360手机助手使用的 Droidplugin,它是360手机助手团队在AndroID系统上实现了一种插件机制。它可以在无需安装、修改的情况下运行APK文件,此机制对改进大型APP的架构,实现多团队协作开发具有一定的好处。
它是一种新的插件机制,一种免安装的运行机制
github地址:https://github.com/DroidpluginTeam/Droidplugin
参考博客:http://blog.csdn.net/hejjunlin/article/details/52124397
Droidplugin的的基本原理:
共享进程:为androID提供一个进程运行多个apk的机制,通过API欺骗机制瞒过系统
占坑:通过预先占坑的方式实现不用在manifest注册,通过一带多的方式实现服务管理
Hook机制:动态代理实现函数hook,Binder代理绕过部分系统服务限制,IO重定向(先获取原始Object-->Read,然后动态代理Hook Object后-->Write回去,达到瞒天过海的目的)
public abstract class Hook { private boolean mEnable = false;//能否hook protected Context mHostContext;//宿主context,外部传入 protected BaseHookHandle mHookHandles; public voID setEnable(boolean enable,boolean reInstallHook) { this.mEnable = enable; } public final voID setEnable(boolean enable) { setEnable(enable,false); } public boolean isEnable() { return mEnable; } protected Hook(Context hostContext) { mHostContext = hostContext; mHookHandles = createHookHandle(); } protected abstract BaseHookHandle createHookHandle();//用于子类创建Hook机制 protected abstract voID onInstall(ClassLoader classLoader) throws Throwable;//插件安装 protected voID onUnInstall(ClassLoader classLoader) throws Throwable {//插件卸载 }}public class HookedMethodHandler {//Hook方法 private static final String TAG = HookedMethodHandler.class.getSimplename(); protected final Context mHostContext; /** * 调用方法的时候会到AppOpsService进行判断uID(宿主apk)和插件的包名是否匹配,此处是不匹配的 * 此时就可以经过转换欺骗系统让程序认为是宿主apk调过来的(这样的前提就需要宿主把所有的权限都申请了) * 因为系统只会去检测宿主apk * **/ private Object mFakedResult = null;//用于欺骗系统 private boolean mUseFakedResult = false; public HookedMethodHandler(Context hostContext) { this.mHostContext = hostContext; } public synchronized Object doHookInner(Object receiver,Method method,Object[] args) throws Throwable { long b = System.currentTimeMillis(); try { mUseFakedResult = false; mFakedResult = null; boolean suc = beforeInvoke(receiver,method,args); Object invokeResult = null; if (!suc) {//false执行原始方法 invokeResult = method.invoke(receiver,args); } afterInvoke(receiver,args,invokeResult); if (mUseFakedResult) {//true返回欺骗结果,false返回正常的调用方法 return mFakedResult; } else { return invokeResult; } } finally { long time = System.currentTimeMillis() - b; if (time > 5) { Log.i(TAG,"doHookInner method(%s.%s) cost %s ms",method.getDeclaringClass().getname(),method.getname(),time); } } } public voID setFakedResult(Object fakedResult) { this.mFakedResult = fakedResult; mUseFakedResult = true; } /** * 在某个方法被调用之前执行,如果返回true,则不执行原始的方法,否则执行原始方法 */ protected boolean beforeInvoke(Object receiver,Object[] args) throws Throwable { return false; } protected voID afterInvoke(Object receiver,Object[] args,Object invokeResult) throws Throwable { } public boolean isFakedResult() { return mUseFakedResult; } public Object getFakedResult() { return mFakedResult; }}abstract class BinderHook extends Hook implements InvocationHandler { private Object moldobj; public BinderHook(Context hostContext) { super(hostContext); } @OverrIDe public Object invoke(Object proxy,Object[] args) throws Throwable { try { if (!isEnable()) {//如果不能Hook,执行原方法 return method.invoke(moldobj,args); } HookedMethodHandler hookedMethodHandler = mHookHandles.getHookedMethodHandler(method); if (hookedMethodHandler != null) { return hookedMethodHandler.doHookInner(moldobj,args); } else { return method.invoke(moldobj,args); } } catch (InvocationTargetException e) { Throwable cause = e.getTargetException(); if (cause != null && MyProxy.isMethodDeclaredThrowable(method,cause)) { throw cause; } else if (cause != null) { RuntimeException runtimeException = !TextUtils.isEmpty(cause.getMessage()) ? new RuntimeException(cause.getMessage()) : new RuntimeException(); runtimeException.initCause(cause); throw runtimeException; } else { RuntimeException runtimeException = !TextUtils.isEmpty(e.getMessage()) ? new RuntimeException(e.getMessage()) : new