hook(3)实现无清单启动Activity,研发4面真题解析(Android岗)
作者:互联网
Instrumentation.ActivityResult ar = mInstrumentation.execStartActivity(…);
mMainThread.sendActivityResult(…);
第一句,
execStartActivity是 对一些参数的合法性校验,如果不合法,那就会直接抛出异常,比如之前的
第二句,sendActivityResult才是真正的跳转动作执行者
先进入第一句Instrumentation.ActivityResult ar = mInstrumentation.execStartActivity看看,既然是合法性校验,且看他是如何校验的。
这是
Instrumentation的execStartActivity方法
结论:它是通过AMS去校验的,AMS startActivity会返回一个int数值,随后,checkStartActivityResult方法会根据这个int值,抛出响应的异常,或者什么都不做.
再进入第二句mMainThread.sendActivityResult看真正的跳转动作是如何执行的:
ps:这里其实有个诀窍,既然我们的终极目标是要骗过系统的Activity Intent检测,那么,跟着Intent这个变量,就不会偏离方向.
既然intent被封装到了ClientTransaction,交给了mAppThread,那么继续:
前方有坑,请注意:androidStudio里并不能直接跳转,所以要手动,找到下图中的方法,这个ClientTransactionHandler是ActivityThread的父类.
上图中,调用了sendMessage(int,Object),在ActivityThread中找到这个方法的实现:
找它的最终实现:
找到另一个关键点:mH,
H类的定义:(太长了,我就不完整截图了,留下关键的信息)
final H mH = new H();
class H extends Handler {
…
public static final int EXECUTE_TRANSACTION = 159;
String codeToString(int code) {
if (DEBUG_MESSAGES) {
switch (code) {
case EXECUTE_TRANSACTION: return “EXECUTE_TRANSACTION”;
case RELAUNCH_ACTIVITY: return “RELAUNCH_ACTIVITY”;
}
}
return Integer.toString(code);
}
public void handleMessage(Message msg) {
if (DEBUG_MESSAGES) Slog.v(TAG, ">>> handling: " + codeToString(msg.what));
switch (msg.what) {
case EXECUTE_TRANSACTION:
final ClientTransaction transaction = (ClientTransaction) msg.obj;
mTransactionExecutor.execute(transaction);
if (isSystem()) {
// Client transactions inside system process are recycled on the client side
// instead of ClientLifecycleManager to avoid being cleared before this
// message is handled.
transaction.recycle();
}
// TODO(lifecycler): Recycle locally scheduled transactions.
break;
…
}
Object obj = msg.obj;
if (obj instanceof SomeArgs) {
((SomeArgs) obj).recycle();
}
if (DEBUG_MESSAGES) Slog.v(TAG, "<<< done: " + codeToString(msg.what));
}
}
很明显,他就是一个Handler的普通子类,定义了主线程ActivityThread中可能发生的各种事件。
PS: 这里,我留下了case EXECUTE_TRANSACTION:分支,是因为,之前ClientTransactionHandler 抽象类里面,sendMessage(ActivityThread.H.EXECUTE_TRANSACTION, transaction);,就是用的这个 EXECUTE_TRANSACTION常量。
终于找到了startActivity的最终执行代码!
final ClientTransaction transaction = (ClientTransaction) msg.obj;
mTransactionExecutor.execute(transaction);
Ok,就到这里了.(事实上,我本来还想往下追查,Intent被封装到ClientTransaction之后,又被得到了什么样的处理,最后发现居然查到了一个源码中都不存在的类,我表示看不懂了,就到这里吧,不影响我们hook)
##三.hook核心代码
还记得我们的整体思路么?
1.在AMS的hook函数中,将 真实的Intent中的信息,替换成manifest中已有的Activity信息. 骗过系统的检测机制。
2.虽然骗过了系统的检测机制,但是这么一来,每一次的跳转,都会跳到"假"的Activity,这肯定不是我们想要的效果,那么就必须,在真正的跳转时机之前,将 真实的Activity信息,还原回去, 跳到原本该去的Activity.
说通俗一点就是,
第一,伪造一个Intent,骗过Activity Manifest检测。
第二,真正要跳转之前,把原始的Intent还原回去.
