• 关于apk加壳之动态加载dex文件


     由于自己之前做了一个关于手机令牌的APK软件,在实现的过程中尽管使用了native so进行一定的逻辑算法保护,但是在自己逆向破解的过程中发现我的手机令牌关键数据能够“轻易地”暴露出来,所以我就想进一步的对其进行加固。于是,我使用的网上常用的梆梆加固、爱加密和阿里的聚安全应用来对我的apk进行一个加固保护。加固后,出于好奇心,我想对这些加固的原理进行一个了解,便于我自己能够实现这个加固的方法。于是开始了网上关于这方面的学习,我将这些加固的大致原理进行了一个总结,发现它们实现的最主要的方法就是利用了dex文件动态加载,将主逻辑的dex文件经过加密隐藏在壳程序的dex中,并在运行时通过so进行解密,并从内存读取dex数据,直接在native层进行一个动态加载。这样的实现有几个关键点:

    1. dex文件不存储在设备的物理存储区域而是将文件的数据加密存储在壳程序的dex数据区域(关于dex的结构就在此不再解释);
    2. 从内存中获取dex数据,动态加载到进程空间中;
    3. 壳程序的application重定向加载到原程序的application对象;

          下面我就对这几个问题进行一一的学习之旅。

          关于第一个问题,其实经历了我很长时间的学习,主要是我在最开始学习的过程中,一直在dex的动态加载上面打转,由于关于dex的加载问题主要涉及到一个

          DexClassLoder(String dexPath, String optimizedDirectory,String libraryPath ,ClassLoader parent)方法,所以我必须得有个dex的路径方法啊,这点让我真的很抓狂,所以只能硬着头皮写咯。

          于是在http://blog.csdn.net/androidsecurity/article/details/8809542的帮助下完成了壳程序加载dex数据的方法。

    DexClassLoder-> BaseDexClassLoader->DexPathList->makeDexElements-> loadDexFile-> loadDex->DexFile(String fileName)

          