RuntimeException(); runtimeException.initCause(e); throw runtimeException; } } catch (IllegalArgumentException e) { try { StringBuilder sb = new StringBuilder(); sb.append(" DROIdplUGIN{"); if (method != null) { sb.append("method[").append(method.toString()).append("]"); } else { sb.append("method[").append("NulL").append("]"); } if (args != null) { sb.append("args[").append(Arrays.toString(args)).append("]"); } else { sb.append("args[").append("NulL").append("]"); } sb.append("}"); String message = e.getMessage() + sb.toString(); throw new IllegalArgumentException(message,e); } catch (Throwable e1) { throw e; } } catch (Throwable e) { if (MyProxy.isMethodDeclaredThrowable(method,e)) { throw e; } else { RuntimeException runtimeException = !TextUtils.isEmpty(e.getMessage()) ? new RuntimeException(e.getMessage()) : new RuntimeException(); runtimeException.initCause(e); throw runtimeException; } } } abstract Object getoldobj() throws Exception; voID setoldobj(Object moldobj) { this.moldobj = moldobj; } public abstract String getServicename();//具体Hook哪一个service /** * 先调用ServiceManagerCacheBinderHook的onInstall()方法更新一下service cache * 然后生成一个新的代理对象放到mProxIEdobjcache里。这样下次不管是从cache里取,还是直接通过binder调用,就都会返回我们的代理对象。 * **/ @OverrIDe protected voID onInstall(ClassLoader classLoader) throws Throwable { new ServiceManagerCacheBinderHook(mHostContext,getServicename()).onInstall(classLoader); moldobj = getoldobj(); Class<?> clazz = moldobj.getClass();//得到class List<Class<?>> interfaces = Utils.getAllinterfaces(clazz); Class[] ifs = interfaces != null && interfaces.size() > 0 ? interfaces.toArray(new Class[interfaces.size()]) : new Class[0]; //用原始对象的classloader传入动态代理,得到代理对象 Object proxIEdobj = MyProxy.newProxyInstance(clazz.getClassLoader(),ifs,this); MyServiceManager.addProxIEdobj(getServicename(),proxIEdobj); }}结论就是读取插件apk,和宿主的uID对比,然后进行包替换,在利用binder代理Hook,启动插件,这概括很是大概,不过涉及太复杂
然后是使用了,结束和使用都很多资料,很详细,不过自己研究了一翻记录下心得,也能加深理解和印象
public class MainActivity extends AppCompatActivity { private String filepath = null,packagename = "cn.liuzhen.plugin"; private TextVIEw tv_val; private Context context; @OverrIDe protected voID onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentVIEw(R.layout.activity_main); context = MainActivity.this; tv_val = (TextVIEw)findVIEwByID(R.ID.tv_val); filepath = Environment.getExternalStorageDirectory().getabsolutePath().concat("/test.apk"); } public voID click(VIEw vIEw) { if (filepath == null){ Toast.makeText(context,"filepath is null",Toast.LENGTH_SHORT).show(); return; } String result = null; int code = -1; try { switch (vIEw.getID()) { case R.ID.btn_install: code = PluginManager.getInstance().installPackage(filepath,PackageManagerCompat.INSTALL_REPLACE_EXISTING); result = "install"; switch (code) { case PluginManager.INSTALL_Failed_NO_REQUESTEDPERMISSION: result = "安装失败,文件请求的权限太多"; break; case PackageManagerCompat.INSTALL_Failed_NOT_SUPPORT_ABI: result = "宿主不支持插件的abi环境,可能宿主运行时为64位,但插件只支持32位"; break; case PackageManagerCompat.INSTALL_SUCCEEDED: result = "安装完成"; break; } break; case R.ID.btn_del: PluginManager.getInstance().deletePackage(packagename,0); result = "del"; break; case R.ID.btn_open: PackageManager pm = getPackageManager(); Intent intent = pm.getLaunchIntentForPackage("cn.liuzhen.plugin"); if (intent == null){ result = "intent is null"; }else startActivity(intent); break; } } catch (remoteexception e) { result = "安装失败 "+e.getMessage(); } tv_val.setText(result); }}运行程序成功,然后把运行的apk复制一份,我上面的名称是写死的,test.apk,然后放在根目录,点击安装,显示成功后在点击打开,就能见到跳转到插件界面了,插件化通了。
接下来就是看自己怎么设计和开发了,什么东西也不能随便使用,得好好考虑,个人觉得插件化不宜大范围使用,适合小菜单的集成,毕竟都是反射的,而且还得考虑好安全问题。
以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持编程小技巧。
总结以上是内存溢出为你收集整理的Android系统实现DroidPlugin插件机制全部内容,希望文章能够帮你解决Android系统实现DroidPlugin插件机制所遇到的程序开发问题。
如果觉得内存溢出网站内容还不错,欢迎将内存溢出网站推荐给程序员好友。
欢迎分享,转载请注明来源:内存溢出
微信扫一扫
支付宝扫一扫
评论列表(0条)