NDK--app卸載監(jiān)聽

當我們app被卸載,一些流氓軟件還能夠在后臺做操作,對于root過的手機,甚至可以重新安裝回來,今天介紹一種在沒有root過的手機中監(jiān)聽自身app被卸載的方法。

核心思路:當app被卸載,相應的進程也被中斷,無論是廣播還是線程,都將不復存在。但我們可以開啟一個進程,不斷監(jiān)聽文件夾變化。當app被安裝時,會在/data/data/目錄下新建相應包名的文件夾,而java中有一個工具類:FileObserver,可以監(jiān)聽文件和文件夾的變化,我們利用在native層調用FileObserver的方法
首先查看FileObserver的源碼發(fā)現(xiàn),它內部就是一個線程
    static {
        s_observerThread = new ObserverThread();
        s_observerThread.start();
    }


private static class ObserverThread extends Thread {
        private HashMap<Integer, WeakReference> m_observers = new HashMap<Integer, WeakReference>();
        private int m_fd;

        public ObserverThread() {
            super("FileObserver");
            m_fd = init();
        }

        public void run() {
            observe(m_fd);
        }

        public int[] startWatching(List<File> files,
                @NotifyEventType int mask, FileObserver observer) {
            final int count = files.size();
            final String[] paths = new String[count];
            for (int i = 0; i < count; ++i) {
                paths[i] = files.get(i).getAbsolutePath();
            }
            final int[] wfds = new int[count];
            Arrays.fill(wfds, -1);

            startWatching(m_fd, paths, mask, wfds);

            final WeakReference<FileObserver> fileObserverWeakReference =
                    new WeakReference<>(observer);
            synchronized (m_observers) {
                for (int wfd : wfds) {
                    if (wfd >= 0) {
                        m_observers.put(wfd, fileObserverWeakReference);
                    }
                }
            }

            return wfds;
        }

        public void stopWatching(int[] descriptors) {
            stopWatching(m_fd, descriptors);
        }

        @UnsupportedAppUsage
        public void onEvent(int wfd, @NotifyEventType int mask, String path) {
            // look up our observer, fixing up the map if necessary...
            FileObserver observer = null;

            synchronized (m_observers) {
                WeakReference weak = m_observers.get(wfd);
                if (weak != null) {  // can happen with lots of events from a dead wfd
                    observer = (FileObserver) weak.get();
                    if (observer == null) {
                        m_observers.remove(wfd);
                    }
                }
            }

            // ...then call out to the observer without the sync lock held
            if (observer != null) {
                try {
                    observer.onEvent(mask, path);
                } catch (Throwable throwable) {
                    Log.wtf(LOG_TAG, "Unhandled exception in FileObserver " + observer, throwable);
                }
            }
        }

        private native int init();
        private native void observe(int fd);
        private native void startWatching(int fd, String[] paths,
                @NotifyEventType int mask, int[] wfds);
        private native void stopWatching(int fd, int[] wfds);
    }
內部類ObserverThread 繼承至 Thread,并在構造函數(shù)中調用native方法:init()獲取文件句柄,在run方法中,調用observe方法,然后需要調用startWatching方法開啟監(jiān)聽,而startWatching方法最終調用的還是native層代碼。查看系統(tǒng)源碼發(fā)現(xiàn)native方法是在\frameworks\base\core\jni目錄下的android_util_FileObserver.cpp文件中實現(xiàn)的
/* //device/libs/android_runtime/android_util_FileObserver.cpp
**
** Copyright 2006, The Android Open Source Project
**
** Licensed under the Apache License, Version 2.0 (the "License"); 
** you may not use this file except in compliance with the License. 
** You may obtain a copy of the License at 
**
**     http://www.apache.org/licenses/LICENSE-2.0 
**
** Unless required by applicable law or agreed to in writing, software 
** distributed under the License is distributed on an "AS IS" BASIS, 
** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
** See the License for the specific language governing permissions and 
** limitations under the License.
*/

