YAHFA is a hook framework for Android ART. It provides an efficient way for Java method hooking or replacement. Currently it supports:
- Android 5.0(API 21)
- Android 5.1(API 22)
- Android 6.0(API 23)
- Android 7.0(API 24)
- Android 7.1(API 25)
- Android 8.0(API 26)
- Android 8.1(API 27)
- Android 9.0(API 28)
YAHFA is utilized by VirtualHook so that applications can be hooked without root permission.
Import and build the project in Android Studio(with Instant Run disabled). There are three modules:
library. This is the YAHFA library module, which compiles to
demoApp. This is a demo app which would load and apply the plugin.
demoPlugin. This is a demo plugin which contains the hooks and would be loaded by
First please take a look at demoPlugin on how to create a hook plugin.
To apply hooks, first create a new
DexClassLoader which loads the plugin file:
DexClassLoader dexClassLoader = new DexClassLoader("/sdcard/demoPlugin-debug.apk", getCodeCacheDir().getAbsolutePath(), null, classLoader);
HookMain and call
HookMain hookMain = new HookMain(); hookMain.doHookDefault(dexClassLoader, classLoader);
You can also omit the default helper and call the following function instead:
public void findAndBackupAndHook(Class targetClass, String methodName, String methodSig, Method hook, Method backup);
Workaround for Method Inlining
Hooking would fail for methods that are compiled to be inlined. For example:
0x00004d5a: f24a7e81 movw lr, #42881 0x00004d5e: f2c73e11 movt lr, #29457 0x00004d62: f6495040 movw r0, #40256 0x00004d66: f2c70033 movt r0, #28723 0x00004d6a: 4641 mov r1, r8 0x00004d6c: 1c32 mov r2, r6 0x00004d6e: 47f0 blx lr
Here the value of register
lr is hardcoded instead of reading from entry point field of
A simple workaround is to build the APP with debuggable option on, in which case the inlining optimization will not apply. However the option
dex2oat is not available until API 23. So please take a look at machine instructions of the target when the hook doesn't work.
YAHFA is distributed under GNU GPL V3.