      1 package com.unshell.test;
      2 
      3 import android.app.Application;
      4 import java.io.BufferedInputStream;
      5 import java.io.ByteArrayInputStream;
      6 import java.io.ByteArrayOutputStream;
      7 import java.io.DataInputStream;
      8 import java.io.File;
      9 import java.io.FileInputStream;
     10 import java.io.FileOutputStream;
     11 import java.io.IOException;
     12 import java.lang.ref.WeakReference;
     13 import java.util.ArrayList;
     14 import java.util.HashMap;
     15 import java.util.Iterator;
     16 import java.util.zip.ZipEntry;
     17 import java.util.zip.ZipInputStream;
     18 
     19 import dalvik.system.DexClassLoader;
     20 import android.app.Instrumentation;
     21 import android.content.Context;
     22 import android.content.pm.ApplicationInfo;
     23 import android.content.pm.PackageManager;
     24 import android.content.pm.PackageManager.NameNotFoundException;
     25 import android.os.Bundle;
     26 
     27 public class ProxyApplication extends Application{
     28     private static final String appkey = "APPLICATION_CLASS_NAME";
     29     private String apkFileName;
     30     private String odexPath;
     31     private String libPath;
     32 
     33     //这是context 赋值
     34     @Override
     35     protected void attachBaseContext(Context base) {
     36         super.attachBaseContext(base);
     37         try {
     38             //创建两个文件夹payload_odex,payload_lib 私有的,可写的文件目录
     39             File odex = this.getDir("payload_odex", MODE_PRIVATE);
     40             File libs = this.getDir("payload_lib", MODE_PRIVATE);
     41             odexPath = odex.getAbsolutePath();
     42             libPath = libs.getAbsolutePath();
     43             apkFileName = odex.getAbsolutePath() + "/payload.apk";
     44             File dexFile = new File(apkFileName);
     45             if (!dexFile.exists())
     46             {
     47                 dexFile.createNewFile();  //在payload_odex文件夹内,创建payload.apk
     48                 // 读取程序classes.dex文件
     49                 byte[] dexdata = this.readDexFileFromApk();
     50                 // 分离出解壳后的apk文件已用于动态加载
     51                 this.splitPayLoadFromDex(dexdata);
     52             }
     53             // 配置动态加载环境
     54             Object currentActivityThread = RefInvoke.invokeStaticMethod(
     55                     "android.app.ActivityThread", "currentActivityThread",
     56                     new Class[] {}, new Object[] {});//获取主线程对象 http://blog.csdn.net/myarrow/article/details/14223493
     57             String packageName = this.getPackageName();//当前apk的包名
     58             //下面两句不是太理解
     59             HashMap mPackages = (HashMap) RefInvoke.getFieldOjbect(
     60                     "android.app.ActivityThread", currentActivityThread,
     61                     "mPackages");
     62             WeakReference wr = (WeakReference) mPackages.get(packageName);
     63             //创建被加壳apk的DexClassLoader对象   加载apk内的类和本地代码(c/c++代码)
     64             DexClassLoader dLoader = new DexClassLoader(apkFileName, odexPath,
     65                     libPath, (ClassLoader) RefInvoke.getFieldOjbect(
     66                             "android.app.LoadedApk", wr.get(), "mClassLoader"));
     67             //base.getClassLoader(); 是不是就等同于 (ClassLoader) RefInvoke.getFieldOjbect()? 有空验证下//?
     68             //把当前进程的DexClassLoader 设置成了被加壳apk的DexClassLoader  ----有点c++中进程环境的意思~~
     69             RefInvoke.setFieldOjbect("android.app.LoadedApk", "mClassLoader",
     70                     wr.get(), dLoader);
     71             
     72 
     73         } catch (Exception e) {
     74             // TODO Auto-generated catch block
     75             e.printStackTrace();
     76         }
     77     }
     78 
     79     @Override
     80     public void onCreate() {
     81         {
     82             // 如果源应用配置有Appliction对象,则替换为源应用Applicaiton,以便不影响源程序逻辑。
     83             String appClassName = null;
     84             //获取xml文件里配置的被加壳apk的Applicaiton
     85             try {
     86                 ApplicationInfo ai = this.getPackageManager()
     87                         .getApplicationInfo(this.getPackageName(),
