BinderHook
Hook机制之Binder Hook -- http://weishu.me/2016/02/16/understand-plugin-framework-binder-hook/
Hook 系统服务的机制，即 Binder Hook。
系统的各个远程 service 对象都是以 Binder 的形式存在的，而这些 Binder 有一个统一的管理者，那就是 ServiceManager。需要注意：Binder Hook 替换的只是当前进程内拿到的 Binder 代理对象，因此只影响本进程对系统服务的调用；服务端进程中的实现和权限校验不受影响。
// 应用层获取服务对象; // public static final String ACTIVITY_SERVICE = "activity"; (Context.java) ActivityManager am = (ActivityManager) context.getSystemService(Context.ACTIVITY_SERVICE);
// 从 SYSTEM_SERVICE_FETCHERS 里面获取服务对象; @Override public Object ContextImpl::getSystemService(String name) { return SystemServiceRegistry.getSystemService(this, name); }
/**
 * Looks up the fetcher registered under {@code name} in SYSTEM_SERVICE_FETCHERS and asks
 * it for the service bound to {@code ctx}.
 *
 * @return the fetcher's service object, or {@code null} when no fetcher is registered
 */
public static Object SystemServiceRegistry::getSystemService(ContextImpl ctx, String name) {
    final ServiceFetcher<?> registered = SYSTEM_SERVICE_FETCHERS.get(name);
    if (registered == null) {
        // Unknown service name: callers receive null rather than an exception.
        return null;
    }
    return registered.getService(ctx);
}
// SYSTEM_SERVICE_FETCHERS 对象的初始化追踪; // SystemServiceRegistry.java 中注册的 Service: static { registerService(Context.ACCESSIBILITY_SERVICE, AccessibilityManager.class, new CachedServiceFetcher<AccessibilityManager>() { @Override public AccessibilityManager createService(ContextImpl ctx) { return AccessibilityManager.getInstance(ctx); }});
// Further registerService(...) calls from the same static initializer. Each call passes a
// Context service-name constant, the manager class, and an anonymous fetcher whose
// createService(...) builds the manager object.
// NOTE(review): registerService and the fetcher base classes are not shown in this excerpt;
// per the page's note these registrations are what fill SYSTEM_SERVICE_FETCHERS. Confirm
// against SystemServiceRegistry.java.

// Built directly from the ContextImpl; no ServiceManager lookup is visible at this call site.
registerService(Context.CAPTIONING_SERVICE, CaptioningManager.class,
new CachedServiceFetcher<CaptioningManager>() {
@Override
public CaptioningManager createService(ContextImpl ctx) {
return new CaptioningManager(ctx);
}});
// Pattern repeated several times below: ServiceManager.getService(name) returns the raw
// IBinder, Stub.asInterface(b) turns it into the typed AIDL interface, and the manager is
// constructed around that interface.
// NOTE(review): this lookup is the client-side seam the page's Binder Hook topic concerns:
// whatever IBinder is returned here is what gets wrapped and handed to the manager. Because
// this all runs inside the calling process, validation done in the manager/proxy layer
// should not be treated as an enforcement point; authorization has to be checked by the
// service itself.
registerService(Context.ACCOUNT_SERVICE, AccountManager.class,
new CachedServiceFetcher<AccountManager>() {
@Override
public AccountManager createService(ContextImpl ctx) {
IBinder b = ServiceManager.getService(Context.ACCOUNT_SERVICE);
IAccountManager service = IAccountManager.Stub.asInterface(b);
return new AccountManager(ctx, service);
}});
// Constructed from the outer context and the main thread's Handler; no Binder lookup is
// visible at registration time.
registerService(Context.ACTIVITY_SERVICE, ActivityManager.class,
new CachedServiceFetcher<ActivityManager>() {
@Override
public ActivityManager createService(ContextImpl ctx) {
return new ActivityManager(ctx.getOuterContext(), ctx.mMainThread.getHandler());
}});
// Same ServiceManager.getService + Stub.asInterface pattern as ACCOUNT_SERVICE.
