文章目录

  • 一、 Service 中的 getApplication() 方法分析
  • 二、 ActivityThread 中的 H 处理 RECEIVER 消息
  • 三、 ActivityThread 中的 handleReceiver 方法
  • 四、 ContextImpl 的 getReceiverRestrictedContext 方法
  • 五、 ReceiverRestrictedContext 封装类
  • 六、 LoadedApk 中的 mApplication 成员
  • 七、 ActivityThread 涉及源码
  • 八、 Instrumentation 涉及源码
  • 九、 LoadedApk 涉及源码

一、 Service 中的 getApplication() 方法分析

在 BroadcastReceiver 中的 onReceive 方法中的 Context context 参数 , 打印出来是 android.app.ReceiverRestrictedContext 类型的 , 调用该对象的 getApplicationContext() 方法 , 获取的 Application , 就是用户自定义的 Application ;

public class MyBroadCastReciver extends BroadcastReceiver {@SuppressLint("LongLogTag")@Overridepublic void onReceive(Context context, Intent intent) {/*验证 Application 是否替换成功打印 Application , ApplicationContext , ApplicationInfo*/Log.i("octopus.MyBroadCastReciver", "reciver:" + context);Log.i("octopus.MyBroadCastReciver", "reciver:" + context.getApplicationContext());Log.i("octopus.MyBroadCastReciver", "reciver:" + context.getApplicationInfo().className);}
}

打印结果 :

octopus.MyBroadCastReciver: reciver:android.app.ReceiverRestrictedContext@8a50e9a
octopus.MyBroadCastReciver: reciver:kim.hsl.dex.MyApplication@b2b81e2
octopus.MyBroadCastReciver: reciver:kim.hsl.dex.MyApplication

ReceiverRestrictedContext 类型的上下文对象 , 是在 ActivityThread 中的 Handler H 处理 RECEIVER 消息时 , 在 handleReceiver() 方法中 , 通过调用 ContextImpl 的 getReceiverRestrictedContext() 方法获得 , 在下面有详细的说明 ;

二、 ActivityThread 中的 H 处理 RECEIVER 消息

在 ActivityThread 中 , 创建并启动一个 Service , H ( Handler 子类 ) 接收到 RECEIVER 消息 , 在相应的处理该 RECEIVER 消息的 handleMessage 方法中 , 调用了 handleReceiver 方法 ;

public final class ActivityThread {private class H extends Handler {public static final int RECEIVER                = 113;public void handleMessage(Message msg) {switch (msg.what) {case RECEIVER:Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "broadcastReceiveComp");handleReceiver((ReceiverData)msg.obj);maybeSnapshot();Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);break;} // switch} // handleMessage} // private class H extends Handler}

参考路径 : frameworks/base/core/java/android/app/ActivityThread.java

三、 ActivityThread 中的 handleReceiver 方法

在 handleReceiver 中通过如下方法创建 BroadcastReceiver ,

     // ★ 声明 BroadcastReceiverBroadcastReceiver receiver;// ★ 创建 BroadcastReceiver 对象receiver = (BroadcastReceiver)cl.loadClass(component).newInstance();

然后调用了 BroadcastReceiver 广播接收者的 onReceive 方法 , 注意传入的参数就是 context.getReceiverRestrictedContext() , 这就是我们在之前的广播接收者组件中的 onReceive 方法中打印 Context context 参数类型是 ReceiverRestrictedContext 的原因 ;

         // ★ 调用 BroadcastReceiver 广播接收者的 onReceive 方法// 这里注意传入的参数就是 context.getReceiverRestrictedContext()receiver.onReceive(context.getReceiverRestrictedContext(),data.intent);