     88                                 PackageManager.GET_META_DATA);
     89                 Bundle bundle = ai.metaData;
     90                 if (bundle != null
     91                         && bundle.containsKey("APPLICATION_CLASS_NAME")) {
     92                     appClassName = bundle.getString("APPLICATION_CLASS_NAME");//className 是配置在xml文件中的。
     93                 } else {
     94                     return;
     95                 }
     96             } catch (NameNotFoundException e) {
     97                 // TODO Auto-generated catch block
     98                 e.printStackTrace();
     99             }
    100             //有值的话调用该Applicaiton
    101             Object currentActivityThread = RefInvoke.invokeStaticMethod(
    102                     "android.app.ActivityThread", "currentActivityThread",
    103                     new Class[] {}, new Object[] {});
    104             Object mBoundApplication = RefInvoke.getFieldOjbect(
    105                     "android.app.ActivityThread", currentActivityThread,
    106                     "mBoundApplication");
    107             Object loadedApkInfo = RefInvoke.getFieldOjbect(
    108                     "android.app.ActivityThread$AppBindData",
    109                     mBoundApplication, "info");
    110             //把当前进程的mApplication 设置成了null
    111             RefInvoke.setFieldOjbect("android.app.LoadedApk", "mApplication",
    112                     loadedApkInfo, null);
    113             Object oldApplication = RefInvoke.getFieldOjbect(
    114                     "android.app.ActivityThread", currentActivityThread,
    115                     "mInitialApplication");
    117             ArrayList<Application> mAllApplications = (ArrayList<Application>) RefInvoke
    118                     .getFieldOjbect("android.app.ActivityThread",
    119                             currentActivityThread, "mAllApplications");
    120             mAllApplications.remove(oldApplication);//删除oldApplication
    121             
    122             ApplicationInfo appinfo_In_LoadedApk = (ApplicationInfo) RefInvoke
    123                     .getFieldOjbect("android.app.LoadedApk", loadedApkInfo,
    124                             "mApplicationInfo");
    125             ApplicationInfo appinfo_In_AppBindData = (ApplicationInfo) RefInvoke
    126                     .getFieldOjbect("android.app.ActivityThread$AppBindData",
    127                             mBoundApplication, "appInfo");
    128             appinfo_In_LoadedApk.className = appClassName;
    129             appinfo_In_AppBindData.className = appClassName;
    130             Application app = (Application) RefInvoke.invokeMethod(
    131                     "android.app.LoadedApk", "makeApplication", loadedApkInfo,
    132                     new Class[] { boolean.class, Instrumentation.class },
    133                     new Object[] { false, null });//执行 makeApplication(false,null)
    134             RefInvoke.setFieldOjbect("android.app.ActivityThread",
    135                     "mInitialApplication", currentActivityThread, app);
    136 
    137 
    138             HashMap mProviderMap = (HashMap) RefInvoke.getFieldOjbect(
    139                     "android.app.ActivityThread", currentActivityThread,
    140                     "mProviderMap");
    141             Iterator it = mProviderMap.values().iterator();
    142             while (it.hasNext()) {
    143                 Object providerClientRecord = it.next();
    144                 Object localProvider = RefInvoke.getFieldOjbect(
    145                         "android.app.ActivityThread$ProviderClientRecord",
    146                         providerClientRecord, "mLocalProvider");
    147                 RefInvoke.setFieldOjbect("android.content.ContentProvider",
    148                         "mContext", localProvider, app);
    149             }
    150             app.onCreate();
    151         }
    152     }
    153 
    154     /**
    155      * 释放被加壳的apk文件,so文件
    156      * @param data
    157      * @throws IOException
    158      */
    159     private void splitPayLoadFromDex(byte[] data) throws IOException {
    160         
    161         int ablen = apkdata.length;
    162         //取被加壳apk的长度   这里的长度取值,对应加壳时长度的赋值都可以做些简化
