ZhangLang001/YAHFA

 
 

YAHFA

Introduction

YAHFA is a hook framework for Android ART. It provides an efficient way to hook or replace Java methods. It currently supports

  • Android 5.0 (API 21)
  • Android 5.1 (API 22)
  • Android 6.0 (API 23)
  • EXPERIMENTAL Android 7.0 (API 24)
  • EXPERIMENTAL Android 7.1 (API 25)

on either the x86 or armeabi platform.

YAHFA is utilized by VirtualHook so that applications can be hooked without root permission.

Please take a look at this article for a detailed introduction.

Build

Import and build the project in Android Studio (with Instant Run disabled). There are three modules:

  • library. This is the YAHFA library module, which compiles to an .aar for use.
  • demoApp. This is a demo app which loads and applies the plugin.
  • demoPlugin. This is a demo plugin which contains the hooks and is loaded by demoApp.

Please refer to demoApp and demoPlugin for more details on the demo.

Usage

First, please take a look at demoPlugin to see how to create a patch plugin.

To apply a patch, create a new DexClassLoader which loads the file:

DexClassLoader dexClassLoader = new DexClassLoader("/sdcard/demoPlugin-debug.apk",
            getCodeCacheDir().getAbsolutePath(), null, classLoader);

Then initialize HookMain and call doHookDefault():

HookMain hookMain = new HookMain();
hookMain.doHookDefault(dexClassLoader, classLoader);
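
The snippet above loads the plugin from /sdcard, which is shared external storage that any app holding the storage permission can modify, so the loader should pin what it executes. The following added example is not part of YAHFA or its demo; the class name VerifiedPluginLoader, the file name plugin.apk and the caller-supplied expectedSha256 (a digest pinned at build time) are assumptions. It copies the APK into app-private storage while hashing it and only builds the DexClassLoader if the SHA-256 digest matches:

```java
import android.content.Context;
import dalvik.system.DexClassLoader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;

// Hypothetical helper, not part of YAHFA.
public final class VerifiedPluginLoader {
    private VerifiedPluginLoader() {}

    // Copies the plugin into app-private storage while hashing it, so the
    // bytes that were verified are exactly the bytes that get loaded. Hashing
    // the file in place on /sdcard and loading it afterwards would leave a
    // window in which another app could swap the file.
    public static DexClassLoader load(Context ctx, File untrusted,
                                      byte[] expectedSha256, ClassLoader parent)
            throws IOException, GeneralSecurityException {
        File priv = new File(ctx.getCodeCacheDir(), "plugin.apk");
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new FileInputStream(untrusted);
             OutputStream out = new FileOutputStream(priv)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                md.update(buf, 0, n);   // hash the same bytes ...
                out.write(buf, 0, n);   // ... that go into the private copy
            }
        }
        // Refuse to load anything whose digest differs from the pinned value.
        if (!MessageDigest.isEqual(md.digest(), expectedSha256)) {
            priv.delete();
            throw new SecurityException("plugin digest mismatch: " + untrusted);
        }
        // Load only the private copy, never the path on external storage.
        return new DexClassLoader(priv.getAbsolutePath(),
                ctx.getCodeCacheDir().getAbsolutePath(), null, parent);
    }
}
```

The returned loader is passed to hookMain.doHookDefault() in place of the one built directly from the /sdcard path.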

You can also omit the default helper and call the following function instead:

public native void findAndBackupAndHook(Class targetClass, String methodName, String methodSig,
                                 Method hook, Method backup);

Workaround for Method Inlining

Hooks fail for methods that have been compiled inline. A simple workaround is to build the app with the debuggable option on, in which case the inlining optimization is not applied. However, the --debuggable option of dex2oat is not available until API 23. So when a hook doesn't work, use oatdump to inspect the machine instructions of the target.

Hooking JNI methods

Although YAHFA overwrites entry_point_from_jni_ for hooking, JNI methods can still be hooked in the same way. For example, suppose the target app contains the following JNI method:

package lab.galaxy.yahfa.demoApp;

public class ClassWithJNIMethod {
    static {
        System.loadLibrary("hello");
    }

    public native static String fromJNI();
}

Then the method fromJNI can be hooked with the following plugin code:

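import android.util.Log;

public class Hook_ClassWithJNIMethod_fromJNI {
    // Target class, method name and JNI-style signature of the method to hook
    public static String className = "lab.galaxy.yahfa.demoApp.ClassWithJNIMethod";
    public static String methodName = "fromJNI";
    public static String methodSig = "()Ljava/lang/String;";

    // Runs in place of fromJNI(); origin() calls through to the original
    public static String hook() {
        Log.w("YAHFA", "calling fromJNI");
        return origin() + " hooked with YAHFA";
    }

    // Placeholder for the backup of the original method; this body should
    // never run once the hook is applied
    public static String origin() {
        Log.w("YAHFA", "ClassWithJNIMethod.fromJNI() should not be here");
        return "";
    }
}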

Android N Support

Support for Android N (7.0 and 7.1) is experimental and not stable.

License

YAHFA is distributed under GNU GPL V3.

About

Yet Another Hook Framework for ART