主要源码 :

public final class ActivityThread {private class H extends Handler {public static final int LAUNCH_ACTIVITY         = 100;public static final int CREATE_SERVICE          = 114;public static final int RECEIVER                = 113;public void handleMessage(Message msg) {if (DEBUG_MESSAGES) Slog.v(TAG, ">>> handling: " + codeToString(msg.what));switch (msg.what) {case LAUNCH_ACTIVITY: {Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "activityStart");final ActivityClientRecord r = (ActivityClientRecord) msg.obj;r.packageInfo = getPackageInfoNoCheck(r.activityInfo.applicationInfo, r.compatInfo);// ★ 调用 handleLaunchActivity 方法处理该消息handleLaunchActivity(r, null, "LAUNCH_ACTIVITY");Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);} break;case CREATE_SERVICE:Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, ("serviceCreate: " + String.valueOf(msg.obj)));handleCreateService((CreateServiceData)msg.obj);Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);break;case RECEIVER:Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "broadcastReceiveComp");handleReceiver((ReceiverData)msg.obj);maybeSnapshot();Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);break;} // switch} // handleMessage} // private class H extends Handlerprivate void handleLaunchActivity(ActivityClientRecord r, Intent customIntent, String reason) {// ★ 此处创建了一个 ActivityActivity a = performLaunchActivity(r, customIntent);}private Activity performLaunchActivity(ActivityClientRecord r, Intent customIntent) {// System.out.println("##### [" + System.currentTimeMillis() + "] ActivityThread.performLaunchActivity(" + r + ")");ActivityInfo aInfo = r.activityInfo;ContextImpl appContext = createBaseContextForActivity(r);// ★ 声明 ActivityActivity activity = null;try {java.lang.ClassLoader cl = appContext.getClassLoader();// ★ 创建 Activity , 与创建 Application 类似activity = mInstrumentation.newActivity(cl, component.getClassName(), r.intent);} catch (Exception e) {}try {// ★ 这里是传入 Activity attach 方法中的 Application , 赋值给 Activity 中的 mApplication 成员Application app = r.packageInfo.makeApplication(false, mInstrumentation);if (activity != null) {appContext.setOuterContext(activity);// ★ 此处调用了 Activity 的 attach 方法 , 给 Activity 中的 mApplication 成员赋值activity.attach(appContext, this, getInstrumentation(), r.token,r.ident, app, r.intent, r.activityInfo, title, r.parent,r.embeddedID, r.lastNonConfigurationInstances, config,r.referrer, r.voiceInteractor, window, r.configCallback);return activity;}// ★ 创建 Service 组件private void handleCreateService(CreateServiceData data) {LoadedApk packageInfo = getPackageInfoNoCheck(data.info.applicationInfo, data.compatInfo);Service service = null;try {java.lang.ClassLoader cl = packageInfo.getClassLoader();// ★ 创建 Serviceservice = (Service) cl.loadClass(data.info.name).newInstance();} catch (Exception e) {}try {ContextImpl context = ContextImpl.createAppContext(this, packageInfo);context.setOuterContext(service);Application app = packageInfo.makeApplication(false, mInstrumentation);// ★ 调用了 Service 的 attach 方法service.attach(context, this, data.info.name, data.token, app,ActivityManager.getService());service.onCreate();} catch (Exception e) {}}private void handleReceiver(ReceiverData data) {Application app;// ★ 声明 BroadcastReceiverBroadcastReceiver receiver;ContextImpl context;try {app = packageInfo.makeApplication(false, mInstrumentation);context = (ContextImpl) app.getBaseContext();// ★ 创建 BroadcastReceiver 对象receiver = (BroadcastReceiver)cl.loadClass(component).newInstance();} catch (Exception e) {}try {// ★ 调用 BroadcastReceiver 广播接收者的 onReceive 方法// 这里注意传入的参数就是 context.getReceiverRestrictedContext()receiver.onReceive(context.getReceiverRestrictedContext(),data.intent);} catch (Exception e) {} finally {}}}

参考路径 : frameworks/base/core/java/android/app/ActivityThread.java

四、 ContextImpl 的 getReceiverRestrictedContext 方法

查看 ContextImpl 源码 , 分析 getReceiverRestrictedContext() 方法获取的上下文对象 , 在该方法中返回对象创建方式如下 ,

mReceiverRestrictedContext = new ReceiverRestrictedContext(getOuterContext());

getOuterContext() 方法返回的是 Context mOuterContext 成员变量 , 这个成员变量就是在 【Android 安全】DEX 加密 ( Application 替换 | 创建用户自定义 Application | 替换 ContextImpl 对象的 mOuterContext 成员 ) 博客中 , 替换的 ContextImpl 中的 Application ;