    163         byte[] dexlen = new byte[4];
    164         System.arraycopy(apkdata, ablen - 4, dexlen, 0, 4);
    165         ByteArrayInputStream bais = new ByteArrayInputStream(dexlen);
    166         DataInputStream in = new DataInputStream(bais);
    167         int readInt = in.readInt();
    168         System.out.println(Integer.toHexString(readInt));
    169         byte[] newdex = new byte[readInt];
    170         //把被加壳apk内容拷贝到newdex中
    171         System.arraycopy(apkdata, ablen - 4 - readInt, newdex, 0, readInt);
    172         //这里应该加上对于apk的解密操作,若加壳是加密处理的话
    173         //?byte[] apkdata = decrypt(newdex);  //解壳程序的dex并没有加密,所以也不需要解密
    174         //写入apk文件   
    175         File file = new File(apkFileName);
    176         try {
    177             FileOutputStream localFileOutputStream = new FileOutputStream(file);
    178             localFileOutputStream.write(newdex);
    179             localFileOutputStream.close();
    180 
    181 
    182         } catch (IOException localIOException) {
    183             throw new RuntimeException(localIOException);
    184         }
    185         
    186         //分析被加壳的apk文件
    187         ZipInputStream localZipInputStream = new ZipInputStream(
    188                 new BufferedInputStream(new FileInputStream(file)));
    189         while (true) {
    190             ZipEntry localZipEntry = localZipInputStream.getNextEntry();//不了解这个是否也遍历子目录,看样子应该是遍历的
    191             if (localZipEntry == null) {
    192                 localZipInputStream.close();
    193                 break;
    194             }
    195             //取出被加壳apk用到的so文件,放到 libPath中(data/data/包名/payload_lib)
    196             String name = localZipEntry.getName();
    197             if (name.startsWith("lib/") && name.endsWith(".so")) {
    198                 File storeFile = new File(libPath + "/"
    199                         + name.substring(name.lastIndexOf('/')));
    200                 storeFile.createNewFile();
    201                 FileOutputStream fos = new FileOutputStream(storeFile);
    202                 byte[] arrayOfByte = new byte[1024];
    203                 while (true) {
    204                     int i = localZipInputStream.read(arrayOfByte);
    205                     if (i == -1)
    206                         break;
    207                     fos.write(arrayOfByte, 0, i);
    208                 }
    209                 fos.flush();
    210                 fos.close();
    211             }
    212             localZipInputStream.closeEntry();
    213         }
    214         localZipInputStream.close();
    215 
    216 
    217     }
    218 
    219     /**
    220      * 从apk包里面获取dex文件内容(byte)
    221      * @return
    222      * @throws IOException
    223      */
    224     private byte[] readDexFileFromApk() throws IOException {
    225         ByteArrayOutputStream dexByteArrayOutputStream = new ByteArrayOutputStream();
    226         ZipInputStream localZipInputStream = new ZipInputStream(
    227                 new BufferedInputStream(new FileInputStream(
    228                         this.getApplicationInfo().sourceDir)));
    229         while (true) {
    230             ZipEntry localZipEntry = localZipInputStream.getNextEntry();
    231             if (localZipEntry == null) {
    232                 localZipInputStream.close();
    233                 break;
    234             }
    235             if (localZipEntry.getName().equals("classes.dex")) {
    236                 byte[] arrayOfByte = new byte[1024];
    237                 while (true) {
    238                     int i = localZipInputStream.read(arrayOfByte);
    239                     if (i == -1)
    240                         break;
    241                     dexByteArrayOutputStream.write(arrayOfByte, 0, i);
    242                 }
    243             }
    244             localZipInputStream.closeEntry();
    245         }
    246         localZipInputStream.close();
    247         return dexByteArrayOutputStream.toByteArray();
    248     }
    249 
    250 
    251     // //直接返回数据,读者可以添加自己解密方法
    252     private byte[] decrypt(byte[] data) {
    253         return data;
    254     }
    255 }

