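a.apk: the main app; b.apk: the app to be launched.
Main idea: place b.apk in the assets directory. Because there is a size limit (1M), rename it to b.mp3 (files such as mp3, jpg, png and mp4 are not checked and are not subject to the size limit), then rename it back when it is used.
1. Implementation: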

    import android.content.ActivityNotFoundException;
    import android.content.Context;
    import android.content.Intent;
    import android.net.Uri;
    import java.io.File;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.OutputStream;

    public void installApp(Context context) {
        try {
            // Extract from assets into this directory
            String path = context.getFilesDir().getAbsolutePath() + "/b.apk";
            File f = new File(path);
            if (!f.exists()) {
                f.createNewFile();
            }
            // Files in assets remain inside the APK file after the app is installed
            InputStream is = context.getAssets().open("b.mp3");
            inputStreamToFile(is, f);
            // Note the space after "777": without it the command is "chmod 777/data/..." and fails
            String cmd = "chmod 777 " + f.getAbsolutePath();
            Runtime.getRuntime().exec(cmd);
            cmd = "chmod 777 " + f.getParent();
            Runtime.getRuntime().exec(cmd);
            // Try to raise the permissions of the parent folder two levels up; when the browser
            // plugin was downloaded to phone storage, exactly two directory levels were used.
            // Every directory level above /data/data/packagename/files/ needs its permissions
            // raised before the apk can be installed and the install screen is shown.
            cmd = "chmod 777 " + new File(f.getParent()).getParent();
            Runtime.getRuntime().exec(cmd);
            Intent intent = new Intent();
            intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            intent.setAction(android.content.Intent.ACTION_VIEW);
            String type = "application/vnd.android.package-archive";
            /* Set the intent's file and MIME type */
            // With targetSdkVersion >= 24, passing a file:// URI to another app throws
            // FileUriExposedException; a FileProvider content:// URI is needed there instead.
            intent.setDataAndType(Uri.fromFile(f), type);
            context.startActivity(intent);
        } catch (ActivityNotFoundException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    public void inputStreamToFile(InputStream inputStream, File file) {
        // InputStream inputStream = null;
        OutputStream outputStream = null;
        try {
            // read this file into InputStream
            // inputStream = new FileInputStream("test.txt");
            // write the inputStream to a FileOutputStream
            outputStream = new FileOutputStream(file);
            int read = 0;
            byte[] bytes = new byte[1024];
            while ((read = inputStream.read(bytes)) != -1) {
                outputStream.write(bytes, 0, read);
            }
            System.out.println("Done!");
        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            if (inputStream != null) {
                try {
                    inputStream.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
            if (outputStream != null) {
                try {
                    // outputStream.flush();
                    outputStream.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        }
    }

2. To launch an app that is already installed, the implementation is as follows:

    import android.content.ComponentName;
    import android.content.Context;
    import android.content.Intent;
    import android.content.pm.PackageManager;
    import android.content.pm.ResolveInfo;
    import java.util.List;

    public boolean startApp(Context context, String packageName) {
        // String packageName = "XXX";
        // Query every launcher activity and pick the one belonging to packageName
        Intent intent = new Intent(Intent.ACTION_MAIN, null);
        intent.addCategory(Intent.CATEGORY_LAUNCHER);
        PackageManager pm = context.getPackageManager();
        List<ResolveInfo> listInfos = pm.queryIntentActivities(intent, 0);
        String className = null;
        for (ResolveInfo info : listInfos) {
            if (packageName.equals(info.activityInfo.packageName)) {
                className = info.activityInfo.name;
                break;
            }
        }
        if (className != null && className.length() > 0) {
            intent.setComponent(new ComponentName(packageName, className));
            intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK
                    | Intent.FLAG_ACTIVITY_RESET_TASK_IF_NEEDED);
            context.startActivity(intent);
            return true;
        }
        return false;
    }

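If you know the package name and also the class name of the activity that serves as the entry point, it is even simpler: you can skip the lookup step and start it directly.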
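
Seen from the review side, the renaming of b.apk to b.mp3 described above leaves a recognisable trace: an asset with a media extension whose bytes are a ZIP archive containing AndroidManifest.xml. The Python scanner below is an added example, not code from the original post; its function names and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Extensions the post names as exempt from the asset size limit.
MEDIA_EXTS = (".mp3", ".jpg", ".png", ".mp4")
ZIP_MAGIC = b"PK\x03\x04"

def looks_like_apk(data):
    """True if data parses as a ZIP archive that carries AndroidManifest.xml."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            return "AndroidManifest.xml" in inner.namelist()
    except zipfile.BadZipFile:
        # ZIP magic present but the archive is truncated or corrupt
        return False

def find_disguised_apks(apk_bytes):
    """Return assets/ entries with a media extension whose content is an APK."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            name = info.filename
            if not name.startswith("assets/"):
                continue
            if not name.lower().endswith(MEDIA_EXTS):
                continue
            if looks_like_apk(outer.read(info)):
                hits.append(name)
    return hits

def _zip(entries):
    """Build an in-memory ZIP from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def build_sample():
    """Constructed sample: an outer archive carrying an inner APK as assets/b.mp3."""
    inner = _zip({"AndroidManifest.xml": b"<constructed/>", "classes.dex": b"dex\n"})
    return _zip({
        "AndroidManifest.xml": b"<constructed/>",
        "assets/b.mp3": inner,                          # APK hidden behind a media extension
        "assets/real.mp3": b"ID3\x03\x00" + b"\x00" * 32,  # ordinary MP3-style header
        "assets/notes.txt": inner,                      # out of scope: not a media extension
    })

if __name__ == "__main__":
    print(find_disguised_apks(build_sample()))
```

To scan a real package, pass the file's bytes: `find_disguised_apks(open(path, "rb").read())`.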