由此可见 , 该获取的 Application 是替换成功的 , 已经将代理 Application 类 ProxyApplication 替换成了自定义 Application 类 MyApplication ;

ContextImpl 相关源码 :

class ContextImpl extends Context {private Context mOuterContext;final Context getReceiverRestrictedContext() {if (mReceiverRestrictedContext != null) {return mReceiverRestrictedContext;}return mReceiverRestrictedContext = new ReceiverRestrictedContext(getOuterContext());}final Context getOuterContext() {return mOuterContext;}}

参考源码路径 : frameworks/base/core/java/android/app/ContextImpl.java

五、 ReceiverRestrictedContext 封装类

ReceiverRestrictedContext 封装类 , 重写了 registerReceiver , registerReceiverAsUser , bindService 333 个函数 ;

广播接收者 中 不能注册广播接收者 , 不能绑定服务 ;

一旦发现在其中注册广播接收者 , 或者绑定服务 , 立刻 抛出异常 ;

ReceiverRestrictedContext 源码 :

class ReceiverRestrictedContext extends ContextWrapper {ReceiverRestrictedContext(Context base) {super(base);}@Overridepublic Intent registerReceiver(BroadcastReceiver receiver, IntentFilter filter) {return registerReceiver(receiver, filter, null, null);}@Overridepublic Intent registerReceiver(BroadcastReceiver receiver, IntentFilter filter,String broadcastPermission, Handler scheduler) {if (receiver == null) {// Allow retrieving current sticky broadcast; this is safe since we// aren't actually registering a receiver.return super.registerReceiver(null, filter, broadcastPermission, scheduler);} else {throw new ReceiverCallNotAllowedException("BroadcastReceiver components are not allowed to register to receive intents");}}@Overridepublic Intent registerReceiverAsUser(BroadcastReceiver receiver, UserHandle user,IntentFilter filter, String broadcastPermission, Handler scheduler) {if (receiver == null) {// Allow retrieving current sticky broadcast; this is safe since we// aren't actually registering a receiver.return super.registerReceiverAsUser(null, user, filter, broadcastPermission, scheduler);} else {throw new ReceiverCallNotAllowedException("BroadcastReceiver components are not allowed to register to receive intents");}}@Overridepublic boolean bindService(Intent service, ServiceConnection conn, int flags) {throw new ReceiverCallNotAllowedException("BroadcastReceiver components are not allowed to bind to services");}
}

参考源码路径 : frameworks/base/core/java/android/app/ContextImpl.java

六、 LoadedApk 中的 mApplication 成员

LoadedApk 中的 mApplication 成员已经替换成了自定义的 Application , 不再是代理的 Application , 因此从 Service 组件中获取的 Application 是已经替换后的用户自定义的 Application , 不是代理 Application ;

Application 已经执行完毕 , Application 替换操作是在 Application 的 onCreate 方法中执行的 , 此处的 Activity 执行肯定在 Application 创建完毕之后执行的 ;

主要源码 :

public final class LoadedApk {public Application makeApplication(boolean forceDefaultAppClass,Instrumentation instrumentation) {// ★ 如果之前创建过 Application , 就直接使用if (mApplication != null) {return mApplication;}}
}