开始撸代码,大量反射代码即将到来,注释应该很详尽了,特别注意:看反射代码要对照源代码来看,不然很容易走神:
#####伪造intent,骗过Activity Manifest检测
这里,请对照:ActivityManager.java 的 4125-4137行
hook核心代码如下
/**
- 这里对AMS进行hook
- @param context
*/
private static void hookAMS(Context context) {
try {
Class<?> ActivityManagerClz;
final Object IActivityManagerObj;//这个就是AMS实例
Method getServiceMethod;
Field IActivityManagerSingletonField;
if (ifSdkOverIncluding26()) {//26,27,28的ams获取方式是通过ActivityManager.getService()
ActivityManagerClz = Class.forName(“android.app.ActivityManager”);
getServiceMethod = ActivityManagerClz.getDeclaredMethod(“getService”);
IActivityManagerSingletonField = ActivityManagerClz.getDeclaredField(“IActivityManagerSingleton”);//单例类成员的名字也不一样
} else {//25往下,是ActivityManagerNative.getDefault()
ActivityManagerClz = Class.forName(“android.app.ActivityManagerNative”);
getServiceMethod = ActivityManagerClz.getDeclaredMethod(“getDefault”);
IActivityManagerSingletonField = ActivityManagerClz.getDeclaredField(“gDefault”);//单例类成员的名字也不一样
}
IActivityManagerObj = getServiceMethod.invoke(null);//OK,已经取得这个系统自己的AMS实例
// 2.现在创建我们的AMS实例
// 由于IActivityManager是一个接口,那么其实我们可以使用Proxy类来进行代理对象的创建
// 结果被摆了一道,IActivityManager这玩意居然还是个AIDL,动态生成的类,编译器还不认识这个类,怎么办?反射咯
Class<?> IActivityManagerClz = Class.forName(“android.app.IActivityManager”);
// 构建代理类需要两个东西用于创建伪装的Intent
String packageName = Util.getPMName(context);
String clz = Util.getHostClzName(context, packageName);
Object proxyIActivityManager =
Proxy.newProxyInstance(
Thread.currentThread().getContextClassLoader(),
new Class[]{IActivityManagerClz},
new ProxyInvocation(IActivityManagerObj, packageName, clz));
//3.拿到AMS实例,然后用代理的AMS换掉真正的AMS,代理的AMS则是用 假的Intent骗过了 activity manifest检测.
//偷梁换柱
IActivityManagerSingletonField.setAccessible(true);
Object IActivityManagerSingletonObj = IActivityManagerSingletonField.get(null);
Class<?> SingletonClz = Class.forName(“android.util.Singleton”);//反射创建一个Singleton的class
Field mInstanceField = SingletonClz.getDeclaredField(“mInstance”);
mInstanceField.setAccessible(true);
mInstanceField.set(IActivityManagerSingletonObj, proxyIActivityManager);
} catch (Exception e) {
e.printStackTrace();
}
}
private static final String ORI_INTENT_TAG = “origin_intent”;
/**
- 把InvocationHandler的实现类提取出来,因为这里包含了核心技术逻辑,最好独立,方便维护
*/
private static class ProxyInvocation implements InvocationHandler {
Object amsObj;
String packageName;//这两个String是用来构建Intent的ComponentName的
String clz;
public ProxyInvocation(Object amsInstance, String packageName, String clz) {
this.amsObj = amsInstance;
this.packageName = packageName;
this.clz = clz;
}
@Override
public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
//proxy是创建出来的代理类,method是接口中的方法,args是接口执行时的实参
if (method.getName().equals(“startActivity”)) {
Log.d(“GlobalActivityHook”, “全局hook 到了 startActivity”);
Intent currentRealIntent = null;//侦测到startActivity动作之后,把intent存到这里
int intentIndex = -1;
//遍历参数,找到Intent
for (int i = 0; i < args.length; i++) {
Object temp = args[i];
if (temp instanceof Intent) {
currentRealIntent = (Intent) temp;//这是原始的Intent,存起来,后面用得着
intentIndex = i;
break;
}
}
//构造自己的Intent,这是为了绕过manifest检测(这个Intent是伪造的!只是为了让通过manifest检测)
Intent proxyIntent = new Intent();
ComponentName componentName = new ComponentName(packageName, clz);//用ComponentName重新创建一个intent
proxyIntent.setComponent(componentName);
proxyIntent.putExtra(ORI_INTENT_TAG, currentRealIntent);//将真正的proxy作为参数,存放到extras中,后面会拿出来还原
args[intentIndex] = proxyIntent;//替换掉intent
//哟,已经成功绕过了manifest清单检测. 那么,我不能老让它跳到 伪装的Activity啊,我要给他还原回去,那么,去哪里还原呢?
