當(dāng)前位置：首頁 > 编程资源 > 编程问答 >内容正文

编程问答

Xposed源码剖析——app_process作用详解

發(fā)布時(shí)間：2025/3/15 编程问答 16 豆豆

生活随笔收集整理的這篇文章主要介紹了 Xposed源码剖析——app_process作用详解小編覺得挺不錯(cuò)的,現(xiàn)在分享給大家,幫大家做個(gè)參考.

Xposed源碼剖析——app_process作用詳解

首先吐槽一下CSDN的改版吧，發(fā)表這篇文章之前其實(shí)我已經(jīng)將此篇文章寫過了兩三次了。就是發(fā)表不成功。而且CSDN將我的文章草稿也一帶>刪除掉了。弄得我現(xiàn)在只有使用sublime寫一次，保證它們刪不掉。

承接上文?http://blog.csdn.net/yzzst/article/details/47659987

上面我們分析Xposed項(xiàng)目的源碼，從XposedInstaller開始說明了Xposed安裝的原理與過程。我們知道，XposedInstaller主要的工作就是：

替換系統(tǒng)的app_process（當(dāng)然，這個(gè)操作需要Root權(quán)限）
將xposed的api文件，XposedBridge.jar文件放置到私有目錄中

至于?
為什么要替換app_process文件？?
系統(tǒng)中的app_process文件有什么作用？?
替換后的app_process為什么能夠幫助我們hook？

下面我們就開始看看，rovo89大神的xposed開源項(xiàng)目。從GitHub上面clone下來xposed項(xiàng)目，我們?cè)谀夸浿锌吹狡淠夸浗Y(jié)構(gòu)，如下所示：

從目錄中，我們能夠清楚的了解到，其中xposed項(xiàng)目現(xiàn)在已經(jīng)支持Dalvik虛擬機(jī)與art虛擬機(jī)的架構(gòu)了。

app_main.cpp 源碼閱讀與對(duì)比

ok這里，我們先從app_process的源碼開始閱讀，打開app_main.cpp文件，估計(jì)大家和我一下，一時(shí)間也看不出來xposed針對(duì)源碼修改了一些什么。

那么，我們就直接拿源碼與xposed中的app_main.cpp進(jìn)行對(duì)比。

源碼地址：/frameworks/base/cmds/app_process/app_main.cpp

發(fā)現(xiàn)了，rovo89針對(duì)了一下幾個(gè)地方進(jìn)行了修改。

atrace_set_tracing_enabled 進(jìn)行了替換修改?

onVmCreated 增加了Xposed的回調(diào)

main函數(shù)中，增加了 xposed 的 options 操作?
?
我們?cè)趚posed.cpp中，能夠看到其handleOptions的具體邏輯，其實(shí)就是處理一些xposed的特殊命令而已。?
如下所示：

<code class="hljs cpp has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;">/** Handle special command line options. */ bool handleOptions(int argc, char* const argv[]) {parseXposedProp();if (argc == 2 && strcmp(argv[1], "--xposedversion") == 0) {printf("Xposed version: %s\n", xposedVersion);return true;}if (argc == 2 && strcmp(argv[1], "--xposedtestsafemode") == 0) {printf("Testing Xposed safemode trigger\n");if (detectSafemodeTrigger(shouldSkipSafemodeDelay())) {printf("Safemode triggered\n");} else {printf("Safemode not triggered\n");}return true;}// From Lollipop coding, used to override the process nameargBlockStart = argv[0];uintptr_t start = reinterpret_cast<uintptr_t>(argv[0]);uintptr_t end = reinterpret_cast<uintptr_t>(argv[argc - 1]);end += strlen(argv[argc - 1]) + 1;argBlockLength = end - start;return false; }</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li><li style="box-sizing: border-box; padding: 0px 5px;">10</li><li style="box-sizing: border-box; padding: 0px 5px;">11</li><li style="box-sizing: border-box; padding: 0px 5px;">12</li><li style="box-sizing: border-box; padding: 0px 5px;">13</li><li style="box-sizing: border-box; padding: 0px 5px;">14</li><li style="box-sizing: border-box; padding: 0px 5px;">15</li><li style="box-sizing: border-box; padding: 0px 5px;">16</li><li style="box-sizing: border-box; padding: 0px 5px;">17</li><li style="box-sizing: border-box; padding: 0px 5px;">18</li><li style="box-sizing: border-box; padding: 0px 5px;">19</li><li style="box-sizing: border-box; padding: 0px 5px;">20</li><li style="box-sizing: border-box; padding: 0px 5px;">21</li><li style="box-sizing: border-box; padding: 0px 5px;">22</li><li style="box-sizing: border-box; padding: 0px 5px;">23</li><li style="box-sizing: border-box; padding: 0px 5px;">24</li><li style="box-sizing: border-box; padding: 0px 5px;">25</li><li style="box-sizing: border-box; padding: 0px 5px;">26</li><li style="box-sizing: border-box; padding: 0px 5px;">27</li><li style="box-sizing: border-box; padding: 0px 5px;">28</li><li style="box-sizing: border-box; padding: 0px 5px;">29</li></ul>