参考路径 : frameworks/base/core/java/android/app/LoadedApk.java

七、 ActivityThread 涉及源码

public final class ActivityThread {private class H extends Handler {public static final int LAUNCH_ACTIVITY         = 100;public static final int CREATE_SERVICE          = 114;public static final int RECEIVER                = 113;public void handleMessage(Message msg) {if (DEBUG_MESSAGES) Slog.v(TAG, ">>> handling: " + codeToString(msg.what));switch (msg.what) {case LAUNCH_ACTIVITY: {Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "activityStart");final ActivityClientRecord r = (ActivityClientRecord) msg.obj;r.packageInfo = getPackageInfoNoCheck(r.activityInfo.applicationInfo, r.compatInfo);// ★ 调用 handleLaunchActivity 方法处理该消息handleLaunchActivity(r, null, "LAUNCH_ACTIVITY");Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);} break;case CREATE_SERVICE:Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, ("serviceCreate: " + String.valueOf(msg.obj)));handleCreateService((CreateServiceData)msg.obj);Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);break;case RECEIVER:Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "broadcastReceiveComp");handleReceiver((ReceiverData)msg.obj);maybeSnapshot();Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);break;} // switch} // handleMessage} // private class H extends Handlerprivate void handleLaunchActivity(ActivityClientRecord r, Intent customIntent, String reason) {// If we are getting ready to gc after going to the background, well// we are back active so skip it.unscheduleGcIdler();mSomeActivitiesChanged = true;if (r.profilerInfo != null) {mProfiler.setProfiler(r.profilerInfo);mProfiler.startProfiling();}// Make sure we are running with the most recent config.handleConfigurationChanged(null, null);if (localLOGV) Slog.v(TAG, "Handling launch of " + r);// Initialize before creating the activityWindowManagerGlobal.initialize();// ★ 此处创建了一个 ActivityActivity a = performLaunchActivity(r, customIntent);if (a != null) {r.createdConfig = new Configuration(mConfiguration);reportSizeConfigurations(r);Bundle oldState = r.state;handleResumeActivity(r.token, false, r.isForward,!r.activity.mFinished && !r.startsNotResumed, r.lastProcessedSeq, reason);if (!r.activity.mFinished && r.startsNotResumed) {// The activity manager actually wants this one to start out paused, because it// needs to be visible but isn't in the foreground. We accomplish this by going// through the normal startup (because activities expect to go through onResume()// the first time they run, before their window is displayed), and then pausing it.// However, in this case we do -not- need to do the full pause cycle (of freezing// and such) because the activity manager assumes it can just retain the current// state it has.performPauseActivityIfNeeded(r, reason);// We need to keep around the original state, in case we need to be created again.// But we only do this for pre-Honeycomb apps, which always save their state when// pausing, so we can not have them save their state when restarting from a paused// state. For HC and later, we want to (and can) let the state be saved as the// normal part of stopping the activity.if (r.isPreHoneycomb()) {r.state = oldState;}}} else {// If there was an error, for any reason, tell the activity manager to stop us.try {ActivityManager.getService().finishActivity(r.token, Activity.RESULT_CANCELED, null,Activity.DONT_FINISH_TASK_WITH_ACTIVITY);} catch (RemoteException ex) {throw ex.rethrowFromSystemServer();}}}private Activity performLaunchActivity(ActivityClientRecord r, Intent customIntent) {// System.out.println("##### [" + System.currentTimeMillis() + "] ActivityThread.performLaunchActivity(" + r + ")");ActivityInfo aInfo = r.activityInfo;if (r.packageInfo == null) {r.packageInfo = getPackageInfo(aInfo.applicationInfo, r.compatInfo,Context.CONTEXT_INCLUDE_CODE);}ComponentName component = r.intent.getComponent();if (component == null) {component = r.intent.resolveActivity(mInitialApplication.getPackageManager());r.intent.setComponent(component);}if (r.activityInfo.targetActivity != null) {component = new ComponentName(r.activityInfo.packageName,r.activityInfo.targetActivity);}ContextImpl appContext = createBaseContextForActivity(r);// ★ 声明 ActivityActivity activity = null;try {java.lang.ClassLoader cl = appContext.getClassLoader();// ★ 创建 Activity , 与创建 Application 类似activity = mInstrumentation.newActivity(cl, component.getClassName(), r.intent);StrictMode.incrementExpectedActivityCount(activity.getClass());r.intent.setExtrasClassLoader(cl);r.intent.prepareToEnterProcess();if (r.state != null) {r.state.setClassLoader(cl);}} catch (Exception e) {if (!mInstrumentation.onException(activity, e)) {throw new RuntimeException("Unable to instantiate activity " + component+ ": " + e.toString(), e);}}try {// ★ 这里是传入 Activity attach 方法中的 Application , 赋值给 Activity 中的 mApplication 成员Application app = r.packageInfo.makeApplication(false, mInstrumentation);if (localLOGV) Slog.v(TAG, "Performing launch of " + r);if (localLOGV) Slog.v(TAG, r + ": app=" + app+ ", appName=" + app.getPackageName()+ ", pkg=" + r.packageInfo.getPackageName()+ ", comp=" + r.intent.getComponent().toShortString()+ ", dir=" + r.packageInfo.getAppDir());if (activity != null) {CharSequence title = r.activityInfo.loadLabel(appContext.getPackageManager());Configuration config = new Configuration(mCompatConfiguration);if (r.overrideConfig != null) {config.updateFrom(r.overrideConfig);}if (DEBUG_CONFIGURATION) Slog.v(TAG, "Launching activity "+ r.activityInfo.name + " with config " + config);Window window = null;if (r.mPendingRemoveWindow != null && r.mPreserveWindow) {window = r.mPendingRemoveWindow;r.mPendingRemoveWindow = null;r.mPendingRemoveWindowManager = null;}appContext.setOuterContext(activity);// ★ 此处调用了 Activity 的 attach 方法 , 给 Activity 中的 mApplication 成员赋值activity.attach(appContext, this, getInstrumentation(), r.token,r.ident, app, r.intent, r.activityInfo, title, r.parent,r.embeddedID, r.lastNonConfigurationInstances, config,r.referrer, r.voiceInteractor, window, r.configCallback);if (customIntent != null) {activity.mIntent = customIntent;}r.lastNonConfigurationInstances = null;checkAndBlockForNetworkAccess();activity.mStartedActivity = false;int theme = r.activityInfo.getThemeResource();if (theme != 0) {activity.setTheme(theme);}activity.mCalled = false;if (r.isPersistable()) {mInstrumentation.callActivityOnCreate(activity, r.state, r.persistentState);} else {mInstrumentation.callActivityOnCreate(activity, r.state);}if (!activity.mCalled) {throw new SuperNotCalledException("Activity " + r.intent.getComponent().toShortString() +" did not call through to super.onCreate()");}r.activity = activity;r.stopped = true;if (!r.activity.mFinished) {activity.performStart();r.stopped = false;}if (!r.activity.mFinished) {if (r.isPersistable()) {if (r.state != null || r.persistentState != null) {mInstrumentation.callActivityOnRestoreInstanceState(activity, r.state,r.persistentState);}} else if (r.state != null) {mInstrumentation.callActivityOnRestoreInstanceState(activity, r.state);}}if (!r.activity.mFinished) {activity.mCalled = false;if (r.isPersistable()) {mInstrumentation.callActivityOnPostCreate(activity, r.state,r.persistentState);} else {mInstrumentation.callActivityOnPostCreate(activity, r.state);}if (!activity.mCalled) {throw new SuperNotCalledException("Activity " + r.intent.getComponent().toShortString() +" did not call through to