code-scan starred YAHFA
2022-3-13 00:21:10 Author: github.com(查看原文) 阅读量:10 收藏

YAHFA

Build Status Download Maven

Introduction

YAHFA is a hook framework for Android ART. It provides an efficient way for Java method hooking or replacement. Currently it supports:

  • Android 5.0(API 21)
  • Android 5.1(API 22)
  • Android 6.0(API 23)
  • Android 7.0(API 24)
  • Android 7.1(API 25)
  • Android 8.0(API 26)
  • Android 8.1(API 27)
  • Android 9(API 28)
  • Android 10(API 29)
  • Android 11(API 30)
  • Android 12(DP1)

(Support for version <= 6.0 is broken after commit 9824bdd.)

with ABI:

  • x86
  • x86_64
  • armeabi-v7a
  • arm64-v8a

YAHFA is utilized by VirtualHook so that applications can be hooked without root permission.

Please take a look at this article and this one for a detailed introduction.

更新说明

Setup

Add Maven central repo in build.gradle:

buildscript {
    repositories {
        mavenCentral()
    }
}

allprojects {
    repositories {
        mavenCentral()
    }
}

Then add YAHFA as a dependency:

dependencies {
    implementation 'io.github.pagalaxylab:yahfa:0.10.0'
}

YAHFA depends on dlfunc after commit 5b60df8 for calling MakeInitializedClassesVisiblyInitialized explicitly on Android R, and Android Gradle Plugin version 4.1+ is required for that native library dependency.

Usage

To hook a method:

HookMain.backupAndHook(Method target, Method hook, Method backup);

where backup would be a placeholder for invoking the target method. Set backup to null or just use HookMain.hook(Method target, Method hook) if the original code is not needed.

Both hook and backup are static methods, and their parameters should match the ones of target. Please take a look at demoPlugin on how these methods are defined.

Workaround for Method Inlining

Hooking would fail for methods that are compiled to be inlined. For example:

0x00004d5a: f24a7e81  movw    lr, #42881
0x00004d5e: f2c73e11  movt    lr, #29457
0x00004d62: f6495040  movw    r0, #40256
0x00004d66: f2c70033  movt    r0, #28723
0x00004d6a: 4641      mov     r1, r8
0x00004d6c: 1c32      mov     r2, r6
0x00004d6e: 47f0      blx     lr

Here the value of register lr is hardcoded instead of reading from entry point field of ArtMethod.

A simple workaround is to build the APP with debuggable option on, in which case the inlining optimization will not apply. However the option --debuggable of dex2oat is not available until API 23. So please take a look at machine instructions of the target when the hook doesn't work.

License

YAHFA is distributed under GNU GPL V3.


文章来源: https://github.com/PAGalaxyLab/YAHFA
如有侵权请联系:admin#unsafe.sh