由於自己之前做了一個關於手機令牌的APK軟件,在實現的過程中儘管使用了native so進行一定的邏輯算法保護,但是在自己逆向破解的過程中發現我的手機令牌關鍵數據能夠“輕易地”暴露出來,所以我就想進一步的對其進行加固。於是,我使用的網上常用的梆梆加固、愛加密和阿里的聚安全應用來對我的apk進行一個加固保護。加固後,出於好奇心,我想對這些加固的原理進行一個瞭解,便於我自己能夠實現這個加固的方法。於是開始了網上關於這方面的學習,我將這些加固的大致原理進行了一個總結,發現它們實現的最主要的方法就是利用了dex文件動態加載,將主邏輯的dex文件經過加密隱藏在殼程序的dex中,並在運行時通過so進行解密,並從內存讀取dex數據,直接在native層進行一個動態加載。這樣的實現有幾個關鍵點:
- dex文件不存儲在設備的物理存儲區域而是將文件的數據加密存儲在殼程序的dex數據區域(關於dex的結構就在此不再解釋);
- 從內存中獲取dex數據,動態加載到進程空間中;
- 殼程序的application重定向加載到原程序的application對象;
下面我就對這幾個問題進行一一的學習之旅。
關於第一個問題,其實經歷了我很長時間的學習,主要是我在最開始學習的過程中,一直在dex的動態加載上面打轉,由於關於dex的加載問題主要涉及到一個
DexClassLoder(String dexPath, String optimizedDirectory,String libraryPath ,ClassLoader parent)方法,所以我必須得有個dex的路徑方法啊,這點讓我真的很抓狂,所以只能硬着頭皮寫咯。
於是在http://blog.csdn.net/androidsecurity/article/details/8809542的幫助下完成了殼程序加載dex數據的方法。
DexClassLoder-> BaseDexClassLoader->DexPathList->makeDexElements-> loadDexFile-> loadDex->DexFile(String fileName)
1 package com.unshell.test; 2 3 import android.app.Application; 4 import java.io.BufferedInputStream; 5 import java.io.ByteArrayInputStream; 6 import java.io.ByteArrayOutputStream; 7 import java.io.DataInputStream; 8 import java.io.File; 9 import java.io.FileInputStream; 10 import java.io.FileOutputStream; 11 import java.io.IOException; 12 import java.lang.ref.WeakReference; 13 import java.util.ArrayList; 14 import java.util.HashMap; 15 import java.util.Iterator; 16 import java.util.zip.ZipEntry; 17 import java.util.zip.ZipInputStream; 18 19 import dalvik.system.DexClassLoader; 20 import android.app.Instrumentation; 21 import android.content.Context; 22 import android.content.pm.ApplicationInfo; 23 import android.content.pm.PackageManager; 24 import android.content.pm.PackageManager.NameNotFoundException; 25 import android.os.Bundle; 26 27 public class ProxyApplication extends Application{ 28 private static final String appkey = "APPLICATION_CLASS_NAME"; 29 private String apkFileName; 30 private String odexPath; 31 private String libPath; 32 33 //這是context 賦值 34 @Override 35 protected void attachBaseContext(Context base) { 36 super.attachBaseContext(base); 37 try { 38 //創建兩個文件夾payload_odex,payload_lib 私有的,可寫的文件目錄 39 File odex = this.getDir("payload_odex", MODE_PRIVATE); 40 File libs = this.getDir("payload_lib", MODE_PRIVATE); 41 odexPath = odex.getAbsolutePath(); 42 libPath = libs.getAbsolutePath(); 43 apkFileName = odex.getAbsolutePath() + "/payload.apk"; 44 File dexFile = new File(apkFileName); 45 if (!dexFile.exists()) 46 { 47 dexFile.createNewFile(); //在payload_odex文件夾內,創建payload.apk 48 // 讀取程序classes.dex文件 49 byte[] dexdata = this.readDexFileFromApk(); 50 // 分離出解殼後的apk文件已用於動態加載 51 this.splitPayLoadFromDex(dexdata); 52 } 53 // 配置動態加載環境 54 Object currentActivityThread = RefInvoke.invokeStaticMethod( 55 "android.app.ActivityThread", "currentActivityThread", 56 new Class[] {}, new Object[] {});//獲取主線程對象 http://blog.csdn.net/myarrow/article/details/14223493 57 String packageName = this.getPackageName();//當前apk的包名 58 //下面兩句不是太理解 59 HashMap mPackages = (HashMap) RefInvoke.getFieldOjbect( 60 "android.app.ActivityThread", currentActivityThread, 61 "mPackages"); 62 WeakReference wr = (WeakReference) mPackages.get(packageName); 63 //創建被加殼apk的DexClassLoader對象 加載apk內的類和本地代碼(c/c++代碼) 64 DexClassLoader dLoader = new DexClassLoader(apkFileName, odexPath, 65 libPath, (ClassLoader) RefInvoke.getFieldOjbect( 66 "android.app.LoadedApk", wr.get(), "mClassLoader")); 67 //base.getClassLoader(); 是不是就等同於 (ClassLoader) RefInvoke.getFieldOjbect()? 