super.onPostCreate()");}}}r.paused = true;mActivities.put(r.token, r);} catch (SuperNotCalledException e) {throw e;} catch (Exception e) {if (!mInstrumentation.onException(activity, e)) {throw new RuntimeException("Unable to start activity " + component+ ": " + e.toString(), e);}}return activity;}// ★ 创建 Service 组件private void handleCreateService(CreateServiceData data) {// If we are getting ready to gc after going to the background, well// we are back active so skip it.unscheduleGcIdler();LoadedApk packageInfo = getPackageInfoNoCheck(data.info.applicationInfo, data.compatInfo);Service service = null;try {java.lang.ClassLoader cl = packageInfo.getClassLoader();// ★ 创建 Serviceservice = (Service) cl.loadClass(data.info.name).newInstance();} catch (Exception e) {if (!mInstrumentation.onException(service, e)) {throw new RuntimeException("Unable to instantiate service " + data.info.name+ ": " + e.toString(), e);}}try {if (localLOGV) Slog.v(TAG, "Creating service " + data.info.name);ContextImpl context = ContextImpl.createAppContext(this, packageInfo);context.setOuterContext(service);Application app = packageInfo.makeApplication(false, mInstrumentation);// ★ 调用了 Service 的 attach 方法service.attach(context, this, data.info.name, data.token, app,ActivityManager.getService());service.onCreate();mServices.put(data.token, service);try {ActivityManager.getService().serviceDoneExecuting(data.token, SERVICE_DONE_EXECUTING_ANON, 0, 0);} catch (RemoteException e) {throw e.rethrowFromSystemServer();}} catch (Exception e) {if (!mInstrumentation.onException(service, e)) {throw new RuntimeException("Unable to create service " + data.info.name+ ": " + e.toString(), e);}}}private void handleReceiver(ReceiverData data) {// If we are getting ready to gc after going to the background, well// we are back active so skip it.unscheduleGcIdler();String component = data.intent.getComponent().getClassName();LoadedApk packageInfo = getPackageInfoNoCheck(data.info.applicationInfo, data.compatInfo);IActivityManager mgr = ActivityManager.getService();Application app;// ★ 声明 BroadcastReceiverBroadcastReceiver receiver;ContextImpl context;try {app = packageInfo.makeApplication(false, mInstrumentation);context = (ContextImpl) app.getBaseContext();if (data.info.splitName != null) {context = (ContextImpl) context.createContextForSplit(data.info.splitName);}java.lang.ClassLoader cl = context.getClassLoader();data.intent.setExtrasClassLoader(cl);data.intent.prepareToEnterProcess();data.setExtrasClassLoader(cl);// ★ 创建 BroadcastReceiver 对象receiver = (BroadcastReceiver)cl.loadClass(component).newInstance();} catch (Exception e) {if (DEBUG_BROADCAST) Slog.i(TAG,"Finishing failed broadcast to " + data.intent.getComponent());data.sendFinished(mgr);throw new RuntimeException("Unable to instantiate receiver " + component+ ": " + e.toString(), e);}try {if (localLOGV) Slog.v(TAG, "Performing receive of " + data.intent+ ": app=" + app+ ", appName=" + app.getPackageName()+ ", pkg=" + packageInfo.getPackageName()+ ", comp=" + data.intent.getComponent().toShortString()+ ", dir=" + packageInfo.getAppDir());sCurrentBroadcastIntent.set(data.intent);receiver.setPendingResult(data);// ★ 调用 BroadcastReceiver 广播接收者的 onReceive 方法// 这里注意传入的参数就是 context.getReceiverRestrictedContext()receiver.onReceive(context.getReceiverRestrictedContext(),data.intent);} catch (Exception e) {if (DEBUG_BROADCAST) Slog.i(TAG,"Finishing failed broadcast to " + data.intent.getComponent());data.sendFinished(mgr);if (!mInstrumentation.onException(receiver, e)) {throw new RuntimeException("Unable to start receiver " + component+ ": " + e.toString(), e);}} finally {sCurrentBroadcastIntent.set(null);}if (receiver.getPendingResult() != null) {data.finish();}}}

