative 相关镜像类反射获取 ActivityManagerProxy(IActivityManager 类型) 对象
        super(new MethodInvocationStub<>(ActivityManagerNative.getDefault.call()));
    }

    @Override
    public void inject() throws Throwable {
        if (BuildCompat.isOreo()) {
            Object singleton = ActivityManagerOreo.IActivityManagerSingleton.get();
            Singleton.mInstance.set(singleton, getInvocationStub().getProxyInterface());
        } else {
            if (ActivityManagerNative.gDefault.type() == IActivityManager.TYPE) {
                ActivityManagerNative.gDefault.set(getInvocationStub().getProxyInterface());
            } else if (ActivityManagerNative.gDefault.type() == Singleton.TYPE) {
                Object gDefault = ActivityManagerNative.gDefault.get();
                Singleton.mInstance.set(gDefault, getInvocationStub().getProxyInterface());
            }
        }
        // 构造 IBinder, 传入 ActivityManagerProxy.getBaseInterface(IInterface 类型)
        BinderInvocationStub hookAMBinder = new BinderInvocationStub(getInvocationStub().getBaseInterface());
        hookAMBinder.copyMethodProxies(getInvocationStub());
        // 添加到镜像类 ServiveManager
        ServiceManager.sCache.get().put(Context.ACTIVITY_SERVICE, hookAMBinder);
    }

    @Override
    protected void onBindMethods() {
        super.onBindMethods();

        // 运行 app 启动进程,hook AMS 相关函数
        if (DockerCore.get().isVAppProcess()) {
            addMethodProxy(new StaticMethodProxy("navigateUpTo") {
                @Override
                public Object call(Object who, Method method, Object... args) throws Throwable {
                    return method.invoke(who, args);
                }
            });
            addMethodProxy(new ReplaceLastUidMethodProxy("checkPermissionWithToken"));
            addMethodProxy(new isUserRunning());
            addMethodProxy(new ResultStaticMethodProxy("updateConfiguration", 0));
            addMethodProxy(new ReplaceCallingPkgMethodProxy("setAppLockedVerifying"));
            addMethodProxy(new StaticMethodProxy("checkUriPermission") {
                @Override
                public Object afterCall(Object who, Method method, Object[] args, Object result) throws Throwable {
                    return PackageManager.PERMISSION_GRANTED;
                }
            });
            addMethodProxy(new StaticMethodProxy("getRecentTasks") {
                @Override
                public Object call(Object who, Method method, Object... args) throws Throwable {
                    // ...
                    return _infos;
                }
            });
            addMethodProxy(new StaticMethodProxy("getRunningTasks") {
                @Override
                public Object call(Object who, Method method, Object... args) throws Throwable {
                    // ...
                    return _infos;
                }
            });
        }
    }

    //...
}

 

4. 关于 ServiceManager

【VirtualAPP双开系列02】进程管理

 

VirtualAPP 镜像类 ServiceManager:

package mirror.android.os;

import android.os.IBinder;
import android.os.IInterface;

import java.util.Map;

import mirror.RefClass;
import mirror.MethodParams;
import mirror.RefStaticObject;
import mirror.RefStaticMethod;

public class ServiceManager {
    // 映射到 Java 层真实的 android.os.ServiceManager,内部会通过 binder 调用到 framework(c++ 的 ServiceManager)
    public static Class<?> TYPE = RefClass.load(ServiceManager.class, "android.os.ServiceManager");
    @MethodParams({String.class, IBinder.class})
    public static RefStaticMethod<Void> addService;
    public static RefStaticMethod<IBinder> checkService;
    public static RefStaticMethod<IInterface> getIServiceManager;
    public static RefStaticMethod<IBinder> getService;
    public static RefStaticMethod<String[]> listServices;
    public static RefStaticObject<Map<String, IBinder>> sCache;
}

看看 android.os.ServiceManager 的实现:

/*
 * Copyright (C) 2007 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package android.os;

import com.android.internal.os.BinderInternal;

import android.util.Log;

import java.util.HashMap;
import java.util.Map;

/** @hide */
public final class ServiceManager {
    private static final String TAG = "ServiceManager";

    private static IServiceManager sServiceManager;
    private static HashMap<String, IBinder> sCache = new HashMap<String, IBinder>();

    private static IServiceManager getIServiceManager() {
        if (sServiceManager != null) {
            return sServiceManager;
        }

        // 采用了单例模式获取ServiceManager getIServiceManager()返回的是ServiceManagerProxy(简称SMP)对象
        sServiceManager = ServiceManagerNative.asInterface(BinderInternal.getContextObject());
        return sServiceManager;
    }

    /**
     * 关于getIServiceManager(),等价于new ServiceManagerProxy(new BinderProxy())。
     * 其中sCache = new HashMap<String, IBinder>()以hashmap格式缓存已组成的名称。请求获取服务过程中,先从缓存中查询是否存在,
     * 如果缓存中不存在的话,再通过binder交互来查询相应的服务
     */
    public static IBinder getService(String name) {
        try {
            IBinder service = sCache.get(name);
            if (service != null) {
                return service;
            } else {
                return getIServiceManager().getService(name);
            }
        } catch (RemoteException e) {
            Log.e(TAG, "error in getService", e);
        }
        return null;
    }

    public static void addService(String name, IBinder service) {
        try {
            // 先获取SMP对象,则执行注册服务操作
            getIServiceManager().addService(name, service, false);
        } catch (RemoteException e) {
            Log.e(TAG, "error in addService", e);
        }
    }

    public static void addService(String name, IBinder service, boolean allowIsolated) {
        try {
            getIServiceManager().addService(name, service, allowIsolated);
        } catch (RemoteException e) {
            Log.e(TAG, "error in addService", e);
        }
    }
   
    public static IBinder checkService(String name) {
        try {
            IBinder service = sCache.get(name);
            if (service != null) {
                return service;
            } else {
                return getIServiceManager().checkService(name);
            }
        } catch (RemoteException e) {
            Log.e(TAG, "error in checkService", e);
            return null;
        }
    }

    public static String[] listServices() {
        try {
            return getIServiceManager().listServices();
        } catch (RemoteException e) {
            Log.e(TAG, "error in listServices", e);
            return null;
        }
    }

    public static void initServiceCache(Map<String, IBinder> cache) {
        if (sCache.size() != 0) {
            throw new IllegalStateException("setServiceCache may only be called once");
        }
        sCache.putAll(cache);
    }
}

 


程序员灯塔
转载请注明原文链接:【VirtualAPP双开系列02】进程管理
喜欢 (0)