//继续看源码。
}
return method.invoke(amsObj, args);
}
}
#####真正要跳转之前,把原始的Intent还原回去
PS: 这里hookmh的手段,并不是针对mh本身做代理,而是对mh的mCallback成员.
因为:
public class Handler {
…
public void dispatchMessage(Message msg) {
if (msg.callback != null) {
handleCallback(msg);
} else {
if (mCallback != null) {
if (mCallback.handleMessage(msg)) {
return;
}
}
handleMessage(msg);
}
}
}
handler的dispatchMessage逻辑,是 先执行mCallback的handlerMessage,然后根据它的返回值决定要不要执行handler本身的handlerMessage函数.
我们的目的是还原Intent,并不需要对ActivityThread原本的mH做出逻辑修改,所以,hook mCallback,加入还原Intent的逻辑,即可.
这次hook,对照的源码是(源码太长了,我就直接截取了ActivityThread里面一些关键的代码):
下面是Hook Mh的完整代码:
//下面进行ActivityThread的mH的hook,这是针对SDK28做的hook
private static void hookActivityThread_mH_After28() {
try {
//确定hook点,ActivityThread类的mh
// 先拿到ActivityThread
Class<?> ActivityThreadClz = Class.forName(“android.app.ActivityThread”);
Field field = ActivityThreadClz.getDeclaredField(“sCurrentActivityThread”);
field.setAccessible(true);
Object ActivityThreadObj = field.get(null);//OK,拿到主线程实例
//现在拿mH
Field mHField = ActivityThreadClz.getDeclaredField(“mH”);
mHField.setAccessible(true);
Handler mHObj = (Handler) mHField.get(ActivityThreadObj);//ok,当前的mH拿到了
//再拿它的mCallback成员
Field mCallbackField = Handler.class.getDeclaredField(“mCallback”);
mCallbackField.setAccessible(true);
//2.现在,造一个代理mH,
// 他就是一个简单的Handler子类
ProxyHandlerCallback proxyMHCallback = new ProxyHandlerCallback();//错,不需要重写全部mH,只需要对mH的callback进行重新定义
//3.替换
//将Handler的mCallback成员,替换成创建出来的代理HandlerCallback
mCallbackField.set(mHObj, proxyMHCallback);
} catch (Exception e) {
e.printStackTrace();
}
}
private static class ProxyHandlerCallback implements Handler.Callback {
private int EXECUTE_TRANSACTION = 159;//这个值,是android.app.ActivityThread的内部类H 中定义的常量EXECUTE_TRANSACTION
@Override
public boolean handleMessage(Message msg) {
boolean result = false;//返回值,请看Handler的源码,dispatchMessage就会懂了
//Handler的dispatchMessage有3个callback优先级,首先是msg自带的callback,其次是Handler的成员mCallback,最后才是Handler类自身的handlerMessage方法,
//它成员mCallback.handleMessage的返回值为true,则不会继续往下执行 Handler.handlerMessage
//我们这里只是要hook,插入逻辑,所以必须返回false,让Handler原本的handlerMessage能够执行.