参考路径 : frameworks/base/core/java/android/app/ActivityThread.java

八、 Instrumentation 涉及源码

Instrumentation 中创建 Activity 的 newActivity 方法 ;

public class Instrumentation {/*** Perform instantiation of an {@link Activity} object.  This method is intended for use with* unit tests, such as android.test.ActivityUnitTestCase.  The activity will be useable* locally but will be missing some of the linkages necessary for use within the system.* * @param clazz The Class of the desired Activity* @param context The base context for the activity to use* @param token The token for this activity to communicate with* @param application The application object (if any)* @param intent The intent that started this Activity* @param info ActivityInfo from the manifest* @param title The title, typically retrieved from the ActivityInfo record* @param parent The parent Activity (if any)* @param id The embedded Id (if any)* @param lastNonConfigurationInstance Arbitrary object that will be* available via {@link Activity#getLastNonConfigurationInstance()* Activity.getLastNonConfigurationInstance()}.* @return Returns the instantiated activity* @throws InstantiationException* @throws IllegalAccessException*/public Activity newActivity(Class<?> clazz, Context context, IBinder token, Application application, Intent intent, ActivityInfo info, CharSequence title, Activity parent, String id,Object lastNonConfigurationInstance) throws InstantiationException, IllegalAccessException {Activity activity = (Activity)clazz.newInstance();ActivityThread aThread = null;activity.attach(context, aThread, this, token, 0 /* ident */, application, intent,info, title, parent, id,(Activity.NonConfigurationInstances)lastNonConfigurationInstance,new Configuration(), null /* referrer */, null /* voiceInteractor */,null /* window */, null /* activityConfigCallback */);return activity;}}

参考路径 : frameworks/base/core/java/android/app/Instrumentation.java

九、 LoadedApk 涉及源码

LoadedApk 中相关源码 :

public final class LoadedApk {public Application makeApplication(boolean forceDefaultAppClass,Instrumentation instrumentation) {// ★ 如果之前创建过 Application , 就直接使用if (mApplication != null) {return mApplication;}Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "makeApplication");Application app = null;String appClass = mApplicationInfo.className;if (forceDefaultAppClass || (appClass == null)) {appClass = "android.app.Application";}try {java.lang.ClassLoader cl = getClassLoader();if (!mPackageName.equals("android")) {Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER,"initializeJavaContextClassLoader");initializeJavaContextClassLoader();Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);}ContextImpl appContext = ContextImpl.createAppContext(mActivityThread, this);app = mActivityThread.mInstrumentation.newApplication(cl, appClass, appContext);appContext.setOuterContext(app);} catch (Exception e) {if (!mActivityThread.mInstrumentation.onException(app, e)) {Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);throw new RuntimeException("Unable to instantiate application " + appClass+ ": " + e.toString(), e);}}mActivityThread.mAllApplications.add(app);mApplication = app;if (instrumentation != null) {try {instrumentation.callApplicationOnCreate(app);} catch (Exception e) {if (!instrumentation.onException(app, e)) {Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);throw new RuntimeException("Unable to create application " + app.getClass().getName()+ ": " + e.toString(), e);}}}// Rewrite the R 'constants' for all library apks.SparseArray<String> packageIdentifiers = getAssets().getAssignedPackageIdentifiers();final int N = packageIdentifiers.size();for (int i = 0; i < N; i++) {final int id = packageIdentifiers.keyAt(i);if (id == 0x01 || id == 0x7f) {continue;}rewriteRValues(getClassLoader(), packageIdentifiers.valueAt(i), id);}Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);return app;}}

参考路径 : frameworks/base/core/java/android/app/LoadedApk.java

【Android 安全】DEX 加密 ( Application 替换 | 分析 BroadcastReceiver 组件中调用 getApplication() 获取的 Application )相关推荐

  1. 【Android 安全】DEX 加密 ( Application 替换 | 分析 ContentProvider 组件中调用 getApplication() 获取的 Application 二 )

    文章目录 一. ActivityThread 中的 installProvider 方法 ( 创建 ContentProvider 内容提供者 ) 二. installProvider 方法的第三分支 ...

  2. 【Android 安全】DEX 加密 ( Application 替换 | 分析 ContentProvider 组件中调用 getApplication() 获取的 Application )

    文章目录 一. ContentProvider 创建过程分析 二. ActivityThread 中的 H 处理 BIND_APPLICATION 消息 三. ActivityThread 中的 ha ...

  3. 【Android 安全】DEX 加密 ( Application 替换 | 分析 Service 组件中调用 getApplication() 获取的 Application 是否替换成功 )

    文章目录 一. Service 中的 getApplication() 方法分析 二. ActivityThread 中的 H 处理 CREATE_SERVICE 消息 三. ActivityThre ...

