运行加载过程
ActivityThread.JAVA
Application app = data.info.makeApplication(data.restrictedBackupMode, null);
->进入LoadedApk.java
String appClass = mApplicationInfo.className;
app.attachBaseContext() //可控函数
...
mActivityThread.mAllApplications.add(app);
mApplication = app;
<-退出
mInitialApplication = app;
mInstrumentation.callApplicationOnCreate(app);
-> app.onCreate() //可控函数
onCreate中实现
Object currentActivityThread = javaRef.invokeStaticMethod("android.app.ActivityThread", "currentActivityThread",
new Class[]{}, new Object[]{});
Object mBoundApplication = javaRef.getFieldValue("android.app.ActivityThread", "mBoundApplication", currentActivityThread);
Object loadedApk = javaRef.getFieldValue("android.app.ActivityThread$AppBindData", "info", mBoundApplication);
javaRef.setFieldValue("android.app.LoadedApk", "mApplication", loadedApk, null);
ApplicationInfo applicationInfo_loadapk = (ApplicationInfo) javaRef.getFieldValue("android.app.LoadedApk", "mApplicationInfo", loadedApk);
String desAppName = "com.cc.shell.MyApplication";
applicationInfo_loadapk.className = desAppName;
Application oldApplication = (Application) javaRef.getFieldValue("android.app.ActivityThread", "mInitialApplication", currentActivityThread);
ArrayList<Application> mAllApplications = (ArrayList<Application>) javaRef.getFieldValue("android.app.ActivityThread",
"mAllApplications", currentActivityThread);
mAllApplications.remove(oldApplication);
Application realApp = (Application) javaRef.invokeMethod("android.app.LoadedApk", "makeApplication", loadedApk
, new Class[]{boolean.class, Instrumentation.class}, new Object[]{false, null});
realApp.onCreate();
javaRef.setFieldValue("com.android.ActivityThread", "mInitialApplication", currentActivityThread, realApp);