if (msg.what == EXECUTE_TRANSACTION) {//这是跳转的时候,要对intent进行还原
try {
//先把相关@hide的类都建好
Class<?> ClientTransactionClz = Class.forName(“android.app.servertransaction.ClientTransaction”);
Class<?> LaunchActivityItemClz = Class.forName(“android.app.servertransaction.LaunchActivityItem”);
Field mActivityCallbacksField = ClientTransactionClz.getDeclaredField(“mActivityCallbacks”);//ClientTransaction的成员
mActivityCallbacksField.setAccessible(true);
//类型判定,好习惯
if (!ClientTransactionClz.isInstance(msg.obj)) return true;
Object mActivityCallbacksObj = mActivityCallbacksField.get(msg.obj);//根据源码,在这个分支里面,msg.obj就是 ClientTransaction类型,所以,直接用
//拿到了ClientTransaction的List mActivityCallbacks;
List list = (List) mActivityCallbacksObj;
if (list.size() == 0) return true;
Object LaunchActivityItemObj = list.get(0);//所以这里直接就拿到第一个就好了
if (!LaunchActivityItemClz.isInstance(LaunchActivityItemObj)) return true;
//这里必须判定 LaunchActivityItemClz,
// 因为 最初的ActivityResultItem传进去之后都被转化成了这LaunchActivityItemClz的实例
Field mIntentField = La
《Android学习笔记总结+最新移动架构视频+大厂安卓面试真题+项目实战源码讲义》
unchActivityItemClz.getDeclaredField(“mIntent”);
mIntentField.setAccessible(true);
Intent mIntent = (Intent) mIntentField.get(LaunchActivityItemObj);
Intent oriIntent = (Intent) mIntent.getExtras().get(ORI_INTENT_TAG);
//那么现在有了最原始的intent,应该怎么处理呢?
Log.d(“1”, “2”);
mIntentField.set(LaunchActivityItemObj, oriIntent);
return result;
} catch (Exception e) {
e.printStackTrace();
}
}
return result;
}
}
PS:这里有个坑(请看上面
if (!LaunchActivityItemClz.isInstance(LaunchActivityItemObj)) return true;, 我为什么要加这个判断?因为,我通过debug,发现,从mH里面的msg.what得到的ClientTransaction,它有这么一个成员List<ClientTransactionItem> mActivityCallbacks;注意看,从list里面拿到的ClientTransactionItem的实际类型是:LaunchActivityItem.
)
之前我索引源码的时候,追查Intent的去向,只知道它最后被封装成了一个ClientTransaction
但是,最后我从mH的switch case EXECUTE_TRANSACTION分支,去debug(因为无法继续往下查源码)的时候,###发现 原本塞进去的
ActivityResultItem的list,居然变成了LaunchActivityItem的list,而我居然查了半天,查不到是在源码何处发生的变化.而 LaunchActivityItem 和 ActivityResultItem 他们两个都是ClientTransaction的子类
public class LaunchActivityItem extends ClientTransactionItem
public class ActivityResultItem extends ClientTransactionItem
###emmmm…也是很尴尬。=_ =!
不过,最后能够确定,从mH的switch case EXECUTE_TRANSACTION分支得到的transaction,就是包含了Intent的包装对象,所以只需要解析这个对象,就可以拿到intent,进行还原.
OK,大功告成,安装好 android 9.0 SDK 28的模拟器,启动起来,运行程序,看看能不能无清单跳转:
结果,脸一黑:报错!***
一份大礼:
2019-02-27 18:20:12.287 28253-28253/study.hank.com.activityhookdemo E/AndroidRuntime: FATAL EXCEPTION: main
Process: study.hank.com.activityhookdemo, PID: 28253
java.lang.RuntimeException: Unable to start activity ComponentInfo{study.hank.com.activityhookdemo/study.hank.com.activityhookdemo.methodA.Main2Activity}: java.lang.IllegalArgumentException: android.content.pm.PackageManager
N
a
m
e
N
o
t
F
o
u
n
d
E
x
c
e
p
t
i
o
n
:
C
o
m
p
o
n
e
n
t
I
n
f
o
s
t
u
d
y
.
h
a
n
k
.
c
o
m
.
a
c
t
i
v
i
t
y
h
o
o
k
d
e
m
o
/
s
t
u
d
y
.
h
a
n
k
.
c
o
m
.
a
c
t
i
v
i
t
y
h
o
o
k
d
e
m
o
.
m
e
t
h
o
d
A
.
M
a
i
n
2
A
c
t
i
v
i
t
y
a
t
a
n
d
r
o
i
d
.
a
p
p
.
A
c
t
i
v
i
t
y
T
h
r
e
a
d
.
p
e
r
f
o
r
m
L
a
u
n
c
h
A
c
t
i
v
i
t
y
(
A
c
t
i
v
i
t
y
T
h
r
e
a
d
.
j
a
v
a
:
2913
)
a
t
a
n
d
r
o
i
d
.
a
p
p
.
