An inline hook library for Android apps.

Overview

android-inline-hook

README (Chinese version)

shadowhook is an inline hook library for Android apps.

shadowhook is a module of "the android-inline-hook project".

Features

  • Supports Android 4.1 - 12 (API level 16 - 31).
  • Supports armeabi-v7a and arm64-v8a.
  • Hooks whole functions only; hooking at an instruction in the middle of a function is not supported.
  • The hook target can be specified by "function address" or by "library name + function name".
  • Automatically hooks a "newly loaded dynamic library" (only for "library name + function name" targets) and calls an optional callback function after the hook is completed.
  • Multiple hooks and unhooks can be executed concurrently on the same hook point without interfering with each other (shared mode only).
  • Automatically avoids possible recursive and circular calls between proxy functions (shared mode only).
  • The proxy function supports unwinding the backtrace in the normal way.
  • Integrated symbol address lookup.
  • MIT licensed.

Documentation

shadowhook Manual

Quick Start

See the sample app in the app module, or the hook/unhook examples for commonly used system functions in the systest module.

1. Add dependency in build.gradle

shadowhook is published on Maven Central and uses the Prefab package format for native dependencies, which is supported by Android Gradle Plugin 4.0+.

allprojects {
    repositories {
        mavenCentral()
    }
}
android {
    buildFeatures {
        prefab true
    }
}

dependencies {
    implementation 'com.bytedance.android:shadowhook:1.0.2'
}

2. Add dependency in CMakeLists.txt or Android.mk

CMakeLists.txt

find_package(shadowhook REQUIRED CONFIG)

add_library(mylib SHARED mylib.c)
target_link_libraries(mylib shadowhook::shadowhook)

Android.mk

include $(CLEAR_VARS)
LOCAL_MODULE           := mylib
LOCAL_SRC_FILES        := mylib.c
LOCAL_SHARED_LIBRARIES += shadowhook
include $(BUILD_SHARED_LIBRARY)

$(call import-module,prefab/shadowhook)

3. Specify one or more ABI(s) you need

android {
    defaultConfig {
        ndk {
            abiFilters 'armeabi-v7a', 'arm64-v8a'
        }
    }
}

4. Add packaging options

If you are using shadowhook in an SDK project, you may need to avoid packaging libshadowhook.so into your AAR, so that the app project does not encounter a duplicate libshadowhook.so when it is packaged.

android {
    packagingOptions {
        exclude '**/libshadowhook.so'
    }
}

If instead you are using shadowhook in an app project, you may need to add an option to resolve conflicts caused by duplicate libshadowhook.so files.

android {
    packagingOptions {
        pickFirst '**/libshadowhook.so'
    }
}

5. Initialize

shadowhook supports two modes (shared mode and unique mode). The proxy function is written slightly differently in each mode. If in doubt, start with unique mode.

import com.bytedance.shadowhook.ShadowHook;

public class MySdk {
    public static void init() {
        // Pick the mode before any hook is installed: the C proxy is written
        // differently in SHARED and UNIQUE mode. The class is ShadowHook (capitalized).
        ShadowHook.init(new ShadowHook.ConfigBuilder()
            .setMode(ShadowHook.Mode.UNIQUE)
            .build());
    }
}

6. Hook and Unhook

#include "shadowhook.h"

void *shadowhook_hook_sym_addr(
    void *sym_addr,
    void *new_addr,
    void **orig_addr);

void *shadowhook_hook_sym_name(
    const char *lib_name,
    const char *sym_name,
    void *new_addr,
    void **orig_addr);

typedef void (*shadowhook_hooked_t)(
    int error_number,
    const char *lib_name,
    const char *sym_name,
    void *sym_addr,
    void *new_addr,
    void *orig_addr,
    void *arg);

void *shadowhook_hook_sym_name_callback(
    const char *lib_name,
    const char *sym_name,
    void *new_addr,
    void **orig_addr,
    shadowhook_hooked_t hooked,
    void *hooked_arg);

int shadowhook_unhook(void *stub);

  • shadowhook_hook_sym_addr: hook a function by its address.
  • shadowhook_hook_sym_name: hook a function by its symbol name in a dynamic library.
  • shadowhook_hook_sym_name_callback: like shadowhook_hook_sym_name, but the specified callback function is called after the hook is completed.
  • shadowhook_unhook: remove a hook using the stub returned when it was installed.

For example, let's try to hook art::ArtMethod::Invoke:

#include <stddef.h>
#include <stdint.h>
#include <android/log.h>
#include "shadowhook.h"

#define LOG(fmt, ...) __android_log_print(ANDROID_LOG_INFO, "mylib", fmt, ##__VA_ARGS__)

void *orig = NULL;   // address to call the original function through (set by shadowhook)
void *stub = NULL;   // handle for this hook, needed for unhooking

// art::ArtMethod::Invoke(Thread*, uint32_t* args, uint32_t args_size, JValue* result, const char* shorty),
// with the implicit `this` (ArtMethod*) as the first parameter.
typedef void (*type_t)(void *, void *, uint32_t *, uint32_t, void *, const char *);

void proxy(void *thiz, void *thread, uint32_t *args, uint32_t args_size, void *result, const char *shorty)
{
    // do something
    ((type_t)orig)(thiz, thread, args, args_size, result, shorty);
    // do something
}

void do_hook()
{
    stub = shadowhook_hook_sym_name(
               "libart.so",
               "_ZN3art9ArtMethod6InvokeEPNS_6ThreadEPjjPNS_6JValueEPKc",
               (void *)proxy,
               (void **)&orig);

    if(stub == NULL)
    {
        int err_num = shadowhook_get_errno();
        const char *err_msg = shadowhook_to_errmsg(err_num);
        LOG("hook error %d - %s", err_num, err_msg);
    }
}

void do_unhook()
{
    if(stub != NULL)
    {
        shadowhook_unhook(stub);
        stub = NULL;
    }
}

  • _ZN3art9ArtMethod6InvokeEPNS_6ThreadEPjjPNS_6JValueEPKc is the symbol name of art::ArtMethod::Invoke in libart.so after C++ name mangling. You can list it with readelf -s on libart.so and demangle it with c++filt. C functions are not mangled, so their symbol name is simply the function name.
  • The symbol name of art::ArtMethod::Invoke differs on Android versions before Android M (6.0). This example applies only to Android M and later. If you need broader Android version compatibility, you must handle the differences in symbol names yourself.

Contributing

Contributing Guide

License

shadowhook is licensed under the MIT License.

shadowhook uses the following third-party source code or libraries:

  • queue.h
    BSD 3-Clause License
    Copyright (c) 1991, 1993 The Regents of the University of California.
  • tree.h
    BSD 2-Clause License
    Copyright (c) 2002 Niels Provos
  • linux-syscall-support
    BSD 3-Clause License
    Copyright (c) 2005-2011 Google Inc.
  • xDL
    MIT License
    Copyright (c) 2020-2021 HexHacking Team

Comments
  • The proxy function is not called

    ShadowHook Version

    1.0.3

    Android OS Version

    11

    Android ABIs

    armeabi-v7a, arm64-v8a

    Device Manufacturers and Models

    pixel2xL

    Describe the Bug

    In the demo I hooked android_get_device_api_level; the result shows the hook succeeded, but the proxy is not executed. Am I using it incorrectly?

    cStub = shadowhook_hook_sym_name(
                "libc.so",
                "android_get_device_api_level",
                (void *) cProxy,
                nullptr);

    if (cStub != nullptr) {
        LOGE("libc hook succeeded");
    } else {
        LOGE("libc hook failed");
    }

    void* cProxy() {
        LOGE("cproxy");
    }
    

    The symbol table of libc.so also shows this: [image]

    bug invalid 
    opened by shaomaicheng 12
  • Crash while hooking an arm64 function

    ShadowHook Version

    1.0.4

    Android OS Version

    9

    Android ABIs

    arm64-v8a

    Device Manufacturers and Models

    LDPlayer 9

    Describe the Bug

    I got a crash bug while hooking this function

    [image]

    Another function works well, but this function crashes.

    I'm using an android emulator called LDPlayer 9, the latest build

    tombstone: tombstone_00.zip

    Thanks!

    bug 
    opened by supernghia89 6
  • Crash when hooking a recursively called function

    ShadowHook Version

    1.0.3

    Android OS Version

    8.0.1

    Android ABIs

    arm64-v8a

    Device Manufacturers and Models

    Samsung Galaxy

    Describe the Bug

    Normally the call chain is A->B->C->B->..... When B is hooked with a proxy body that does nothing except call the original function directly, the process crashes after re-entering B via C. The function actually hooked is libart's DexFile::Open. Error information:

    2022-06-16 09:25:18.291 A/DEBUG: signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x7a02bbf204
    2022-06-16 09:25:18.291 A/DEBUG: x0 0000000000000001 x1 000000000000008c x2 00000079f580e7a8 x3 000000008bd76d86
    2022-06-16 09:25:18.291 A/DEBUG: x4 00000079f580e7a0 x5 0000000000000000 x6 0000000000000000 x7 0000007fe61a09e8
    2022-06-16 09:25:18.291 A/DEBUG: x8 0000007a02bbf200 x9 0000000000000001 x10 000000000000019f x11 0000000000000003
    2022-06-16 09:25:18.291 A/DEBUG: x12 0000007a0060d708 x13 2e7265746c696631 x14 000d7c633a084230 x15 0000a8a620ea48ae
    2022-06-16 09:25:18.291 A/DEBUG: x16 0000007a00eb3cc0 x17 00000079d6834608 x18 0000000000000000 x19 0000007fe61a09e8
    2022-06-16 09:25:18.291 A/DEBUG: x20 00000079f580e7a0 x21 0000007fe61a09d8 x22 0000007a0277e0f4 x23 0000007a0277e048
    2022-06-16 09:25:18.291 A/DEBUG: x24 0000007fe61a0bc0 x25 0000007a0277e048 x26 0000000000000001 x27 0000007a006d78a0
    2022-06-16 09:25:18.291 A/DEBUG: x28 0000007a0277e0f4 x29 0000007fe61a0990 x30 0000007a003b6fcc
    2022-06-16 09:25:18.291 A/DEBUG: sp 0000007fe61a0960 pc 0000007a02bbf204 pstate 0000000000000000
    2022-06-16 09:25:18.291 A/DEBUG: backtrace:
    2022-06-16 09:25:18.291 A/DEBUG: #00 pc 0000000000000204 [anon:shadowhook-enter:0000007a02bbf000]
    2022-06-16 09:25:18.292 A/DEBUG: #01 pc 000000000004afc8 /system/lib64/libart.so (offset 0x358000)

    bug invalid 
    opened by qq6r 4
  • Hook dlopen function crashes on MuMu emulator

    ShadowHook Version

    1.0.3

    Android OS Version

    6.0.1

    Android ABIs

    armeabi-v7a

    Device Manufacturers and Models

    MuMu

    Describe the Bug

    1. Initialize shadowhook in Application. 2. Load native-lib.so in a static block of MainActivity. 3. Hook dlopen in JNI_OnLoad of native-lib.so; the code uses the dlopen example from unittest.

    ============ shadowhook_tag log ==========
    shadowhook_tag: shadowhook: shadowhook init(mode: UNIQUE, debuggable: true), return: 0, real-init: yes
    shadowhook_tag: sdk_verison : 23
    shadowhook_tag: shadowhook: hook_sym_name(linker, __dl__Z9do_dlopenPKciPK17android_dlextinfo, 0xc60151d) ...
    shadowhook_tag: task: hook dlopen/do_dlopen internal. target-address f7768ca0
    shadowhook_tag: switch: get dlinfo info: target_addr f7768ca0, sym_name __dl__Z9do_dlopenPKciPK17android_dlextinfo, sym_sz 522, load_bias f775d000, pathname /system/bin/linker
    shadowhook_tag: exit: gap, f779ad10 - f779b000 (load_bias f775d000, 3dd10 - 3e000), NFZ 1, READABLE 1
    shadowhook_tag: exit: gap, f77a21d0 - f77a3000 (load_bias f775d000, 451d0 - 46000), NFZ 0, READABLE 1
    shadowhook_tag: exit: gap fill zero, f779ad10 - f779b000 (load_bias f775d000, 3dd10 - 3e000), READABLE 1
    shadowhook_tag: exit: gap resize, f779ad10 - f779aff8 (load_bias f775d000, 3dd10 - 3dff8)
    shadowhook_tag: exit: in-library alloc, at f779ad18 (load_bias f775d000, 3dd18), len 8
    shadowhook_tag: exit: alloc in library, exit f779ad18, pc f7768ca8, distance 32070, range [-2000000, 1fffffc]
    shadowhook_tag: a32 rewrite: type 0, inst 83535657
    shadowhook_tag: a32: hook (WITH EXIT) OK. target f7768ca0 -> exit f779ad18 -> new c107749 -> enter ef3d0000 -> remaining f7768ca4
    shadowhook_tag: switch: hook(invisible) in UNIQUE mode OK: target_addr f7768ca0, new_addr c107749
    shadowhook_tag: linker: hook dlopen OK, return: 0
    shadowhook_tag: switch: get dlinfo info: target_addr f7768ca0, sym_name __dl__Z9do_dlopenPKciPK17android_dlextinfo, sym_sz 522, load_bias f775d000, pathname /system/bin/linker
    shadowhook_tag: exit: gap, f779ad10 - f779b000 (load_bias f775d000, 3dd10 - 3e000), NFZ 1, READABLE 1
    shadowhook_tag: exit: gap, f77a21d0 - f77a3000 (load_bias f775d000, 451d0 - 46000), NFZ 0, READABLE 1
    shadowhook_tag: exit: gap resize, f779ad10 - f779aff8 (load_bias f775d000, 3dd10 - 3dff8)
    shadowhook_tag: exit: in-library alloc, at f779ad20 (load_bias f775d000, 3dd20), len 8
    shadowhook_tag: exit: alloc in library, exit f779ad20, pc f7768ca8, distance 32078, range [-2000000, 1fffffc]
    shadowhook_tag: a32 rewrite: type 1, inst ea00c81c
    shadowhook_tag: a32: hook (WITH EXIT) OK. target f7768ca0 -> exit f779ad20 -> new c60151d -> enter ef3d0100 -> remaining f7768ca4
    shadowhook_tag: switch: hook in UNIQUE mode OK: target_addr f7768ca0, new_addr c60151d
    shadowhook_tag: shadowhook: hook_sym_name(linker, __dl__Z9do_dlopenPKciPK17android_dlextinfo, 0xc60151d) OK. return: 0xf3b375b0. 0 - OK

    =========== crash stack ==================
    2022-09-21 16:50:24.659 3113-3113/com.test.unity A/libc: Fatal signal 4 (SIGILL), code 2, fault addr 0xf7768ca8 in tid 3113 (com.test.unity)
    2022-09-21 16:50:24.761 314-314/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
    2022-09-21 16:50:24.761 314-314/? A/DEBUG: Build fingerprint: 'OnePlus/OnePlus2/OnePlus2:6.0.1/MMB29M/1447841200:user/release-keys'
    2022-09-21 16:50:24.761 314-314/? A/DEBUG: Revision: '0'
    2022-09-21 16:50:24.761 314-314/? A/DEBUG: ABI: 'x86'
    2022-09-21 16:50:24.761 314-314/? A/DEBUG: pid: 3113, tid: 3113, name: com.test.unity >>> com.test.unity <<<
    2022-09-21 16:50:24.761 314-314/? A/DEBUG: signal 4 (SIGILL), code 2 (ILL_ILLOPN), fault addr 0xf7768ca8
    2022-09-21 16:50:24.763 314-314/? A/DEBUG: eax 00000000 ebx f779cfe4 ecx 0000006c edx 0000000b
    2022-09-21 16:50:24.763 314-314/? A/DEBUG: esi f3b37760 edi f779d034
    2022-09-21 16:50:24.763 314-314/? A/DEBUG: xcs 00000023 xds 0000002b xes 0000002b xfs 0000006b xss 0000002b
    2022-09-21 16:50:24.763 314-314/? A/DEBUG: eip f7768ca8 ebp ffa6c324 esp ffa5d8f4 flags 00010202
    2022-09-21 16:50:24.763 314-314/? A/DEBUG: backtrace:
    2022-09-21 16:50:24.763 314-314/? A/DEBUG: #00 pc 00000ca8 /system/bin/linker (offset 0xb000)
    2022-09-21 16:50:24.763 314-314/? A/DEBUG: #01 pc 0000002a
    2022-09-21 16:50:24.782 314-314/? A/DEBUG: Tombstone written to: /data/tombstones/tombstone_01
    2022-09-21 16:50:24.782 314-314/? E/DEBUG: AM write failed: Broken pipe
    2022-09-21 16:50:24.785 740-760/system_process I/BootReceiver: Copying /data/tombstones/tombstone_01 to DropBox (SYSTEM_TOMBSTONE)
    2022-09-21 16:50:24.787 740-3134/system_process W/ActivityManager: Force finishing activity com.test.unity/com.unity3d.player.UnityPlayerActivity
    2022-09-21 16:50:24.787 740-3134/system_process E/JavaBinder: !!! FAILED BINDER TRANSACTION !!! (parcel size = 116)

    bug good first issue 
    opened by SingleShu 3
  • Build Error

    shadowhook Version

    1.0.3

    Android OS Version

    10

    Android ABIs

    armeabi-v7a, arm64-v8a

    Device Manufacturers and Models

    any

    Describe the Bug

    [CXX1405] error when building with cmake using /Users/jarrettye/Documents/Workspace/Android/InlineHookDemo/app/src/main/cpp/CMakeLists.txt: Build command failed. Error while executing java process with main class com.google.prefab.cli.AppKt with arguments {--build-system cmake --platform android --abi arm64-v8a --os-version 21 --stl c++_static --ndk-version 21 --output /Users/jarrettye/Documents/Workspace/Android/InlineHookDemo/app/.cxx/Debug/52k576n3/prefab/arm64-v8a/prefab /Users/jarrettye/.gradle/caches/transforms-3/c46ec3f0af32bc2a9539f97e0d92f6fd/transformed/shadowhook-1.0.3/prefab}

    Exception in thread "main" java.lang.IllegalArgumentException: Only schema_version 1 is supported. shadowhook uses version 2.
        at com.google.prefab.api.Package.(Package.kt:46)
        at com.google.prefab.cli.Cli$packages$2.invoke(Cli.kt:124)
        at com.google.prefab.cli.Cli$packages$2.invoke(Cli.kt:95)
        at kotlin.SynchronizedLazyImpl.getValue(LazyJVM.kt:74)
        at com.google.prefab.cli.Cli.getPackages(Cli.kt)
        at com.google.prefab.cli.Cli.validate(Cli.kt:172)
        at com.google.prefab.cli.Cli.run(Cli.kt:189)
        at com.github.ajalt.clikt.parsers.Parser.parse(Parser.kt:168)
        at com.github.ajalt.clikt.parsers.Parser.parse(Parser.kt:16)
        at com.github.ajalt.clikt.core.CliktCommand.parse(CliktCommand.kt:258)
        at com.github.ajalt.clikt.core.CliktCommand.parse$default(CliktCommand.kt:255)
        at com.github.ajalt.clikt.core.CliktCommand.main(CliktCommand.kt:273)
        at com.github.ajalt.clikt.core.CliktCommand.main(CliktCommand.kt:298)
        at com.google.prefab.cli.AppKt.main(App.kt:28)

    bug good first issue 
    opened by JarYe 3
  • memcpy is not called

    ShadowHook Version

    1.0.4

    Android OS Version

    12

    Android ABIs

    arm64-v8a

    Device Manufacturers and Models

    one plus 8t

    Describe the Bug

    2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: shadowhook: hook_sym_name(libc.so, strdup, 0x77d5414770) ...
    2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: hub: create trampo for target_addr 7b07732c0c at 7afeafc000, size 96 + 16 = 112
    2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap, 7b077525b0 - 7b07753000 (load_bias 7b07696000, bc5b0 - bd000), NFZ 1, READABLE 1
    2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap, 7b07cb3840 - 7b07cb4000 (load_bias 7b07696000, 61d840 - 61e000), NFZ 0, READABLE 1
    2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap fill zero, 7b077525b0 - 7b07753000 (load_bias 7b07696000, bc5b0 - bd000), READABLE 1
    2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap resize, 7b077525b0 - 7b07752ff0 (load_bias 7b07696000, bc5b0 - bcff0)
    2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: in-library alloc, at 7b077525c0 (load_bias 7b07696000, bc5c0), len 16
    2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: alloc in library, exit 7b077525c0, pc 7b07732c0c, distance 1f9b4, range [-8000000, 7fffffc]
    2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: a64 rewrite: type 0, inst a9bd7bfd
    2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: a64: hook (WITH EXIT) OK. target 7b07732c0c -> exit 7b077525c0 -> new 7afeafc000 -> enter 7afeafb000 -> remaining 7b07732c10
    2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: hub: add(new) func 77d5414770
    2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: switch: hook in SHARED mode OK: target_addr 7b07732c0c, new_addr 77d5414770
    2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: shadowhook: hook_sym_name(libc.so, strdup, 0x77d5414770) OK. return: 0xb4000078b57d29c0. 0 - OK
    2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: shadowhook: hook_sym_name(libc.so, memcpy, 0x77d5414604) ...
    2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: hub: create trampo for target_addr 7b0774b488 at 7afeafc070, size 96 + 16 = 112
    2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap, 7b077525b0 - 7b07753000 (load_bias 7b07696000, bc5b0 - bd000), NFZ 1, READABLE 1
    2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap, 7b07cb3840 - 7b07cb4000 (load_bias 7b07696000, 61d840 - 61e000), NFZ 0, READABLE 1
    2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap resize, 7b077525b0 - 7b07752ff0 (load_bias 7b07696000, bc5b0 - bcff0)
    2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: in-library alloc, at 7b077525d0 (load_bias 7b07696000, bc5d0), len 16
    2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: alloc in library, exit 7b077525d0, pc 7b0774b488, distance 7148, range [-8000000, 7fffffc]
    2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: a64 rewrite: type 0, inst 39404828
    2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: a64: hook (WITH EXIT) OK. target 7b0774b488 -> exit 7b077525d0 -> new 7afeafc070 -> enter 7afeafb100 -> remaining 7b0774b48c
    2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: hub: add(new) func 77d5414604
    2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: switch: hook in SHARED mode OK: target_addr 7b0774b488, new_addr 77d5414604
    2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: shadowhook: hook_sym_name(libc.so, memcpy, 0x77d5414604) OK. return: 0xb4000078b57d2020. 0 - OK
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: shadowhook: hook_sym_name(libc.so, memmove, 0x77d5414578) ...
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: hub: create trampo for target_addr 7b0774b4a8 at 7afeafc0e0, size 96 + 16 = 112
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap, 7b077525b0 - 7b07753000 (load_bias 7b07696000, bc5b0 - bd000), NFZ 1, READABLE 1
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap, 7b07cb3840 - 7b07cb4000 (load_bias 7b07696000, 61d840 - 61e000), NFZ 0, READABLE 1
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap resize, 7b077525b0 - 7b07752ff0 (load_bias 7b07696000, bc5b0 - bcff0)
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: in-library alloc, at 7b077525e0 (load_bias 7b07696000, bc5e0), len 16
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: alloc in library, exit 7b077525e0, pc 7b0774b4a8, distance 7138, range [-8000000, 7fffffc]
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: a64 rewrite: type 0, inst 39404828
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: a64: hook (WITH EXIT) OK. target 7b0774b4a8 -> exit 7b077525e0 -> new 7afeafc0e0 -> enter 7afeafb200 -> remaining 7b0774b4ac
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: hub: add(new) func 77d5414578
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: switch: hook in SHARED mode OK: target_addr 7b0774b4a8, new_addr 77d5414578
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: shadowhook: hook_sym_name(libc.so, memmove, 0x77d5414578) OK. return: 0xb4000078b57d2d40. 0 - OK
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: shadowhook: hook_sym_name(libc.so, memcmp, 0x77d5414690) ...
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: hub: create trampo for target_addr 7b076dea00 at 7afeafc150, size 96 + 16 = 112
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap, 7b077525b0 - 7b07753000 (load_bias 7b07696000, bc5b0 - bd000), NFZ 1, READABLE 1
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap, 7b07cb3840 - 7b07cb4000 (load_bias 7b07696000, 61d840 - 61e000), NFZ 0, READABLE 1
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap resize, 7b077525b0 - 7b07752ff0 (load_bias 7b07696000, bc5b0 - bcff0)
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: in-library alloc, at 7b077525f0 (load_bias 7b07696000, bc5f0), len 16
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: alloc in library, exit 7b077525f0, pc 7b076dea00, distance 73bf0, range [-8000000, 7fffffc]
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: a64 rewrite: type 0, inst d503245f
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: a64: hook (WITH EXIT) OK. target 7b076dea00 -> exit 7b077525f0 -> new 7afeafc150 -> enter 7afeafb300 -> remaining 7b076dea04
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: hub: add(new) func 77d5414690
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: switch: hook in SHARED mode OK: target_addr 7b076dea00, new_addr 77d5414690
    2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: shadowhook: hook_sym_name(libc.so, memcmp, 0x77d5414690) OK. return: 0xb4000078b57d1bc0. 0 - OK

    [image]

    bug good first issue question 
    opened by q601180252 2
  • Support for x86 and x86_64

    the Feature, Motivation and Pitch

    Hello @caikelun, Is there any plan for supporting x86 and x86_64 architectures?

    Alternatives

    No response

    Additional context

    No response

    enhancement 
    opened by omarsahl 2
  • Remove the RegisterNatives call from JNI_OnLoad

    the Feature, Motivation and Pitch

    RegisterNatives in JNI_OnLoad references a Java class; when packaging my own AAR, a class-not-found error is reported. In fact, if init is called from the native layer, the Java class is not needed at all.

    Alternatives

    No response

    Additional context

    No response

    enhancement 
    opened by dev-xiaoyan 1
  • Build Error

    ShadowHook Version

    1.0.3

    Android OS Version

    android 11

    Android ABIs

    arm64-v8a

    Device Manufacturers and Models

    Redmi k40

    Describe the Bug

    CMake Error at CMakeLists.txt:9 (find_package):
      Could not find a package configuration file provided by "shadowhook" with
      any of the following names:
    
        shadowhookConfig.cmake
        shadowhook-config.cmake
    
      Add the installation prefix of "shadowhook" to CMAKE_PREFIX_PATH or set
      "shadowhook_DIR" to a directory containing one of the above files.  If
      "shadowhook" provides a separate development package or SDK, be sure it has
      been installed.
    

    here is my unsolved project https://github.com/BlackBoxing/BlackBox

    bug invalid 
    opened by BlackBoxing 1
  • Everything is completely wrong

    ShadowHook Version

    1.0.5

    Android OS Version

    11.0

    Android ABIs

    armeabi-v7a

    Device Manufacturers and Models

    Poco X3 Pro

    Describe the Bug

    So I just switched from the old Cydia Substrate to this hook... And now everything is completely bad. The function's stack/heap is completely broken: [image]

    bug 
    opened by RusJJ 5
Releases
  • v1.0.5(Dec 5, 2022)

    Bugs fixed

    1. Fix the bug that some function addresses cannot use an ELF gap for the relative jump when hooking.

    This bug lowers hook stability for the affected functions. It occurs when the absolute address of the function falls into one of the following ranges:

    | arch  | address ranges                           |
    | :---- | :--------------------------------------- |
    | thumb | [0, 0x1000000)                           |
    | thumb | (0xFF000001, 0xFFFFFFFF]                 |
    | arm   | [0, 0x2000000)                           |
    | arm   | (0xFE000003, 0xFFFFFFFF]                 |
    | arm64 | [0, 0x8000000)                           |
    | arm64 | (0xFFFFFFFFF8000003, 0xFFFFFFFFFFFFFFFF] |

    • related issue: #25
    • thanks to: @supernghia89

    2. Fix the bug that some ELFs cannot be hooked on Android 4.x.

    The first LOAD segment of an ELF may be read-only (when linked with --rosegment); /proc/self/maps then looks like this:

    75b8d000-75b9f000 r--p 00000000 b3:1c 89884 /data/app-lib/io.hexhacking.xdl.sample-2/libquick.so
    75b9f000-75bde000 r-xp 00012000 b3:1c 89884 /data/app-lib/io.hexhacking.xdl.sample-2/libquick.so
    75bde000-75be1000 r--p 00051000 b3:1c 89884 /data/app-lib/io.hexhacking.xdl.sample-2/libquick.so
    75be1000-75be2000 rw-p 00054000 b3:1c 89884 /data/app-lib/io.hexhacking.xdl.sample-2/libquick.so

    In previous ShadowHook versions, this type of ELF could not be hooked on Android 4.x.

    • related xDL version: v1.2.1

    3. Fix the bug that the wrong initialization state may be returned when ShadowHook#init() is called concurrently.

    Initialization may actually still be in progress while a state of "already initialized" is returned.

    Improve

    1. Avoid additionally acquiring the linker's global mutex during initialization.

    ShadowHook needs to obtain several symbol addresses in libc.so through dlopen and dlsym during initialization. These operations must hold the linker's global mutex. We moved them into the .init_array of libshadowhook.so.
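The address ranges in bug fix 1 above are exactly the addresses at which pc minus the backward branch reach, or pc plus the forward reach, leaves the address space. The following C program is an added illustration written for this page (it is not shadowhook's implementation): it computes the window a direct branch can reach from a given pc once with plain unsigned arithmetic and once with saturation, reports which pcs make the plain arithmetic wrap, and checks whether a candidate exit address is reachable. The reach constants are read from the table above and from the `range [-2000000, 1fffffc]` / `range [-8000000, 7fffffc]` lines in the shadowhook_tag logs quoted in the issues; the sample pc and gap addresses are constructed.

```c
/* Added example: not shadowhook's own code. Models the window a direct branch
 * can reach from pc and shows why naive range arithmetic breaks at the edges
 * of the address space. Reach values: table above and the "range [...]" lines
 * in the shadowhook_tag logs quoted in the issues. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum arch { ARCH_THUMB, ARCH_ARM, ARCH_ARM64 };

/* A direct branch at pc can reach [pc - neg, pc + pos] within an address
 * space whose highest address is addr_max. */
struct reach { uint64_t neg, pos, addr_max; };

static struct reach reach_of(enum arch a) {
    switch (a) {
    case ARCH_THUMB: return (struct reach){ 0x1000000u, 0xFFFFFEu,  0xFFFFFFFFu }; /* B.W, +-16 MB  */
    case ARCH_ARM:   return (struct reach){ 0x2000000u, 0x1FFFFFCu, 0xFFFFFFFFu }; /* B,   +-32 MB  */
    default:         return (struct reach){ 0x8000000u, 0x7FFFFFCu, UINT64_MAX };  /* B,   +-128 MB */
    }
}

struct window { uint64_t lo, hi; };

/* Naive window: pc - neg and pc + pos in the target address width with no
 * overflow handling. For a pc within `neg` of 0 the low bound wraps to a huge
 * value; for a pc within `pos` of the top the high bound wraps to a small one.
 * A gap search driven by such a window rejects every usable gap. */
static struct window window_naive(enum arch a, uint64_t pc) {
    struct reach r = reach_of(a);
    return (struct window){ (pc - r.neg) & r.addr_max, (pc + r.pos) & r.addr_max };
}

/* Saturating window: clamp to [0, addr_max] instead of wrapping. */
static struct window window_clamped(enum arch a, uint64_t pc) {
    struct reach r = reach_of(a);
    struct window w;
    w.lo = pc < r.neg ? 0 : pc - r.neg;
    w.hi = pc > r.addr_max - r.pos ? r.addr_max : pc + r.pos;
    return w;
}

/* True exactly when the naive computation wraps, i.e. when pc lies in one of
 * the ranges listed in the v1.0.5 release note. */
static bool window_wraps(enum arch a, uint64_t pc) {
    struct reach r = reach_of(a);
    return pc < r.neg || pc > r.addr_max - r.pos;
}

/* Can a direct branch placed at pc reach target? */
static bool branch_reaches(enum arch a, uint64_t pc, uint64_t target) {
    struct window w = window_clamped(a, pc);
    return target >= w.lo && target <= w.hi;
}

int main(void) {
    /* Constructed addresses: a thumb function mapped low in a 32-bit process
     * and an ELF gap 64 KB above it. */
    uint64_t pc = 0x00ff0000u, gap = 0x01000100u;
    struct window n = window_naive(ARCH_THUMB, pc), c = window_clamped(ARCH_THUMB, pc);
    printf("naive   window: [%#llx, %#llx]\n", (unsigned long long)n.lo, (unsigned long long)n.hi);
    printf("clamped window: [%#llx, %#llx]\n", (unsigned long long)c.lo, (unsigned long long)c.hi);
    printf("gap %#llx reachable: %s; naive lower bound would reject it: %s\n",
           (unsigned long long)gap,
           branch_reaches(ARCH_THUMB, pc, gap) ? "yes" : "no",
           gap < n.lo ? "yes" : "no");
    return 0;
}
```

`window_wraps` reproduces the table boundary for boundary: for arm64 it is true at 0x7FFFFFF and false at 0x8000000, false at 0xFFFFFFFFF8000003 and true one byte higher. The distance printed in the issue logs (for example `exit 7b077525c0, pc 7b07732c0c, distance 1f9b4`) is well inside the arm64 window, which is why those hooks succeed.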

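Bug fix 2 of v1.0.5 comes down to how the ELF header is located in /proc/self/maps. The C program below is an added example written for this page (not xDL's or shadowhook's code): it parses the four map lines quoted in the release note, embedded here as a constructed sample so it runs offline, and looks for the mapping that holds the ELF header (file offset 0). A rule that insists the header mapping be executable finds nothing for this --rosegment layout; a rule that only requires readability finds it at 0x75b8d000. The helper names and the path-suffix matching convention are mine; the ELF magic check that a real implementation must do on the returned address is noted in the comments but not performed, since the sample has no memory behind it.

```c
/* Added example: not shadowhook's or xDL's code. Parses /proc/self/maps lines
 * and finds the mapping that holds an ELF's header, showing why requiring
 * that mapping to be executable fails for --rosegment libraries. The sample
 * map lines are the ones quoted in the v1.0.5 release note. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char *const SAMPLE_MAPS =
    "75b8d000-75b9f000 r--p 00000000 b3:1c 89884 /data/app-lib/io.hexhacking.xdl.sample-2/libquick.so\n"
    "75b9f000-75bde000 r-xp 00012000 b3:1c 89884 /data/app-lib/io.hexhacking.xdl.sample-2/libquick.so\n"
    "75bde000-75be1000 r--p 00051000 b3:1c 89884 /data/app-lib/io.hexhacking.xdl.sample-2/libquick.so\n"
    "75be1000-75be2000 rw-p 00054000 b3:1c 89884 /data/app-lib/io.hexhacking.xdl.sample-2/libquick.so\n";

struct map_entry {
    uint64_t start, end, offset;
    char perms[5];
    char path[256];
};

/* One maps line: "start-end perms offset dev inode [path]". Lines without a
 * path (anonymous mappings) are rejected; they cannot hold an ELF header. */
static bool parse_map_line(const char *line, struct map_entry *e) {
    unsigned long long start, end, off;
    int n = sscanf(line, "%llx-%llx %4s %llx %*s %*s %255s",
                   &start, &end, e->perms, &off, e->path);
    if (n != 5) return false;
    e->start = start; e->end = end; e->offset = off;
    return true;
}

typedef bool (*accept_fn)(const struct map_entry *e);

/* Start address of the first mapping whose path ends with `suffix`, whose
 * file offset is 0 (the ELF header lives at file offset 0) and which
 * `accept` approves; 0 if none. A real implementation must then verify the
 * ELF magic at that address before using it as the load base. */
static uint64_t find_elf_header(const char *maps, const char *suffix, accept_fn accept) {
    size_t suffix_len = strlen(suffix);
    const char *p = maps;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + strlen(p);

        struct map_entry e;
        if (!parse_map_line(line, &e)) continue;
        size_t path_len = strlen(e.path);
        if (path_len < suffix_len || strcmp(e.path + path_len - suffix_len, suffix) != 0) continue;
        if (e.offset != 0 || !accept(&e)) continue;
        return e.start;
    }
    return 0;
}

/* Old assumption: the ELF header sits in an executable (r-x) mapping. */
static bool accept_rx(const struct map_entry *e) {
    return e->perms[0] == 'r' && e->perms[2] == 'x';
}

/* --rosegment layout: the header is in a read-only (r--) mapping, so only
 * readability may be required. */
static bool accept_readable(const struct map_entry *e) {
    return e->perms[0] == 'r';
}

int main(void) {
    const char *lib = "/libquick.so";
    printf("header via r-x rule:      %#llx\n",
           (unsigned long long)find_elf_header(SAMPLE_MAPS, lib, accept_rx));
    printf("header via readable rule: %#llx\n",
           (unsigned long long)find_elf_header(SAMPLE_MAPS, lib, accept_readable));
    return 0;
}
```

For a library whose first PT_LOAD has p_vaddr 0 (the usual case), the address found this way is also the load bias that the shadowhook_tag logs in the issues print as `load_bias`; for other layouts the bias is that address minus the first PT_LOAD's p_vaddr, which requires reading the program headers.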
  • v1.0.4(Nov 10, 2022)

    New features

    • Added new API shadowhook_hook_func_addr() for hooking a function by absolute address when it has no symbol info in the ELF.

    Improve

    • Improve the performance of shadowhook_hook_sym_name and shadowhook_hook_sym_name_callback.
    • Update the versions of NDK, CMake, gradle and AGP.
  • v1.0.3(Mar 21, 2022)

    Bugs fixed

    • In previous versions, on Android 5.x, if only the ELF file name was specified when hooking (not the full path) and the function to be hooked was in .symtab, the hook would fail (for example, hooking __openat in libc.so).
  • v1.0.2(Feb 10, 2022)

Owner
Bytedance Inc.