registerService(Context.ALARM_SERVICE, AlarmManager.class,
new CachedServiceFetcher<AlarmManager>() {
@Override
public AlarmManager createService(ContextImpl ctx) {
IBinder b = ServiceManager.getService(Context.ALARM_SERVICE);
IAlarmManager service = IAlarmManager.Stub.asInterface(b);
return new AlarmManager(service, ctx);
}});
// The next three managers are built from the ContextImpl alone.
registerService(Context.AUDIO_SERVICE, AudioManager.class,
new CachedServiceFetcher<AudioManager>() {
@Override
public AudioManager createService(ContextImpl ctx) {
return new AudioManager(ctx);
}});
registerService(Context.MEDIA_ROUTER_SERVICE, MediaRouter.class,
new CachedServiceFetcher<MediaRouter>() {
@Override
public MediaRouter createService(ContextImpl ctx) {
return new MediaRouter(ctx);
}});
registerService(Context.BLUETOOTH_SERVICE, BluetoothManager.class,
new CachedServiceFetcher<BluetoothManager>() {
@Override
public BluetoothManager createService(ContextImpl ctx) {
return new BluetoothManager(ctx);
}});
// StaticServiceFetcher variant: createService() takes no context argument here.
// The IBinder from ServiceManager is wrapped and passed straight to the constructor.
registerService(Context.HDMI_CONTROL_SERVICE, HdmiControlManager.class,
new StaticServiceFetcher<HdmiControlManager>() {
@Override
public HdmiControlManager createService() {
IBinder b = ServiceManager.getService(Context.HDMI_CONTROL_SERVICE);
return new HdmiControlManager(IHdmiControlService.Stub.asInterface(b));
}});
// Constructed from the outer context and the main thread's Handler.
registerService(Context.CLIPBOARD_SERVICE, ClipboardManager.class,
new CachedServiceFetcher<ClipboardManager>() {
@Override
public ClipboardManager createService(ContextImpl ctx) {
return new ClipboardManager(ctx.getOuterContext(),
ctx.mMainThread.getHandler());
}});
// The clipboard service moved to a new package. If someone asks for the old
// interface by class then we want to redirect over to the new interface instead
// (which extends it).
SYSTEM_SERVICE_NAMES.put(android.text.ClipboardManager.class, Context.CLIPBOARD_SERVICE);
// StaticOuterContextServiceFetcher variant: createService receives a Context rather than
// a ContextImpl. Same ServiceManager.getService + Stub.asInterface pattern.
registerService(Context.CONNECTIVITY_SERVICE, ConnectivityManager.class,
new StaticOuterContextServiceFetcher<ConnectivityManager>() {
@Override
public ConnectivityManager createService(Context context) {
IBinder b = ServiceManager.getService(Context.CONNECTIVITY_SERVICE);
IConnectivityManager service = IConnectivityManager.Stub.asInterface(b);
return new ConnectivityManager(context, service);
}});
// IBinder from ServiceManager, wrapped by ICountryDetector.Stub.asInterface.
registerService(Context.COUNTRY_DETECTOR, CountryDetector.class,
new StaticServiceFetcher<CountryDetector>() {
@Override
public CountryDetector createService() {
IBinder b = ServiceManager.getService(Context.COUNTRY_DETECTOR);
return new CountryDetector(ICountryDetector.Stub.asInterface(b));
}});
// Uses the static factory DevicePolicyManager.create(...) instead of a constructor.
registerService(Context.DEVICE_POLICY_SERVICE, DevicePolicyManager.class,
new CachedServiceFetcher<DevicePolicyManager>() {
@Override
public DevicePolicyManager createService(ContextImpl ctx) {
return DevicePolicyManager.create(ctx, ctx.mMainThread.getHandler());
}});
// Built from the context's ContentResolver and package name.