A
c
t
i
v
i
t
y
T
h
r
e
a
d
.
h
a
n
d
l
e
L
a
u
n
c
h
A
c
t
i
v
i
t
y
(
A
c
t
i
v
i
t
y
T
h
r
e
a
d
.
j
a
v
a
:
3048
)
a
t
a
n
d
r
o
i
d
.
a
p
p
.
s
e
r
v
e
r
t
r
a
n
s
a
c
t
i
o
n
.
L
a
u
n
c
h
A
c
t
i
v
i
t
y
I
t
e
m
.
e
x
e
c
u
t
e
(
L
a
u
n
c
h
A
c
t
i
v
i
t
y
I
t
e
m
.
j
a
v
a
:
78
)
a
t
a
n
d
r
o
i
d
.
a
p
p
.
s
e
r
v
e
r
t
r
a
n
s
a
c
t
i
o
n
.
T
r
a
n
s
a
c
t
i
o
n
E
x
e
c
u
t
o
r
.
e
x
e
c
u
t
e
C
a
l
l
b
a
c
k
s
(
T
r
a
n
s
a
c
t
i
o
n
E
x
e
c
u
t
o
r
.
j
a
v
a
:
108
)
a
t
a
n
d
r
o
i
d
.
a
p
p
.
s
e
r
v
e
r
t
r
a
n
s
a
c
t
i
o
n
.
T
r
a
n
s
a
c
t
i
o
n
E
x
e
c
u
t
o
r
.
e
x
e
c
u
t
e
(
T
r
a
n
s
a
c
t
i
o
n
E
x
e
c
u
t
o
r
.
j
a
v
a
:
68
)
a
t
a
n
d
r
o
i
d
.
a
p
p
.
A
c
t
i
v
i
t
y
T
h
r
e
a
d
NameNotFoundException: ComponentInfo{study.hank.com.activityhookdemo/study.hank.com.activityhookdemo.methodA.Main2Activity} at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2913) at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3048) at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:78) at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:108) at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:68) at android.app.ActivityThread
NameNotFoundException:ComponentInfostudy.hank.com.activityhookdemo/study.hank.com.activityhookdemo.methodA.Main2Activityatandroid.app.ActivityThread.performLaunchActivity(ActivityThread.java:2913)atandroid.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3048)atandroid.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:78)atandroid.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:108)atandroid.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:68)atandroid.app.ActivityThreadH.handleMessage(ActivityThread.java:1808)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loop(Looper.java:193)
at android.app.ActivityThread.main(ActivityThread.java:6669)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit
M
e
t
h
o
d
A
n
d
A
r
g
s
C
a
l
l
e
r
.
r
u
n
(
R
u
n
t
i
m
e
I
n
i
t
.
j
a
v
a
:
493
)
a
t
c
o
m
.
a
n
d
r
o
i
d
.
i
n
t
e
r
n
a
l
.
o
s
.
Z
y
g
o
t
e
I
n
i
t
.
m
a
i
n
(
Z
y
g
o
t
e
I
n
i
t
.
j
a
v
a
:
858
)
C
a
u
s
e
d
b
y
:
j
a
v
a
.
l
a
n
g
.
I
l
l
e
g
a
l
A
r
g
u
m
e
n
t
E
x
c
e
p
t
i
o
n
:
a
n
d
r
o
i
d
.
c
o
n
t
e
n
t
.
p
m
.
P
a
c
k
a
g
e
M
a
n
a
g
e
r
MethodAndArgsCaller.run(RuntimeInit.java:493) at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:858) Caused by: java.lang.IllegalArgumentException: android.content.pm.PackageManager
MethodAndArgsCaller.run(RuntimeInit.java:493)atcom.android.internal.os.ZygoteInit.main(ZygoteInit.java:858)Causedby:java.lang.IllegalArgumentException:android.content.pm.PackageManagerNameNotFoundException: ComponentInfo{study.hank.com.activityhookdemo/study.hank.com.activityhookdemo.methodA.Main2Activity}
at android.support.v4.app.NavUtils.getParentActivityName(NavUtils.java:222)
at android.support.v7.app.AppCompatDelegateImplV9.onCreate(AppCompatDelegateImplV9.java:155)
at android.support.v7.app.AppCompatDelegateImplV14.onCreate(AppCompatDelegateImplV14.java:61)
at android.support.v7.app.AppCompatActivity.onCreate(AppCompatActivity.java:72)
at study.hank.com.activityhookdemo.methodA.Main2Activity.onCreate(Main2Activity.java:14)
at android.app.Activity.performCreate(Activity.java:7136)
at android.app.Activity.performCreate(Activity.java:7127)
at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1271)
at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2893)
at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3048)
at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:78)
at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:108)
at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:68)
at android.app.ActivityThread
H
.
h
a
n
d
l
e
M
e
s
s
a
g
e
(
A
c
t
i
v
i
t
y
T
h
r
e
a
d
.
j
a
v
a
:
1808
)
a
t
a
n
d
r
o
i
d
.
o
s
.
