• Stars
    star
    4,063
  • Rank 10,700 (Top 0.3 %)
  • Language
    C
  • License
    Other
  • Created over 6 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

🔥 A PLT hook library for Android native ELF.

xhook

xHook

README 中文版

Android PLT hook 概述 中文版

xHook is a PLT (Procedure Linkage Table) hook library for Android native ELF (executable and shared libraries).

xHook has been keeping optimized for stability and compatibility.

Features

  • Support Android 4.0 - 10 (API level 14 - 29).
  • Support armeabi, armeabi-v7a, arm64-v8a, x86 and x86_64.
  • Support ELF HASH and GNU HASH indexed symbols.
  • Support SLEB128 encoded relocation info.
  • Support setting hook info via regular expressions.
  • Do not require root permission or any system permissions.
  • Do not depends on any third-party shared libraries.

Build

  • Download Android NDK r16b, set environment PATH. (support for armeabi has been removed since r17)

  • Build and install the native libraries.

./build_libs.sh
./install_libs.sh

Demo

cd ./xhookwrapper/
./gradlew assembleDebug
adb install ./app/build/outputs/apk/debug/app-debug.apk

API

External API header file: libxhook/jni/xhook.h

1. Register hook info

int xhook_register(const char  *pathname_regex_str,  
                   const char  *symbol,  
                   void        *new_func,  
                   void       **old_func);

In current process's memory space, in every loaded ELF which pathname matches regular expression pathname_regex_str, every PLT entries to symbol will be replaced with new_func. The original one will be saved in old_func.

The new_func must have the same function declaration as the original one.

Return zero if successful, non-zero otherwise.

The regular expression for pathname_regex_str only support POSIX BRE (Basic Regular Expression).

2. Ignore some hook info

int xhook_ignore(const char *pathname_regex_str,  
                 const char *symbol);

Ignore some hook info according to pathname_regex_str and symbol, from registered hooks by xhook_register. If symbol is NULL, xhook will ignore all symbols from ELF which pathname matches pathname_regex_str.

Return zero if successful, non-zero otherwise.

The regular expression for pathname_regex_str only support POSIX BRE.

3. Do hook

int xhook_refresh(int async);

Do the real hook operations according to the registered hook info.

Pass 1 to async for asynchronous hook. Pass 0 to async for synchronous hook.

Return zero if successful, non-zero otherwise.

xhook will keep a global cache for saving the last ELF loading info from /proc/self/maps. This cache will also be updated in xhook_refresh. With this cache, xhook_refresh can determine which ELF is newly loaded. We only need to do hook in these newly loaded ELF.

4. Clear cache

void xhook_clear();

Clear all cache owned by xhook, reset all global flags to default value.

If you confirm that all PLT entries you want have been hooked, you could call this function to save some memory.

5. Enable/Disable debug info

void xhook_enable_debug(int flag);

Pass 1 to flag for enable debug info. Pass 0 to flag for disable. (disabled by default)

Debug info will be sent to logcat with tag xhook.

6. Enable/Disable SFP (segmentation fault protection)

void xhook_enable_sigsegv_protection(int flag);

Pass 1 to flag for enable SFP. Pass 0 to flag for disable. (enabled by default)

xhook is NOT a compliant business layer library. We have to calculate the value of some pointers directly. Reading or writing the memory pointed to by these pointers will cause a segmentation fault in some unusual situations and environment. The APP crash rate increased which caused by xhook is about one ten-millionth (0.0000001) according to our test. (The increased crash rate is also related to the ELFs and symbols you need to hook). Finally, we have to use some trick to prevent this harmless crashing. We called it SFP (segmentation fault protection) which consists of: sigaction(), SIGSEGV, siglongjmp() and sigsetjmp().

You should always enable SFP for release-APP, this will prevent your app from crashing. On the other hand, you should always disable SFP for debug-APP, so you can't miss any common coding mistakes that should be fixed.

