YAHFA
Introduction
YAHFA is a hook framework for Android ART. It provides an efficient way for Java method hooking or replacement. Currently it supports:
-
Android 5.0(API 21) -
Android 5.1(API 22) -
Android 6.0(API 23) - Android 7.0(API 24)
- Android 7.1(API 25)
- Android 8.0(API 26)
- Android 8.1(API 27)
- Android 9(API 28)
- Android 10(API 29)
- Android 11(API 30)
- Android 12(DP1)
(Support for version <= 6.0 is broken after commit 9824bdd.)
with ABI:
- x86
- x86_64
- armeabi-v7a
- arm64-v8a
YAHFA is utilized by VirtualHook so that applications can be hooked without root permission.
Please take a look at this article and this one for a detailed introduction.
Setup
Add Maven central repo in build.gradle:
buildscript {
repositories {
mavenCentral()
}
}
allprojects {
repositories {
mavenCentral()
}
}
Then add YAHFA as a dependency:
dependencies {
implementation 'io.github.pagalaxylab:yahfa:0.10.0'
}
YAHFA depends on dlfunc after commit 5b60df8 for calling MakeInitializedClassesVisiblyInitialized explicitly on Android R, and Android Gradle Plugin version 4.1+ is required for that native library dependency.
Usage
To hook a method:
HookMain.backupAndHook(Method target, Method hook, Method backup);
where backup would be a placeholder for invoking the target method. Set backup to null or just use HookMain.hook(Method target, Method hook) if the original code is not needed.
Both hook and backup are static methods, and their parameters should match the ones of target. Please take a look at demoPlugin on how these methods are defined.
Workaround for Method Inlining
Hooking would fail for methods that are compiled to be inlined. For example:
0x00004d5a: f24a7e81 movw lr, #42881
0x00004d5e: f2c73e11 movt lr, #29457
0x00004d62: f6495040 movw r0, #40256
0x00004d66: f2c70033 movt r0, #28723
0x00004d6a: 4641 mov r1, r8
0x00004d6c: 1c32 mov r2, r6
0x00004d6e: 47f0 blx lr
Here the value of register lr is hardcoded instead of reading from entry point field of ArtMethod.
A simple workaround is to build the APP with debuggable option on, in which case the inlining optimization will not apply. However the option --debuggable of dex2oat is not available until API 23. So please take a look at machine instructions of the target when the hook doesn't work.
License
YAHFA is distributed under GNU GPL V3.
-
YAHFA 目前简单找了一下 Android 上的 ART Hook Epic 和 YAHFA 较为流行,支持的版本也比较好 5.0 - 9.0,所以看了一下 YAHFA 源码并且跑了一下 demo。 Bug 使用中发现在 5.0 - 6.0 的 64 位机器上会挂掉,调试了一下发现 YAHFA 在试图获取 dexCacheResolvedMethods 列表时读到了非法地址。 因为 ArtMet
-
开源项目YAHFA-master在git上面 https://github.com/PAGalaxyLab/YAHFA ----------------- 开源项目介绍 ------------------- 1.demoApp 1.1:这个为被hook的demo项目,其中引入了yahfa的库library 1.2:在这个类里面唯一在MainApp(Applicat
-
android有很多hook框架,原理都是大同小异。本文是使用YAHFA。 YAHFA 的github地址:https://github.com/PAGalaxyLab/YAHFA 一 、准备工作 项目的build.gradle中添加mavenCentral() buildscript { repositories { mavenCentral() } } a
-
在Android Dalvik时代,最流行的Hook框架非Xposed莫属了。各种功能强大的Xposed插件极大地丰富了Android的可玩性,而对于安全研究人员来说,hook则是应用逆向工作中的一项非常有效的手段。 但是,进入到ART时代后,情况逐渐发生了变化。Xposed框架对系统进行了较大的改动,因此其安装适配难度显著提高;另一方面,随着近年来热修复技术的兴起,各大国内厂商也纷纷推出了自己的
-
一、 概述 经过实际项目大量测试验证,FastHook表现出了远超YAHFA的优异稳定性。用户反馈未出现Hook引发的稳定性问题、压力测试也未发生Hook引发的稳定问题。之所以FastHook拥有优异的稳定性,除了框架实现原理的优越性之外,还得益于FastHook出色的细节处理。 本文将通过FastHook实现原理优越性与一些出色的细节处理来解释为何FastHook拥有优异的稳定性,最后对比YAH
-
NewHooks 基于YAHFA和dexposed 结合的hook框架 支持安卓4.0-7.0 注:(app目录是demo,hookinject是apt代码,dexposed是框架) 2017-7-01 10:35 1:新增非静态方法hook回调MethodHookParam.thisOnject参数为当前hook类的实例对象,静态方法hook次参数将为NULL 2017-6-30 19:34