https://developer.android.google.cn/guide/app-bundle
https://github.com/didi/VirtualAPK
https://blog.csdn.net/u012124438/article/details/74118905
We can first start a stand-in (stub) Activity that has already been declared in AndroidManifest.xml, let that Activity go into the AMS process and pass its checks, and at the end swap in the Activity we actually want to start; this successfully deceives the AMS process.
https://blog.csdn.net/M075097/article/details/79225030
// -----2.3.3 Replace the system's native ClassLoader with DelegateClassLoader
AndroidHack.injectClassLoader(packageName, newClassLoaderer);
// -----2.3.4 Replace the system Instrumentation with InstrumentationHook. This class is the
// mediation layer between the system and the app; most calls pass through it before being
// dispatched further.
AndroidHack.injectInstrumentationHook(new InstrumentationHook(AndroidHack.getInstrumentation(), application.getBaseContext()));
// Wrap the IActivityManager binder proxy: locate the framework's Singleton holder
// (ActivityManager.IActivityManagerSingleton from API 26 / the O preview onwards,
// ActivityManagerNative.gDefault before that) and swap its mInstance for the delegate.
ActivityManagerDelegate activityManagerProxy = new ActivityManagerDelegate();
Object gDefault = null;
if (Build.VERSION.SDK_INT > 25 || (Build.VERSION.SDK_INT == 25 && Build.VERSION.PREVIEW_SDK_INT > 0)) {
    gDefault = AtlasHacks.ActivityManager_IActivityManagerSingleton.get(AtlasHacks.ActivityManager.getmClass());
} else {
    gDefault = AtlasHacks.ActivityManagerNative_gDefault.get(AtlasHacks.ActivityManagerNative.getmClass());
}
AtlasHacks.Singleton_mInstance.hijack(gDefault, activityManagerProxy);
Although the only hook point is the classLoader object in the host Application's LoadedApk, the source still contains a large number of reflective invoke calls, which conflicts with Google's policy of forbidding the use of non-public APIs.
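The three hook points named above (the LoadedApk classLoader, ActivityThread's Instrumentation, and the IActivityManager Singleton) are also the places an app can inspect at runtime to notice that a plugin framework or something less friendly has rewired it. The following is an added example of such a self-check; it is not code from VirtualAPK, Atlas or any of the linked posts. It assumes the AOSP internal names `android.app.ActivityThread#currentActivityThread`, `ActivityThread#mInstrumentation`, `ActivityManager#IActivityManagerSingleton` (API 26+), `ActivityManagerNative#gDefault` (earlier) and `android.util.Singleton#mInstance`; these are non-SDK interfaces, so, as the note above says about Google's policy, reflective access may be refused on newer releases, and the check reports that instead of treating it as clean. The API-level branch is simplified to `SDK_INT >= 26` rather than the preview-SDK test in the snippet above.

```java
import android.app.ActivityManager;
import android.app.Instrumentation;
import android.content.Context;
import android.os.Build;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.ArrayList;
import java.util.List;

/**
 * Runtime self-check for the three hook points discussed above. Added example,
 * not code from VirtualAPK or Atlas. Each check appends a finding string; an
 * empty list means nothing looked tampered. The reflected names are AOSP
 * internals (assumption: they match the running framework), and on API 28+
 * the non-SDK restrictions may refuse them, which is reported as "unavailable".
 */
public final class HookIntegrityCheck {

    private HookIntegrityCheck() {}

    public static List<String> run(Context ctx) {
        List<String> findings = new ArrayList<>();
        checkClassLoader(ctx, findings);
        checkInstrumentation(findings);
        checkActivityManagerSingleton(findings);
        return findings;
    }

    // 1. Context#getClassLoader is backed by LoadedApk's classLoader. A plain app gets a
    //    dalvik.system.PathClassLoader; a delegating loader injected in its place is reported.
    static void checkClassLoader(Context ctx, List<String> out) {
        ClassLoader cl = ctx.getClassLoader();
        String name = cl.getClass().getName();
        if (!"dalvik.system.PathClassLoader".equals(name)) {
            out.add("classloader: context loader is " + name + ", expected dalvik.system.PathClassLoader");
        }
        // The app's own classes should have been defined by that same loader.
        if (HookIntegrityCheck.class.getClassLoader() != cl) {
            out.add("classloader: app classes and context use different loaders");
        }
    }

    // 2. ActivityThread.mInstrumentation should be the framework class itself, not a
    //    subclass such as InstrumentationHook.
    static void checkInstrumentation(List<String> out) {
        try {
            Class<?> at = Class.forName("android.app.ActivityThread");
            Method current = at.getDeclaredMethod("currentActivityThread");
            Object thread = current.invoke(null);
            Field f = at.getDeclaredField("mInstrumentation");
            f.setAccessible(true);
            Object inst = f.get(thread);
            if (inst != null && inst.getClass() != Instrumentation.class) {
                out.add("instrumentation: replaced by " + inst.getClass().getName());
            }
        } catch (ReflectiveOperationException | RuntimeException e) {
            out.add("instrumentation: check unavailable (" + e.getClass().getSimpleName() + ")");
        }
    }

    // 3. Same holder as the snippet above: ActivityManager.IActivityManagerSingleton on
    //    API 26+, ActivityManagerNative.gDefault before. mInstance is read directly rather
    //    than via get(), so an uninitialised singleton is left alone (null means "unknown").
    //    The genuine value is a binder Stub.Proxy, never a java.lang.reflect.Proxy; finding
    //    one there means the binder proxy has been wrapped by an InvocationHandler.
    static void checkActivityManagerSingleton(List<String> out) {
        try {
            Field holder;
            if (Build.VERSION.SDK_INT >= 26) {
                holder = ActivityManager.class.getDeclaredField("IActivityManagerSingleton");
            } else {
                holder = Class.forName("android.app.ActivityManagerNative").getDeclaredField("gDefault");
            }
            holder.setAccessible(true);
            Object singleton = holder.get(null);
            Field mInstance = Class.forName("android.util.Singleton").getDeclaredField("mInstance");
            mInstance.setAccessible(true);
            Object am = mInstance.get(singleton);
            if (am != null && Proxy.isProxyClass(am.getClass())) {
                out.add("activity-manager: singleton holds a java.lang.reflect.Proxy, handler "
                        + Proxy.getInvocationHandler(am).getClass().getName());
            }
        } catch (ReflectiveOperationException | RuntimeException e) {
            out.add("activity-manager: check unavailable (" + e.getClass().getSimpleName() + ")");
        }
    }
}
```

Call `HookIntegrityCheck.run(getApplicationContext())` early in `Application#onCreate` and log or report the returned list. Because the plugin frameworks above install their hooks during application start-up, the check is only meaningful after that point; an "unavailable" entry should be treated as an inconclusive result on that release, not as evidence either way.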