有空驗證下//? 68 //把當前進程的DexClassLoader 設置成了被加殼apk的DexClassLoader ----有點c++中進程環境的意思~~ 69 RefInvoke.setFieldOjbect("android.app.LoadedApk", "mClassLoader", 70 wr.get(), dLoader); 71 72 73 } catch (Exception e) { 74 // TODO Auto-generated catch block 75 e.printStackTrace(); 76 } 77 } 78 79 @Override 80 public void onCreate() { 81 { 82 // 如果源應用配置有Appliction對象,則替換爲源應用Applicaiton,以便不影響源程序邏輯。 83 String appClassName = null; 84 //獲取xml文件裏配置的被加殼apk的Applicaiton 85 try { 86 ApplicationInfo ai = this.getPackageManager() 87 .getApplicationInfo(this.getPackageName(), 88 PackageManager.GET_META_DATA); 89 Bundle bundle = ai.metaData; 90 if (bundle != null 91 && bundle.containsKey("APPLICATION_CLASS_NAME")) { 92 appClassName = bundle.getString("APPLICATION_CLASS_NAME");//className 是配置在xml文件中的。 93 } else { 94 return; 95 } 96 } catch (NameNotFoundException e) { 97 // TODO Auto-generated catch block 98 e.printStackTrace(); 99 } 100 //有值的話調用該Applicaiton 101 Object currentActivityThread = RefInvoke.invokeStaticMethod( 102 "android.app.ActivityThread", "currentActivityThread", 103 new Class[] {}, new Object[] {}); 104 Object mBoundApplication = RefInvoke.getFieldOjbect( 105 "android.app.ActivityThread", currentActivityThread, 106 "mBoundApplication"); 107 Object loadedApkInfo = RefInvoke.getFieldOjbect( 108 "android.app.ActivityThread$AppBindData", 109 mBoundApplication, "info"); 110 //把當前進程的mApplication 設置成了null 111 RefInvoke.setFieldOjbect("android.app.LoadedApk", "mApplication", 112 loadedApkInfo, null); 113 Object oldApplication = RefInvoke.getFieldOjbect( 114 "android.app.ActivityThread", currentActivityThread, 115 "mInitialApplication"); 117 ArrayList<Application> mAllApplications = (ArrayList<Application>) RefInvoke 118 .getFieldOjbect("android.app.ActivityThread", 119 currentActivityThread, "mAllApplications"); 120 mAllApplications.remove(oldApplication);//刪除oldApplication 121 122 ApplicationInfo appinfo_In_LoadedApk = (ApplicationInfo) RefInvoke 123 .getFieldOjbect("android.app.LoadedApk", loadedApkInfo, 124 "mApplicationInfo"); 125 ApplicationInfo appinfo_In_AppBindData = (ApplicationInfo) RefInvoke 126 .getFieldOjbect("android.app.ActivityThread$AppBindData", 127 mBoundApplication, "appInfo"); 128 appinfo_In_LoadedApk.className = appClassName; 129 appinfo_In_AppBindData.className = appClassName; 130 Application app = (Application) RefInvoke.invokeMethod( 131 "android.app.LoadedApk", "makeApplication", loadedApkInfo, 132 new Class[] { boolean.class, Instrumentation.class }, 133 new Object[] { false, null });//執行 makeApplication(false,null) 134 RefInvoke.setFieldOjbect("android.app.ActivityThread", 135 "mInitialApplication", currentActivityThread, app); 136 137 138 HashMap mProviderMap = (HashMap) RefInvoke.getFieldOjbect( 139 "android.app.ActivityThread", currentActivityThread, 140 "mProviderMap"); 141 Iterator it = mProviderMap.values().iterator(); 142 while (it.hasNext()) { 143 Object providerClientRecord = it.next(); 144 Object localProvider = RefInvoke.getFieldOjbect( 145 "android.app.ActivityThread$ProviderClientRecord", 146 providerClientRecord, "mLocalProvider"); 147 RefInvoke.setFieldOjbect("android.content.ContentProvider", 148 "mContext", localProvider, app); 149 } 150 app.onCreate(); 151 } 152 } 153 154 /** 155 * 釋放被加殼的apk文件,so文件 156 * @param data 157 * @throws IOException 158 */ 159 private void splitPayLoadFromDex(byte[] data) throws IOException { 160 161 int ablen = apkdata.length; 162 //取被加殼apk的長度 這裏的長度取值,對應加殼時長度的賦值都可以做些簡化 163 byte[] dexlen = new byte[4]; 164 System.arraycopy(apkdata, ablen - 4, dexlen, 0, 4); 165 ByteArrayInputStream bais = new ByteArrayInputStream(dexlen); 166 DataInputStream in = new DataInputStream(bais); 167 int readInt = in.readInt(); 168 System.out.println(Integer.toHexString(readInt)); 169 byte[] newdex = new byte[readInt]; 170 //把被加殼apk內容拷貝到newdex中 171 System.arraycopy(apkdata, ablen - 4 - readInt, newdex, 0, readInt); 172 //這裏應該加上對於apk的解密操作,若加殼是加密處理的話 173 //?byte[] apkdata = decrypt(newdex); //解殼程序的dex並沒有加密,所以也不需要解密 174 //寫入apk文件 175 File file = new File(apkFileName); 176 try { 177 FileOutputStream localFileOutputStream = new FileOutputStream(file); 178 localFileOutputStream.write(newdex); 179 localFileOutputStream.close(); 180 181 182 } catch (IOException localIOException) { 183 throw new RuntimeException(localIOException); 184 } 185 186 //分析被加殼的apk文件 187 ZipInputStream localZipInputStream = new ZipInputStream( 188 new BufferedInputStream(new FileInputStream(file))); 189 while (true) { 190 ZipEntry localZipEntry = localZipInputStream.getNextEntry();//不瞭解這個是否也遍歷子目錄,看樣子應該是遍歷的 191 if (localZipEntry == null) { 192 localZipInputStream.close(); 193 break; 194 } 195 //取出被加殼apk用到的so文件,放到 libPath中(data/data/包名/payload_lib) 196 String name = localZipEntry.getName(); 197 if (name.startsWith("lib/") && name.endsWith(".so")) { 198 File storeFile = new File(libPath + "/" 199 + name.substring(name.lastIndexOf('/'))); 200 storeFile.createNewFile(); 201 FileOutputStream fos = new FileOutputStream(storeFile); 202 byte[] arrayOfByte = new byte[1024]; 203 while (true) { 204 int i = localZipInputStream.read(arrayOfByte); 205 if (i == -1) 206 break; 207 fos.write(arrayOfByte, 0, i); 208 } 209 fos.flush(); 210 fos.close(); 211 } 212 localZipInputStream.closeEntry(); 213 } 214 localZipInputStream.close(); 215 216 217 } 218 219 /** 220 * 從apk包裏面獲取dex文件內容(byte) 221 * @return 222 * @throws IOException 223 */ 224 private byte[] readDexFileFromApk() throws IOException { 225 ByteArrayOutputStream dexByteArrayOutputStream = new ByteArrayOutputStream(); 226 ZipInputStream localZipInputStream = new ZipInputStream( 227 new BufferedInputStream(new FileInputStream( 228 this.getApplicationInfo().sourceDir))); 229 while (true) { 230 ZipEntry localZipEntry = localZipInputStream.getNextEntry(); 231 if (localZipEntry == null) { 232 localZipInputStream.close(); 233 break; 234 } 235 if (localZipEntry.getName().equals("classes.dex")) { 236 byte[] arrayOfByte = new byte[1024]; 237 while (true) { 238 int i = localZipInputStream.read(arrayOfByte); 239 if (i == -1) 240 break; 241 dexByteArrayOutputStream.write(arrayOfByte, 0, i); 242 } 243 } 244 localZipInputStream.closeEntry(); 245 } 246 localZipInputStream.close(); 247 return dexByteArrayOutputStream.toByteArray(); 248 } 249 250 251 // //直接返回數據,讀者可以添加自己解密方法 252 private byte[] decrypt(byte[] data) { 253 return data; 254 } 255 }
接着我們就要解決從內存dex的動態加載問題,於是根據我在看雪論壇上面學習的這幾篇文章
http://blog.csdn.net/androidsecurity/article/details/9674251
http://www.kanxue.com/bbs/showthread.php?t=195865
實現了dex的讀取數據
Jni關鍵代碼基本都在譯文博客中了,我們要做的是讓它通過編譯、得到so庫。本地代碼當然要有與之對應的java代碼去加載才能用,通過上面對因爲的總結,可以先這樣定義 本地方法:
static native int loadDex(byte[] dex,long dexlen);
生成好對應的.h、.c文件之後把譯文中給出的核心代碼填上,下面纔是難題,許多類型都是unknown的,ndk編譯器會告訴你它不認識這些亂七八糟的玩意兒。接下來就是挨個補充定義了。
看着u4、u1這些從java程序猿眼中怪怪的類型我不禁長出一口氣——幸虧當年是C出身的。溯本清源,在源碼 /dalvik/vm/Common.h 類中找到了這羣貨的宏定義,於是照葫蘆畫瓢,在jni目錄里弄了一個僞造版的Common.h,搜刮了一下所有需要定義的類型之後,這個文件基本上是這個樣子的:
1 #ifndef DALVIK_COMMON_H_ 2 #define DALVIK_COMMON_H_ 3 4 #include <stdbool.h> 5 #include <stdint.h> 6 #include <stdio.h> 7 #include <assert.h> 8 9 static union { char c[4]; unsigned long mylong; }endian_test = {{ 'l', '?', '?', 'b' } }; 10 #define ENDIANNESS ((char)endian_test.mylong) 11 12 //#if ENDIANNESS == "l" 13 #define HAVE_LITTLE_ENDIAN 14 //#else 15 //#define HAVE_BIG_ENDIAN 16 //#endif 17 18 #if defined(HAVE_ENDIAN_H) 19 # include <endian.h> 20 #else /*not HAVE_ENDIAN_H*/ 21 # define __BIG_ENDIAN 4321 22 # define __LITTLE_ENDIAN 1234 23 # if defined(HAVE_LITTLE_ENDIAN) 24 # define __BYTE_ORDER __LITTLE_ENDIAN 25 # else 26 # define __BYTE_ORDER __BIG_ENDIAN 27 # endif 28 #endif /*not HAVE_ENDIAN_H*/ 29 30 #if !defined(NDEBUG) && defined(WITH_DALVIK_ASSERT) 31 # undef assert 32 # define assert(x) \ 33 ((x) ? ((void)0) : (ALOGE("ASSERT FAILED (%s:%d): %s", \ 34 __FILE__, __LINE__, #x), *(int*)39=39, (void)0) ) 35 #endif 36 37 #define MIN(x,y) (((x) < (y)) ? (x) : (y)) 38 #define MAX(x,y) (((x) > (y)) ? (x) : (y)) 39 40 #define LIKELY(exp) (__builtin_expect((exp) != 0, true)) 41 #define UNLIKELY(exp) (__builtin_expect((exp) != 0, false)) 42 43 #define ALIGN_UP(x, n) (((size_t)(x) + (n) - 1) & ~((n) - 1)) 44 #define ALIGN_DOWN(x, n) ((size_t)(x) & -(n)) 45 #define ALIGN_UP_TO_PAGE_SIZE(p) ALIGN_UP(p, SYSTEM_PAGE_SIZE) 46 #define ALIGN_DOWN_TO_PAGE_SIZE(p) ALIGN_DOWN(p, SYSTEM_PAGE_SIZE) 47 48 #define CLZ(x) __builtin_clz(x) 49 50 /* 51 * If "very verbose" logging is enabled, make it equivalent to ALOGV. 52 * Otherwise, make it disappear. 53 * 54 * Define this above the #include "Dalvik.h" to enable for only a 55 * single file. 56 */ 57 /* #define VERY_VERBOSE_LOG */ 58 #if defined(VERY_VERBOSE_LOG) 59 # define LOGVV ALOGV 60 # define IF_LOGVV() IF_ALOGV() 61 #else 62 # define LOGVV(...) ((void)0) 63 # define IF_LOGVV() if (false) 64 #endif 65 66 67 /* 68 * These match the definitions in the VM specification. 