YAHFA is a hook framework for Android ART. It provides an efficient way for Java method hooking or replacement. Currently it supports:
- Android 5.0(API 21)
- Android 5.1(API 22)
- Android 6.0(API 23)
- EXPERIMENTAL Android 7.0(API 24)
- EXPERIMENTAL Android 7.1(API 25)
with ABI:
- x86
- armeabi-v7a
- EXPERIMENTAL arm64-v8a
YAHFA is utilized by VirtualHook so that applications can be hooked without root permission.
Please take a look at this article for a detailed introduction.
Import and build the project in Android Studio(with Instant Run disabled). There are three modules:
library. This is the YAHFA library module, which compiles to.aarfor use.demoApp. This is a demo app which would load and apply the plugin.demoPlugin. This is a demo plugin which contains the hooks and would be loaded bydemoApp.
Please refer to demoApp and demoPlugin for more details on the demo.
First please take a look at demoPlugin on how to create a patch plugin.
To apply a patch, create a new DexClassLoader which loads the file:
DexClassLoader dexClassLoader = new DexClassLoader("/sdcard/demoPlugin-debug.apk",
getCodeCacheDir().getAbsolutePath(), null, classLoader);Then initalize HookMain and call doHookDefault():
HookMain hookMain = new HookMain();
hookMain.doHookDefault(dexClassLoader, classLoader);You can also omit the default helper and call the following function instead:
public native void findAndBackupAndHook(Class targetClass, String methodName, String methodSig,
Method hook, Method backup);Hook would fail for methods that are compiled to be inlined. A simple workaround is to build the APP with debuggable option on, in which case the inlining optimization will not apply. However the option --debuggable of dex2oat is not available until API 23. So please take a look at machine instructions of the target by oatdump when a hook doesn't work.
JNI methods can be hooked without calling origin method. For example, the target App contains the following JNI method:
package lab.galaxy.yahfa.demoApp;
public class ClassWithJNIMethod {
static {
System.loadLibrary("hello");
}
public native static String fromJNI();
}Then the method fromJNI can be hooked with the following plugin code:
public class Hook_ClassWithJNIMethod_fromJNI {
public static String className = "lab.galaxy.yahfa.demoApp.ClassWithJNIMethod";
public static String methodName = "fromJNI";
public static String methodSig = "()Ljava/lang/String;";
public static String hook() {
Log.w("YAHFA", "calling fromJNI");
return "new string";
}
}Support for Android N(7.0 and 7.1) is experimental and not stable.
YAHFA is distributed under GNU GPL V3.