Involvement of the Binder driver in Intents (a form of IPC)

Time: 2013-07-13 17:37:03

Tags: android android-intent android-emulator ipc android-binder

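I plan to do out-of-the-box analysis of Android applications. That is, I will run the application in the Android QEMU emulator and perform virtual machine introspection (VMI) to monitor the application's behavior. To that end, I have instrumented the QEMU emulator to monitor the application's Linux system calls and Binder IPC.

However, I am not sure whether I will be able to monitor inter-process communication that is carried out using Intents, since I am monitoring low-level operations. Do Intents talk to the Binder driver, or do Intents operate at the Java API level?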

2 answers:

Answer 0: (score: 1)

Pretty much everything uses the binder driver. startActivity eventually takes us here:

public ActivityResult execStartActivity(
    Context who, IBinder contextThread, IBinder token, Activity target,
    Intent intent, int requestCode) {
    IApplicationThread whoThread = (IApplicationThread) contextThread;
    if (mActivityMonitors != null) {
        synchronized (mSync) {
            final int N = mActivityMonitors.size();
            for (int i=0; i<N; i++) {
                final ActivityMonitor am = mActivityMonitors.get(i);
                if (am.match(who, null, intent)) {
                    am.mHits++;
                    if (am.isBlocking()) {
                        return requestCode >= 0 ? am.getResult() : null;
                    }
                    break;
                }
            }
        }
    }
    try {
        int result = ActivityManagerNative.getDefault()
            .startActivity(whoThread, intent,
                    intent.resolveTypeIfNeeded(who.getContentResolver()),
                    null, 0, token, target != null ? target.mEmbeddedID : null,
                    requestCode, false, false);
        checkStartActivityResult(result, intent);
    } catch (RemoteException e) {
    }
    return null;
}

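As you can see, the Java layer passes two binder parameters to the native code that actually starts the activity. The native code will use those parameters to do IPC using the binder driver.

Answer 1: (score: 0)

Yes, Intents have to go through binder, e.g. startActivity, startService, sendBroadcast.

For example, sendBroadcast in https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/app/ContextImpl.java calls broadcastIntent():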

@Override
public void sendBroadcast(Intent intent) {
    warnIfCallingFromSystemProcess();
    String resolvedType = intent.resolveTypeIfNeeded(getContentResolver());
    try {
        intent.prepareToLeaveProcess(this);
        ActivityManager.getService().broadcastIntent(
                mMainThread.getApplicationThread(), intent, resolvedType, null,
                Activity.RESULT_OK, null, null, null, AppOpsManager.OP_NONE, null, false, false,
                getUserId());
    } catch (RemoteException e) {
        throw e.rethrowFromSystemServer();
    }
}

In broadcastIntent() in ActivityManagerNative.java, it calls mRemote.transact() to go through binder.

public int broadcastIntent(IApplicationThread caller,
        Intent intent, String resolvedType,  IIntentReceiver resultTo,
        int resultCode, String resultData, Bundle map,
        String requiredPermission, boolean serialized,
        boolean sticky, int userId) throws RemoteException
{
    Parcel data = Parcel.obtain();
    Parcel reply = Parcel.obtain();
    data.writeInterfaceToken(IActivityManager.descriptor);
    data.writeStrongBinder(caller != null ? caller.asBinder() : null);
    intent.writeToParcel(data, 0);
    data.writeString(resolvedType);
    data.writeStrongBinder(resultTo != null ? resultTo.asBinder() : null);
    data.writeInt(resultCode);
    data.writeString(resultData);
    data.writeBundle(map);
    data.writeString(requiredPermission);
    data.writeInt(serialized ? 1 : 0);
    data.writeInt(sticky ? 1 : 0);
    data.writeInt(userId);
    mRemote.transact(BROADCAST_INTENT_TRANSACTION, data, reply, 0);
    reply.readException();
    int res = reply.readInt();
    reply.recycle();
    data.recycle();
    return res;
}
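
Added example (not part of the original answers and not AOSP code): a monitor that captures Binder transaction payloads, as the question describes, can recognise ActivityManager calls such as broadcastIntent by decoding the interface token that `data.writeInterfaceToken(IActivityManager.descriptor)` places at the start of the Parcel. The Parcel layout shown (the one matching the older code quoted above; newer Android releases add header fields), the function names, and the sample buffer are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian int32 read (Android guests on ARM/x86 are little-endian). */
static int32_t rd32(const uint8_t *p) {
    return (int32_t)(p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Extract the descriptor written by writeInterfaceToken().
 * ASSUMED layout: int32 StrictMode policy, then a String16 (int32 length in
 * UTF-16 units, UTF-16LE data, 16-bit NUL). The buffer is guest-controlled,
 * so every length is bounds-checked. Returns the length, or -1 if malformed. */
int parcel_interface_token(const uint8_t *buf, size_t len, char *out, size_t outsz) {
    if (len < 8) return -1;
    int32_t n = rd32(buf + 4);
    if (n < 0 || (size_t)n >= outsz) return -1;
    if (8 + ((size_t)n + 1) * 2 > len) return -1;   /* chars + terminator */
    for (int32_t i = 0; i < n; i++) {
        uint8_t lo = buf[8 + 2 * i], hi = buf[9 + 2 * i];
        if (hi != 0 || lo < 0x20 || lo > 0x7e) return -1;  /* ASCII only */
        out[i] = (char)lo;
    }
    out[n] = '\0';
    return n;
}

/* 1 if the payload targets IActivityManager, the interface behind
 * startActivity/broadcastIntent in the code quoted above; otherwise 0. */
int is_activity_manager_call(const uint8_t *buf, size_t len) {
    char name[128];
    return parcel_interface_token(buf, len, name, sizeof name) > 0 &&
           strcmp(name, "android.app.IActivityManager") == 0;
}

/* Constructed sample: the first bytes of a payload (desc under 60 chars). */
size_t make_sample(uint8_t *buf, const char *desc) {
    size_t n = strlen(desc);
    memset(buf, 0, 8 + (n + 1) * 2);
    buf[4] = (uint8_t)n;
    for (size_t i = 0; i < n; i++) buf[8 + 2 * i] = (uint8_t)desc[i];
    return 8 + (n + 1) * 2;
}

int main(void) {
    uint8_t buf[128];
    size_t len = make_sample(buf, "android.app.IActivityManager");
    printf("ActivityManager call: %d\n", is_activity_manager_call(buf, len));
    return 0;
}
```

The Intent itself follows later in the same Parcel (after the caller binder in the broadcastIntent code above), so identifying the interface and transaction code is the first step before decoding the Intent fields.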