* main函數(shù)中，啟動(dòng)的時(shí)候增加了啟動(dòng)一些邏輯 *?

具體的，我們可以看到。runtime.start那一段。做出了一個(gè)啟動(dòng)。

<code class="language-java hljs has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;"> isXposedLoaded = xposed::initialize(zygote, startSystemServer, className, argc, argv);if (zygote) {// 當(dāng)xposed成功啟動(dòng)的時(shí)候，start XPOSED_CLASS_DOTS_ZYGOTE這個(gè)類runtime.start(isXposedLoaded ? XPOSED_CLASS_DOTS_ZYGOTE : "com.android.internal.os.ZygoteInit",startSystemServer ? "start-system-server" : "");} else if (className) {// Remainder of args get passed to startup class main()runtime.mClassName = className;runtime.mArgC = argc - i;runtime.mArgV = argv + i;// 當(dāng)xposed成功啟動(dòng)的時(shí)候，start XPOSED_CLASS_DOTS_ZYGOTE這個(gè)類runtime.start(isXposedLoaded ? XPOSED_CLASS_DOTS_TOOLS : "com.android.internal.os.RuntimeInit",application ? "application" : "tool");} else {fprintf(stderr, "Error: no class name or --zygote supplied.\n");app_usage();LOG_ALWAYS_FATAL("app_process: no class name or --zygote supplied.");return 10;}</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li><li style="box-sizing: border-box; padding: 0px 5px;">10</li><li style="box-sizing: border-box; padding: 0px 5px;">11</li><li style="box-sizing: border-box; padding: 0px 5px;">12</li><li style="box-sizing: border-box; padding: 0px 5px;">13</li><li style="box-sizing: border-box; padding: 0px 5px;">14</li><li style="box-sizing: border-box; padding: 0px 5px;">15</li><li style="box-sizing: border-box; padding: 0px 5px;">16</li><li style="box-sizing: border-box; padding: 0px 5px;">17</li><li style="box-sizing: border-box; padding: 0px 5px;">18</li><li style="box-sizing: border-box; padding: 0px 5px;">19</li></ul>

這里的我們看到，在main函數(shù)中啟動(dòng)了邏輯，

<code class="hljs sql has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;">runtime.start(isXposedLoaded ? XPOSED_CLASS_DOTS_ZYGOTE : "com.android.internal.os.ZygoteInit",startSystemServer ? "start-system-server" : "");</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li></ul>

其中，XPOSED_CLASS_DOTS_ZYGOTE 變量在，xposed.h頭文件中有定義，如下所示：

<code class="hljs cs has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;">#define XPOSED_CLASS_DOTS_ZYGOTE "de.robv.android.xposed.XposedBridge"</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li></ul>

發(fā)現(xiàn)，其實(shí)這個(gè)類就是我們之前向私有目錄防止的XposedBridge項(xiàng)目的包名。

而runtime.start這個(gè)包名有什么作用呢？我們?cè)贏ndroidRuntime中找到start方法的具體邏輯?
在源代碼中/frameworks/base/core/jni/AndroidRuntime.cpp中看到

