当我们app被卸载,一些流氓软件还能够在后台做操作,对于root过的手机,甚至可以重新安装回来,今天介绍一种在没有root过的手机中监听自身app被卸载的方法。
核心思路:当app被卸载,相应的进程也被中断,无论是广播还是线程,都将不复存在。但我们可以开启一个进程,不断监听文件夹变化。当app被安装时,会在/data/data/目录下新建相应包名的文件夹,而java中有一个工具类:FileObserver,可以监听文件和文件夹的变化,我们利用在native层调用FileObserver的方法
首先查看FileObserver的源码发现,它内部就是一个线程
static {
s_observerThread = new ObserverThread();
s_observerThread.start();
}
private static class ObserverThread extends Thread {
private HashMap<Integer, WeakReference> m_observers = new HashMap<Integer, WeakReference>();
private int m_fd;
public ObserverThread() {
super("FileObserver");
m_fd = init();
}
public void run() {
observe(m_fd);
}
public int[] startWatching(List<File> files,
@NotifyEventType int mask, FileObserver observer) {
final int count = files.size();
final String[] paths = new String[count];
for (int i = 0; i < count; ++i) {
paths[i] = files.get(i).getAbsolutePath();
}
final int[] wfds = new int[count];
Arrays.fill(wfds, -1);
startWatching(m_fd, paths, mask, wfds);
final WeakReference<FileObserver> fileObserverWeakReference =
new WeakReference<>(observer);
synchronized (m_observers) {
for (int wfd : wfds) {
if (wfd >= 0) {
m_observers.put(wfd, fileObserverWeakReference);
}
}
}
return wfds;
}
public void stopWatching(int[] descriptors) {
stopWatching(m_fd, descriptors);
}
@UnsupportedAppUsage
public void onEvent(int wfd, @NotifyEventType int mask, String path) {
// look up our observer, fixing up the map if necessary...
FileObserver observer = null;
synchronized (m_observers) {
WeakReference weak = m_observers.get(wfd);
if (weak != null) { // can happen with lots of events from a dead wfd
observer = (FileObserver) weak.get();
if (observer == null) {
m_observers.remove(wfd);
}
}
}
// ...then call out to the observer without the sync lock held
if (observer != null) {
try {
observer.onEvent(mask, path);
} catch (Throwable throwable) {
Log.wtf(LOG_TAG, "Unhandled exception in FileObserver " + observer, throwable);
}
}
}
private native int init();
private native void observe(int fd);
private native void startWatching(int fd, String[] paths,
@NotifyEventType int mask, int[] wfds);
private native void stopWatching(int fd, int[] wfds);
}内部类ObserverThread 继承至 Thread,并在构造函数中调用native方法:init()获取文件句柄,在run方法中,调用observe方法,然后需要调用startWatching方法开启监听,而startWatching方法最终调用的还是native层代码。查看系统源码发现native方法是在\frameworks\base\core\jni目录下的android_util_FileObserver.cpp文件中实现的
/* //device/libs/android_runtime/android_util_FileObserver.cpp
**
** Copyright 2006, The Android Open Source Project
**
** Licensed under the Apache License, Version 2.0 (the "License");
** you may not use this file except in compliance with the License.
** You may obtain a copy of the License at
**
** http://www.apache.org/licenses/LICENSE-2.0
**
** Unless required by applicable law or agreed to in writing, software
** distributed under the License is distributed on an "AS IS" BASIS,
** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
** See the License for the specific language governing permissions and
** limitations under the License.
*/
#include "JNIHelp.h"
#include "jni.h"
#include "utils/Log.h"
#include "utils/misc.h"
#include "core_jni_helpers.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <errno.h>
#if defined(__linux__)
#include <sys/inotify.h>
#endif
namespace android {
static jmethodID method_onEvent;
static jint android_os_fileobserver_init(JNIEnv* env, jobject object)
{
#if defined(__linux__)
return (jint)inotify_init();
#else
return -1;
#endif
}
static void android_os_fileobserver_observe(JNIEnv* env, jobject object, jint fd)
{
#if defined(__linux__)
char event_buf[512];
struct inotify_event* event;
while (1)
{
int event_pos = 0;
int num_bytes = read(fd, event_buf, sizeof(event_buf));
if (num_bytes < (int)sizeof(*event))
{
if (errno == EINTR)
continue;
ALOGE("***** ERROR! android_os_fileobserver_observe() got a short event!");
return;
}
while (num_bytes >= (int)sizeof(*event))
{
int event_size;