69 */ 70 typedef uint8_t u1; 71 typedef uint16_tu2; 72 typedef uint32_tu4; 73 typedef uint64_tu8; 74 typedef int8_t s1; 75 typedef int16_t s2; 76 typedef int32_t s4; 77 typedef int64_t s8; 78 79 /* 80 * Storage for primitive types and object references. 81 * 82 * Some parts of the code (notably object field access) assume that values 83 * are "left aligned", i.e. given "JValue jv", "jv.i" and "*((s4*)&jv)" 84 * yield the same result. This seems to be guaranteed by gcc on big- and 85 * little-endian systems. 86 */ 87 88 #define OFFSETOF_MEMBER(t, f) \ 89 (reinterpret_cast<char*>( \ 90 &reinterpret_cast<t*>(16)->f) - \ 91 reinterpret_cast<char*>(16)) 92 93 #define NELEM(x) ((int) (sizeof(x) / sizeof((x)[0]))) 94 95 union JValue { 96 #if defined(HAVE_LITTLE_ENDIAN) 97 u1 z; 98 s1 b; 99 u2 c; 100 s2 s; 101 s4 i; 102 s8 j; 103 float f; 104 double d; 105 void* l; 106 #endif 107 #if defined(HAVE_BIG_ENDIAN) 108 struct { 109 u1_z[3]; 110 u1z; 111 }; 112 struct { 113 s1_b[3]; 114 s1b; 115 }; 116 struct { 117 u2_c; 118 u2c; 119 }; 120 struct { 121 s2_s; 122 s2s; 123 }; 124 s4 i; 125 s8 j; 126 float f; 127 double d; 128 void* l; 129 #endif 130 }; 131 132 /* 133 * Array objects have these additional fields. 134 * 135 * We don't currently store the size of each element. Usually it's implied 136 * by the instruction. If necessary, the width can be derived from 137 * the first char of obj->clazz->descriptor. 138 */ 139 typedef struct { 140 void*clazz; 141 u4 lock; 142 u4 length; 143 u1* contents; 144 }ArrayObject ; 145 146 #endif // DALVIK_COMMON_H_
這裏面還有個大小端的問題,不過爲求實驗先通過就先定義死,過了再說。
還有個值得一提的結構就是最後面的ArrayObject,這玩意定義在源碼的/dalvik/vm/oo/Object.h 中,原本的定義是這樣的:
1 struct Object { 2 ClassObject*clazz; 3 u4 lock; 4 }; 5 6 struct ArrayObject : Object { 7 u4 length; 8 u8 contents[1]; 9 };
如果還實實在在的去弄一個ClassObject,那就是java中毒已深的表現,根據看雪裏面的相關討論(就是文首提到的兩篇),直接如上定義了。得到最後的C代碼如下:
1 #include "com_android_dexunshell_NativeTool.h" 2 #include <stdlib.h> 3 #include <dlfcn.h> 4 #include <stdio.h> 5 6 JNINativeMethod *dvm_dalvik_system_DexFile; 7 void (*openDexFile)(const u4* args,union JValue* pResult); 8 9 int lookup(JNINativeMethod *table, const char *name, const char *sig, 10 void (**fnPtrout)(u4 const *, union JValue *)) 11 { 12 int i = 0; 13 while (table[i].name != NULL) 14 { 15 LOGI("lookup %d %s" ,i,table[i].name); 16 if ((strcmp(name, table[i].name) == 0) 17 && (strcmp(sig, table[i].signature) == 0)) 18 { 19 *fnPtrout = table[i].fnPtr; 20 return 1; 21 } 22 i++; 23 } 24 return 0; 25 } 26 27 /* This function will be call when the library first be load. 28 * You can do some init in the libray. return which version jni it support. 29 */ 30 JNIEXPORT jint JNI_OnLoad(JavaVM* vm, void* reserved) 31 { 32 void *ldvm = (void*) dlopen("libdvm.so", RTLD_LAZY); 33 dvm_dalvik_system_DexFile = (JNINativeMethod*) dlsym(ldvm, 34 "dvm_dalvik_system_DexFile"); 35 if(0 == lookup(dvm_dalvik_system_DexFile, "openDexFile", "([B)I", 36 &openDexFile)) 37 { 38 openDexFile = NULL; 39 LOGE("method does not found "); 40 }else 41 { 42 LOGI("method found ! HAVE_BIG_ENDIAN"); 43 } 44 LOGI("ENDIANNESS is %c" ,ENDIANNESS ); 45 void *venv; 46 