🔥 bhook(aka ByteHook) is a PLT hook framework for Android app.

Overview

bhook

README (Chinese version)


Most of ByteDance's Android apps use bhook as the PLT hook solution online.

Features

  • Multiple hooks and unhooks for the same function do not conflict with each other.
  • Hook a single, partial or all of the dynamic libraries in the process.
  • Hook the newly loaded dynamic libraries automatically.
  • Avoid recursive-calls and circular-calls between proxy functions automatically.
  • Support unwinding backtrace in proxy function.
  • Support Android 4.1 - 12 (API level 16 - 31).
  • Support armeabi-v7a, arm64-v8a, x86 and x86_64.
  • MIT licensed.

Usage

1. Add dependency in build.gradle

bhook is published on Maven Central, and uses Prefab package format for native dependencies, which is supported by Android Gradle Plugin 4.0+.

allprojects {
    repositories {
        mavenCentral()
    }
}
android {
    buildFeatures {
        prefab true
    }
}

dependencies {
    implementation 'com.bytedance:bytehook:1.0.0'
}

2. Add dependency in CMakeLists.txt or Android.mk

CMakeLists.txt

find_package(bytehook REQUIRED CONFIG)

add_library(mylib SHARED mylib.c)
target_link_libraries(mylib bytehook::bytehook)

Android.mk

include $(CLEAR_VARS)
LOCAL_MODULE           := mylib
LOCAL_SRC_FILES        := mylib.c
LOCAL_SHARED_LIBRARIES += bytehook
include $(BUILD_SHARED_LIBRARY)

$(call import-module,prefab/bytehook)

3. Specify one or more ABI(s) you need

android {
    defaultConfig {
        ndk {
            abiFilters 'armeabi-v7a', 'arm64-v8a', 'x86', 'x86_64'
        }
    }
}

4. Add packaging options

If you are using bhook in an SDK project, you may need to avoid packaging libbytehook.so into your AAR, so that the app project does not end up with duplicate libbytehook.so files when it is packaged.

android {
    packagingOptions {
        exclude '**/libbytehook.so'
    }
}

On the other hand, if you are using bhook in an APP project, you may need to add packaging options that resolve conflicts caused by duplicate libbytehook.so files.

android {
    packagingOptions {
        pickFirst '**/libbytehook.so'
    }
}

5. Initialize

import com.bytedance.android.bytehook.ByteHook;

public class MySdk {
    public static synchronized void init() {
        ByteHook.init();
    }
}

6. Hook and Unhook

#include "bytehook.h"
bytehook_stub_t bytehook_hook_single(
    const char *caller_path_name,
    const char *callee_path_name,
    const char *sym_name,
    void *new_func,
    bytehook_hooked_t hooked,
    void *hooked_arg);

bytehook_stub_t bytehook_hook_partial(
    bytehook_caller_allow_filter_t caller_allow_filter,
    void *caller_allow_filter_arg,
    const char *callee_path_name,
    const char *sym_name,
    void *new_func,
    bytehook_hooked_t hooked,
    void *hooked_arg);

bytehook_stub_t bytehook_hook_all(
    const char *callee_path_name,
    const char *sym_name,
    void *new_func,
    bytehook_hooked_t hooked,
    void *hooked_arg);

int bytehook_unhook(bytehook_stub_t stub);

These three hook functions hook a single caller dynamic library, a filtered subset of caller dynamic libraries, or all caller dynamic libraries in the process, respectively.

Notice:

  • If you need to call the original function in the proxy function, please always use the BYTEHOOK_CALL_PREV() macro.
  • Make sure to call the BYTEHOOK_POP_STACK() macro before the proxy function returns. In a C++ source file, you can instead call the BYTEHOOK_STACK_SCOPE() macro at the beginning of the proxy function.
  • bhook proxies dlopen() and android_dlopen_ext() internally, so please do not try to hook these two functions. If you want to monitor the loading of ELF, please use bytehook_add_dlopen_callback() and bytehook_del_dlopen_callback().

There is a sample app in the bytehook-sample folder you can refer to.

Contributing

Contributing Guide

License

MIT License

Comments
  • Why can't the open function be hooked on Android 9? The same code works fine on Android 10.

    Android-layer test code:

    File file = new File("/storage/emulated/0/1.txt");
    try {
        FileInputStream fileInputStream = new FileInputStream(file);
        byte[] buf = new byte[(int) file.length()];
        fileInputStream.read(buf);
        fileInputStream.close();
    } catch (IOException e) {
        e.printStackTrace();
    }

    C-layer hook code:

    bytehook_hook_single("libjavacore.so", NULL, "open", open_proxy, open_hooked_callback, NULL);
    bytehook_hook_single("libjavacore.so", NULL, "stat", stat_proxy, stat_hooked_callback, NULL);
    bytehook_hook_single("libjavacore.so", NULL, "read", read_proxy_auto, read_hooked_callback, NULL);

    The callback on Android 9 shows that the hook succeeded:

    bytehook_tag: >>>>> hooked. stub: c6b93ac0, status: 0, caller_path_name: /system/lib/libjavacore.so, sym_name: open, new_func: c5e08ebd, prev_func: e756aefd, arg: 0

    The callback on Android 10 is similar:

    bytehook_tag: >>>>> hooked. stub: ba5d3480, status: 0, caller_path_name: /apex/com.android.runtime/lib/libjavacore.so, sym_name: open, new_func: c04afebd, prev_func: edaa2299, arg: 0

    But in actual testing, with a log line at the entry of open, only the Android 10 device responds:

    LOG("open hooked path(\"%s\")", pathname);

    help wanted invalid 
    opened by LeeKasm 13
  • Hooking pthread_create to capture (Java + native) thread creation, but most threads are not hooked. What is the reason?

    Even when the hook is installed at app startup, most threads are still not hooked. What is the reason?

    bytehook_hook_all(nullptr, "pthread_create", reinterpret_cast<void*>(pthread_create_hook), nullptr, nullptr);

    invalid question 
    opened by beyondckw 8
  • Android 11: a .so loaded by my own app is not hit

    bytehook Version

    1.0.5

    Android OS Version

    11

    Android ABIs

    arm64-v8a

    Device Manufacturers and Models

    oppo

    Describe the Bug

    I used bhook to hook another .so that I loaded myself and found it was not hooked: the .so is not found in maps, the pc hits base.apk, and when I print from bh_elf_manager_iterate_cb inside bhook I do not see this .so. Is this an Android 11 characteristic?

    bug 
    opened by zqhGeek 5
  • A small suggestion about symbol lookup

    https://github.com/bytedance/bhook/blob/19f99d96c5e561b8e3598498024ef1285ee59c83/bytehook/src/main/cpp/bh_elf.c#L499

    Hi. Regarding symbol lookup, I personally think xhook's approach is better: a Bloom filter can give false positives for an item being present, but it gives an exact guarantee for an item being absent. So when a gnu_hash section exists and sym_name is definitely absent according to the gnu_hash Bloom filter, the lookup should not continue.

    opened by Mr-JingShi 5
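The Bloom-filter short-circuit the comment above proposes, as an added example (not bhook's or xhook's code): a small constructed .gnu.hash table with the standard hash, Bloom and chain layout, where a Bloom miss ends the lookup without walking the chain. The table geometry (two buckets, two 32-bit Bloom words, shift 5), the symbol names and the helper names are all chosen for this example.

```c
/* Added example, not bhook's own code: DT_GNU_HASH lookup with the Bloom filter
 * used as a definitive negative pre-check. The table below is a constructed
 * stand-in for the .gnu.hash section of a real ELF. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOOM_BITS 32u     /* ELFCLASS32 Bloom word width (64 for ELFCLASS64) */
#define TOY_NSYMS 4
#define TOY_NBUCKET 2
#define TOY_BLOOM_SIZE 2   /* must be a power of two */

typedef struct {
  uint32_t nbucket, symoffset, bloom_size, bloom_shift;
  uint32_t bloom[TOY_BLOOM_SIZE];
  uint32_t buckets[TOY_NBUCKET];
  uint32_t chains[TOY_NSYMS];
  const char *names[TOY_NSYMS + 1]; /* dynsym names; index 0 is STN_UNDEF */
} toy_gnu_hash_t;

typedef enum { LOOKUP_BLOOM_MISS, LOOKUP_CHAIN_MISS, LOOKUP_FOUND } lookup_result_t;

/* The DT_GNU_HASH string hash: h = h * 33 + c, seeded with 5381. */
uint32_t gnu_hash(const char *name) {
  uint32_t h = 5381;
  for (const unsigned char *p = (const unsigned char *)name; *p; p++) h = (h << 5) + h + *p;
  return h;
}

static uint32_t bloom_mask(const toy_gnu_hash_t *t, uint32_t h) {
  return (1u << (h % BLOOM_BITS)) | (1u << ((h >> t->bloom_shift) % BLOOM_BITS));
}

/* Bloom check: false means the symbol is definitely absent; true means "maybe". */
bool gnu_hash_bloom_maybe_contains(const toy_gnu_hash_t *t, uint32_t h) {
  uint32_t word = t->bloom[(h / BLOOM_BITS) & (t->bloom_size - 1)];
  return (word & bloom_mask(t, h)) == bloom_mask(t, h);
}

/* Build a table laid out the way the linker does: symbols grouped by bucket,
 * each chain entry holding hash & ~1, with bit 0 set on the bucket's last entry. */
void toy_gnu_hash_build(toy_gnu_hash_t *t, const char *const *names, size_t n) {
  memset(t, 0, sizeof *t);
  t->nbucket = TOY_NBUCKET; t->symoffset = 1; t->bloom_size = TOY_BLOOM_SIZE; t->bloom_shift = 5;
  t->names[0] = "";
  uint32_t idx = t->symoffset;
  for (uint32_t b = 0; b < t->nbucket; b++) {
    uint32_t last = 0;
    for (size_t i = 0; i < n && idx <= TOY_NSYMS; i++) {
      uint32_t h = gnu_hash(names[i]);
      if (h % t->nbucket != b) continue;
      t->bloom[(h / BLOOM_BITS) & (t->bloom_size - 1)] |= bloom_mask(t, h);
      if (t->buckets[b] == 0) t->buckets[b] = idx;
      t->names[idx] = names[i];
      t->chains[idx - t->symoffset] = h & ~1u;
      last = idx++;
    }
    if (last != 0) t->chains[last - t->symoffset] |= 1u; /* terminate the chain */
  }
}

/* Lookup as the comment suggests: a Bloom miss ends the search immediately;
 * only a Bloom hit walks the bucket chain and compares names. */
lookup_result_t gnu_hash_lookup(const toy_gnu_hash_t *t, const char *name, uint32_t *sym_index) {
  uint32_t h = gnu_hash(name);
  if (!gnu_hash_bloom_maybe_contains(t, h)) return LOOKUP_BLOOM_MISS;
  uint32_t i = t->buckets[h % t->nbucket];
  if (i == 0) return LOOKUP_CHAIN_MISS;
  for (;; i++) {
    uint32_t c = t->chains[i - t->symoffset];
    if ((c | 1u) == (h | 1u) && strcmp(t->names[i], name) == 0) { *sym_index = i; return LOOKUP_FOUND; }
    if (c & 1u) return LOOKUP_CHAIN_MISS; /* end of this bucket's chain */
  }
}

/* Constructed symbol set standing in for a library's exported functions. */
static const char *const k_toy_symbols[TOY_NSYMS] = {"open", "read", "stat", "mmap"};

/* Build the toy table and look one name up; returns the result code. */
int toy_lookup_code(const char *name) {
  toy_gnu_hash_t t; uint32_t i = 0;
  toy_gnu_hash_build(&t, k_toy_symbols, TOY_NSYMS);
  return (int)gnu_hash_lookup(&t, name, &i);
}

/* Same, but returns the dynsym index of a found name (0 when not found). */
uint32_t toy_lookup_index(const char *name) {
  toy_gnu_hash_t t; uint32_t i = 0;
  toy_gnu_hash_build(&t, k_toy_symbols, TOY_NSYMS);
  return gnu_hash_lookup(&t, name, &i) == LOOKUP_FOUND ? i : 0;
}
```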
  • Has anyone run into the native heap increasing noticeably after enabling hooks?

    bytehook Version

    1.0.0

    Android OS Version

    10.0

    Android ABIs

    armeabi-v7a, arm64-v8a

    Device Manufacturers and Models

    oppo r17

    Describe the Bug

    Tested with a demo app. The hooked functions are mmap, malloc and the like. The trampoline functions only call BYTEHOOK_STACK_SCOPE and BYTEHOOK_CALL_PREV. But after enabling the hooks, the native heap grows a lot. In a real project it is even more obvious: several hundred MB more.

    Hooks disabled: (screenshot)

    Hooks enabled: (screenshot)

    bug 
    opened by maocanmao 4
  • Symbol sigfillset not found on Android 4.4 and similar versions

    Hi: I used xhook before and saw the recommendation to switch to bhook. The description says versions below Android 5 are supported. But in practice I hit a problem: cannot locate symbol "sigfillset"

    Looking at the code, it does use sigfillset; from what I found online this symbol was only introduced in Android 5. So does bhook actually only support Android 5 and above?

    invalid 
    opened by cogbee 4
  • Running a Unity app in the Nox emulator, hooking libunity.so

    I am running bhook on Nox emulator 7.0.0.8 (32-bit), hooking libunity's fseek function or other functions such as fopen. Just calling bytehook_init is fine, but once I call bytehook_hook_single to hook a function, it reports that the hook succeeded and then the app crashes:

    2021-12-17 12:12:00.127 5510-5510/? A/libc: Fatal signal 11 (SIGSEGV), code 1, fault addr 0xfff33011 in tid 5510 (xxx.xxx.xxx)
    2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
    2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: Build fingerprint: 'samsung/dream2qltezh/dream2qltechn:7.1/N2G48H/G9550ZHU1AQEE:user/release-keys'
    2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: Revision: '12'
    2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: ABI: 'x86'
    2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: pid: 5510, tid: 5510, name: xxx.xxx.xxx >>> xxx.xxx.xxx <<<
    2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xfff33011
    2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: eax f66d4127 ebx 98724ff4 ecx 00000001 edx fff32e99
    2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: esi 989a720c edi fff32e99
    2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: xcs 00000073 xds 0000007b xes 0000007b xfs 0000003b xss 0000007b
    2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: eip 984fa373 ebp 988c67e4 esp bfa9c334 flags 00010282
    2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: backtrace:
    2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: #00 pc 00238373 /system/lib/libhoudini.so

    My app only ships arm32 and arm64, not x86, so on the emulator it should be running as arm32. It is probably caused by the libhoudini.so binary translation. Your demo, built with only arm32 and arm64, runs fine on the emulator.

    opened by CrazyStormer 4
  • @caikelun hook timing

    @caikelun Thanks for the reply! I tried over the last two days but did not find a good solution. The reason is that dl_iterate_phdr and dlopen inside the linker share a mutex, and the .init and .init_array calls happen inside dlopen, so the ELF cannot be read until dlopen finishes 😭

    Could one start from the exported symbol __dl__ZN6soinfo17call_constructorsEv?

    opened by fh2002 3
  • Crash when hooking a constructor

    bytehook Version

    1.0.6

    Android OS Version

    10.0

    Android ABIs

    armeabi-v7a

    Device Manufacturers and Models

    pixel 1

    Describe the Bug

    I want to hook the android::base::LogMessage::LogMessage constructor in Android's libbase.so. The hook code is as follows:

    namespace android {
    namespace base {

        enum LogSeverity {
            VERBOSE,
            DEBUG,
            INFO,
            WARNING,
            ERROR,
            FATAL_WITHOUT_ABORT,
            FATAL,
        };

        enum LogId {
            DEFAULT,
            MAIN,
            SYSTEM,
        };

        void LogMessage(const char *file, unsigned int line, LogId id, LogSeverity severity,
                        const char *tag, int error) {
            BYTEHOOK_STACK_SCOPE();
            ALOGD("LogMessage %s", file);
            BYTEHOOK_CALL_PREV(LogMessage, file, line, id, severity, tag, error);
        }

        void HookCallback(bytehook_stub_t task_stub, int status,
                          const char *caller_path_name, const char *sym_name,
                          void *new_func, void *prev_func, void *hooked_arg) {
            ALOGE("hook: %s-%s-%d", caller_path_name, sym_name, status);
        }

        void hook() {
            bytehook_hook_single("libart.so", "libbase.so",
                                 "_ZN7android4base10LogMessageC2EPKcjNS0_5LogIdENS0_11LogSeverityES3_i",
                                 reinterpret_cast<void *>(LogMessage), HookCallback, NULL);
        }

    }
    }

    Then at runtime it crashes when BYTEHOOK_CALL_PREV calls the original function. The crash stack is as follows: (screenshot)

    Could you help me take a look at what is going on?

    bug good first issue 
    opened by pengood 2
  • BYTESIG_TRY does not seem to take effect

    bytehook Version

    1.0.6

    Android OS Version

    13

    Android ABIs

    arm64-v8a

    Device Manufacturers and Models

    Pixel 5

    Describe the Bug

    I tried to use BYTESIG_TRY and found that it does not catch the exception. Below is my test code:

    void init_once(void) {
    //    bytesig_init(SIGSEGV);
    //    bytesig_init(SIGBUS);
    //    bytesig_init(SIGILL);
        bytesig_init(SIGTRAP);
        // ......
    }

    void crashTest1(void) {
        int i;
        init_once();
        LOG("crashTest");
        int *p = NULL;
        BYTESIG_TRY(SIGABRT)
        {
    //        call_some_native_function();
            *p = 2;
        }
        BYTESIG_CATCH(signum, code)
        {
            LOG("signum %d (code %d)", signum, code);
        }
        BYTESIG_EXIT
    }

    With this test code, the crash still happens: (screenshot)

    bug invalid 
    opened by AriaLyy 2
  • Hooking a JNI method fails

    bytehook Version

    1.0.6

    Android OS Version

    12

    Android ABIs

    armeabi-v7a

    Device Manufacturers and Models

    mix4

    Describe the Bug

    When I try to hook a JNI method, the hook fails.

    This is my JNI method:

    JNIEXPORT void JNICALL
    Java_com_lyy_crashhook_NativeLib_stringFromJNI(JNIEnv *env, jobject thiz) {
        LOG("Java_com_lyy_crashhook_NativeLib_stringFromJNI");
    }

    This is my hook code:

    bytehook_hook_single("libhookee.so", NULL, "Java_com_lyy_crashhook_NativeLib_stringFromJNI",
                         (void *) open_proxy_manual,
                         crash_hooked_callback,
                         NULL);

    The result is always:

    hooked. stub: b4000072fbc7f100, status: 13, caller_path_name: /data/app/~~rQpm4GQxSoUuAhD1gtXleA==/com.lyy.invorkhook-qoYvtStS3UiRqUyF-62m4Q==/lib/arm64/libhookee.so, sym_name: Java_com_lyy_crashhook_NativeLib_stringFromJNI, new_func: 72edc6e958, prev_func: 0, arg: 0
    
    
    bug invalid 
    opened by AriaLyy 2
  • armeabi-v7a hook fails, while the xhook library succeeds

    bytehook Version

    1.0.5

    Android OS Version

    6.0

    Android ABIs

    armeabi-v7a

    Device Manufacturers and Models

    emulator

    Describe the Bug

    ANDROID_API < 21, runtime API level = 23. I tried modifying it: by default the code does not go through /proc/self/maps; after changing it to go through /proc/self/maps, part of it succeeds, but the app crashes.

    bug 
    opened by richcx 3
  • bhook's dlopen callback does not observe a loaded .so

    bytehook Version

    1.0.5

    Android OS Version

    6

    Android ABIs

    armeabi-v7a

    Device Manufacturers and Models

    xiaomi 4

    Describe the Bug

    I registered callbacks with bytehook_add_dlopen_callback(dlopen_pre_callback, dlopen_callback, NULL); and found that loading a .so is not observed. So I modified bh_hook_manager_verify_got_value to print some logs:

    rs = dladdr(*((void **)got_addr), &info);
    BH_LOG_INFO("dladdr: %s got_addr=%p callee: %s %s", got_addr, info.dli_fname, info.dli_sname);
    ...
    if (NULL == info.dli_sname) {
        ElfW(Sym) *sym = bh_elf_find_export_func_symbol_by_symbol_name(callee_elf, task->sym_name);
        BH_LOG_INFO("callee: %s(%s), sym:%p", callee_elf->pathname, task->sym_name, sym);
        if (NULL != sym && STT_GNU_IFUNC == ELF_ST_TYPE(sym->st_info)) {
            BH_LOG_INFO("hook chain: verify bypass ifunc: %s in %s", task->sym_name, info.dli_fname);
            r = 0;
        }
    }

    The log is as follows:

    06-22 18:23:57.609 32110-32110/? I/bhook: hook symbol(dlopen) in /system/lib/libart.so
    06-22 18:23:57.609 32110-32110/? I/bhook: trampo: created for GOT b4abcbf0 at b5de608c, size 20 + 8 = 28
    06-22 18:23:57.609 32110-32110/? I/bhook: hook chain: created for GOT b4abcbf0, orig func ab53e961
    06-22 18:23:57.609 32110-32110/? I/bhook: hook chain: add(new) func, GOT b4abcbf0, func b377cf61
    06-22 18:23:57.610 32110-32110/? I/bhook: dladdr got_addr=b4abcbf0 callee: /system/lib/libsechook.so (null)
    06-22 18:23:57.610 32110-32110/? I/bhook: /system/lib/libsechook.so(dlopen), sym:0x0
    06-22 18:23:57.610 32110-32110/? I/bhook: hook chain: del func, GOT b4abcbf0, func b377cf61

    Could the problem be that dlopen has already been hooked by another library (/system/lib/libsechook.so), so bhook does not handle it?

    bug 
    opened by fh2002 0
  • Newly loaded dynamic libraries may not be hooked by automatic hooking

    I use bhook in production, version v1.0.3, to hook a dynamically downloaded .so, and found cases where the .so was already loaded but bhook did not hook it automatically. The probability is fairly low.

    I found a reproduction scenario: bhook did not observe the library load right away, so it did not hook it either: 1. Thread 1 initializes bhook, calling Bytehook.init and then bytehook_hook_single; 2. Thread 2 loads some .so.

    Here are the reproduction environment and code:

    bhook version: v1.0.3; device: OnePlus6, Android 10

    I changed some code to make the problem reproduce:

    void bh_task_manager_hook(bh_task_manager_t *self, bh_task_t *task)
    {
        if(bh_dl_monitor_is_initing())
        {
            static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
            static bool oneshot_refreshed = false;
            if(!oneshot_refreshed)
            {
                bool hooked = false;
                pthread_mutex_lock(&lock);
                if(!oneshot_refreshed)
                {
                    BH_LOG_INFO("task_id:%u, hit init", task->id);
                    bh_dl_monitor_dlclose_rdlock();
                    bh_elf_manager_refresh(bh_core_global()->elf_mgr, false, NULL, NULL);
                    BH_LOG_INFO("sleep start...");  // after reading maps, pause for a while; meanwhile another app thread loads a new .so, simulating a dynamically loaded .so arriving at a random time
                    sleep(10);
                    BH_LOG_INFO("sleep end...");
                    bh_task_hook(task);
                    bh_dl_monitor_dlclose_unlock();
                    oneshot_refreshed = true;
                    hooked = true;
                }
                pthread_mutex_unlock(&lock);
                if(hooked) return;
            }
        }
        else
        {
            // start & check dl-monitor
            if(0 != bh_task_manager_init_dl_monitor(self))
            {
                // For internal tasks in the DL monitor, this is not an error.
                // But these internal tasks do not set callbacks, so there will be no side effects.
                bh_task_hooked(task, BYTEHOOK_STATUS_CODE_INITERR_DLMTR, NULL, NULL);
                return;
            }
        }
    
        BH_LOG_INFO("task_id:%u start hook", task->id);
    
        bh_dl_monitor_dlclose_rdlock();
        bh_task_hook(task);
        bh_dl_monitor_dlclose_unlock();
    }
    

    Roughly, the flow is: bhook first hooks the dlopen family of functions; it calls bh_elf_manager_refresh once to cache the current .so information, then runs the hook-dlopen task. If another .so is loaded in between, bhook misses these new .so files, as if it never observed them. There is a partial remedy: if a later .so load calls dlopen, that triggers bh_elf_manager_refresh to refresh the cache again, the previously missed .so files are added and their hook tasks run, so the hook merely appears delayed. If nothing later triggers bh_elf_manager_refresh, this hook simply fails.

    I feel this situation cannot be avoided completely. If high reliability is required, can I call refresh periodically, like the way xhook is used?

    bug enhancement 
    opened by flx413 4
  • Is it possible to hook calls made from .init_array?

    From the principle, bhook's hooks should take effect after dlopen? I have a requirement: dlopen executes the code in the .init and .init_array sections, and I need to hook a function that is called from .init_array. From my local attempts the hook is ineffective, because the hook has not been applied yet during the dlopen stage. Is there any other way to achieve this?

    (screenshot)

    enhancement 
    opened by yimun 3
  • Android 5.1.1, AUTOMATIC mode: a .so loaded afterwards cannot be hooked

    Phone: Xiaomi MI NOTE Pro; system: Android 5.1.1; bhook: 1.0.3

    bytehook_init(BYTEHOOK_MODE_AUTOMATIC, true);
    bytehook_hook_all(nullptr, "getaddrinfo", (void*)MY_getaddrinfo, hookCallbac, nullptr);
    

    If WebView is loaded after the code above has run, libwebviewchromium.so cannot be hooked. But if WebView is loaded first and the code above runs afterwards, libwebviewchromium.so can be hooked.

    opened by 0x6666 5
Releases(v1.0.7)
  • v1.0.7(Dec 6, 2022)

    Bugs fixed

    1. Fix the bug that part of ELF cannot be hooked in Android 4.x.

    The first LOAD segment of an ELF may be read-only (when it is linked with the --rosegment linker option), in which case /proc/self/maps looks like this:

    75b8d000-75b9f000 r--p 00000000 b3:1c 89884 /data/app-lib/io.hexhacking.xdl.sample-2/libquick.so
    75b9f000-75bde000 r-xp 00012000 b3:1c 89884 /data/app-lib/io.hexhacking.xdl.sample-2/libquick.so
    75bde000-75be1000 r--p 00051000 b3:1c 89884 /data/app-lib/io.hexhacking.xdl.sample-2/libquick.so
    75be1000-75be2000 rw-p 00054000 b3:1c 89884 /data/app-lib/io.hexhacking.xdl.sample-2/libquick.so
    

    In previous ByteHook versions, this type of ELF could not be hooked in Android 4.x.

    2. Fix the bug that the wrong initialization state may be returned when ByteHook#init() is called concurrently.

    init() could report that initialization had completed while it was in fact still in progress.

    Improve

    1. Avoid additional acquisition of the linker's global mutex lock during initialization.

    ByteHook needs to obtain several symbol addresses in libc.so through dlopen and dlsym during initialization. These operations need to hold the linker's global mutex lock. We moved the above operations to .init_array of libbytehook.so.

  • v1.0.6(Sep 27, 2022)

    Announcements

    • Compatible with Android 13.

    Bugs fixed

    • Fix a native crash in the bh_dl_iterate module on Android 4.x.

    In Android 4.x, the system does not provide the dl_iterate_phdr function, so we traverse the ELF list by scanning maps. During traversal, since the previous implementation did not hold the linker's global mutex, the ELF may already have been dlclosed by the time we read its ELF header, which caused a crash. The solution is to hold the linker's global mutex while scanning the maps.

    • Fixed a bug where specifying callee_path_name when hooking caused unhook to fail.

    This is caused by a program logic error.

    Improve

    • Update version for NDK, CMake, gradle and AGP.

  • v1.0.5(Mar 21, 2022)

    Bugs fixed

    • Fixed an issue where calling dlclose in some proxy functions could cause a deadlock.

    This is a very rare case: in the hook operation flow of ByteHook itself, some functions used are hooked, and dlclose is called in the proxy function. For example: the call of mmap to mmap64 in libc.so is hooked, and dlclose is called in mmap64_proxy. ByteHook can prevent itself from being hooked by PLT, but cannot prevent other dynamic libraries on the call chain from being hooked.

    New features

    • Added interfaces (native layer bytehook_add_ignore and java layer addIgnore) for setting the dynamic libraries that need to be ignored globally.

    We may need to ignore some dynamic libraries globally. For example, some hardened dynamic libraries from third parties may contain unknown protection defects, and executing hooks on them may cause unknown problems. ByteHook's own internal hooks of dlopen and dlclose are not applied to ignored libraries either.

    Improve

    • Add clang_format configuration and format code.
    • Add java checkstyle configuration.
    • Update version for gradle and AGP.

  • v1.0.4(Dec 27, 2021)

    Improve

    • Reduce the memory footprint of the recording module.
    • Enable LLVM ICF and machine outliner.

  • v1.0.3(Nov 5, 2021)

    Bugs fixed

    Fix an occasional crash bug

    Fix an occasional crash bug caused by GOT table data reading.

    Improve

    Enhanced hook capability

    In some special cases, the dynamic library will call its own function through PLT, but the called function is not an exported function, so it is not in .hash and .gnu.hash. In the previous implementation, this kind of PLT call could not be hooked.

    Improve the performance of the proxy function

    In the previous implementation, when a thread executes a proxy function for the first time, it will call mmap and prctl once.

    Added hook / unhook operation recording module

    We have added a module for recording hook / unhook operation records and the corresponding data export interface. You can use these data to count the success rate of hook / unhook, the reason for operation failure, etc. You can also make a comprehensive analysis of these data and app crash information.

  • v1.0.2(Sep 3, 2021)

    Bugs fixed

    Fix a crash in manual mode

    In manual mode, the caller needs to save the original function address in the hooked callback first, and then we can replace the address in the GOT. Otherwise, it may crash due to timing issues. So we added an additional callback (status code is BYTEHOOK_STATUS_CODE_ORIG_ADDR) to the manual mode to allow the caller to save the original function address.

    Thanks to the contributors from iQiyi Video.

    Fix a deadlock bug

    If dlopen or dlclose is called from .init_array or .fini_array, a deadlock may occur between the linker mutex and the dlclose-proxy rwlock.

    Thanks to the contributors from iQiyi Video and Toutiao.

  • v1.0.1(Aug 18, 2021)

    Bugs fixed

    • Fix the bug in the CFI check bypass mechanism in arm64/x86_64. This bug will cause the CFI check bypass mechanism to fail after running for a period of time, and then cause a crash.
    • Add proguard.txt to AAR to keep all native methods.

    Improve

    • Upgrade the NDK version to 23.0.7599858.

  • v1.0.0(Aug 11, 2021)
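The --rosegment layout described in the v1.0.7 release note above, as an added example (not bhook's own code): a /proc/self/maps line parser that locates an ELF's load base by its offset-0 mapping regardless of permissions, beside an assumed exec-only heuristic that misses this layout. The maps lines are the ones quoted in the release note, embedded here as input; the function names are chosen for this example.

```c
/* Added example, not bhook's own code: finding an ELF's load base from
 * /proc/self/maps when the first LOAD segment is read-only (--rosegment).
 * On Android 4.x there is no dl_iterate_phdr, so maps scanning is the only
 * way to enumerate loaded ELFs. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
  uintptr_t start, end;
  char perms[5];
  uintptr_t offset;
  char path[256];
} maps_entry_t;

/* Parse one maps line: "start-end perms offset dev inode [path]". */
bool maps_parse_line(const char *line, maps_entry_t *e) {
  unsigned long long start, end, offset;
  int consumed = 0;
  memset(e, 0, sizeof *e);
  if (sscanf(line, "%llx-%llx %4s %llx %*s %*s%n", &start, &end, e->perms, &offset, &consumed) < 4)
    return false;
  e->start = (uintptr_t)start; e->end = (uintptr_t)end; e->offset = (uintptr_t)offset;
  /* The path, if any, follows the inode after whitespace (anonymous maps have none). */
  const char *p = line + consumed;
  while (*p == ' ' || *p == '\t') p++;
  size_t len = strcspn(p, "\r\n");
  if (len >= sizeof e->path) len = sizeof e->path - 1;
  memcpy(e->path, p, len);
  e->path[len] = '\0';
  return true;
}

/* Walk the maps text line by line and return the start of the first mapping
 * of `pathname` with file offset 0 (the mapping that holds the ELF header).
 * With require_exec the mapping must also be executable. A real scanner
 * should additionally verify the ELF magic at the returned address. */
static uintptr_t scan_for_base(const char *maps, const char *pathname, bool require_exec) {
  const char *line = maps;
  while (*line) {
    const char *nl = strchr(line, '\n');
    size_t len = nl ? (size_t)(nl - line) : strlen(line);
    char buf[512];
    if (len < sizeof buf) {
      memcpy(buf, line, len);
      buf[len] = '\0';
      maps_entry_t e;
      if (maps_parse_line(buf, &e) && e.offset == 0 && strcmp(e.path, pathname) == 0 &&
          (!require_exec || strchr(e.perms, 'x') != NULL))
        return e.start;
    }
    if (!nl) break;
    line = nl + 1;
  }
  return 0;
}

/* Assumed legacy heuristic (not bhook's actual code): key on the first
 * executable mapping at offset 0. For a --rosegment ELF that mapping is
 * r--p, so this finds nothing. */
uintptr_t find_elf_base_exec_only(const char *maps, const char *pathname) {
  return scan_for_base(maps, pathname, true);
}

/* Fixed rule: the base is the offset-0 mapping whatever its permissions. */
uintptr_t find_elf_base(const char *maps, const char *pathname) {
  return scan_for_base(maps, pathname, false);
}

/* Constructed input: the maps excerpt from the v1.0.7 release note. */
static const char k_sample_maps[] =
  "75b8d000-75b9f000 r--p 00000000 b3:1c 89884 /data/app-lib/io.hexhacking.xdl.sample-2/libquick.so\n"
  "75b9f000-75bde000 r-xp 00012000 b3:1c 89884 /data/app-lib/io.hexhacking.xdl.sample-2/libquick.so\n"
  "75bde000-75be1000 r--p 00051000 b3:1c 89884 /data/app-lib/io.hexhacking.xdl.sample-2/libquick.so\n"
  "75be1000-75be2000 rw-p 00054000 b3:1c 89884 /data/app-lib/io.hexhacking.xdl.sample-2/libquick.so\n";

static const char k_sample_path[] = "/data/app-lib/io.hexhacking.xdl.sample-2/libquick.so";
```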

Owner
Bytedance Inc.