Primary language: C++. License: Apache-2.0.

HookZz

A hook framework for arm / arm64 / iOS / Android

Tip: for any question, go to Discord.

Features

  • Static binary instrumentation for Mach-O [in progress]

  • replace a function with replace_call

  • wrap a function with pre_call and post_call

  • dynamic binary instrumentation with dbi_call

  • the ability to hook short functions (even a single instruction)

  • direct access to registers (e.g. reg_ctx->general.regs.x16)

  • it's cute: about 70 KB

Multiple Branch Type Support

Branch Type   Arch/Mode    Trampoline Assembly                                         Bytes   Range
-             ARM64        B xxx                                                       4       2^25
-             ARM64        LDR x17, 8 ; BR x17 ; .long 0x41414141 ; .long 0x41414141  16      2^64
-             ARM/ARM      B xxx                                                       4       2^25
-             ARM/ARM      LDR pc, [pc, #-4] ; .long 0x41414141                        8       2^32
-             ARM/Thumb1   B xxx                                                       2       2^6
-             ARM/Thumb2   B xxx                                                       4       2^25
-             ARM/Thumb2   LDR pc, [pc, #-[2|4]] ; .long 0x41414141                    8       2^32

(".long 0x41414141" marks the literal slot that is filled with the absolute target address; "#-[2|4]" means the offset is 2 or 4 depending on the alignment of the trampoline.)
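The table above fixes the two ARM64 forms (a 4-byte near B, or a 16-byte LDR x17 / BR x17 trampoline with a 64-bit literal) and the 8-byte ARM/ARM form. The following C program is an added example, not HookZz's own code: it encodes those exact trampoline bytes, applies the 2^25-instruction range check that decides whether a near branch is usable, and includes a scanner that recognises such a trampoline at a function entry and recovers its target (useful when checking whether a function has been patched). The opcode constants come from the ARM ISA; the helper names and the sample addresses are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Opcodes for the trampoline forms in the table (fixed encodings from the ARM ISA). */
#define A64_B_OPCODE     0x14000000u  /* B <imm26>                               */
#define A64_LDR_X17_LIT8 0x58000051u  /* LDR x17, #8   (64-bit literal 8 bytes on) */
#define A64_BR_X17       0xD61F0220u  /* BR x17                                  */
#define A32_LDR_PC_PCM4  0xE51FF004u  /* LDR pc, [pc, #-4]  (pc reads as .+8)     */

enum tramp_kind { TRAMP_NONE = 0, TRAMP_A64_B, TRAMP_A64_FAR, TRAMP_A32_FAR };

/* Byte helpers so the output is little-endian regardless of the host. */
static void put32le(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void put64le(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint32_t get32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t get64le(const uint8_t *p) { return (uint64_t)get32le(p) | (uint64_t)get32le(p + 4) << 32; }

/* ARM64 near branch ("B xxx": 4 bytes, range 2^25 instructions either way).
   Returns 1 and writes the encoding when `to` is reachable from `from`, else 0. */
int a64_encode_b(uint64_t from, uint64_t to, uint32_t *insn) {
    int64_t delta = (int64_t)(to - from);
    if (delta & 3) return 0;                       /* targets must be 4-byte aligned */
    int64_t words = delta >> 2;
    if (words < -(1LL << 25) || words > (1LL << 25) - 1) return 0;
    *insn = A64_B_OPCODE | ((uint32_t)words & 0x03FFFFFFu);
    return 1;
}

/* ARM64 far trampoline (16 bytes, range 2^64): LDR x17, #8 ; BR x17 ; .quad target.
   The two ".long 0x41414141" slots of the table are this one 8-byte literal. */
void a64_emit_far(uint64_t target, uint8_t out[16]) {
    put32le(out, A64_LDR_X17_LIT8);
    put32le(out + 4, A64_BR_X17);
    put64le(out + 8, target);
}

/* ARM/ARM far trampoline (8 bytes, range 2^32): LDR pc, [pc, #-4] ; .long target. */
void a32_emit_far(uint32_t target, uint8_t out[8]) {
    put32le(out, A32_LDR_PC_PCM4);
    put32le(out + 4, target);
}

/* Choose the smallest ARM64 form that reaches `to` from `from`: a near B when the
   displacement fits, otherwise the 16-byte far trampoline. Returns bytes written. */
size_t a64_emit_jump(uint64_t from, uint64_t to, uint8_t out[16]) {
    uint32_t b;
    if (a64_encode_b(from, to, &b)) { put32le(out, b); return 4; }
    a64_emit_far(to, out);
    return 16;
}

/* Integrity check: does the code at `code` (mapped at `code_addr`) begin with one of
   the trampolines above? If so, report its kind and recover the branch target. */
enum tramp_kind a64_scan_entry(const uint8_t *code, size_t len, uint64_t code_addr, uint64_t *target) {
    if (len >= 16 && get32le(code) == A64_LDR_X17_LIT8 && get32le(code + 4) == A64_BR_X17) {
        *target = get64le(code + 8);
        return TRAMP_A64_FAR;
    }
    if (len >= 4) {
        uint32_t insn = get32le(code);
        if ((insn & 0xFC000000u) == A64_B_OPCODE) {
            int64_t words = (int64_t)(insn & 0x03FFFFFFu);
            if (words & 0x02000000) words -= (1LL << 26);   /* sign-extend imm26 */
            *target = code_addr + (uint64_t)(words * 4);
            return TRAMP_A64_B;
        }
    }
    return TRAMP_NONE;
}

int main(void) {
    uint8_t buf[16];
    uint64_t tgt = 0;
    /* Constructed addresses: a hook site at 0x100001000 and a handler ~4 GB away. */
    size_t n = a64_emit_jump(0x100001000ULL, 0x200000000ULL, buf);
    enum tramp_kind k = a64_scan_entry(buf, n, 0x100001000ULL, &tgt);
    printf("emitted %zu bytes, kind=%d, target=0x%llx\n", n, (int)k, (unsigned long long)tgt);
    return 0;
}
```

With the constructed addresses the handler is about 4 GB from the hook site, so `a64_emit_jump` falls back to the 16-byte far form; move the handler within 128 MB and the same call emits a single B, which is the trade-off the table's Bytes and Range columns describe.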

Compile

git clone --depth 1 git@github.com:jmpews/HookZz.git

0x1. Build for iOS/ARM64

# 1: not recommended
export CFLAGS="-DIOS -arch arm64 -miphoneos-version-min=6.0 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk"
cmake .. \
-DPLATFORM=iOS \
-DARCH=arm64 \
-DSHARED=ON \
-DCMAKE_OSX_SYSROOT="" \
-DCMAKE_BUILD_TYPE=Release

# 2: recommended
cmake .. -G Xcode \
-DCMAKE_TOOLCHAIN_FILE=cmake/ios.toolchain.cmake \
-DIOS_PLATFORM=OS \
-DIOS_ARCH=arm64 \
-DENABLE_ARC=FALSE \
-DENABLE_BITCODE=OFF \
-DDEBUG=ON \
-DSHARED=ON \
-DPLATFORM=iOS \
-DARCH=armv8 \
-DCMAKE_VERBOSE_MAKEFILE=ON -DCMAKE_EXPORT_COMPILE_COMMANDS=ON -DCMAKE_BUILD_TYPE=Release

make -j4

If you want to generate an Xcode project, just replace the cmake invocation with cmake -G Xcode .

0x2. Build for Android/armeabi-v7a

export ANDROID_NDK=/Users/jmpews/Library/Android/sdk/ndk-bundle

cmake .. \
-DCMAKE_TOOLCHAIN_FILE=$ANDROID_NDK/build/cmake/android.toolchain.cmake \
-DANDROID_NDK=$ANDROID_NDK \
-DCMAKE_BUILD_TYPE=Release \
-DANDROID_ABI=armeabi-v7a \
-DSHARED=ON \
-DPLATFORM=Android \
-DARCH=armv7 \
-DCMAKE_VERBOSE_MAKEFILE=OFF \
-DCMAKE_BUILD_TYPE=Release 

make -j4

Usage

0x0. near jump

If you want to enable near jump, call zz_enable_near_jump(); before the hook function, and stop with zz_disable_near_jump(); afterwards.

0x1. replace hook function

#include <stdio.h>
#include "hookzz.h"   // HookZz public header (assumed header name)

// Filled by ZzReplace with a trampoline that reaches the original fread.
size_t (*origin_fread)(void *ptr, size_t size, size_t nitems, FILE *stream);

// Replacement: runs instead of fread, then forwards to the original.
size_t fake_fread(void *ptr, size_t size, size_t nitems, FILE *stream) {
    // Do What you Want.
    return origin_fread(ptr, size, nitems, stream);
}

void hook_fread() {
    ZzReplace((void *)fread, (void *)fake_fread, (void **)&origin_fread);
}

0x2. wrap hook function

#include <fcntl.h>
#include "hookzz.h"   // HookZz public header (assumed header name)

// pre_call runs before open() executes (same signature as post_call, assumed).
void open_pre_call(RegisterContext *reg_ctx, ThreadStackPublic *tsp, CallStackPublic *csp, const HookEntryInfo *info) {
    // Do What you Want (e.g. read arguments from reg_ctx).
}

// post_call runs after open() returns.
void open_post_call(RegisterContext *reg_ctx, ThreadStackPublic *tsp, CallStackPublic *csp, const HookEntryInfo *info) {
    // Do What you Want.
}

void hook_open() {
    ZzWrap((void *)open, open_pre_call, open_post_call);
}

0x3. dynamic binary instrumentation

#include <stdio.h>
#include <stdint.h>
#include <mach-o/dyld.h>
#include "hookzz.h"   // HookZz public header (assumed header name)

void catchDecrypt(RegisterContext *reg_ctx, const HookEntryInfo *info) {
    printf("decrypt caught by HookZz\n");
}

__attribute__((constructor)) void initializeTemplate() {
    // Unslid address of the instruction to instrument (the author's example
    // value); add the ASLR slide of the main image to get its runtime address.
    intptr_t  slide        = _dyld_get_image_vmaddr_slide(0);
    uintptr_t targetVmAddr = 0x1001152BC;
    uintptr_t finalAddr    = targetVmAddr + slide;
    ZzDynamicBinaryInstrumentation((void *)finalAddr, catchDecrypt);
}

References

  1. frida-gum
  2. minhook
  3. substrate
  4. v8
  5. dart
  6. vixl