Android 10 无法hook程序自己的函数 ( App cannot hook the method in itself on Android10 )

[Mivik]

Considering some contributors may not understand Chinese, I added a English translation for this issue.

错误点（Crash Reason）：

[thread.cc:3532] Check failed: exception != nullptr 

堆栈（Stacktrace）：

"main" prio=5 tid=1 Runnable
  | group="" sCount=0 dsCount=0 flags=0 obj=0x75a403c8 self=0x7ef6a8ec00
  | sysTid=5327 nice=0 cgrp=default sched=0/0 handle=0x7f7cb2ced0
  | state=R schedstat=( 618345698 42182189 165 ) utm=48 stm=13 core=1 HZ=100
  | stack=0x7fd2b26000-0x7fd2b28000 stackSize=8192KB
  | held mutexes= "abort lock" "mutator lock"(shared held)
  native: #00 pc 0000000000410928  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 3ed000) (art::DumpNativeStack(std::__1::basic_ostream<char, std::__1::char_traits<char>>&, int, BacktraceMap*, char const*, art::ArtMethod*, void*, bool)+140)
  native: #01 pc 00000000004f8080  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 4ba000) (art::Thread::DumpStack(std::__1::basic_ostream<char, std::__1::char_traits<char>>&, bool, BacktraceMap*, bool) const+512)
  native: #02 pc 00000000005129bc  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 4ba000) (art::DumpCheckpoint::Run(art::Thread*)+828)
  native: #03 pc 000000000050b7e0  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 4ba000) (art::ThreadList::RunCheckpoint(art::Closure*, art::Closure*)+456)
  native: #04 pc 000000000050acc4  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 4ba000) (art::ThreadList::Dump(std::__1::basic_ostream<char, std::__1::char_traits<char>>&, bool)+1964)
  native: #05 pc 00000000004b805c  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 4b8000) (art::Runtime::Abort(char const*)+1452)
  native: #06 pc 000000000000b458  /system/lib64/libbase.so (android::base::LogMessage::~LogMessage()+580)
  native: #07 pc 0000000000503c40  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 4ba000) (art::Thread::QuickDeliverException()+1720)
  native: #08 pc 0000000000590354  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 4ba000) (artDeliverPendingExceptionFromCode+8)
  native: #09 pc 000000000013f404  /apex/com.android.runtime/lib64/libart.so (art_quick_generic_jni_trampoline+324)
  native: #10 pc 000000000013f31c  /apex/com.android.runtime/lib64/libart.so (art_quick_generic_jni_trampoline+92)
  native: #11 pc 00000000001365b8  /apex/com.android.runtime/lib64/libart.so (art_quick_invoke_static_stub+568)
  native: #12 pc 000000000014500c  /apex/com.android.runtime/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+276)
  native: #13 pc 00000000002e27cc  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 296000) (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+384)
  native: #14 pc 00000000002dda2c  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 296000) (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+892)
  native: #15 pc 00000000005a27c0  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 4ba000) (MterpInvokeStatic+372)
  native: #16 pc 0000000000130994  /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_static+20)
  native: #17 pc 0000000000004878  /data/app/com.mivik.yahfa-vhL7-lC5ql5DkhF_SNhCEg==/oat/arm64/base.vdex (com.mivik.yahfa.MainActivity.onCreate+14)
  native: #18 pc 000000000059ffac  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 4ba000) (MterpInvokeVirtual+1352)
  native: #19 pc 0000000000130814  /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_virtual+20)
  native: #20 pc 00000000001b0002  /system/framework/framework.jar (android.app.Activity.performCreate+38)
  native: #21 pc 000000000059ffac  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 4ba000) (MterpInvokeVirtual+1352)
  native: #22 pc 0000000000130814  /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_virtual+20)
  native: #23 pc 00000000001affc2  /system/framework/framework.jar (android.app.Activity.performCreate+2)
  native: #24 pc 000000000059ffac  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 4ba000) (MterpInvokeVirtual+1352)
  native: #25 pc 0000000000130814  /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_virtual+20)
  native: #26 pc 0000000000211f0a  /system/framework/framework.jar (android.app.Instrumentation.callActivityOnCreate+6)
  native: #27 pc 000000000059ffac  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 4ba000) (MterpInvokeVirtual+1352)
  native: #28 pc 0000000000130814  /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_virtual+20)
  native: #29 pc 000000000019ed0c  /system/framework/framework.jar (android.app.ActivityThread.performLaunchActivity+752)
  native: #30 pc 00000000005a22b8  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 4ba000) (MterpInvokeDirect+1100)
  native: #31 pc 0000000000130914  /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_direct+20)
  native: #32 pc 000000000019e98a  /system/framework/framework.jar (android.app.ActivityThread.handleLaunchActivity+94)
  native: #33 pc 000000000059ffac  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 4ba000) (MterpInvokeVirtual+1352)
  native: #34 pc 0000000000130814  /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_virtual+20)
  native: #35 pc 00000000002826ae  /system/framework/framework.jar (android.app.servertransaction.LaunchActivityItem.execute+126)
  native: #36 pc 000000000059ffac  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 4ba000) (MterpInvokeVirtual+1352)
  native: #37 pc 0000000000130814  /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_virtual+20)
  native: #38 pc 0000000000284bfa  /system/framework/framework.jar (android.app.servertransaction.TransactionExecutor.executeCallbacks+154)
  native: #39 pc 000000000059ffac  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 4ba000) (MterpInvokeVirtual+1352)
  native: #40 pc 0000000000130814  /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_virtual+20)
  native: #41 pc 0000000000284b36  /system/framework/framework.jar (android.app.servertransaction.TransactionExecutor.execute+146)
  native: #42 pc 000000000059ffac  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 4ba000) (MterpInvokeVirtual+1352)
  native: #43 pc 0000000000130814  /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_virtual+20)
  native: #44 pc 000000000019d87a  /system/framework/framework.jar (android.app.ActivityThread$H.handleMessage+86)
  native: #45 pc 000000000059ffac  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 4ba000) (MterpInvokeVirtual+1352)
  native: #46 pc 0000000000130814  /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_virtual+20)
  native: #47 pc 0000000000321892  /system/framework/framework.jar (android.os.Handler.dispatchMessage+38)
  native: #48 pc 000000000059ffac  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 4ba000) (MterpInvokeVirtual+1352)
  native: #49 pc 0000000000130814  /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_virtual+20)
  native: #50 pc 00000000003469c0  /system/framework/framework.jar (android.os.Looper.loop+484)
  native: #51 pc 00000000005a2a5c  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 4ba000) (MterpInvokeStatic+1040)
  native: #52 pc 0000000000130994  /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_static+20)
  native: #53 pc 00000000001a7b14  /system/framework/framework.jar (android.app.ActivityThread.main+196)
  native: #54 pc 00000000002b3ae0  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 296000) (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEbb.llvm.15102659631621532397+240)
  native: #55 pc 0000000000591254  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 4ba000) (artQuickToInterpreterBridge+1032)
  native: #56 pc 000000000013f468  /apex/com.android.runtime/lib64/libart.so (art_quick_to_interpreter_bridge+88)
  native: #57 pc 00000000001365b8  /apex/com.android.runtime/lib64/libart.so (art_quick_invoke_static_stub+568)
  native: #58 pc 000000000014500c  /apex/com.android.runtime/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+276)
  native: #59 pc 00000000004afc58  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 459000) (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+104)
  native: #60 pc 00000000004b17fc  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 459000) (art::InvokeMethod(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jobject*, _jobject*, unsigned long)+1480)
  native: #61 pc 000000000043cba0  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 3ed000) (art::Method_invoke(_JNIEnv*, _jobject*, _jobject*, _jobjectArray*)+52)
  at com.mivik.yahfa.TestClass.foo(Native method)
  at com.mivik.yahfa.MainActivity.onCreate(MainActivity.java:11)
  at android.app.Activity.performCreate(Activity.java:7894)
  at android.app.Activity.performCreate(Activity.java:7881)
  at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1307)
  at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3289)
  at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3453)
  at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:83)
  at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:135)
  at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:95)
  at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2050)
  at android.os.Handler.dispatchMessage(Handler.java:107)
  at android.os.Looper.loop(Looper.java:224)
  at android.app.ActivityThread.main(ActivityThread.java:7567)
  at java.lang.reflect.Method.invoke(Native method)
  at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:539)
  at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:950)