event = (struct inotify_event *)(event_buf + event_pos);
jstring path = NULL;
if (event->len > 0)
{
path = env->NewStringUTF(event->name);
}
env->CallVoidMethod(object, method_onEvent, event->wd, event->mask, path);
if (env->ExceptionCheck()) {
env->ExceptionDescribe();
env->ExceptionClear();
}
if (path != NULL)
{
env->DeleteLocalRef(path);
}
event_size = sizeof(*event) + event->len;
num_bytes -= event_size;
event_pos += event_size;
}
}
#endif
}
static jint android_os_fileobserver_startWatching(JNIEnv* env, jobject object, jint fd, jstring pathString, jint mask)
{
int res = -1;
#if defined(__linux__)
if (fd >= 0)
{
const char* path = env->GetStringUTFChars(pathString, NULL);
res = inotify_add_watch(fd, path, mask);
env->ReleaseStringUTFChars(pathString, path);
}
#endif
return res;
}
static void android_os_fileobserver_stopWatching(JNIEnv* env, jobject object, jint fd, jint wfd)
{
#if defined(__linux__)
inotify_rm_watch((int)fd, (uint32_t)wfd);
#endif
}
static JNINativeMethod sMethods[] = {
/* name, signature, funcPtr */
{ "init", "()I", (void*)android_os_fileobserver_init },
{ "observe", "(I)V", (void*)android_os_fileobserver_observe },
{ "startWatching", "(ILjava/lang/String;I)I", (void*)android_os_fileobserver_startWatching },
{ "stopWatching", "(II)V", (void*)android_os_fileobserver_stopWatching }
};
int register_android_os_FileObserver(JNIEnv* env)
{
jclass clazz = FindClassOrDie(env, "android/os/FileObserver$ObserverThread");
method_onEvent = GetMethodIDOrDie(env, clazz, "onEvent", "(IILjava/lang/String;)V");
return RegisterMethodsOrDie(env, "android/os/FileObserver$ObserverThread", sMethods,
NELEM(sMethods));
}
} /* namespace android */其中android_os_fileobserver_init方法对应JAVA中init方法。android_os_fileobserver_observe方法对应JAVA中observe方法,而该方法最关键的就是调用了read(fd, event_buf, sizeof(event_buf));read是一个阻塞函数,直到文件发生变化,而observe方法最终会回调java中的onEvent回调函数。android_os_fileobserver_startWatching方法对应JAVA中的开启监听方法startWatching
基于底层c++代码,我们可以开启另一个进程,不断的监听data/data/{包名}的文件夹的变化,如果文件夹被删除,则说明用户卸载了app。linux下可以使用fork函数,fork函数用于产生一个新的进程,函数返回值pid_t是一个整数,在父进程中,返回值是子进程编号,在子进程中,返回值是0。
有了以上思路,开始编写native方法
package com.aruba.uninstallapplication;
/**
* Created by aruba on 2020/5/18.
*/
public class UninstallUtil {
//开启
public native void startUninstallWatch(String path, int sdk);
}#include <jni.h>
#include <string>
#include <android/log.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <errno.h>
#include <sys/inotify.h>
#include <unistd.h>
#define LOG_TAG "aruba"
#define LOGD(...) __android_log_print(ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__)
extern "C"
JNIEXPORT void JNICALL
Java_com_aruba_uninstallapplication_UninstallUtil_startUninstallWatch(JNIEnv *env, jobject instance,
jstring path_, jint sdk) {
const char *path = env->GetStringUTFChars(path_, 0);
pid_t pid = fork();
if (pid > 0) {//父进程
LOGD("父进程");
}else {//子进程
//文件句柄
int m_fd = inotify_init();
//IN_ACCESS,即文件被访问
//IN_MODIFY,文件被 write
//IN_ATTRIB,文件属性被修改,如 chmod、chown、touch 等
//IN_CLOSE_WRITE,可写文件被 close
//IN_CLOSE_NOWRITE,不可写文件被 close
//IN_OPEN,文件被 open
//IN_MOVED_FROM,文件被移走,如 mv
//IN_MOVED_TO,文件被移来,如 mv、cp
//IN_CREATE,创建新文件
//IN_DELETE,文件被删除,如 rm
//IN_DELETE_SELF,自删除,即一个可执行文件在执行时删除自己
//IN_MOVE_SELF,自移动,即一个可执行文件在执行时移动自己
//IN_UNMOUNT,宿主文件系统被 umount
//IN_CLOSE,文件被关闭,等同于(IN_CLOSE_WRITE | IN_CLOSE_NOWRITE)
//IN_MOVE,文件被移动,等同于(IN_MOVED_FROM | IN_MOVED_TO)
//注:上面所说的文件也包括目录。
//开始监听
int res = inotify_add_watch(m_fd, path, IN_DELETE_SELF);
//阻塞,是否被删除
char event_buf[512];
struct inotify_event* event;
int num_bytes = read(m_fd, event_buf, sizeof(event_buf));
//被删除了,移除监听
inotify_rm_watch(m_fd, (uint32_t) res);
//使用am命令跳转浏览器
if (sdk < 17) {
execlp("am", "am", "start", "-a", "android.intent.action.VIEW", "-d",
"http://www.baidu.com", NULL);
} else {//17以后,新增多用户的操作
execlp("am", "am", "start", "--user", "0", "-a", "android.intent.action.VIEW", "-d",
"http://www.baidu.com", NULL);
}
}
env->ReleaseStringUTFChars(path_, path);
}
卸载监听.gif