Build an .so file to automatically do the android_native_hook work. Supports ARM64 ! With this, tools like Xposed can do android native hook.
Switch branches/tags
Nothing to show
Clone or download
Latest commit 8d0d661 Sep 30, 2018
Permalink
Failed to load latest commit information.
.vscode fix work Sep 29, 2018
jni fix work Sep 29, 2018
libs/arm64-v8a fix work Sep 29, 2018
obj/local fix work Sep 29, 2018
README.md readme Sep 30, 2018
STACK1.pdf readme Sep 30, 2018
STACK1.png readme Sep 30, 2018
STACK2.pdf readme Sep 30, 2018
STACK2.png readme Sep 30, 2018
arm64hook.pdf readme Sep 30, 2018
arm64hook.png readme Sep 30, 2018
arm64hook.vsdx readme Sep 30, 2018
arm64hook4.png readme Sep 30, 2018
stack.pdf readme Sep 30, 2018
stack.vsdx readme Sep 30, 2018
stack.xlsx readme Sep 30, 2018

README.md

Android Inline Hook ARM64

This is the ARM64 version of Android Inline Hook. I highly recommend you to view Android Inline Hook first.

This arm64-version is almost finished. But I still need some time on the docs and code-fix work. Thank you for your patience!

Android Inline Hook

This project make an Android .so file that can automatically do some native hook works.

It mainly use Android Inline Hook, not PLT Hook.

If you can read Chinese or wanna see more picture, I've wrote some articles about this repo and the first one is the main article. I highly recommend you to read the articles before reading the code. These article will save you a lot of time, I promise.

  1. Android Inline Hook Practice
  2. Opcode Fix In Android Inline Hook
  3. An Introduction to Android Native Hook
  4. Android Inline Hook ARM64 Practice

Articles in English

I've received several e-mails and all the questions in them have been written in the Chinese articles. So i think it's necessary translate some part of the articles in English. I will try my best to tanslate more part and the parts metioned by the questions in issue will have high priority.

  1. Android Inline Hook Practice EN

Features

  1. No ptrace -- So the anti-debug tech won't affect on this tool.
  2. Auto run -- Just use Xposed or other tools to load it into the memory and it will do the native hook work.
  3. Pure inline hook -- No other imprint left so it's hard to anti.
  4. Flexible -- Fine docs for users to understand the code and change it on your own perpose.
  5. Active support -- Brand new so I'm still keen on fix the bugs and arm32/thumb-2/arm64 has been finished one by one.

How To Use

The only thing you have to change is the code in InlineHook.cpp.

You can name the __attribute__((constructor)) ModifyIBored() function at your will and change the follow arg in it:

  1. pModuleBaseAddr is the address of your target so.
  2. target_offset is the offset of your hook point in the target so.

EvilHookStubFunctionForIBored function is the thing you really wanna do when the hook works. You can name at your will, but keep the arg (pt_regs *regs). It brings you the power to control the registers, like set r0 to 0x333 : regs->uregs[0]=0x333;.

After you finish the args above, just ndk-build and you will get your .so file.

ARM64 Design

Example

I've make some examples in other repo, it includes code and the target APK file.

  1. thumb-2 example
  2. arm32 example

Contact

I believe that this project still has some problems. If you find some bugs or have some problems, you can send e-mail to gtoad1994@aliyun.com. I wish we can fix it together!

Reference

Game Security Lab of Tencent

Ele7enxxh's Blog