#include "JNIHelp.h"
#include "jni.h"
#include "utils/Log.h"
#include "utils/misc.h"
#include "core_jni_helpers.h"

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <errno.h>

#if defined(__linux__)
#include <sys/inotify.h>
#endif

namespace android {

static jmethodID method_onEvent;

static jint android_os_fileobserver_init(JNIEnv* env, jobject object)
{
#if defined(__linux__)
    return (jint)inotify_init();
#else
    return -1;
#endif
}

static void android_os_fileobserver_observe(JNIEnv* env, jobject object, jint fd)
{
#if defined(__linux__)

    char event_buf[512];
    struct inotify_event* event;

    while (1)
    {
        int event_pos = 0;
        int num_bytes = read(fd, event_buf, sizeof(event_buf));

        if (num_bytes < (int)sizeof(*event))
        {
            if (errno == EINTR)
                continue;

            ALOGE("***** ERROR! android_os_fileobserver_observe() got a short event!");
            return;
        }

        while (num_bytes >= (int)sizeof(*event))
        {
            int event_size;
            event = (struct inotify_event *)(event_buf + event_pos);

            jstring path = NULL;

            if (event->len > 0)
            {
                path = env->NewStringUTF(event->name);
            }

            env->CallVoidMethod(object, method_onEvent, event->wd, event->mask, path);
            if (env->ExceptionCheck()) {
                env->ExceptionDescribe();
                env->ExceptionClear();
            }
            if (path != NULL)
            {
                env->DeleteLocalRef(path);
            }

            event_size = sizeof(*event) + event->len;
            num_bytes -= event_size;
            event_pos += event_size;
        }
    }

#endif
}

static jint android_os_fileobserver_startWatching(JNIEnv* env, jobject object, jint fd, jstring pathString, jint mask)
{
    int res = -1;

#if defined(__linux__)

    if (fd >= 0)
    {
        const char* path = env->GetStringUTFChars(pathString, NULL);

        res = inotify_add_watch(fd, path, mask);

        env->ReleaseStringUTFChars(pathString, path);
    }

#endif

    return res;
}

static void android_os_fileobserver_stopWatching(JNIEnv* env, jobject object, jint fd, jint wfd)
{
#if defined(__linux__)

    inotify_rm_watch((int)fd, (uint32_t)wfd);

#endif
}

static JNINativeMethod sMethods[] = {
     /* name, signature, funcPtr */
    { "init", "()I", (void*)android_os_fileobserver_init },
    { "observe", "(I)V", (void*)android_os_fileobserver_observe },
    { "startWatching", "(ILjava/lang/String;I)I", (void*)android_os_fileobserver_startWatching },
    { "stopWatching", "(II)V", (void*)android_os_fileobserver_stopWatching }

};

int register_android_os_FileObserver(JNIEnv* env)
{
    jclass clazz = FindClassOrDie(env, "android/os/FileObserver$ObserverThread");

    method_onEvent = GetMethodIDOrDie(env, clazz, "onEvent", "(IILjava/lang/String;)V");

    return RegisterMethodsOrDie(env, "android/os/FileObserver$ObserverThread", sMethods,
                                NELEM(sMethods));
}

} /* namespace android */
其中android_os_fileobserver_init方法對應JAVA中init方法。android_os_fileobserver_observe方法對應JAVA中observe方法,而該方法最關鍵的就是調用了read(fd, event_buf, sizeof(event_buf));read是一個阻塞函數(shù),直到文件發(fā)生變化,而observe方法最終會回調java中的onEvent回調函數(shù)。android_os_fileobserver_startWatching方法對應JAVA中的開啟監(jiān)聽方法startWatching
基于底層c++代碼,我們可以開啟另一個進程,不斷的監(jiān)聽data/data/{包名}的文件夾的變化,如果文件夾被刪除,則說明用戶卸載了app。linux下可以使用fork函數(shù),fork函數(shù)用于產(chǎn)生一個新的進程,函數(shù)返回值pid_t是一個整數(shù),在父進程中,返回值是子進程編號,在子進程中,返回值是0。
有了以上思路,開始編寫native方法
package com.aruba.uninstallapplication;