          接着我们就要解决从内存dex的动态加载问题,于是根据我在看雪论坛上面学习的这几篇文章

          http://blog.csdn.net/androidsecurity/article/details/9674251

          http://www.kanxue.com/bbs/showthread.php?t=195865  

          实现了dex的读取数据

          Jni关键代码基本都在译文博客中了,我们要做的是让它通过编译、得到so库。本地代码当然要有与之对应的java代码去加载才能用,通过上面对因为的总结,可以先这样定义       本地方法:
              static native int loadDex(byte[] dex,long dexlen);
           生成好对应的.h、.c文件之后把译文中给出的核心代码填上,下面才是难题,许多类型都是unknown的,ndk编译器会告诉你它不认识这些乱七八糟的玩意儿。接下来就是挨个补充定义了。
            看着u4、u1这些从java程序猿眼中怪怪的类型我不禁长出一口气——幸亏当年是C出身的。溯本清源,在源码 /dalvik/vm/Common.h 类中找到了这群货的宏定义,于是照葫芦画瓢,在jni目录里弄了一个伪造版的Common.h,搜刮了一下所有需要定义的类型之后,这个文件基本上是这个样子的:

          

      1 #ifndef DALVIK_COMMON_H_
      2 #define DALVIK_COMMON_H_
      3 
      4 #include <stdbool.h>
      5 #include <stdint.h>
      6 #include <stdio.h>
      7 #include <assert.h>
      8 
      9 static union { char c[4]; unsigned long mylong; }endian_test = {{ 'l', '?', '?', 'b' } };
     10 #define ENDIANNESS  ((char)endian_test.mylong)
     11 
     12 //#if ENDIANNESS == "l"
     13 #define HAVE_LITTLE_ENDIAN
     14 //#else
     15 //#define HAVE_BIG_ENDIAN
     16 //#endif
     17 
     18 #if defined(HAVE_ENDIAN_H)
     19 # include <endian.h>
     20 #else /*not HAVE_ENDIAN_H*/
     21 # define __BIG_ENDIAN 4321
     22 # define __LITTLE_ENDIAN 1234
     23 # if defined(HAVE_LITTLE_ENDIAN)
     24 #  define __BYTE_ORDER __LITTLE_ENDIAN
     25 # else
     26 #  define __BYTE_ORDER __BIG_ENDIAN
     27 # endif
     28 #endif /*not HAVE_ENDIAN_H*/
     29 
     30 #if !defined(NDEBUG) && defined(WITH_DALVIK_ASSERT)
     31 # undef assert
     32 # define assert(x) 
     33 ((x) ? ((void)0) : (ALOGE("ASSERT FAILED (%s:%d): %s", 
     34 __FILE__, __LINE__, #x), *(int*)39=39, (void)0) )
     35 #endif
     36 
     37 #define MIN(x,y) (((x) < (y)) ? (x) : (y))
     38 #define MAX(x,y) (((x) > (y)) ? (x) : (y))
     39 
     40 #define LIKELY(exp) (__builtin_expect((exp) != 0, true))
     41 #define UNLIKELY(exp) (__builtin_expect((exp) != 0, false))
     42 
     43 #define ALIGN_UP(x, n) (((size_t)(x) + (n) - 1) & ~((n) - 1))
     44 #define ALIGN_DOWN(x, n) ((size_t)(x) & -(n))
     45 #define ALIGN_UP_TO_PAGE_SIZE(p) ALIGN_UP(p, SYSTEM_PAGE_SIZE)
     46 #define ALIGN_DOWN_TO_PAGE_SIZE(p) ALIGN_DOWN(p, SYSTEM_PAGE_SIZE)
     47 
     48 #define CLZ(x) __builtin_clz(x)
     49 
     50 /*
     51  * If "very verbose" logging is enabled, make it equivalent to ALOGV.
     52  * Otherwise, make it disappear.
     53  *
     54  * Define this above the #include "Dalvik.h" to enable for only a
     55  * single file.
     56  */
     57 /* #define VERY_VERBOSE_LOG */
     58 #if defined(VERY_VERBOSE_LOG)
     59 # define LOGVV  ALOGV
     60 # define IF_LOGVV() IF_ALOGV()
     61 #else
     62 # define LOGVV(...) ((void)0)
     63 # define IF_LOGVV() if (false)
     64 #endif
     65 
     66 
     67 /*
     68  * These match the definitions in the VM specification.
     69  */
     70 typedef uint8_t u1;
     71 typedef uint16_tu2;
     72 typedef uint32_tu4;
     73 typedef uint64_tu8;
     74 typedef int8_t  s1;
     75 typedef int16_t s2;
     76 typedef int32_t s4;
     77 typedef int64_t s8;
     78 
     79 /*
     80  * Storage for primitive types and object references.
     81  *
     82  * Some parts of the code (notably object field access) assume that values
     83  * are "left aligned", i.e. given "JValue jv", "jv.i" and "*((s4*)&jv)"
     84  * yield the same result.  This seems to be guaranteed by gcc on big- and
     85  * little-endian systems.
     86  */
     87 
     88 #define OFFSETOF_MEMBER(t, f) 
     89   (reinterpret_cast<char*>(   
     90  &reinterpret_cast<t*>(16)->f) -  
     91    reinterpret_cast<char*>(16))
     92 
     93 #define NELEM(x) ((int) (sizeof(x) / sizeof((x)[0])))
     94 
     95 union JValue {
     96 #if defined(HAVE_LITTLE_ENDIAN)
     97     u1  z;
     98     s1  b;
     99     u2  c;
    100     s2  s;
    101     s4  i;
    102     s8  j;
    103     float   f;
    104     double  d;
    105     void* l;
    106 #endif
    107 #if defined(HAVE_BIG_ENDIAN)
    108     struct {
    109         u1_z[3];
    110         u1z;
    111     };
    112     struct {
    113         s1_b[3];
    114         s1b;
    115     };
    116     struct {
    117         u2_c;
    118         u2c;
    119     };
    120     struct {
    121         s2_s;
    122         s2s;
    123     };
    124     s4  i;
    125     s8  j;
    126     float   f;
    127     double  d;
    128     void*   l;
    129 #endif
    130 };
    131 
    132 /*
    133  * Array objects have these additional fields.
    134  *
    135  * We don't currently store the size of each element.  Usually it's implied
    136  * by the instruction.  If necessary, the width can be derived from
    137  * the first char of obj->clazz->descriptor.
    138  */
    139 typedef struct   {
    140    void*clazz;
    141    u4  lock;
    142    u4  length;
    143    u1*  contents;
    144 }ArrayObject ;
    145 
    146 #endif  // DALVIK_COMMON_H_

