gtoad / android_inline_hook Goto Github PK

Build an so file to automatically do the android_native_hook work. Supports thumb-2/arm32 and ARM64 ! With this, tools like Xposed can do android native hook.

Makefile 2.62% C 88.58% Assembly 2.49% C++ 6.31%

android_inline_hook's Introduction

Android Inline Hook

This project make an Android .so file that can automatically do some native hook works.

It mainly use Android Inline Hook, not PLT Hook.

If you can read Chinese or wanna see more picture, I've wrote some articles about this repo and the first one is the main article. I highly recommend you to read the articles before reading the code. These article will save you a lot of time, I promise.

Articles in English

I've received several e-mails and all the questions in them have been written in the Chinese articles. So i think it's necessary translate some part of the articles in English. I will try my best to tanslate more part and the parts metioned by the questions in issue will have high priority.

Android Inline Hook Practice EN

Features

No ptrace -- So the anti-debug tech won't affect on this tool.
Auto run -- Just use Xposed or other tools to load it into the memory and it will do the native hook work.
Pure inline hook -- No other imprint left so it's hard to anti.
Flexible -- Fine docs for users to understand the code and change it on your own perpose.
Active support -- Brand new so I'm still keen on fix the bugs and arm32/thumb-2/arm64 has been finished one by one.

How To Use

The only thing you have to change is the code in InlineHook.cpp.

You can name the __attribute__((constructor)) ModifyIBored() function at your will and change the follow arg in it:

pModuleBaseAddr is the address of your target so.
target_offset is the offset of your hook point in the target so.
is_target_thumb shows the hook point's CPU mode. You can know this information in the work of reversing before the hook work.

EvilHookStubFunctionForIBored function is the thing you really wanna do when the hook works. You can name at your will, but keep the arg (pt_regs *regs). It brings you the power to control the registers, like set r0 to 0x333 : regs->uregs[0]=0x333;.

After you finish the args above, just ndk-build and you will get your .so file.

ARM32 Design

The ARM32 has code fix too, I just didn't show in this picture.

Thumb-2 Design

Example

I've make some examples in other repo, it includes code and the target APK file.

ARM64

ARM64 has been finished ! I put it in another Android Inline Hook ARM64 to keep clean.

Contact

I believe that this project still has some problems. If you find some bugs or have some problems, you can send e-mail to [email protected]. I wish we can fix it together!

Reference

Game Security Lab of Tencent

Ele7enxxh's Blog

android_inline_hook's People

Contributors

Stargazers

Watchers

Forkers

dstmath mayl8822 zysyyz gobig1573 crackercat genarior yangboyd pagalaxylab androiddog1991 carbonsec wncios guolei1130 kungia09 geektan suge moojx zhangyulong882 vxzhong jiejiao6 m8599399 secice q1f3 dreamzgj yuknight rokith walkingalone-david markjian molongwudi dothanthitiendiettiende cen123456 wanghuabing breathleas fengjixuchui colordancer xiaoyaomeng dysquard wyu0hop dandycheung coolsnake hnyaoqingping koko01024122 zylthinking coldly superbase-zz h0ne burningfix sanchahua lgq2015 aplus123 cylee0909 516025 st-rnd jiangtao89 pancts soon-gz xdcs100 brinedfish mickeytang qqbenst sumincy eaglexmw-gmail gyyfifafans liro0206 enovella dexcalibur-engine sumerzhang asuralove havenow ryanfu cuilwww uni7corn chaocoder mubiaogi farzgz jfishing hanger23 fdlucifer 3kyo0 costcost heckerstone ssageparuders fhooker pengpengpro qingyiwebt michaelzyy losenineai feng504x

android_inline_hook's Issues

Float-point registers

How I can hook them? For example, VLDR S15, =512.0, how I can get value from S15?

关于如何改进这个项目

如果您发现了BUG，本人非常希望您能够联系我或者新建一个issue来讨论它。
请将bug所在的apk、so库名称、hook offset给我。
为了隐私，您也可以将hook addr周围的那几十个涉及bug的bytes给我，我会尽量去修复。

我绝对相信这个新的项目中是肯定存在bug的，感谢所有乐于批评指正的朋友。

Hook 后 onCallBack 收到的参数数据不正确

使用 armHook 后，可以跳转到 onCallBack 的函数去，但是 onCallBack 参数收到的参数不正确。

使用方式是直接参考的 Demo 里的 bool InlineHook(void *pHookAddr, void (*onCallBack)(struct pt_regs *))，只修改了 onCallBack，改成适合自己的格式。


// 头文件
typedef struct tagINLINEHOOKINFO{
    void *pHookAddr;
    void *pStubShellCodeAddr;  
    void*(*onCallBack)(void*, void*, void*); // onCallBack 改了下，和demo 里有点区别
    void ** ppOldFuncAddr;
    BYTE szbyBackupOpcodes[OPCODEMAXLEN]; 
    int backUpLength;
    int backUpFixLengthList[BACKUP_CODE_NUM_MAX]; 
    uint32_t *pNewEntryForOldFunction;
} INLINE_HOOK_INFO;