H
a
n
d
l
e
r
.
d
i
s
p
a
t
c
h
M
e
s
s
a
g
e
(
H
a
n
d
l
e
r
.
j
a
v
a
:
106
)
a
t
a
n
d
r
o
i
d
.
o
s
.
L
o
o
p
e
r
.
l
o
o
p
(
L
o
o
p
e
r
.
j
a
v
a
:
193
)
a
t
a
n
d
r
o
i
d
.
a
p
p
.
A
c
t
i
v
i
t
y
T
h
r
e
a
d
.
m
a
i
n
(
A
c
t
i
v
i
t
y
T
h
r
e
a
d
.
j
a
v
a
:
6669
)
a
t
j
a
v
a
.
l
a
n
g
.
r
e
f
l
e
c
t
.
M
e
t
h
o
d
.
i
n
v
o
k
e
(
N
a
t
i
v
e
M
e
t
h
o
d
)
a
t
c
o
m
.
a
n
d
r
o
i
d
.
i
n
t
e
r
n
a
l
.
o
s
.
R
u
n
t
i
m
e
I
n
i
t
H.handleMessage(ActivityThread.java:1808) at android.os.Handler.dispatchMessage(Handler.java:106) at android.os.Looper.loop(Looper.java:193) at android.app.ActivityThread.main(ActivityThread.java:6669) at java.lang.reflect.Method.invoke(Native Method) at com.android.internal.os.RuntimeInit
H.handleMessage(ActivityThread.java:1808)atandroid.os.Handler.dispatchMessage(Handler.java:106)atandroid.os.Looper.loop(Looper.java:193)atandroid.app.ActivityThread.main(ActivityThread.java:6669)atjava.lang.reflect.Method.invoke(NativeMethod)atcom.android.internal.os.RuntimeInitMethodAndArgsCaller.run(RuntimeInit.java:493)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:858)
Caused by: android.content.pm.PackageManager
N
a
m
e
N
o
t
F
o
u
n
d
E
x
c
e
p
t
i
o
n
:
C
o
m
p
o
n
e
n
t
I
n
f
o
s
t
u
d
y
.
h
a
n
k
.
c
o
m
.
a
c
t
i
v
i
t
y
h
o
o
k
d
e
m
o
/
s
t
u
d
y
.
h
a
n
k
.
c
o
m
.
a
c
t
i
v
i
t
y
h
o
o
k
d
e
m
o
.
m
e
t
h
o
d
A
.
M
a
i
n
2
A
c
t
i
v
i
t
y
a
t
a
n
d
r
o
i
d
.
a
p
p
.
A
p
p
l
i
c
a
t
i
o
n
P
a
c
k
a
g
e
M
a
n
a
g
e
r
.
g
e
t
A
c
t
i
v
i
t
y
I
n
f
o
(
A
p
p
l
i
c
a
t
i
o
n
P
a
c
k
a
g
e
M
a
n
a
g
e
r
.
j
a
v
a
:
435
)
a
t
a
n
d
r
o
i
d
.
s
u
p
p
o
r
t
.
v
4.
a
p
p
.
N
a
v
U
t
i
l
s
.
g
e
t
P
a
r
e
n
t
A
c
t
i
v
i
t
y
N
a
m
e
(
N
a
v
U
t
i
l
s
.
j
a
v
a
:
240
)
a
t
a
n
d
r
o
i
d
.
s
u
p
p
o
r
t
.
v
4.
a
p
p
.
N
a
v
U
t
i
l
s
.
g
e
t
P
a
r
e
n
t
A
c
t
i
v
i
t
y
N
a
m
e
(
N
a
v
U
t
i
l
s
.
j
a
v
a
:
219
)
a
t
a
n
d
r
o
i
d
.
s
u
p
p
o
r
t
.
v
7.
a
p
p
.
