/Andr

Primary LanguageCGNU General Public License v3.0GPL-3.0

YAHFA

Introduction

YAHFA is a hook framework for Android ART. It provides an efficient way for Java method hooking or replacement. Currently it supports:

  • Android 5.0(API 21)
  • Android 5.1(API 22)
  • Android 6.0(API 23)
  • Android 7.0(API 24)
  • Android 7.1(API 25)
  • Android 8.0(API 26)

with ABI:

  • x86
  • armeabi-v7a
  • arm64-v8a

YAHFA is utilized by VirtualHook so that applications can be hooked without root permission.

Please take a look at this article and this one for a detailed introduction.

更新说明

Build

Import and build the project in Android Studio(with Instant Run disabled). There are three modules:

  • library. This is the YAHFA library module, which compiles to .aar for use.
  • demoApp. This is a demo app which would load and apply the plugin.
  • demoPlugin. This is a demo plugin which contains the hooks and would be loaded by demoApp.

Please refer to demoApp and demoPlugin for more details on the demo.

Usage

First please take a look at demoPlugin on how to create a hook plugin.

To apply hooks, first create a new DexClassLoader which loads the plugin file:

DexClassLoader dexClassLoader = new DexClassLoader("/sdcard/demoPlugin-debug.apk",
            getCodeCacheDir().getAbsolutePath(), null, classLoader);

Then initalize HookMain and call doHookDefault():

HookMain hookMain = new HookMain();
hookMain.doHookDefault(dexClassLoader, classLoader);

You can also omit the default helper and call the following function instead:

public void findAndBackupAndHook(Class targetClass, String methodName, String methodSig,
                                 Method hook, Method backup);

Workaround for Method Inlining

Hooking would fail for methods that are compiled to be inlined. For example:

0x00004d5a: f24a7e81  movw    lr, #42881
0x00004d5e: f2c73e11  movt    lr, #29457
0x00004d62: f6495040  movw    r0, #40256
0x00004d66: f2c70033  movt    r0, #28723
0x00004d6a: 4641      mov     r1, r8
0x00004d6c: 1c32      mov     r2, r6
0x00004d6e: 47f0      blx     lr

Here the value of register lr is hardcoded instead of reading from entry point field of ArtMethod.

A simple workaround is to build the APP with debuggable option on, in which case the inlining optimization will not apply. However the option --debuggable of dex2oat is not available until API 23. So please take a look at machine instructions of the target when the hook doesn't work.

License

YAHFA is distributed under GNU GPL V3.