registerService(Context.DOWNLOAD_SERVICE, DownloadManager.class,
new CachedServiceFetcher<DownloadManager>() {
@Override
public DownloadManager createService(ContextImpl ctx) {
return new DownloadManager(ctx.getContentResolver(), ctx.getPackageName());
}});
// No-argument construction; nothing context- or Binder-related is visible here.
registerService(Context.BATTERY_SERVICE, BatteryManager.class,
new StaticServiceFetcher<BatteryManager>() {
@Override
public BatteryManager createService() {
return new BatteryManager();
}});
registerService(Context.NFC_SERVICE, NfcManager.class,
new CachedServiceFetcher<NfcManager>() {
@Override
public NfcManager createService(ContextImpl ctx) {
return new NfcManager(ctx);
}});
// The only registration in this excerpt that checks the asInterface(...) result:
// createService() returns null instead of a manager wrapping a null service.
registerService(Context.DROPBOX_SERVICE, DropBoxManager.class,
new StaticServiceFetcher<DropBoxManager>() {
@Override
public DropBoxManager createService() {
IBinder b = ServiceManager.getService(Context.DROPBOX_SERVICE);
IDropBoxManagerService service = IDropBoxManagerService.Stub.asInterface(b);
if (service == null) {
// Don't return a DropBoxManager that will NPE upon use.
// This also avoids caching a broken DropBoxManager in
// getDropBoxManager during early boot, before the
// DROPBOX_SERVICE is registered.
return null;
}
return new DropBoxManager(service);
}});
// Obtained through the manager's own static getInstance().
registerService(Context.INPUT_SERVICE, InputManager.class,
new StaticServiceFetcher<InputManager>() {
@Override
public InputManager createService() {
return InputManager.getInstance();
}});
// Built from the outer context.
registerService(Context.DISPLAY_SERVICE, DisplayManager.class,
new CachedServiceFetcher<DisplayManager>() {
@Override
public DisplayManager createService(ContextImpl ctx) {
return new DisplayManager(ctx.getOuterContext());
}});
// The next two are obtained through the manager's own static getInstance().
registerService(Context.INPUT_METHOD_SERVICE, InputMethodManager.class,
new StaticServiceFetcher<InputMethodManager>() {
@Override
public InputMethodManager createService() {
return InputMethodManager.getInstance();
}});
registerService(Context.TEXT_SERVICES_MANAGER_SERVICE, TextServicesManager.class,
new StaticServiceFetcher<TextServicesManager>() {
@Override
public TextServicesManager createService() {
return TextServicesManager.getInstance();
}});
// No-argument construction.
registerService(Context.KEYGUARD_SERVICE, KeyguardManager.class,
new StaticServiceFetcher<KeyguardManager>() {
@Override
public KeyguardManager createService() {
return new KeyguardManager();
}});
// Registered under LayoutInflater.class, but the object created is a PhoneLayoutInflater.
registerService(Context.LAYOUT_INFLATER_SERVICE, LayoutInflater.class,
new CachedServiceFetcher<LayoutInflater>() {
@Override
public LayoutInflater createService(ContextImpl ctx) {
return new PhoneLayoutInflater(ctx.getOuterContext());
}});
// IBinder from ServiceManager, wrapped by ILocationManager.Stub.asInterface and passed to
// the LocationManager constructor together with the ContextImpl.
registerService(Context.LOCATION_SERVICE, LocationManager.class,
new CachedServiceFetcher<LocationManager>() {
@Override
public LocationManager createService(ContextImpl ctx) {
IBinder b = ServiceManager.getService(Context.LOCATION_SERVICE);
return new LocationManager(ctx, ILocationManager.Stub.asInterface(b));
}});
registerService(Context.NETWORK_POLICY_SERVICE, NetworkPolicyManager.class,
new CachedServiceFetcher<NetworkPolicyManager>() {
@Override
public NetworkPoli