A
p
p
C
o
m
p
a
t
D
e
l
e
g
a
t
e
I
m
p
l
V
9.
o
n
C
r
e
a
t
e
(
A
p
p
C
o
m
p
a
t
D
e
l
e
g
a
t
e
I
m
p
l
V
9.
j
a
v
a
:
155
)
a
t
a
n
d
r
o
i
d
.
s
u
p
p
o
r
t
.
v
7.
a
p
p
.
A
p
p
C
o
m
p
a
t
D
e
l
e
g
a
t
e
I
m
p
l
V
14.
o
n
C
r
e
a
t
e
(
A
p
p
C
o
m
p
a
t
D
e
l
e
g
a
t
e
I
m
p
l
V
14.
j
a
v
a
:
61
)
a
t
a
n
d
r
o
i
d
.
s
u
p
p
o
r
t
.
v
7.
a
p
p
.
A
p
p
C
o
m
p
a
t
A
c
t
i
v
i
t
y
.
o
n
C
r
e
a
t
e
(
A
p
p
C
o
m
p
a
t
A
c
t
i
v
i
t
y
.
j
a
v
a
:
72
)
a
t
s
t
u
d
y
.
h
a
n
k
.
c
o
m
.
a
c
t
i
v
i
t
y
h
o
o
k
d
e
m
o
.
m
e
t
h
o
d
A
.
M
a
i
n
2
A
c
t
i
v
i
t
y
.
o
n
C
r
e
a
t
e
(
M
a
i
n
2
A
c
t
i
v
i
t
y
.
j
a
v
a
:
14
)
a
t
a
n
d
r
o
i
d
.
a
p
p
.
A
c
t
i
v
i
t
y
.
p
e
r
f
o
r
m
C
r
e
a
t
e
(
A
c
t
i
v
i
t
y
.
j
a
v
a
:
7136
)
a
t
a
n
d
r
o
i
d
.
a
p
p
.
A
c
t
i
v
i
t
y
.
p
e
r
f
o
r
m
C
r
e
a
t
e
(
A
c
t
i
v
i
t
y
.
j
a
v
a
:
7127
)
a
t
a
n
d
r
o
i
d
.
a
p
p
.
I
n
s
t
r
u
m
e
n
t
a
t
i
o
n
.
c
a
l
l
A
c
t
i
v
i
t
y
O
n
C
r
e
a
t
e
(
I
n
s
t
r
u
m
e
n
t
a
t
i
o
n
.
j
a
v
a
:
1271
)
a
t
a
n
d
r
o
i
d
.
a
p
p
.
A
c
t
i
v
i
t
y
T
h
r
e
a
d
.
p
e
r
f
o
r
m
L
a
u
n
c
h
A
c
t
i
v
i
t
y
(
A
c
t
i
v
i
t
y
T
h
r
e
a
d
.
j
a
v
a
:
2893
)
a
t
a
n
d
r
o
i
d
.
a
p
p
.
A
c
t
i
v
i
t
y
T
h
r
e
a
d
.
h
a
n
d
l
e
L
a
u
n
c
h
A
c
t
i
v
i
t
y
(
A
c
t
i
v
i
t
y
T
h
r
e
a
d
.
j
a
v
a
:
3048
)
a
t
a
n
d
r
o
i
d
.
a
p
p
.
s
e
r
v
e
r
t
r
a
n
s
a
c
t
i
o
n
.
L
a
u
n
c
h
A
c
t
i
v
i
t
y
I
t
e
m
.
e
x
e
c
u
t
e
(
L
a
u
n
c
h
A
c
t
i
v
i
t
y
I
t
e
m
.
j
a
v
a
:
78
)
a
t
a
n
d
r
o
i
d
.
a
p
p
.
s
e
r
v
e
r
t
r
a
n
s
a
c
t
i
o
n
.
T
r
a
n
s
a
c
t
i
o
n
E
x
e
c
u
t
o
r
.
e
x
e
c
u
t
e
C
a
l
l
b
a
c
k
s
(
T
r
a
n
s
a
c
t
i
o
n
E
x
e
c
u
t
o
r
.
j
a
v
a
:
108
)
a
t
a
n
d
r
o
i
d
.
a
p
p
.
s
e
r
v
e
r
t
r
a
n
s
a
c
t
i
o
n
.