  4. 【Android 安全】DEX 加密 ( Application 替换 | 分析 Activity 组件中获取的 Application | ActivityThread | LoadedApk )

    文章目录 一. Activity 中的 getApplication() 方法分析 二. ActivityThread 中的 H 处理 消息及 handleLaunchActivity 方法操作 三. ...

  5. Delphi XE2中调用DLL窗体传递Application句柄

    传统调用DLL窗体,为了达到DLL窗体与主程序融为一体的效果,通常会把主程序的Application传递到DLL工程中,类似如下方法: procedure SynAPP(App: THandle); ...

  6. Android中调用ANE获取设备ID

    相应工具或SDK http:// 1.Flex Builder 4.6 2.Android SDK 3.JDK 一.创建Android扩展 运行FLEX BUILDER 选择文件新建->其它-& ...

  7. 【Android 安全】DEX 加密 ( Application 替换 | 兼容 ContentProvider 操作 | 源码资源 )

    文章目录 一. 命中 ActivityThread 中 installProvider 方法的分支三 1. 原理分析 2. 代码实现 二. 在 ContextImpl 的 createPackageC ...

  8. 【Android 应用开发】 Application 使用分析

    博客地址 : http://blog.csdn.net/shulianghan/article/details/40737419 代码下载 : Android 应用 Application 经典用法; ...

  9. 【Android 插件化】Hook 插件化框架 ( Hook Activity 启动流程 | 主线程创建 Activity 实例之前使用插件 Activity 类替换占位的组件 )

    Android 插件化系列文章目录 [Android 插件化]插件化简介 ( 组件化与插件化 ) [Android 插件化]插件化原理 ( JVM 内存数据 | 类加载流程 ) [Android 插件 ...

最新文章

  1. Error:The SDK Build Tools revision (23.0.3) is too low for project ':app'. Minimum required is 25.0.
  2. 正确导入svn拉取的工程
  3. 创业公司Starry拟推1G网速的无线宽带服务
  4. Error 200 fault:SOAP-ENV:Client [no subcode]
  5. CV:人工智能之计算机视觉方向的简介(CV发展史+常用数据集+CV职位)、传统方法对比CNN类算法、计算机视觉十大应用(知识导图+经典案例)之详细攻略
  6. CentOS 下安装
  7. c++ 与 java_Java与C++比较
  8. 【二分】防具布置/秦腾与教学评估(ybtoj 二分-1-2/jzoj 1253/luogu 4403)
  9. 第五十期:工作强度超996,失业半年即出局,硅谷为何如此“嗜血”?
  10. 【2】Docker数据卷
  11. 基于Keras的卷积神经网络(CNN)可视化
  12. java-io流理解
  13. iOS-保存图片到(自定义)相册步骤
  14. 感想篇:11)只怀了1/4的才是不够的
  15. html+css模拟京东商城登陆首页
  16. 伺服电机功率计算选型与伺服电机惯量匹配
  17. html控制萤石云摄像头转动,怎么控制云台转动 ?
  18. 云计算机技术与应用学什么的,云计算技术与应用专业学什么 主要课程
  19. java计算机毕业设计企业固定资产管理系统源码+系统+数据库+lw文档+mybatis+运行部署
  20. CefSharp截取完整网页图片,网页截图

热门文章

  1. 移动Web开发图片自适应两种常见情况解决方案
  2. 设置winfrom窗体透明度,拖动,任务栏中显示窗体
  3. 后盾网lavarel视频项目---lavarel多表关联一对多操作实例
  4. IIS6.0打开ASP文件,出现500错误或404错误解决方法
  5. 从零开始学习Kafka
  6. Bootstrap4 网格系统
  7. [2018.3.30集训]path-对偶图-最小割
  8. Selenium 3 + BrowserMobProxy 2.1.4 模拟浏览器访问 (含趟坑)
  9. p,v原语解决和尚挑水问题
  10. 【BZOJ1123】 [POI2008]BLO (tarjan)