YAHFA

Introduction

YAHFA is a hook framework for Android ART. It provides an efficient way to hook or replace Java methods. Currently it supports

  • Android 5.0(API 21)
  • Android 5.1(API 22)
  • Android 6.0(API 23)
  • EXPERIMENTAL Android 7.0(API 24)
  • EXPERIMENTAL Android 7.1(API 25)

on either x86 or armeabi platform.

YAHFA is utilized by VirtualHook so that applications can be hooked without root permission.

Please take a look at this article for a detailed introduction.

Build

Import and build the project in Android Studio (with Instant Run disabled). There are three modules:

  • library. This is the YAHFA library module, which compiles to .aar for use.
  • demoApp. This is a demo app which would load and apply the plugin.
  • demoPlugin. This is a demo plugin which contains the hooks and would be loaded by demoApp.

Please refer to demoApp and demoPlugin for more details on the demo.

Usage

First please take a look at demoPlugin on how to create a patch plugin.

To apply a patch, create a new DexClassLoader which loads the file:

DexClassLoader dexClassLoader = new DexClassLoader("/sdcard/demoPlugin-debug.apk",
            getCodeCacheDir().getAbsolutePath(), null, classLoader);

Then initialize HookMain and call doHookDefault():

HookMain hookMain = new HookMain();
hookMain.doHookDefault(dexClassLoader, classLoader);

You can also omit the default helper and call the following function instead:

public native void findAndBackupAndHook(Class targetClass, String methodName, String methodSig,
                                 Method hook, Method backup);

Workaround for Method Inlining

A hook fails for methods that the compiler has inlined. A simple workaround is to build the app with the debuggable option on, in which case the inlining optimization is not applied. However, the --debuggable option of dex2oat is not available until API 23, so when a hook doesn't work, inspect the machine instructions of the target with oatdump.

Hooking JNI methods

Although YAHFA overwrites entry_point_from_jni_ for hooking, JNI methods can still be hooked in the same way. For example, the target App contains the following JNI method:

package lab.galaxy.yahfa.demoApp;

public class ClassWithJNIMethod {
    static {
        System.loadLibrary("hello");
    }

    public native static String fromJNI();
}

Then the method fromJNI can be hooked with the following plugin code:

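import android.util.Log;

public class Hook_ClassWithJNIMethod_fromJNI {
    // Target class, method name and method signature of the method to hook
    public static String className = "lab.galaxy.yahfa.demoApp.ClassWithJNIMethod";
    public static String methodName = "fromJNI";
    public static String methodSig = "()Ljava/lang/String;";

    // Runs in place of fromJNI(); calls the original through origin()
    public static String hook() {
        Log.w("YAHFA", "calling fromJNI");
        return origin()+" hooked with YAHFA";
    }

    // Placeholder for the backup of the original method; this body should never run
    public static String origin() {
        Log.w("YAHFA", "ClassWithJNIMethod.fromJNI() should not be here");
        return "";
    }
}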
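
The methodSig value used above follows the JNI method descriptor format. As an added example (not part of YAHFA or its demo code), the plain-Java helper below derives that string from a java.lang.reflect.Method, covering primitives, arrays and nested classes; the MethodSig and Sample names are hypothetical.

```java
import java.lang.reflect.Method;

// Added example: builds the descriptor string expected in methodSig.
public class MethodSig {
    // Descriptor for one type: primitives map to a single letter, arrays get
    // one '[' per dimension, classes become L<binary name with slashes>;
    static String typeDescriptor(Class<?> c) {
        if (c.isArray()) return "[" + typeDescriptor(c.getComponentType());
        if (c == void.class) return "V";
        if (c == boolean.class) return "Z";
        if (c == byte.class) return "B";
        if (c == char.class) return "C";
        if (c == short.class) return "S";
        if (c == int.class) return "I";
        if (c == long.class) return "J";
        if (c == float.class) return "F";
        if (c == double.class) return "D";
        // Nested classes keep the '$' from getName(), as descriptors require.
        return "L" + c.getName().replace('.', '/') + ";";
    }

    // Full method descriptor: "(" + parameter descriptors + ")" + return type.
    static String methodSig(Method m) {
        StringBuilder sb = new StringBuilder("(");
        for (Class<?> p : m.getParameterTypes()) {
            sb.append(typeDescriptor(p));
        }
        return sb.append(')').append(typeDescriptor(m.getReturnType())).toString();
    }

    // Constructed sample class standing in for a hook target.
    static class Sample {
        static String fromJNI() { return ""; }
        static long sum(int[] values, String label, boolean strict) { return 0L; }
        static byte[][] split(byte[] data, char sep) { return null; }
        static void notify(Sample other) { }
    }

    public static void main(String[] args) {
        // Print the descriptor of every method declared on the sample class.
        for (Method m : Sample.class.getDeclaredMethods()) {
            System.out.println(m.getName() + " -> " + methodSig(m));
        }
    }
}
```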

Android N Support

Support for Android N (7.0 and 7.1) is experimental and not stable.

License

YAHFA is distributed under GNU GPL V3.