Examples

//detect memory leaks
xhook_register(".*\\.so$", "malloc",  my_malloc,  NULL);
xhook_register(".*\\.so$", "calloc",  my_calloc,  NULL);
xhook_register(".*\\.so$", "realloc", my_realloc, NULL);
xhook_register(".*\\.so$", "free",    my_free,    NULL);

//inspect sockets lifecycle
xhook_register(".*\\.so$", "getaddrinfo", my_getaddrinfo, NULL);
xhook_register(".*\\.so$", "socket",      my_socket,      NULL);
xhook_register(".*\\.so$", "setsockopt"   my_setsockopt,  NULL);
xhook_register(".*\\.so$", "bind",        my_bind,        NULL);
xhook_register(".*\\.so$", "listen",      my_listen,      NULL);
xhook_register(".*\\.so$", "connect",     my_connect,     NULL);
xhook_register(".*\\.so$", "shutdown",    my_shutdown,    NULL);
xhook_register(".*\\.so$", "close",       my_close,       NULL);

//filter off and save some android log to local file
xhook_register(".*\\.so$", "__android_log_write",  my_log_write,  NULL);
xhook_register(".*\\.so$", "__android_log_print",  my_log_print,  NULL);
xhook_register(".*\\.so$", "__android_log_vprint", my_log_vprint, NULL);
xhook_register(".*\\.so$", "__android_log_assert", my_log_assert, NULL);

//tracking (ignore linker and linker64)
xhook_register("^/system/.*$", "mmap",   my_mmap,   NULL);
xhook_register("^/vendor/.*$", "munmap", my_munmap, NULL);
xhook_ignore  (".*/linker$",   "mmap");
xhook_ignore  (".*/linker$",   "munmap");
xhook_ignore  (".*/linker64$", "mmap");
xhook_ignore  (".*/linker64$", "munmap");

//defense to some injection attacks
xhook_register(".*com\\.hacker.*\\.so$", "malloc",  my_malloc_always_return_NULL, NULL);
xhook_register(".*/libhacker\\.so$",     "connect", my_connect_with_recorder,     NULL);

//fix some system bug
xhook_register(".*some_vendor.*/libvictim\\.so$", "bad_func", my_nice_func, NULL);

//ignore all hooks in libwebviewchromium.so
xhook_ignore(".*/libwebviewchromium.so$", NULL);

//hook now!
xhook_refresh(1);

Support

Contributing

See xHook Contributing Guide.

License

xHook is MIT licensed, as found in the LICENSE file.

xHook documentation is Creative Commons licensed, as found in the LICENSE-docs file.

More Repositories

1

xCrash

🔥 xCrash provides the Android app with the ability to capture java crash, native crash and ANR. No root permission or any system permissions are required.
C
3,703
star
2

dpvs

DPVS is a high performance Layer-4 load balancer based on DPDK.
C
3,010
star
3

Andromeda

Andromeda simplifies local/remote communication for Android modularization
Java
2,275
star
4

Qigsaw

🔥🔥Qigsaw ['tʃɪɡsɔ] is a dynamic modularization library which is based on Android App Bundles(Do not need Google Play Service). It supports dynamic delivery for split APKs without reinstalling the base one.
Java
1,676
star
5

FASPell

2019-SOTA简繁中文拼写检查工具:FASPell Chinese Spell Checker (Chinese Spell Check / 中文拼写检错 / 中文拼写纠错 / 中文拼写检查)
Python
1,194
star
6

Neptune

A flexible, powerful and lightweight plugin framework for Android
Java
763
star
7

libfiber

The high performance c/c++ coroutine/fiber library for Linux/FreeBSD/MacOS/Windows, supporting select/poll/epoll/kqueue/iouring/iocp/windows GUI
C
748
star
8

LiteApp

LiteApp is a high performance mobile cross-platform implementation, The realization of cross-platform functionality is base on webview and provides different ideas and solutions for improve webview performance.
JavaScript
677
star
9

qnsm

QNSM is network security monitoring framework based on DPDK.
C
515
star
10

TaskManager

一种支持依赖关系、任务兜底策略的任务调度管理工具。API灵活易用,稳定可靠。轻松提交主线程任务、异步任务。支持周期性任务,顺序执行任务,并行任务等。
Java
476
star
11

Lens

功能简介:一种开发帮助产品研发的效率工具。主要提供了:页面分析、任务分析、网络分析、DataDump、自定义hook 、Data Explorer 等功能。以帮助开发、测试、UI 等同学更便捷的排查和定位问题,提升开发效率。
Java
407
star
12

dexSplitter

Analyze contribution rate of each module to the apk size
Java
198
star
13

xgboost-serving

A flexible, high-performance serving system for machine learning models
C++
138
star
14

auklet

Auklet is a high performance storage engine based on Openstack Swift
Go
93
star
15

lua-resty-couchbase

Lua couchbase client driver for the ngx_lua based on the cosocket API / 使用cosocket纯lua实现的couchbase的client,已经在爱奇艺重要的服务播放服务稳定运行5年多
Lua
79
star
16

lotus

lotus is a framework for intereact between views in Android
Java
73
star
17

HMGNN

Python
62
star
18

Navi

Java
18
star