架构（Architecture）：arm64

系统（System Version）：Android 10

源码 Source Code

这个 demoApp 的功能是弹出两个简单的随机内容的 toast，内容来自TestClass.foo方法。demo中用两种方法达成在 toast 的内容后面追加" (Hooked)"的目的：

1. 直接 hook TestClass.foo 方法，修改其返回值

2. hook 系统的 Toast.makeText 方法

目前只有第二种方法能成功，第一种方法出现了以上所述的问题

p.s. 切换两种方式可在 Hooker.java 的第20行找到

---

The demoApp above displays two simple toasts with random content generated from TestClass.foo method. The demo uses the following two ways to append " (Hooked)" to the toast content:

1. hook TestClass.foo method and modify its return value

2. hook Toast.makeText method and modify its argument before calling the original method.

However, as tested on my phone, only the second way worked, and the first way caused the error above.

p.s. You can switch between these two ways by modifying Hooker.java around line 20.

[rk700]

先试下release版本是否会复现，如果系统的方法可以被hook而自定义的方法失败

[Mivik]

先试下release版本是否会复现，如果系统的方法可以被hook而自定义的方法失败

测试过了，在 Android10 上 release 和 debug 架构都是和 issue 中所述相同的问题。（且分别在 Android10 的模拟器和物理机上取得了同样的结果）

此外，额外追加了 Android7 的测试，发现 Android7 在 release 和 debug 架构中出现了相同的问题：系统的方法可以被 hook，但自己的方法虽然日志中正常输出 （"hook done"），但调用时却依旧调用的是原方法。代码没有经过任何更改，还是原来的那一份

[rk700]

把

TestClass.class.getDeclaredMethod("foo", long.class),

改成

Class.forName("com.mivik.yahfa.TestClass").getDeclaredMethod("foo", long.class)

试试

[Mivik]

把

TestClass.class.getDeclaredMethod("foo", long.class),

改成

Class.forName("com.mivik.yahfa.TestClass").getDeclaredMethod("foo", long.class)

试试

成了

但本人很困惑，为什么这两种操作造成的结果最后是不一样的？他们获取到的不应该是同一个操作对象吗？

[rk700]

直接访问TestClass.class不会初始化TestClass，但Class.forName("TestClass")会。

[Mivik]

懂了，差不多是在类初始化之前 hook 函数，在类初始化之后又会被覆盖掉... 的意思吧？（应该是

谢谢了

[Mivik]

不过又有一个新的问题出现了.. （（（

依旧是原来的代码，多次启动程序（或者多次调用被 hook 的方法），会概率性（1/3左右）出现 这个问题（来自模拟器）。由于物理机上和模拟器上得到的问题一致，我就不重复贴了。注意模拟器是 x86 架构的。

上面这个问题在 Android10 的物理机和模拟器上的 release 和 debug 架构都出现了，在 Android7 上均没有问题。

[Mivik]

讲道理是我的问题，我用的YAHFA是前几天的没有pull，pull之后修复了