<code class="hljs applescript has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;">/** Start the Android runtime. This involves starting the virtual machine* and calling the "static void main(String[] args)" method in the class* named by "className".** Passes the main function two arguments, the class name and the specified* options string.*/ void AndroidRuntime::start(const char* className, const char* options)</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li></ul>

系統(tǒng)源碼對(duì)start方法的定義，就是啟動(dòng)對(duì)應(yīng)類的 start void main入口函數(shù)。這里，就將三個(gè)項(xiàng)目的邏輯連接起來了。

XposedBridge.java

我們?cè)赬posedBridge.java代碼中，看到其main方法，如下所示：

<code class="language-java hljs has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;"> /*** Called when native methods and other things are initialized, but before preloading classes etc.*/protected static void main(String[] args) {// Initialize the Xposed framework and modulestry {SELinuxHelper.initOnce();SELinuxHelper.initForProcess(null);runtime = getRuntime();if (initNative()) {XPOSED_BRIDGE_VERSION = getXposedVersion();if (isZygote) {startsSystemServer = startsSystemServer();// 為啟動(dòng)一個(gè)新的 zygote做好 hook準(zhǔn)備initForZygote();}// 載入Xposed的一些modulesloadModules();} else {log("Errors during native Xposed initialization");}} catch (Throwable t) {log("Errors during Xposed initialization");log(t);disableHooks = true;}// 調(diào)用系統(tǒng)原來的啟動(dòng)方法if (isZygote)ZygoteInit.main(args);elseRuntimeInit.main(args);}</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li><li style="box-sizing: border-box; padding: 0px 5px;">10</li><li style="box-sizing: border-box; padding: 0px 5px;">11</li><li style="box-sizing: border-box; padding: 0px 5px;">12</li><li style="box-sizing: border-box; padding: 0px 5px;">13</li><li style="box-sizing: border-box; padding: 0px 5px;">14</li><li style="box-sizing: border-box; padding: 0px 5px;">15</li><li style="box-sizing: border-box; padding: 0px 5px;">16</li><li style="box-sizing: border-box; padding: 0px 5px;">17</li><li style="box-sizing: border-box; padding: 0px 5px;">18</li><li style="box-sizing: border-box; padding: 0px 5px;">19</li><li style="box-sizing: border-box; padding: 0px 5px;">20</li><li style="box-sizing: border-box; padding: 0px 5px;">21</li><li style="box-sizing: border-box; padding: 0px 5px;">22</li><li style="box-sizing: border-box; padding: 0px 5px;">23</li><li style="box-sizing: border-box; padding: 0px 5px;">24</li><li style="box-sizing: border-box; padding: 0px 5px;">25</li><li style="box-sizing: border-box; padding: 0px 5px;">26</li><li style="box-sizing: border-box; padding: 0px 5px;">27</li><li style="box-sizing: border-box; padding: 0px 5px;">28</li><li style="box-sizing: border-box; padding: 0px 5px;">29</li><li style="box-sizing: border-box; padding: 0px 5px;">30</li><li style="box-sizing: border-box; padding: 0px 5px;">31</li><li style="box-sizing: border-box; padding: 0px 5px;">32</li><li style="box-sizing: border-box; padding: 0px 5px;">33</li><li style="box-sizing: border-box; padding: 0px 5px;">34</li></ul>

ok，那么，整個(gè)app_process的復(fù)制hook邏輯，到這里我們已經(jīng)清楚了。邏輯如下圖所示。

那么，xposed具體怎么實(shí)現(xiàn)系統(tǒng)api邏輯的replace和inject我們下次在做分析。

原文地址： http://blog.csdn.net/yzzst/article/details/47829657

總結(jié)

以上是生活随笔為你收集整理的Xposed源码剖析——app_process作用详解的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。

上一篇： Xposed源码剖析——概述
下一篇： Xposed源码剖析——Xposed初始