T
r
a
n
s
a
c
t
i
o
n
E
x
e
c
u
t
o
r
.
e
x
e
c
u
t
e
(
T
r
a
n
s
a
c
t
i
o
n
E
x
e
c
u
t
o
r
.
j
a
v
a
:
68
)
a
t
a
n
d
r
o
i
d
.
a
p
p
.
A
c
t
i
v
i
t
y
T
h
r
e
a
d
NameNotFoundException: ComponentInfo{study.hank.com.activityhookdemo/study.hank.com.activityhookdemo.methodA.Main2Activity} at android.app.ApplicationPackageManager.getActivityInfo(ApplicationPackageManager.java:435) at android.support.v4.app.NavUtils.getParentActivityName(NavUtils.java:240) at android.support.v4.app.NavUtils.getParentActivityName(NavUtils.java:219) at android.support.v7.app.AppCompatDelegateImplV9.onCreate(AppCompatDelegateImplV9.java:155) at android.support.v7.app.AppCompatDelegateImplV14.onCreate(AppCompatDelegateImplV14.java:61) at android.support.v7.app.AppCompatActivity.onCreate(AppCompatActivity.java:72) at study.hank.com.activityhookdemo.methodA.Main2Activity.onCreate(Main2Activity.java:14) at android.app.Activity.performCreate(Activity.java:7136) at android.app.Activity.performCreate(Activity.java:7127) at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1271) at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2893) at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3048) at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:78) at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:108) at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:68) at android.app.ActivityThread
NameNotFoundException:ComponentInfostudy.hank.com.activityhookdemo/study.hank.com.activityhookdemo.methodA.Main2Activityatandroid.app.ApplicationPackageManager.getActivityInfo(ApplicationPackageManager.java:435)atandroid.support.v4.app.NavUtils.getParentActivityName(NavUtils.java:240)atandroid.support.v4.app.NavUtils.getParentActivityName(NavUtils.java:219)atandroid.support.v7.app.AppCompatDelegateImplV9.onCreate(AppCompatDelegateImplV9.java:155)atandroid.support.v7.app.AppCompatDelegateImplV14.onCreate(AppCompatDelegateImplV14.java:61)atandroid.support.v7.app.AppCompatActivity.onCreate(AppCompatActivity.java:72)atstudy.hank.com.activityhookdemo.methodA.Main2Activity.onCreate(Main2Activity.java:14)atandroid.app.Activity.performCreate(Activity.java:7136)atandroid.app.Activity.performCreate(Activity.java:7127)atandroid.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1271)atandroid.app.ActivityThread.performLaunchActivity(ActivityThread.java:2893)atandroid.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3048)atandroid.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:78)atandroid.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:108)atandroid.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:68)atandroid.app.ActivityThreadH.handleMessage(ActivityThread.java:1808)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loop(Looper.java:193)
at android.app.ActivityThread.main(ActivityThread.java:6669)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:858)
提取关键信息:
Caused by: java.lang.IllegalArgumentException: android.content.pm.PackageManager$NameNotFoundException: ComponentInfo{study.hank.com.activityhookdemo/study.hank.com.activityhookdemo.methodA.Main2Activity}
at android.support.v4.app.NavUtils.getParentActivityName(NavUtils.java:222)
居然找不到包?
问题出在:
NavUtils.getParentActivityName
还是被谷歌摆了一道,查原因啊,进去
NavUtils.getParentActivityName()去看看:
看来就是这里报的错,继续:
找到可疑点:
onentInfo{study.hank.com.activityhookdemo/study.hank.com.activityhookdemo.methodA.Main2Activity}
at android.support.v4.app.NavUtils.getParentActivityName(NavUtils.java:222)
居然找不到包?
问题出在:
NavUtils.getParentActivityName
还是被谷歌摆了一道,查原因啊,进去
NavUtils.getParentActivityName()去看看:
[外链图片转存中…(img-cjE0PUsh-1637213127052)]看来就是这里报的错,继续:
[外链图片转存中…(img-lMOsVij7-1637213127053)]
找到可疑点:
标签:java,app,ActivityThread,面真题,hook,Intent,Activity,android,com 来源: https://blog.csdn.net/m0_64319455/article/details/121398614