/**
 * Created by aruba on 2020/5/18.
 */
public class UninstallUtil {
    //開啟
    public native void startUninstallWatch(String path, int sdk);
}


#include <jni.h>
#include <string>
#include <android/log.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <errno.h>
#include <sys/inotify.h>
#include <unistd.h>

#define LOG_TAG "aruba"
#define LOGD(...) __android_log_print(ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__)

extern "C"
JNIEXPORT void JNICALL
Java_com_aruba_uninstallapplication_UninstallUtil_startUninstallWatch(JNIEnv *env, jobject instance,
                                                                      jstring path_, jint sdk) {
    const char *path = env->GetStringUTFChars(path_, 0);

    pid_t pid = fork();
    if (pid > 0) {//父進程
        LOGD("父進程");
    }else {//子進程
        //文件句柄
        int m_fd = inotify_init();
        //IN_ACCESS,即文件被訪問
        //IN_MODIFY,文件被 write
        //IN_ATTRIB,文件屬性被修改,如 chmod、chown、touch 等
        //IN_CLOSE_WRITE,可寫文件被 close
        //IN_CLOSE_NOWRITE,不可寫文件被 close
        //IN_OPEN,文件被 open
        //IN_MOVED_FROM,文件被移走,如 mv
        //IN_MOVED_TO,文件被移來,如 mv、cp
        //IN_CREATE,創(chuàng)建新文件
        //IN_DELETE,文件被刪除,如 rm
        //IN_DELETE_SELF,自刪除,即一個可執(zhí)行文件在執(zhí)行時刪除自己
        //IN_MOVE_SELF,自移動,即一個可執(zhí)行文件在執(zhí)行時移動自己
        //IN_UNMOUNT,宿主文件系統(tǒng)被 umount
        //IN_CLOSE,文件被關閉,等同于(IN_CLOSE_WRITE | IN_CLOSE_NOWRITE)
        //IN_MOVE,文件被移動,等同于(IN_MOVED_FROM | IN_MOVED_TO)
        //注:上面所說的文件也包括目錄。
        //開始監(jiān)聽
        int res = inotify_add_watch(m_fd, path, IN_DELETE_SELF);

        //阻塞,是否被刪除
        char event_buf[512];
        struct inotify_event* event;
        int num_bytes = read(m_fd, event_buf, sizeof(event_buf));

        //被刪除了,移除監(jiān)聽
        inotify_rm_watch(m_fd, (uint32_t) res);

        //使用am命令跳轉瀏覽器
        if (sdk < 17) {
            execlp("am", "am", "start", "-a", "android.intent.action.VIEW", "-d",
                   "http://www.baidu.com", NULL);
        } else {//17以后,新增多用戶的操作
            execlp("am", "am", "start", "--user", "0", "-a", "android.intent.action.VIEW", "-d",
                   "http://www.baidu.com", NULL);
        }
    }

    env->ReleaseStringUTFChars(path_, path);
}
卸載監(jiān)聽.gif
經(jīng)測試,安卓7.0以后無法使用,可以fork進程,但am命令無法調用
項目地址:https://gitee.com/aruba/UninstallApplication.git
最后編輯于
?著作權歸作者所有,轉載或內容合作請聯(lián)系作者
【社區(qū)內容提示】社區(qū)部分內容疑似由AI輔助生成,瀏覽時請結合常識與多方信息審慎甄別。
平臺聲明:文章內容(如有圖片或視頻亦包括在內)由作者上傳并發(fā)布,文章內容僅代表作者本人觀點,簡書系信息發(fā)布平臺,僅提供信息存儲服務。

友情鏈接更多精彩內容