            这里面还有个大小端的问题,不过为求实验先通过就先定义死,过了再说。
            还有个值得一提的结构就是最后面的ArrayObject,这玩意定义在源码的/dalvik/vm/oo/Object.h 中,原本的定义是这样的:

    1 struct Object {
    2     ClassObject*clazz;
    3     u4  lock;
    4 };
    5 
    6 struct ArrayObject : Object {
    7     u4  length;
    8     u8  contents[1];
    9 };

         如果还实实在在的去弄一个ClassObject,那就是java中毒已深的表现,根据看雪里面的相关讨论(就是文首提到的两篇),直接如上定义了。得到最后的C代码如下:

     1 #include "com_android_dexunshell_NativeTool.h"
     2 #include <stdlib.h>
     3 #include <dlfcn.h>
     4 #include <stdio.h>
     5 
     6 JNINativeMethod *dvm_dalvik_system_DexFile;
     7 void (*openDexFile)(const u4* args,union  JValue* pResult);
     8 
     9 int lookup(JNINativeMethod *table, const char *name, const char *sig,
    10    void (**fnPtrout)(u4 const *, union JValue *)) 
    11 {
    12     int i = 0;
    13     while (table[i].name != NULL) 
    14     {
    15         LOGI("lookup %d %s" ,i,table[i].name);
    16         if ((strcmp(name, table[i].name) == 0)
    17                && (strcmp(sig, table[i].signature) == 0)) 
    18         {
    19             *fnPtrout = table[i].fnPtr;
    20             return 1;
    21            }
    22            i++;
    23     }
    24      return 0;
    25 }
    26 
    27 /* This function will be call when the library first be load.
    28  * You can do some init in the libray. return which version jni it support.
    29  */
    30 JNIEXPORT jint JNI_OnLoad(JavaVM* vm, void* reserved) 
    31 {
    32     void *ldvm = (void*) dlopen("libdvm.so", RTLD_LAZY);
    33     dvm_dalvik_system_DexFile = (JNINativeMethod*) dlsym(ldvm,
    34            "dvm_dalvik_system_DexFile");
    35     if(0 == lookup(dvm_dalvik_system_DexFile, "openDexFile", "([B)I",
    36         &openDexFile))
    37      {
    38            openDexFile = NULL;
    39            LOGE("method does not found ");
    40     }else
    41     {
    42         LOGI("method found ! HAVE_BIG_ENDIAN");
    43      }
    44      LOGI("ENDIANNESS is %c" ,ENDIANNESS );
    45      void *venv;
    46      LOGI("dufresne----->JNI_OnLoad!");
    47      if ((*vm)->GetEnv(vm, (void**) &venv, JNI_VERSION_1_4) != JNI_OK) 
    48     {
    49            LOGE("dufresne--->ERROR: GetEnv failed");
    50            return -1;
    51      }
    52      return JNI_VERSION_1_4;
    53 }
    54 
    55 JNIEXPORT jint JNICALL Java_com_android_dexunshell_NativeTool_loadDex(
    56    JNIEnv * env, jclass jv, jbyteArray dexArray, jlong dexLen)
    57 {
    58     // header+dex content
    59     u1 * olddata = (u1*)(*env)-> GetByteArrayElements(env,dexArray,   NULL);
    60     char* arr;
    61      arr=(char*)malloc(16+dexLen);
    62      ArrayObject *ao=(ArrayObject*)arr;
    63      ao->length=dexLen;
    64      memcpy(arr+16,olddata,dexLen);
    65       u4 args[] = { (u4) ao };
    66     union JValue pResult;
    67     jint result;
    68     LOGI("call openDexFile 33..." );
    69     if(openDexFile != NULL)
    70     {
    71         openDexFile(args,&pResult);
    72     }
    73     else
    74     {
    75         result = -1;
    76     }
    77 
    78     result = (jint) pResult.l;
    79     LOGI("Java_com_android_dexunshell_NativeTool_loadDex %d" , result);
    80     return result;
    81 }