LOGI("dufresne----->JNI_OnLoad!"); 47 if ((*vm)->GetEnv(vm, (void**) &venv, JNI_VERSION_1_4) != JNI_OK) 48 { 49 LOGE("dufresne--->ERROR: GetEnv failed"); 50 return -1; 51 } 52 return JNI_VERSION_1_4; 53 } 54 55 JNIEXPORT jint JNICALL Java_com_android_dexunshell_NativeTool_loadDex( 56 JNIEnv * env, jclass jv, jbyteArray dexArray, jlong dexLen) 57 { 58 // header+dex content 59 u1 * olddata = (u1*)(*env)-> GetByteArrayElements(env,dexArray, NULL); 60 char* arr; 61 arr=(char*)malloc(16+dexLen); 62 ArrayObject *ao=(ArrayObject*)arr; 63 ao->length=dexLen; 64 memcpy(arr+16,olddata,dexLen); 65 u4 args[] = { (u4) ao }; 66 union JValue pResult; 67 jint result; 68 LOGI("call openDexFile 33..." ); 69 if(openDexFile != NULL) 70 { 71 openDexFile(args,&pResult); 72 } 73 else 74 { 75 result = -1; 76 } 77 78 result = (jint) pResult.l; 79 LOGI("Java_com_android_dexunshell_NativeTool_loadDex %d" , result); 80 return result; 81 }
Java層
底層代碼基本瞭然,也就是說譯文提供的思路基本實現,剩下其他加殼的事兒還要自己動腦筋補上。現在java層我們有一個可以使用的以byte數組爲參數的加載dex的接口了:
static native int loadDex(byte[] dex,long dexlen);
要知道我們花這麼大力氣實現的這個方法,實際意義在於讓源程序的dex數據在內存中傳遞,而不是必須保存在某個地方、以文件的方式。也就是說,我們需要一個新的DexClassLoader,去替換在上一篇提到的基礎加殼方案中自定義Application—— ProxyApplication 類,通過反射設置到”android.app.LoadedApk”中mClassLoder屬性的那個系統DexClassLoader,即至少那一段應該改成這樣:
1 DynamicDexClassLoder dLoader = new DynamicDexClassLoder(base,srcdata, 2 libPath, (ClassLoader) RefInvoke.getFieldOjbect( 3 "android.app.LoadedApk", wr.get(), "mClassLoader"), 4 getPackageResourcePath(),getDir(".dex", MODE_PRIVATE).getAbsolutePath() ); 5 6 RefInvoke.setFieldOjbect("android.app.LoadedApk", "mClassLoader", wr.get(), dLoader);
沒錯,DynamicDexClassLoder 它的構造參數中應當去接收源程序的dex數據,以byte數組的形式,這樣、相關把dex數組保存爲文件那段代碼可以刪除,/data/data 中相關目錄就找不到緩存dex文件的身影了;
替換DexClassLoader,要知道相對於系統版本的加載器我們的少了什麼,又多出了什麼,在一一對接上,就沒問題了。少了什麼呢?是dex文件路徑、多出了什麼呢?是dex byte數組,考慮到已經實現的jni庫,那就是多了一個加載好的dex文件對應的cookie值。那麼,這個
Cookie 是否能夠完成替換呢?這需要到源碼中找答案。
源碼路徑:libcore/dalvik/src/main/java/dalvik/system ,生成類圖,取出DexClassLoader相關的一部分:
走讀幾遍代碼基本就能瞭解,對於dex文件加載而言,DynamicDexClassLoder需要做的實際上只有一件事,複寫findClass方法,使APK運行時能夠找到和加載源程序dex中的類,至於如何實現,從類圖上就可以看出,最後實際上追溯到DexFile類,可以利用到jni加載到的cookie,通過反射DexFile中的方法,實現我們的預期,具體實現如下:
package com.android.dexunshell; import java.io.IOException; import java.net.URL; import java.util.Enumeration; import com.eebbk.mingming.k7utils.ReflectUtils; import android.content.Context; import android.util.Log; import android.view.LayoutInflater; import dalvik.system.DexClassLoader; import dalvik.system.DexFile; public class DynamicDexClassLoder extends DexClassLoader { private static final String TAG = DynamicDexClassLoder.class.getName(); private int cookie; private Context mContext; /** * 原構造 * * @param dexPath * @param optimizedDirectory * @param libraryPath * @param parent */ public DynamicDexClassLoder(String dexPath, String optimizedDirectory, String libraryPath, ClassLoader parent) { super(dexPath, optimizedDirectory, libraryPath, parent); } /** * 直接從內存加載 新構造 * * @param dexBytes * @param libraryPath * @param parent * @throws Exception */ public DynamicDexClassLoder(Context context, byte[] dexBytes, String