1

我计划对 Android 应用程序进行开箱即用的分析。也就是说,我将在 Android QEMU 模拟器中运行应用程序并执行虚拟机自省 (VMI) 以监控应用程序的行为。为此,我使用 QEMU 模拟器来监控应用程序的 Linux 系统调用和 Binder IPC。

但是,我不确定在监视低级操作时是否能够监视使用意图执行的进程间通信。意图是否与活页夹驱动程序或意图在 Java API 级别运行。

4

2 回答 2

1

几乎所有东西都使用活页夹驱动程序。 startActivity最终将我们带到这里:

public ActivityResult execStartActivity(
    Context who, IBinder contextThread, IBinder token, Activity target,
    Intent intent, int requestCode) {
    IApplicationThread whoThread = (IApplicationThread) contextThread;
    if (mActivityMonitors != null) {
        synchronized (mSync) {
            final int N = mActivityMonitors.size();
            for (int i=0; i<N; i++) {
                final ActivityMonitor am = mActivityMonitors.get(i);
                if (am.match(who, null, intent)) {
                    am.mHits++;
                    if (am.isBlocking()) {
                        return requestCode >= 0 ? am.getResult() : null;
                    }
                    break;
                }
            }
        }
    }
    try {
        int result = ActivityManagerNative.getDefault()
            .startActivity(whoThread, intent,
                    intent.resolveTypeIfNeeded(who.getContentResolver()),
                    null, 0, token, target != null ? target.mEmbeddedID : null,
                    requestCode, false, false);
        checkStartActivityResult(result, intent);
    } catch (RemoteException e) {
    }
    return null;
}

如您所见,Java 层将两个绑定器参数传递给实际启动活动的本机代码。本机代码将使用这些参数使用 binder 驱动程序进行 IPC。

于 2013-07-19T03:04:26.303 回答
0

是的,Intent 必须经过 binder,例如 startActivity、startService、sendBroadcast。

比如sendBroadcast,在https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/app/ContextImpl.java中 调用了broadcastIntent()

@Override
public void sendBroadcast(Intent intent) {
    warnIfCallingFromSystemProcess();
    String resolvedType = intent.resolveTypeIfNeeded(getContentResolver());
    try {
        intent.prepareToLeaveProcess(this);
        ActivityManager.getService().broadcastIntent(
                mMainThread.getApplicationThread(), intent, resolvedType, null,
                Activity.RESULT_OK, null, null, null, AppOpsManager.OP_NONE, null, false, false,
                getUserId());
    } catch (RemoteException e) {
        throw e.rethrowFromSystemServer();
    }
}

在 ActivityManagerNative.Java 的 broadcastIntent() 中调用 mRemote.transact() 来打扰 binder。

public int broadcastIntent(IApplicationThread caller,
        Intent intent, String resolvedType,  IIntentReceiver resultTo,
        int resultCode, String resultData, Bundle map,
        String requiredPermission, boolean serialized,
        boolean sticky, int userId) throws RemoteException
{
    Parcel data = Parcel.obtain();
    Parcel reply = Parcel.obtain();
    data.writeInterfaceToken(IActivityManager.descriptor);
    data.writeStrongBinder(caller != null ? caller.asBinder() : null);
    intent.writeToParcel(data, 0);
    data.writeString(resolvedType);
    data.writeStrongBinder(resultTo != null ? resultTo.asBinder() : null);
    data.writeInt(resultCode);
    data.writeString(resultData);
    data.writeBundle(map);
    data.writeString(requiredPermission);
    data.writeInt(serialized ? 1 : 0);
    data.writeInt(sticky ? 1 : 0);
    data.writeInt(userId);
    mRemote.transact(BROADCAST_INTENT_TRANSACTION, data, reply, 0);
    reply.readException();
    int res = reply.readInt();
    reply.recycle();
    data.recycle();
    return res;
}
于 2019-05-08T05:17:01.407 回答