    Java层

    底层代码基本了然,也就是说译文提供的思路基本实现,剩下其他加壳的事儿还要自己动脑筋补上。现在java层我们有一个可以使用的以byte数组为参数的加载dex的接口了:
    static native int loadDex(byte[] dex,long dexlen);
    要知道我们花这么大力气实现的这个方法,实际意义在于让源程序的dex数据在内存中传递,而不是必须保存在某个地方、以文件的方式。也就是说,我们需要一个新的DexClassLoader,去替换在上一篇提到的基础加壳方案中自定义Application—— ProxyApplication 类,通过反射设置到”android.app.LoadedApk”中mClassLoder属性的那个系统DexClassLoader,即至少那一段应该改成这样:

    1 DynamicDexClassLoder dLoader = new DynamicDexClassLoder(base,srcdata,
    2    libPath, (ClassLoader) RefInvoke.getFieldOjbect(
    3  "android.app.LoadedApk", wr.get(), "mClassLoader"),
    4  getPackageResourcePath(),getDir(".dex", MODE_PRIVATE).getAbsolutePath() );
    5 
    6 RefInvoke.setFieldOjbect("android.app.LoadedApk", "mClassLoader",  wr.get(), dLoader);

    没错,DynamicDexClassLoder 它的构造参数中应当去接收源程序的dex数据,以byte数组的形式,这样、相关把dex数组保存为文件那段代码可以删除,/data/data 中相关目录就找不到缓存dex文件的身影了;

    替换DexClassLoader,要知道相对于系统版本的加载器我们的少了什么,又多出了什么,在一一对接上,就没问题了。少了什么呢?是dex文件路径、多出了什么呢?是dex byte数组,考虑到已经实现的jni库,那就是多了一个加载好的dex文件对应的cookie值。那么,这个
    Cookie 是否能够完成替换呢?这需要到源码中找答案。
    源码路径:libcore/dalvik/src/main/java/dalvik/system ,生成类图,取出DexClassLoader相关的一部分:

    走读几遍代码基本就能了解,对于dex文件加载而言,DynamicDexClassLoder需要做的实际上只有一件事,复写findClass方法,使APK运行时能够找到和加载源程序dex中的类,至于如何实现,从类图上就可以看出,最后实际上追溯到DexFile类,可以利用到jni加载到的cookie,通过反射DexFile中的方法,实现我们的预期,具体实现如下:

    package com.android.dexunshell;
    
    import java.io.IOException;
    import java.net.URL;
    import java.util.Enumeration;
    
    import com.eebbk.mingming.k7utils.ReflectUtils;
    
    import android.content.Context;
    import android.util.Log;
    import android.view.LayoutInflater;
    
    import dalvik.system.DexClassLoader;
    import dalvik.system.DexFile;
    
    public class DynamicDexClassLoder extends DexClassLoader {
         private static final String TAG = DynamicDexClassLoder.class.getName();
         private int cookie;
         private Context mContext;
    
         /**
          * 原构造
          *
          * @param dexPath
          * @param optimizedDirectory
          * @param libraryPath
          * @param parent
          */
         public DynamicDexClassLoder(String dexPath, String optimizedDirectory,
                            String libraryPath, ClassLoader parent) {
                   super(dexPath, optimizedDirectory, libraryPath, parent);
         }
    
         /**
          * 直接从内存加载 新构造
          *
          * @param dexBytes
          * @param libraryPath
          * @param parent
          * @throws Exception
          */
    
         public DynamicDexClassLoder(Context context, byte[] dexBytes,
                            String libraryPath, ClassLoader parent, String oriPath,
                            String fakePath) {
                   super(oriPath, fakePath, libraryPath, parent);
                   setContext(context);
                   setCookie(NativeTool.loadDex(dexBytes, dexBytes.length));
         }
    
         private void setCookie(int kie) {
                   cookie = kie;
         }
    
         private void setContext(Context context) {
                   mContext = context;
         }
    
         private String[] getClassNameList(int cookie) {
                   return (String[]) ReflectUtils.invokeStaticMethod(DexFile.class,
                                     "getClassNameList", new Class[] { int.class },
                                     new Object[] { cookie });
         }
    
         private Class defineClass(String name, ClassLoader loader, int cookie) {
                   return (Class) ReflectUtils.invokeStaticMethod(DexFile.class,
                                     "defineClass", new Class[] { String.class, ClassLoader.class,
                                                        int.class }, new Object[] { name, loader, cookie });
         }
    
