Summary of some principles of Xposed

I have learned a lot recently and need to write it down.

1. Android system architecture

From bottom to top: Linux kernel layer -> system library layer (native libraries and the runtime) -> application framework layer -> application layer

2. Android startup process

According to the article "Analysis of Xposed combined with Zygote" (see the references below), the native entry point of Android's startup is app_main.cpp. So how does Xposed get started from there?
Zygote is started through AndroidRuntime::start(className, options), which does three main things:
1. startVm: create the virtual machine
2. startReg(env): register the framework's JNI functions
3. CallStaticVoidMethod(startClass, startMeth, strArray): startClass = ZygoteInit, startMeth = main; from this point on we are in the Java world
It is in this last step that both Xposed and Zygote get started.

3. So how does Xposed get started?

In Xposed's patched app_main.cpp, the class name handed to runtime.start() is switched to XposedBridge whenever Xposed has been loaded successfully:

#define XPOSED_CLASS_DOTS_ZYGOTE "de.robv.android.xposed.XposedBridge"

runtime.start(isXposedLoaded ? XPOSED_CLASS_DOTS_ZYGOTE : "com.android.internal.os.ZygoteInit",
                startSystemServer ? "start-system-server" : "");

OK, so it looks like XposedBridge is started instead of ZygoteInit, and XposedBridge then starts Zygote itself. This is the tail of XposedBridge.main(), reached after the framework and the modules have been initialised:

if (startClassName == null) {
    // zygote mode: hand over to the normal Zygote entry point
    ZygoteInit.main(args);
} else {
    // app_process was given a class name: normal (non-zygote) runtime init
    RuntimeInit.main(args);
}
                     

4. What does Zygote do?

Every app process is forked ("hatched") from Zygote.

fork(): forks a new process that stays in Zygote mode;

forkAndSpecialize(): forks a process that leaves Zygote mode, i.e. an ordinary app process; every app process has to be created from Zygote this way;

forkSystemServer(): forks the system service process, i.e. SystemServer.

5. Look at the figure first

[Figure: xposed]

The figure shows that xposed base is the part bound into the app process, xposed core holds the methods with which our hooks are bound, and xposed lib holds the callbacks that run once a hook fires.

xposed base is implemented in XposedBridge.

6. How does Xposed work?

1. Xposed marks the Java method we want to hook as native by setting ACC_NATIVE in its access flags, and points the method's native entry at a trampoline in Xposed's own native code.
2. When the hooked method is called, the VM therefore dispatches into native code; the trampoline calls back into Java (XposedBridge.handleHookedMethod), which runs our before/after callbacks around the original method.
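As an added illustration (model code written for this note, not XposedBridge's own source), the Java below shows what happens on the far side of the native trampoline: before-callbacks run, then the original, then after-callbacks in reverse order, with the short-circuit that setResult() in a before-callback triggers. MethodHookParam and MethodHook mirror the shape of Xposed's API but are defined here; Target is a constructed stand-in for any app method, and the original is invoked by plain reflection rather than through the backup copy the real framework keeps.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Model of the Xposed hook dispatch path (example for this note, not Xposed's code).
// In the real framework the hooked method is flagged ACC_NATIVE and its native entry
// points at a trampoline that calls back into XposedBridge.handleHookedMethod; here
// the trampoline is simply handleHookedMethod() below.
public class HookDispatchModel {

    /** What a callback may inspect or override about one invocation. */
    public static final class MethodHookParam {
        public final Method method;
        public final Object thisObject;
        public final Object[] args;
        private Object result;
        private Throwable throwable;
        private boolean returnEarly;   // set once a before-callback decides the outcome

        MethodHookParam(Method method, Object thisObject, Object[] args) {
            this.method = method; this.thisObject = thisObject; this.args = args;
        }
        public Object getResult() { return result; }
        public Throwable getThrowable() { return throwable; }
        public void setResult(Object r) { result = r; throwable = null; returnEarly = true; }
        public void setThrowable(Throwable t) { throwable = t; result = null; returnEarly = true; }
    }

    /** Same shape as Xposed's XC_MethodHook: override either side. */
    public abstract static class MethodHook {
        protected void beforeHookedMethod(MethodHookParam p) throws Throwable {}
        protected void afterHookedMethod(MethodHookParam p) throws Throwable {}
    }

    private static final Map<Method, List<MethodHook>> HOOKS = new HashMap<>();

    /** Stand-in for XposedBridge.hookMethod(); the real one also flips ACC_NATIVE. */
    public static void hookMethod(Method m, MethodHook hook) {
        HOOKS.computeIfAbsent(m, k -> new ArrayList<>()).add(hook);
    }

    /** What the native trampoline hands control to: the before/original/after chain. */
    public static Object handleHookedMethod(Method m, Object thisObject, Object... args) throws Throwable {
        List<MethodHook> chain = HOOKS.getOrDefault(m, new ArrayList<>());
        MethodHookParam p = new MethodHookParam(m, thisObject, args);

        // 1. before-callbacks in registration order (real Xposed sorts by priority);
        //    the first one that calls setResult()/setThrowable() ends this phase.
        int ran = 0;
        for (MethodHook h : chain) {
            h.beforeHookedMethod(p);
            ran++;
            if (p.returnEarly) break;
        }

        // 2. the original method, unless a before-callback short-circuited it
        if (!p.returnEarly) {
            try {
                p.result = m.invoke(thisObject, args);
            } catch (InvocationTargetException e) {
                p.throwable = e.getCause();
            }
        }

        // 3. after-callbacks in reverse order, only for hooks whose before-part ran
        for (int i = ran - 1; i >= 0; i--) {
            chain.get(i).afterHookedMethod(p);
        }

        if (p.throwable != null) throw p.throwable;
        return p.result;
    }

    /** Constructed target for the demo; in an app this is any Java method. */
    public static final class Target {
        public static int add(int a, int b) { return a + b; }
    }

    public static void main(String[] argv) throws Throwable {
        Method add = Target.class.getMethod("add", int.class, int.class);

        hookMethod(add, new MethodHook() {
            @Override protected void beforeHookedMethod(MethodHookParam p) {
                p.args[1] = (Integer) p.args[1] + 100;      // tamper with an argument
            }
            @Override protected void afterHookedMethod(MethodHookParam p) {
                p.setResult((Integer) p.getResult() * 2);  // tamper with the return value
            }
        });
        // The app believes it called Target.add(1, 2); it gets (1 + 102) * 2 = 206.
        System.out.println("hooked add(1, 2) = " + handleHookedMethod(add, null, 1, 2));

        hookMethod(add, new MethodHook() {
            @Override protected void beforeHookedMethod(MethodHookParam p) {
                p.setResult(-1);   // short-circuit: the original body never runs
            }
        });
        // The second hook answers -1 before the original runs; the first hook's
        // after-callback still runs (reverse order) and doubles it, so the caller sees -2.
        System.out.println("short-circuited add(1, 2) = " + handleHookedMethod(add, null, 1, 2));
    }
}
```

The point of the second run is the ordering rule: a before-callback that sets a result stops the remaining before-callbacks and the original, but every hook whose before-part already ran still gets its after-callback, in reverse order, so it can see and override whatever the short-circuiting hook decided.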

With this in mind, some anti-Xposed countermeasures become easy to understand: for example, a method that is written in Java but reports the native modifier through reflection has been hooked, and XposedBridge frames show up on the call stack of a hooked call.
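The checks that follow from the mechanism, as an added example (written for this note, not taken from the article or from any particular anti-Xposed library): the native-flag check, the stack check and the class-loadability check. XposedChecks, verifyLicense and the stack returned by constructedHookedStack() are constructed for the example; the package and class names under de.robv.android.xposed are the real Xposed ones.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

// Three Xposed indicators that follow from the hooking mechanism (example code for
// this note, not from the article). verifyLicense() is a constructed stand-in for
// whatever method an app wants to protect.
public class XposedChecks {

    /** Pure-Java method: reflection must never report it as native. */
    public static boolean verifyLicense(String key) {
        return key != null && key.startsWith("LIC-");
    }

    /** Check 1: a hooked method carries ACC_NATIVE, visible via Modifier.isNative(). */
    public static boolean isUnexpectedlyNative(Class<?> c, String name, Class<?>... params) {
        try {
            Method m = c.getDeclaredMethod(name, params);
            return Modifier.isNative(m.getModifiers());
        } catch (NoSuchMethodException e) {
            return false;
        }
    }

    /** Check 2: the trampoline calls back into XposedBridge, so the stack of a hooked
     *  call contains de.robv.android.xposed.* frames beneath the original body. */
    public static boolean stackMentionsXposed(StackTraceElement[] stack) {
        for (StackTraceElement e : stack) {
            if (e.getClassName().startsWith("de.robv.android.xposed.")) return true;
        }
        return false;
    }

    /** Check 3: once Xposed is installed, XposedBridge.jar is on every app's classpath. */
    public static boolean xposedBridgeClassLoadable() {
        try {
            Class.forName("de.robv.android.xposed.XposedBridge");
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    /** Runs all three checks in this process. The stack check only means something
     *  when it is called from inside a method that could itself have been hooked. */
    public static List<String> findings() {
        List<String> out = new ArrayList<>();
        if (isUnexpectedlyNative(XposedChecks.class, "verifyLicense", String.class))
            out.add("verifyLicense carries ACC_NATIVE");
        if (stackMentionsXposed(new Throwable().getStackTrace()))
            out.add("de.robv.android.xposed.* frames on the call stack");
        if (xposedBridgeClassLoadable())
            out.add("de.robv.android.xposed.XposedBridge is loadable");
        return out;
    }

    /** Constructed stack shaped like a hooked call, to show what check 2 matches. */
    public static StackTraceElement[] constructedHookedStack() {
        return new StackTraceElement[] {
            new StackTraceElement("XposedChecks", "verifyLicense", "XposedChecks.java", 13),
            new StackTraceElement("de.robv.android.xposed.XposedBridge", "invokeOriginalMethodNative", null, -2),
            new StackTraceElement("de.robv.android.xposed.XposedBridge", "handleHookedMethod", "XposedBridge.java", 0),
            new StackTraceElement("com.example.app.MainActivity", "onCreate", "MainActivity.java", 40),
        };
    }

    public static void main(String[] args) {
        List<String> f = findings();
        System.out.println(f.isEmpty() ? "no Xposed indicators in this process" : String.join("\n", f));
        System.out.println("constructed hooked stack flagged: " + stackMentionsXposed(constructedHookedStack()));
    }
}
```

On a plain JVM or an un-Xposed device findings() is empty and only the constructed stack is flagged. Keep in mind that every one of these checks is itself an ordinary Java call (Method.getModifiers, Throwable.getStackTrace, Class.forName) and can be hooked in exactly the same way, so treat them as signals rather than proof.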

To sum up

Reference link 1
Reference link 2
Principle analysis of Xposed

1. app_main starts XposedBridge
2. XposedBridge starts Zygote
3. The core idea of the Xposed framework is to register ordinary Java-layer methods as native JNI methods, and in that roundabout way obtain a hook mechanism (the remark at the start of the article matters; remember it!).


Origin: blog.csdn.net/esabeny/article/details/112198906