// Hook 实现
bool TestHooker::Hook(const char* name, void* org,  void*(*dest)(void*, void*, void*)) {
    bool bRet = false;

    if(org == NULL || dest == NULL)
    {
        return bRet;
    }

    INLINE_HOOK_INFO* pstInlineHook = new INLINE_HOOK_INFO();
    pstInlineHook->pHookAddr = org;
    pstInlineHook->onCallBack = dest;

    if(TEST_BIT0((uint32_t)pstInlineHook->pHookAddr)) { 
        if(HookThumb(pstInlineHook) == false) {
            delete pstInlineHook;
            return bRet;
        }
    } else {
        if(HookArm(pstInlineHook) == false) { // 使用的是 HookArm
            delete pstInlineHook;
            return bRet;
        }
    }
    m_InlineHookInfoPVec.push_back(pstInlineHook);
    Origin_getenv = *pstInlineHook->ppOldFuncAddr;
    return true;
}

// OnCallback 函数
void* CalledFunc(void* param0, void* param1, void* param2){
    std::string memStr = PrintBuffer(param0, 10);
     __android_log_print(ANDROID_LOG_VERBOSE, APPNAME, "** %s **", memStr.c_str()); // **被调用后，打印出 ”50 30 02 e4 00 00 00 00 00 00“，内容是不正确的。**
    return ((void*(*)(void*, void*, void*))Origin_getenv)(param0, param1, param2);;
}

// 运行
Hook("test",  orgAddr, CalledFunc); // orgAddr 是从一个第三方 so 中获取出的函数地址。

Hook 运行后正确执行到了 CalledFunc, Orgigin_getenv 调用也正确，但参数的数据都不对了。
有试过对同一个 so 的另一个只有一个参数的函数 hook过，运行是正常的。
测试机: Google Pixel2

刚接触 hook ，对 arm 和底层不大了解，哪位大佬能帮忙看下问题大概是出在哪里吗。

About how to improve this project

If you find some bugs, I wish you could contact me or make an issue.
Give me the target apk, the so name and hook offset.
Or you can just show me the several bytes at the hook_addr and I will try to fix it.

I believe that there are several bugs in this new project. Thanks for all the people give me advice to improve.

接口不如Ele7enxxh的那个简洁，希望可以再简化接口

看了一下代码，感觉接口用法稍微负责点，也可能是我先入为主了，习惯了Ele7enxxh的那个代码

关于DEMO测试的问题

不是太熟悉ARM，所以测试了下DEMO，有几个问题希望能请教下：
1：DEMO直接HOOK到0xF70位置，也就是CMP R0, #0xA的位置，这里执行相关自定义hook方法无问题，完成后可以继续走到下一行指令。但是如果想从函数最开始位置0xF44 即STMFD SP!, {R11,LR}，则自定义方法执行后程序会异常退出(自定义的hook方法就打印了一条R0的值,无其他操作)。再向后一行指令0xF48也会异常退出，同样的再向后一行也是异常，一直到0xF54才不会异常退出，这是什么原因？按文章所说，应该只有方法最末尾才会有问题吧？

2.如果想修改demo的被hook方法的返回值，也就是那个_JNIEnv::NewStringUTF的值，应该如何写？

3.如果希望中止当前被hook方法，直接跳出到下一个方法，是否有合适的方法？也就是说用自己的方法取代原被hook的方法，不再执行原方法，走到原方法的下个方法，应该怎么写？

最近在写毕业论文，回复可能会很慢

《Android Native Hook工具实践》文章中的疑问

《Android Native Hook工具实践》文章里的问题就发这里哈，这样方便我定期从这个issue下面找东西补充文章。

请问这个项目和Android_Inline_Hook_ARM64有什么不一样吗

请问这个项目和Android_Inline_Hook_ARM64有什么不一样吗、？？？我用这个项目应该就可以了吧？

使用时需要遵守什么协议吗

最近打算做游戏保护相关的，而游戏保护内需要hook掉libc的fopen和fread等函数来在运行时解密相关文件。
虽然没有打算商用，但是还是问一下

能Hook系统的so库吗？

比如libc.so库

《Android Native Hook技术路线概述》文章中的疑问

《Android Native Hook技术路线概述》文章里的问题就发这里哈，这样方便我定期从这个issue下面找东西补充文章。

后续有计划支持Android x86 吗？

和substrate相比稳定性更好吗

substrate那套目前没发现任何问题

About the fix code of B.. instruction

I've received some emails about the fix code of B.. code.
They find me changed BLS to BHI, BEQ to BNE.
It's not a mistake, I do this on purpose. I use the "opposite logic" idea in my mind to fix the B.. code shorter and nice.
You can see the details about what I've done: https://gtoad.github.io/2018/08/03/Android-Native-Hook-Practice-EN/

Please do not changed it back, that will be wrong.

《Android Inline Hook中的指令修复详解》文章中的疑问

《Android Inline Hook中的指令修复详解》文章里的问题就发这里哈，这样方便我定期从这个issue下面找东西补充文章。

Run ndk-build failed

➜ Android_Inline_Hook git:(master) ✗ ndk-build
Android NDK: WARNING:jni/InlineHook/Android.mk:IHook: LOCAL_LDLIBS is always ignored for static libraries
obj/local/armeabi-v7a/objs/InlineHook/InlineHook.o.d:1: *** multiple target patterns. Stop.

NDK VERSION: android-ndk-r16b for mac