         @Override
         protected Class<?> findClass(String name) throws ClassNotFoundException {
                   Log.d(TAG, "findClass-" + name);
                   Class<?> cls = null;
    
                   String as[] = getClassNameList(cookie);
                   for (int z = 0; z < as.length; z++) {
                            if (as[z].equals(name)) {
                                     cls = defineClass(as[z].replace('.', '/'),
                                                        mContext.getClassLoader(), cookie);
                            } else {
                                     defineClass(as[z].replace('.', '/'), mContext.getClassLoader(),
                                                        cookie);
                            }
                   }
    
                   if (null == cls) {
                            cls = super.findClass(name);
                   }
    
                   return cls;
         }
    
         @Override
         protected URL findResource(String name) {
                   Log.d(TAG, "findResource-" + name);
                   return super.findResource(name);
         }
    
         @Override
         protected Enumeration<URL> findResources(String name) {
                   Log.d(TAG, "findResources ssss-" + name);
                   return super.findResources(name);
         }
    
         @Override
         protected synchronized Package getPackage(String name) {
                   Log.d(TAG, "getPackage-" + name);
                   return super.getPackage(name);
         }
    
         @Override
         protected Class<?> loadClass(String className, boolean resolve)
                            throws ClassNotFoundException {
                   Log.d(TAG, "loadClass-" + className + " resolve " + resolve);
                   Class<?> clazz = super.loadClass(className, resolve);
                   if (null == clazz) {
                            Log.e(TAG, "loadClass fail,maybe get a null-point exception.");
                   }
                   return clazz;
         }
    
         @Override
         protected Package[] getPackages() {
                   Log.d(TAG, "getPackages sss-");
                   return super.getPackages();
         }
    
         @Override
         protected Package definePackage(String name, String specTitle,
                            String specVersion, String specVendor, String implTitle,
                            String implVersion, String implVendor, URL sealBase)
                            throws IllegalArgumentException {
                   Log.d(TAG, "definePackage" + name);
                  return super.definePackage(name, specTitle, specVersion, specVendor,
                                     implTitle, implVersion, implVendor, sealBase);
         }

    它的启动过程就是:

    基本流程

    但是有一个地方我确实很难理解就是为什么自己写了一个loadDex的方法为什么在它的前面还是要有

    super(oriPath, fakePath, libraryPath, parent);

    于是就有了我进一步的跟踪DexClassLoader的这一些方法的过程了,它的调用关系如下:
    DexClassLoder-> BaseDexClassLoader->DexPathList->makeDexElements-> loadDexFile-> loadDex->DexFile(String fileName)
    而且在
    1 private static DexFile loadDexFile(File file, File optimizedDirectory)
    2             throws IOException {
    3         if (optimizedDirectory == null) {
    4             return new DexFile(file);
    5         } else {
    6             String optimizedPath = optimizedPathFor(file, optimizedDirectory);
    7             return DexFile.loadDex(file.getPath(), optimizedPath, 0);
    8         }
    9     }

     我就明白了,原来DexLoader也实现了DexFile操作,但是这些操作的实现在这个过程中不仅仅只是完成了dex的一个加载,另外也实现了class的映射方便上层去调用底层的方法。



  • 相关阅读:
    QGhappy小组第三次作业第四天会议完成情况
    DeepLearning 学习资料
    matrix derivatives
    back propogation 的线代描述
    Tag recommendaion... 论文中的小例子,使用HOSVD算法推荐
    funk_SVD 个人理解
    PCA 学习笔记
    《机器学习实战》6.2小节,KKT条件代码理解
    KNN算法python实现
    vimrc 我的专属vim配置
  • 原文地址:https://www.cnblogs.com/twlqx/p/4314563.html
Copyright © 2020-2023  润新知