libraryPath, ClassLoader parent, String oriPath, String fakePath) { super(oriPath, fakePath, libraryPath, parent); setContext(context); setCookie(NativeTool.loadDex(dexBytes, dexBytes.length)); } private void setCookie(int kie) { cookie = kie; } private void setContext(Context context) { mContext = context; } private String[] getClassNameList(int cookie) { return (String[]) ReflectUtils.invokeStaticMethod(DexFile.class, "getClassNameList", new Class[] { int.class }, new Object[] { cookie }); } private Class defineClass(String name, ClassLoader loader, int cookie) { return (Class) ReflectUtils.invokeStaticMethod(DexFile.class, "defineClass", new Class[] { String.class, ClassLoader.class, int.class }, new Object[] { name, loader, cookie }); } @Override protected Class<?> findClass(String name) throws ClassNotFoundException { Log.d(TAG, "findClass-" + name); Class<?> cls = null; String as[] = getClassNameList(cookie); for (int z = 0; z < as.length; z++) { if (as[z].equals(name)) { cls = defineClass(as[z].replace('.', '/'), mContext.getClassLoader(), cookie); } else { defineClass(as[z].replace('.', '/'), mContext.getClassLoader(), cookie); } } if (null == cls) { cls = super.findClass(name); } return cls; } @Override protected URL findResource(String name) { Log.d(TAG, "findResource-" + name); return super.findResource(name); } @Override protected Enumeration<URL> findResources(String name) { Log.d(TAG, "findResources ssss-" + name); return super.findResources(name); } @Override protected synchronized Package getPackage(String name) { Log.d(TAG, "getPackage-" + name); return super.getPackage(name); } @Override protected Class<?> loadClass(String className, boolean resolve) throws ClassNotFoundException { Log.d(TAG, "loadClass-" + className + " resolve " + resolve); Class<?> clazz = super.loadClass(className, resolve); if (null == clazz) { Log.e(TAG, "loadClass fail,maybe get a null-point exception."); } return clazz; } @Override protected Package[] getPackages() { Log.d(TAG, "getPackages sss-"); return super.getPackages(); } @Override protected Package definePackage(String name, String specTitle, String specVersion, String specVendor, String implTitle, String implVersion, String implVendor, URL sealBase) throws IllegalArgumentException { Log.d(TAG, "definePackage" + name); return super.definePackage(name, specTitle, specVersion, specVendor, implTitle, implVersion, implVendor, sealBase); }
它的啓動過程就是:
但是有一個地方我確實很難理解就是爲什麼自己寫了一個loadDex的方法爲什麼在它的前面還是要有
super(oriPath, fakePath, libraryPath, parent);
於是就有了我進一步的跟蹤DexClassLoader的這一些方法的過程了,它的調用關係如下:
DexClassLoder-> BaseDexClassLoader->DexPathList->makeDexElements-> loadDexFile-> loadDex->DexFile(String fileName)
而且在
1 private static DexFile loadDexFile(File file, File optimizedDirectory) 2 throws IOException { 3 if (optimizedDirectory == null) { 4 return new DexFile(file); 5 } else { 6 String optimizedPath = optimizedPathFor(file, optimizedDirectory); 7 return DexFile.loadDex(file.getPath(), optimizedPath, 0); 8 } 9 }
我就明白了,原來DexLoader也實現了DexFile操作,但是這些操作的實現在這個過程中不僅僅只是完成了dex的一個加載,另外也實現了class的映射方便上層去調用底層的方法。