
yahfa's Issues

Crash

10-20 04:50:34.749: W/ActivityManager(1224): Force finishing activity 1 io.virtualhook/com.lody.virtual.client.stub.StubActivity$C0
10-20 04:50:34.789: W/art(1224): Suspending all threads took: 12.479ms
10-20 04:50:34.842: W/ActivityManager(1224): finishTopRunningActivityLocked , taskNdx is 45, activityNdx is 0
10-20 04:50:34.967: W/MediaFocusControl(1224): AudioFocus audio focus client died
10-20 04:50:34.970: W/ActivityManager(1224): getRecentTasks: caller 10099 does not hold REAL_GET_TASKS; limiting output
10-20 04:50:34.985: W/ADB_SERVICES(403): terminating JDWP 26680 connection: Try again
10-20 04:50:35.040: W/InputMethodManagerService(1224): Got RemoteException sending setActive(false) notification to pid 26680 uid 10099
10-20 04:50:35.047: W/ActivityManager(1224): getRunningAppProcesses: caller 10094 does not hold REAL_GET_TASKS; limiting output
10-20 04:50:35.068: W/PerfScheduler(1224): Not Boost !
10-20 04:50:35.312: W/ActivityManager(1224): getRunningAppProcesses: caller 1001 is using old GET_TASKS but privileged; allowing
10-20 04:50:35.315: E/CellLocation(2746): create GsmCellLocation
10-20 04:50:38.624: W/ActivityManager(1224): getRunningAppProcesses: caller 10102 does not hold REAL_GET_TASKS; limiting output

Pending for now

The hooked method is SystemSensorManager's registerListenerImpl.

05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470] JNI DETECTED ERROR IN APPLICATION: JNI CallObjectMethod called with pending exception java.lang.IllegalAccessError: Method 'boolean android.hardware.SystemSensorManager.registerListenerImpl(android.hardware.SensorEventListener, android.hardware.Sensor, int, android.os.Handler, int, int)' is inaccessible to class 'BudHook.GenedClass_0' (declaration of 'BudHook.GenedClass_0' appears in /data/data/io.virtualapp/files/BudHook1.dex)
05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470] at boolean BudHook.GenedClass_0.replace(java.lang.Object, java.lang.Object, java.lang.Object, int, java.lang.Object, int, int) ((null):-1)
05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470] at boolean android.hardware.SensorManager.registerListener(android.hardware.SensorEventListener, android.hardware.Sensor, int, android.os.Handler) (SensorManager.java:816)
05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470] at boolean android.hardware.SensorManager.registerListener(android.hardware.SensorEventListener, android.hardware.Sensor, int) (SensorManager.java:723)
05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470] at void com.pajk.pedometer.core.d.g() (MotionDetectorManager.java:-1)
05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470] at void com.pajk.pedometer.core.f.a() (OldActiveMotionDetector.java:-1)
05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470] at void com.pajk.pedometer.core.d.c() (MotionDetectorManager.java:-1)
05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470] at void com.pajk.pedometer.core.d.m() (MotionDetectorManager.java:-1)
05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470] at void com.pajk.pedometer.core.k.d() (StepCountDetector.java:-1)
05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470] at void com.pajk.pedometer.core.k.a(android.hardware.SensorEvent) (StepCountDetector.java:-1)
05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470] at void com.pajk.pedometer.core.c.onSensorChanged(android.hardware.SensorEvent) (MotionDetector.java:-1)
05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470] at void com.lody.virtual.client.core.JSensorEventListener.onSensorChanged(android.hardware.SensorEvent) (JSensorEventListener.java:40)
05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470] at void android.hardware.SystemSensorManager$SensorEventQueue.dispatchSensorEvent(int, float[], int, long) (SystemSensorManager.java:709)
05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470] at void android.os.MessageQueue.nativePollOnce(long, int) (MessageQueue.java:-2)
05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470] at android.os.Message android.os.MessageQueue.next() (MessageQueue.java:323)
05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470] at void android.os.Looper.loop() (Looper.java:136)
05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470] at void android.app.ActivityThread.main(java.lang.String[]) (ActivityThread.java:6255)
05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470] at java.lang.Object java.lang.reflect.Method.invoke!(java.lang.Object, java.lang.Object[]) (Method.java:-2)
05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470] at void com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run() (ZygoteInit.java:920)
05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470] at void com.android.internal.os.ZygoteInit.main(java.lang.String[]) (ZygoteInit.java:810)
05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470]
05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470] in call to CallObjectMethod
05-15 14:42:34.675 14382 14382 F art : art/runtime/java_vm_ext.cc:470] from void android.os.MessageQueue.nativePollOnce(long, int)

It looks like ART threw ThrowIllegalAccessErrorField, but it's not clear why.

Hooking a final method fails on firmware 8.0

Nexus 5X, Android 8.0: hooking a final method throws an error, while hooking non-final methods works fine.
java.lang.IncompatibleClassChangeError: The method 'long com.tencent.wcdb.database.SQLiteDatabase.insertWithOnConflict!(java.lang.String, java.lang.String, android.content.ContentValues, int)' was expected to be of type static but instead was found to be of type virtual (declaration of ...

Pending for now

05-15 16:06:51.576 3596 3596 D AndroidRuntime: Shutting down VM
05-15 16:06:51.576 3596 3596 E AndroidRuntime: FATAL EXCEPTION: main
05-15 16:06:51.576 3596 3596 E AndroidRuntime: Process: com.pingan.lifeinsurance, PID: 3596
05-15 16:06:51.576 3596 3596 E AndroidRuntime: java.lang.NoSuchMethodError: No static method backup(Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;ILjava/lang/Object;II)Z in class LBudHook/GenedClass_0; or its super classes (declaration of 'BudHook.GenedClass_0' appears in /data/data/io.virtualapp/files/BudHook1.dex)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at BudHook.GenedClass_0.replace(Unknown Source:88)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at android.hardware.SensorManager.registerListener(SensorManager.java:817)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at android.hardware.SensorManager.registerListener(SensorManager.java:724)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at com.pingan.lifeinsurance.business.activities.oldactivities.healthwalk.activity.ae.a(SourceFile:111)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at com.pingan.lifeinsurance.basic.initialize.setupcenter.u.b(SourceFile:54)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at com.pingan.lifeinsurance.basic.initialize.setupcenter.u.a(SourceFile:48)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at com.pingan.lifeinsurance.basic.initialize.setupcenter.ak.a(SourceFile:129)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at com.pingan.lifeinsurance.basic.initialize.setupcenter.ak.c(SourceFile:119)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at com.pingan.lifeinsurance.common.base.a.e.a(SourceFile:40)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at com.pingan.lifeinsurance.common.base.a.h.a(SourceFile:123)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at com.pingan.lifeinsurance.common.base.AppContext.onCreate(SourceFile:69)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at com.secneo.apkwrapper.ApplicationWrapper.onCreate(ApplicationTemplate.java:47)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1120)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at com.lody.virtual.client.hook.delegate.InstrumentationDelegate.callApplicationOnCreate(InstrumentationDelegate.java:226)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at com.lody.virtual.client.hook.delegate.AppInstrumentation.callApplicationOnCreate(AppInstrumentation.java:149)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at com.lody.virtual.client.VClientImpl.bindApplicationNoCheck(VClientImpl.java:334)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at com.lody.virtual.client.VClientImpl.bindApplication(VClientImpl.java:206)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at com.lody.virtual.client.hook.proxies.am.HCallbackStub.handleLaunchActivity(HCallbackStub.java:123)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at com.lody.virtual.client.hook.proxies.am.HCallbackStub.handleMessage(HCallbackStub.java:73)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at android.os.Handler.dispatchMessage(Handler.java:102)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at android.os.Looper.loop(Looper.java:164)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at android.app.ActivityThread.main(ActivityThread.java:6518)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at java.lang.reflect.Method.invoke(Native Method)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:438)
05-15 16:06:51.576 3596 3596 E AndroidRuntime: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:807)

The same code works fine on 6.0.

Question about hooking .so functions

Hi,

To hook a function inside a .so, is it necessary to wait until the program calls System.loadLibrary(""); and the .so has been loaded before the function can be found and hooked?

A strange problem

public static void origin(Object thiz, String path)
{
    //Log(thisClass(), "calling the original function");
}

This is a hook of the File class constructor. I found that if nothing is written in the body of the origin function, it crashes on 5.1 but works fine on 6.0. My guess is that the empty body causes the call to the original function to fail, so that commented-out line has to be uncommented for it to work. This problem has given me a real headache.

Problem with origin being executed

The code is as follows:
public static void hook(Object thiz, int arg0) {
    Log.i("YAHFA", "hook here");
    origin(thiz, arg0);
}

public static void origin(Object thiz, int arg0) {
    Log.w("YAHFA", "should not be here");
    return;
}

At first it runs normally: hook is executed every time and "should not be here" is never printed, but after running for a while "should not be here" starts to appear, and from then on things go wrong.

Update 1: Strangely, I have several other similar hooks that have no problem; only this one does.

Update 2: After further testing, the others have the same problem too; it just takes longer before it shows up.

Debug vs. release build problem

Android version 6.0.0.
It doesn't matter which build the plugin is.
When the app is a debug build, the original function can be called; press Home to switch to the background, turn the screen off, turn it on again, and triggering the hooked API crashes.

When the app is a release build, the original function is not called, but it doesn't crash.

09-08 07:30:58.868 194 194 F DEBUG : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x12cff138
09-08 07:30:58.885 194 194 F DEBUG : r0 0000004b r1 ab0c58b8 r2 12cff12c r3 fffff798
09-08 07:30:58.885 194 194 F DEBUG : r4 6fd3e3e4 r5 32cd4400 r6 12cff000 r7 ab0c58b8
09-08 07:30:58.885 194 194 F DEBUG : r8 b4d36500 r9 b4d36500 sl 00094ec6 fp 00000000
09-08 07:30:58.885 194 194 F DEBUG : ip 00000000 sp bea28160 lr b48feb31 pc b4be7a5c cpsr 200f0030
09-08 07:30:58.892 194 194 F DEBUG :
09-08 07:30:58.892 194 194 F DEBUG : backtrace:
09-08 07:30:58.880 194 194 W debuggerd: type=1400 audit(0.0:54): avc: denied { search } for name="com.abc.msm" dev="mmcblk0p28" ino=1475217 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
09-08 07:30:58.892 194 194 F DEBUG : #00 pc 003d0a5c /system/lib/libart.so (artAllocObjectFromCodeRosAlloc+35)
09-08 07:30:58.892 194 194 F DEBUG : #1 pc 000e7b2d /system/lib/libart.so (art_quick_alloc_object_rosalloc+28)
09-08 07:30:58.893 194 194 F DEBUG : #2 pc 00715b07 /data/app/com.abc.msm-1/oat/arm/base.odex (offset 0x39b000) (android.content.Intent com.abc.msm.PhoneTest.call_phone()+34)
09-08 07:30:58.893 194 194 F DEBUG : #3 pc 001e3e2b /data/data/com.abc.msm/code_cache/Plugin-debug.dex (offset 0x383000)

Support hook code in the same DexClassLoader as the target method

The original design followed Xposed: hook code is packaged as a plugin and loaded dynamically at runtime via DexClassLoader. This basically works fine at present.

But now some people want to put the hook code together with the app itself, which is currently not supported. The exact cause, and whether it can be fixed, will have to wait until I have time to look into it. This issue is used to track it.

Question about calling the original function

public static boolean hook(String thiz, String prefix) {
    Log.w("YAHFA", "in String.startsWith(): "+thiz+", "+prefix);
    return origin(thiz, prefix);
}

public static boolean origin(String thiz, String prefix) {
    Log.w("YAHFA", "String.startsWith() should not be here");
    return false;
}

Both of these methods change the return value. How can I get the return value of the method itself?

A question

I want to hook the C function used for system property calls. Your example can successfully hook a custom native method, but this function has no class name, so I don't know where to start. Please give me some guidance, thanks.
__system_property_get("ro.serialno", a);

Hook doesn't work on Nexus 5 5.1.1

All the logs are printed, but the hook doesn't take effect.
I only hooked Log.e; the same code is OK on 6.0.
I put the plugin and the main app together, didn't use a classloader, and called findAndBackupAndHook directly.

Using YAHFA outside the VA environment

In theory, if my device is rooted, YAHFA should also be usable outside the VA environment, right?

YAHFA support for Xposed-style hook code

Could it support an Xposed-like hook API? Both epic and AndHook have APIs close to Xposed's, so Xposed modules can readily be ported to epic and AndHook.

Can't hook reflective calls

When a method is hooked with Xposed, it is still modified even when it is called via reflection,
but with YAHFA, reflective calls bypass the hook. Does YAHFA do anything to handle reflective calls?

After calling Toast.show repeatedly in a loop on a 64-bit Android 7.0 physical device, the following exception appears and the program exits

Test environment:
Huawei Mate 9, Android 7.0, arm64-v8a physical device.
After calling Toast.show repeatedly in a loop, the following exception appears and the program exits.
My guess is that after YAHFA replaces the ArtMethod data, the GC can no longer collect objects. This exception appears on basically all 64-bit physical devices.
05-24 10:56:04.134: W/YAHFA(22727): hook end
05-24 10:56:04.137: W/YAHFA(22727): hook
05-24 10:56:04.137: W/YAHFA(22727): hook end
05-24 10:56:04.140: W/YAHFA(22727): hook
05-24 10:56:04.140: W/YAHFA(22727): hook end
05-24 10:56:04.143: W/YAHFA(22727): hook
05-24 10:56:04.143: W/YAHFA(22727): hook end
05-24 10:56:04.146: W/YAHFA(22727): hook
05-24 10:56:04.146: W/YAHFA(22727): hook end
05-24 10:56:04.148: A/art(22727): art/runtime/gc/collector/mark_sweep.cc:413] Tried to mark 0xea205160 not contained by any spaces
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:184] e-xml.oat
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 7512e000-7512f000 rw-p 002d6000 103:1e 2137 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 7512f000-751e9000 r--p 00000000 103:1e 2142 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:184] pache.http.legacy.boot.oat
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 751e9000-75265000 r-xp 000ba000 103:1e 2142 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 75265000-75266000 r--p 00136000 103:1e 2142 /data/dalvik-cache/arm/system@fra
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:184] [email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 75266000-75267000 rw-p 00137000 103:1e 2142 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 75267000-7550a000 r--p 00000000 103:1e 2145 /data/dalvik-cache/arm/system@fra
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:184] [email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 7550a000-75666000 r-xp 002a3000 103:1e 2145 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 75666000-75667000 r--p 003ff000 103:1e 2145 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:184] t
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 75667000-75668000 rw-p 00400000 103:1e 2145 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 75668000-75853000 r--p 00000000 103:1e 2152 /data/dalvik-cache/arm/system@framework@boot-hwTelepho
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:184] ny-common.oat
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 75853000-7598e000 r-xp 001eb000 103:1e 2152 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 7598e000-7598f000 r--p 00326000 103:1e 2152 /data/dalvik-cache/arm/system@framework@bo
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:184] ot-hwTelephony-common.oat
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 7598f000-75990000 rw-p 00327000 103:1e 2152 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 75990000-75b18000 r--p 00000000 103:1e 2155 /data/dalvik-cache/arm/system@framework@bo
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:184] ot-hwframework.oat
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 75b18000-75c08000 r-xp 00188000 103:1e 2155 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 75c08000-75c09000 r--p 00278000 103:1e 2155 /data/dalvik-cache/arm/system@framework@boot-hwfr
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:184] amework.oat
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 75c09000-75c0a000 rw-p 00279000 103:1e 2155 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 75c0a000-75c13000 r--p 00000000 103:1e 2161 /data/dalvik-cache/arm/system@framework@boot-org.
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:184] simalliance.openmobileapi.oat
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 75c13000-75c17000 r-xp 00009000 103:1e 2161 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 75c17000-75c18000 r--p 0000d000 103:1e 2161 /data/dalvik-cache/arm/system@f
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:184] [email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 75c18000-75c19000 rw-p 0000e000 103:1e 2161 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 75c19000-75c1e000 r--p 00000000 103:1e 2166 /data/dalvik-cache/arm/system@f
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:184] [email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 75c1e000-75c1f000 r-xp 00005000 103:1e 2166 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 75c1f000-75c20000 r--p 00006000 103:1e 2166 /data/dalvik-cache/arm/system@framew
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:184] [email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 75c20000-75c21000 rw-p 00007000 103:1e 2166 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:203] 75c21000-75c43000 r--p 00000000 103:1e 2170 /data/dalvik-cache/arm/system@framew
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:184] [email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:184] 75c43000-75c56000 r-xp 00022000 103:1e 2170 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:184] 75c56000-75c57000 r--p 00035000 103:1e 2170 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:184] 75c57000-75c58000 rw-p 00036000 103:1e 2170 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:184] 75c58000-75c6a000 r--p 00000000 103:1e 2175 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:184] 75c6a000-75c72000 r-xp 00012000 103:1e 2175 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.151: A/art(22727): art/runtime/utils.cc:184] 75c72000-75c73000 r--p 0001a000 103:1e 2175 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.152: A/art(22727): art/runtime/utils.cc:184] 75c73000-75c74000 rw-p 0001b000 103:1e 2175 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.152: A/art(22727): art/runtime/utils.cc:184] 75c74000-75c8a000 r--p 00000000 103:1e 2179 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.152: A/art(22727): art/runtime/utils.cc:184] 75c8a000-75c94000 r-xp 00016000 103:1e 2179 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.152: A/art(22727): art/runtime/utils.cc:184] 75c94000-75c95000 r--p 00020000 103:1e 2179 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.152: A/art(22727): art/runtime/utils.cc:184] 75c95000-75c96000 rw-p 00021000 103:1e 2179 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.152: A/art(22727): art/runtime/utils.cc:184] 75c96000-75ca5000 r--p 00000000 103:1e 2183 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.152: A/art(22727): art/runtime/utils.cc:184] 75ca5000-75cac000 r-xp 0000f000 103:1e 2183 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.152: A/art(22727): art/runtime/utils.cc:184] 75cac000-75cad000 r--p 00016000 103:1e 2183 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.152: A/art(22727): art/runtime/utils.cc:184] 75cad000-75cae000 rw-p 00017000 103:1e 2183 /data/dalvik-cache/arm/system@[email protected]
05-24 10:56:04.152: A/art(22727): art/runtime/utils.cc:184] 75cae000-75dbc000 rw-p 00000000 00:01 15012 /dev/ashmem/dalvik-zygote space (deleted)
05-24 10:56:04.152: A/art(22727): art/runtime/utils.cc:184] 75dbc000-75dbd000 rw-p 00000000 00:01 23436 /dev/ashmem/dalvik-non moving space (deleted)
05-24 10:56:04.152: A/art(22727): art/runtime/utils.cc:184] 75dbd000-75dbf000 rw-p 00001000 00:01 23436 /dev/ashmem/dalvik-non moving space (deleted)
05-24 10:56:04.152: A/art(22727): art/runtime/utils.cc:184] 75dbf000-794af000 ---p 00003000 00:01 23436 /dev/ashmem/dalvik-non moving space (deleted)
05-24 10:56:04.152: A/art(22727): art/runtime/utils.cc:184] 794af000-79cae000 rw-p 036f3000 00:01 23436 /dev/ashmem/dalvik-non moving space (deleted)
05-24 10:56:04.152: A/art(22727): art/runtime/utils.cc:184] b245e000-b2463000 r-xp 00000000 fd:00 567 /system/bin/app_process32
05-24 10:56:04.152: A/art(22727): art/runtime/utils.cc:184] b2463000-b2464000 r--p 00004000 fd:00 567 /system/bin/app_process32
05-24 10:56:04.152: A/art(22727): art/runtime/utils.cc:184] b2464000-b2465000 rw-p 00000000 00:00 0
05-24 10:56:04.152: A/art(22727): art/runtime/utils.cc:184] cca1c000-cd1a2000 rw-s 00000000 00:0b 8851 anon_inode:dmabuf
05-24 10:56:04.152: A/art(22727): art/runtime/utils.cc:184] cd1a2000-cd928000 rw-s 00000000 00:0b 8851 anon_inode:dmabuf

Question about hooking a method of a class that may be subclassed

YAHFA can complete a hook when given the class name, the method name and the parameter string. But suppose I need to hook the onCreate method of an Application object: the Application object may be subclassed, so the class name cannot be specified in advance. In Xposed I could obtain the onCreate method via reflection and hook that method directly. How is this situation handled in YAHFA?

VirtualHook has no effect when hooking methods in my own app

VirtualHook does not allow questions, so I am posting here.

I tried VirtualHook. Hooking system methods such as Activity.onCreate works, but hooking a method of an Activity in my own app has no effect; the original code path is still taken.

The system is Android 6.0.

Can a method be hooked if one of its parameter types is not part of the Android SDK?

For example, the parameter types of the hook method below are all SDK types.
public static String hook(Object thiz, String a, String b, String c, String d) {
    Log.w("YAHFA", "in ClassWithVirtualMethod.tac(): " + a + ", " + b + ", " + c + ", " + d);
    return origin(thiz, a, b, c, d);
}

If a parameter type or the return type of the method to be hooked is not part of the Android SDK, can it still be hooked?

Exception("Invalid type: "

Hello author! I pass the parameters as written below, but an Exception("Invalid type: " is always thrown in the parseSignature method of the HookMain class.
Is there anything wrong with the way I wrote it?

public static String methodSig = "(Lcom/iqing/hh/tools/notification/b;Ljava/lang/String;Ljava/lang/String;I;I;Z)V";

The first parameter is a custom class; is that related?

What value should origin return?

One of the issues mentions returning according to the method actually hooked, and I basically understand that: whatever type the original method returns, hook returns the same type.

What I want to ask now is this:
in the examples, methods whose return type is void simply return,
while those whose return type is String return either null or "".

1. What is the return value of origin actually used for? Can it be written arbitrarily? What effect does it have, and on what?

2. What is the execution flow among hook, origin and the original function? I roughly understand it, but some parts are still unclear.

Not working on MIUI 8

Both legend and YAHFA fail on MIUI 8; it is probably a system issue.

A question

Hi,
I slightly modified the way your hook plugin is written. Originally you obtained the class name and so on by reflecting on static fields; I changed it to reflect on a hookMethods method, and one class can now hook several methods. This approach hooks successfully.
But I ran into a difficulty: I want to put all the hook parameters into the params array of hook(Object thiz, Object[] params) instead of precisely declaring every parameter type. How can I do that?
import android.util.Log;

public class Hook_Test extends BaseHook {
    @Override
    public String hookMethods() {
        return methodsToStr(
            new HookMethod("zpp.wjy.testxvirtual.Test", "test"),  // public String test()
            new HookMethod("zpp.wjy.testxvirtual.Test", "test1")  // public String test1(String param1)
        );
    }

    public static String hook(Object thiz, Object[] params) {
        Log.i("hook", "hook到了" + thiz + " " + params.length);
        return "被hook了";
    }

    public static String origin() {
        return "";
    }
}

java.lang.IncompatibleClassChangeError on Android 7.0 and 7.1 emulators

Test environment:
Android 7.0 armeabi emulator / Android 7.1 x86 emulator.
After calling Toast.show several times, the following java.lang.IncompatibleClassChangeError is thrown and the program exits.

05-24 04:13:43.362: W/YAHFA(1439): hook end
05-24 04:13:43.366: W/YAHFA(1439): hook
05-24 04:13:43.367: W/YAHFA(1439): hook end
05-24 04:13:43.367: I/Choreographer(1439): Skipped 42 frames! The application may be doing too much work on its main thread.
05-24 04:13:44.462: W/YAHFA(1439): hook
05-24 04:13:44.467: D/AndroidRuntime(1439): Shutting down VM
05-24 04:13:44.472: E/AndroidRuntime(1439): FATAL EXCEPTION: main
05-24 04:13:44.472: E/AndroidRuntime(1439): Process: lab.galaxy.yahfa.demoApp, PID: 1439
05-24 04:13:44.472: E/AndroidRuntime(1439): java.lang.IncompatibleClassChangeError: The method 'void android.widget.Toast.show()' was expected to be of type static but instead was found to be of type virtual (declaration of 'com.yunshouhu.hookitem.Hook_Toast_show' appears in /data/app/lab.galaxy.yahfa.demoApp-1/base.apk)
05-24 04:13:44.472: E/AndroidRuntime(1439): at com.yunshouhu.hookitem.Hook_Toast_show.hook(Hook_Toast_show.java:19)
05-24 04:13:44.472: E/AndroidRuntime(1439): at com.yunshouhu.MainActivity$4.onClick(MainActivity.java:88)
05-24 04:13:44.472: E/AndroidRuntime(1439): at android.view.View.performClick(View.java:5610)
05-24 04:13:44.472: E/AndroidRuntime(1439): at android.view.View$PerformClick.run(View.java:22260)
05-24 04:13:44.472: E/AndroidRuntime(1439): at android.os.Handler.handleCallback(Handler.java:751)
05-24 04:13:44.472: E/AndroidRuntime(1439): at android.os.Handler.dispatchMessage(Handler.java:95)
05-24 04:13:44.472: E/AndroidRuntime(1439): at android.os.Looper.loop(Looper.java:154)
05-24 04:13:44.472: E/AndroidRuntime(1439): at android.app.ActivityThread.main(ActivityThread.java:6077)
05-24 04:13:44.472: E/AndroidRuntime(1439): at java.lang.reflect.Method.invoke(Native Method)
05-24 04:13:44.472: E/AndroidRuntime(1439): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:865)
05-24 04:13:44.472: E/AndroidRuntime(1439): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:755)
05-24 04:13:44.515: W/ActivityManager(378): Force finishing activity lab.galaxy.yahfa.demoApp/com.yunshouhu.MainActivity

It reports that the target method cannot be found; is the signature wrong?

I want to hook the execution of exec in java.lang.Runtime:
public static String className = "java.lang.Runtime";
public static String methodName = "exec";
public static String methodSig = "(Ljava/lang/String;)Ljava/lang/Object;";
Why does it say the method cannot be found? Changing the return type to Ljava/lang/Process does not work either.
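The two signature problems reported on this page, the Exception("Invalid type: " thrown for "...I;I;Z)V" and the Runtime.exec signature that is never found, have the same root cause: a hand-written JVM method descriptor that does not match the real method. The following is an added example, not YAHFA's own code, that derives the descriptor from java.lang.reflect.Method (so it cannot be mistyped) and validates hand-written descriptors, rejecting a ';' after a primitive such as "I;" and an object type missing its terminating ';'. The class name MethodSigHelper and its method names are this example's own.

```java
import java.lang.reflect.Method;

// Added example (not YAHFA's code): build and check the methodSig string that YAHFA expects.
public class MethodSigHelper {

    // JVM type descriptor for a Class: primitives are one letter and carry no ';',
    // arrays get one '[' per dimension, object types are L<internal name>;
    public static String descriptorOf(Class<?> c) {
        if (c.isArray()) return "[" + descriptorOf(c.getComponentType());
        if (c == void.class) return "V";
        if (c == boolean.class) return "Z";
        if (c == byte.class) return "B";
        if (c == char.class) return "C";
        if (c == short.class) return "S";
        if (c == int.class) return "I";
        if (c == long.class) return "J";
        if (c == float.class) return "F";
        if (c == double.class) return "D";
        return "L" + c.getName().replace('.', '/') + ";";
    }

    // Full method descriptor: "(" + parameter descriptors + ")" + return descriptor.
    public static String descriptorOf(Method m) {
        StringBuilder sb = new StringBuilder("(");
        for (Class<?> p : m.getParameterTypes()) sb.append(descriptorOf(p));
        return sb.append(')').append(descriptorOf(m.getReturnType())).toString();
    }

    // Checks a hand-written descriptor; throws IllegalArgumentException describing the first defect.
    public static void validate(String sig) {
        if (sig.isEmpty() || sig.charAt(0) != '(') throw new IllegalArgumentException("missing '('");
        int close = sig.indexOf(')');
        if (close < 0) throw new IllegalArgumentException("missing ')'");
        int i = 1;
        while (i < close) i = skipType(sig, i, close, false);
        if (close + 1 >= sig.length()) throw new IllegalArgumentException("missing return type");
        int end = skipType(sig, close + 1, sig.length(), true);
        if (end != sig.length())
            throw new IllegalArgumentException("trailing characters after return type: " + sig.substring(end));
    }

    // Returns the index just past the type that starts at i; limit is where the current section ends.
    private static int skipType(String sig, int i, int limit, boolean returnPosition) {
        char c = sig.charAt(i);
        switch (c) {
            case 'V':
                if (!returnPosition) throw new IllegalArgumentException("'V' is only valid as a return type");
                // fall through: treated like the other single-letter types below
            case 'Z': case 'B': case 'C': case 'S': case 'I': case 'J': case 'F': case 'D':
                // "I;" is the mistake from the Invalid type issue: primitives take no ';'
                if (i + 1 < limit && sig.charAt(i + 1) == ';')
                    throw new IllegalArgumentException("primitive '" + c + "' must not be followed by ';' at index " + i);
                return i + 1;
            case '[':
                return skipType(sig, i + 1, limit, false);
            case 'L': {
                int semi = sig.indexOf(';', i);
                if (semi < 0 || semi >= limit)
                    throw new IllegalArgumentException("object type without terminating ';' at index " + i);
                return semi + 1;
            }
            default:
                throw new IllegalArgumentException("Invalid type: " + c + " at index " + i);
        }
    }

    public static void main(String[] args) throws Exception {
        // Derived, not typed: Runtime.exec(String) declares Process as its return type,
        // so a descriptor ending in Ljava/lang/Object; can never match it.
        Method exec = Runtime.class.getMethod("exec", String.class);
        System.out.println("derived: " + descriptorOf(exec));

        // Constructed samples: the descriptor from the Invalid type issue, its corrected form,
        // and the Runtime.exec attempt with the ';' missing after Process.
        String[] samples = {
            "(Lcom/iqing/hh/tools/notification/b;Ljava/lang/String;Ljava/lang/String;I;I;Z)V",
            "(Lcom/iqing/hh/tools/notification/b;Ljava/lang/String;Ljava/lang/String;IIZ)V",
            "(Ljava/lang/String;)Ljava/lang/Process",
        };
        for (String s : samples) {
            try {
                validate(s);
                System.out.println("OK      " + s);
            } catch (IllegalArgumentException e) {
                System.out.println("INVALID " + s + " -> " + e.getMessage());
            }
        }
    }
}
```

For Runtime.exec(String) the derived descriptor is "(Ljava/lang/String;)Ljava/lang/Process;", with the trailing ';' that the attempt in this issue leaves out. Of the three constructed samples only the second passes validation; the first fails at the ';' after 'I' and the third at the unterminated Process type. Using descriptorOf(Method) to fill methodSig at runtime also covers the case from another issue on this page, a custom class such as Test that is not in the SDK, since its descriptor is simply "L<package>/Test;".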

hook failed

Hooking on Genymotion Android 5.0.0 did not succeed:
findAndBackupAndHook(targetClass, methodName, methodSig, hook, backup) reports done,
but calling the method named by methodName still runs the original method, and calling the method named by backup jumps to the method named by methodName,
which means the backup succeeded but the hook failed.

I have not dug into the source yet; posting this here first.

How to hook

How do I hook a method whose return type is a custom class? For example, the apk contains a custom class
class Test{}, and a method whose return type is Test. How should the return type of the hook method be written?

Problem when method calls are chained

I want to hook the methods involved in common SD card operations, such as getExternalStorageState(). When it is used as
Environment.getExternalStorageState().equals(Environment.MEDIA_MOUNTED
), why is the intermediate getExternalStorageState() call not hooked?
Whereas a standalone String temp = Environment.getExternalStorageState() is hooked fine.

The first launch of a hooked app always freezes

Every time I hook an app, the first launch reports an error like the one below and exits; relaunching then works normally. The log is below; any help on how to fix this is appreciated:

11-21 15:31:26.245 10936-10936/? A/libc: Fatal signal 11 (SIGSEGV), code 2, fault addr 0x96a5fa80 in tid 10936 (mobile.explorer)
11-21 15:31:26.299 1009-1009/? I/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
11-21 15:31:26.299 1009-1009/? I/DEBUG: Build fingerprint: 'google/shamu/shamu:5.1/LMY47D/1743759:user/release-keys'
11-21 15:31:26.299 1009-1009/? I/DEBUG: Revision: '33696'
11-21 15:31:26.299 1009-1009/? I/DEBUG: ABI: 'arm'
11-21 15:31:26.299 1009-1009/? I/DEBUG: pid: 10936, tid: 10936, name: mobile.explorer >>> sogou.mobile.explorer <<<
11-21 15:31:26.299 1009-1009/? I/DEBUG: signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x96a5fa80
11-21 15:31:26.320 1009-1009/? I/DEBUG: r0 ffffffff r1 bea24130 r2 00000010 r3 0000069c
11-21 15:31:26.320 1009-1009/? I/DEBUG: r4 0000000a r5 bea24258 r6 00000180 r7 00000320
11-21 15:31:26.320 1009-1009/? I/DEBUG: r8 b493ccc8 r9 00000014 sl 00000000 fp 32c01040
11-21 15:31:26.320 1009-1009/? I/DEBUG: ip b6e6c6c0 sp bea24100 lr b6e1b141 pc 96a5fa80 cpsr 800b0010
11-21 15:31:26.321 1009-1009/? I/DEBUG: backtrace:
11-21 15:31:26.321 1009-1009/? I/DEBUG: #00 pc 0065fa80 [anon:libc_malloc]
11-21 15:31:26.321 1009-1009/? I/DEBUG: #1 pc 0001813d /system/lib/libc.so (__set_errno+4)
11-21 15:31:26.321 1009-1009/? I/DEBUG: #2 pc ffffffff

With the same ClassLoader on 7.0 and above, after the hooked method has been called many times, the hook method's call to the backup method no longer reaches the original method and wrongly ends up in the backup method itself

Because of project requirements, I want to ship this solution inside an SDK.
I tried 7.0 first.
It worked at the beginning. Later I found that after a hooked method had been called repeatedly, the original function could no longer be reached, i.e. after many calls the following log appeared:
ClassWithVirtualMethod.tac() should not be here
After reading the author's article, my initial judgement was that this intermittent problem is caused by a change in hotness. After a series of debugging sessions, inspecting memory finally confirmed that the hook method's hotness had indeed changed and its entry_point had changed accordingly, while the ArtMethod struct of backupMethod had not changed at all.
The fix was to modify the instructions of genTrampoline1 so that hookMethod's hotness is reset first. In aarch64 mode, I replaced the first instruction of trampoline1 with the first two instructions of trampoline2:
0x80, 0x00, 0x00, 0x58, 0x1f, 0x24, 0x00, 0x79,
After adjusting a series of offsets the result was pleasing: a Samsung S8 on Android 7.0 works completely.
Finally, my questions:
1. Why is it hookMethod's hotness that changed, causing hookMethod's call to backupMethod not to reach the original function? At first I assumed it was backupMethod's hotness that changed and caused the problem.
2. Although I fixed the problem in aarch64 mode, I cannot judge the risks that come with it; could the author give some guidance?

About hooking static fields

You have written examples for ordinary methods and static methods; could you also write an example of hooking a static field, for instance some of the static fields of the Build class?

Calls misbehave on x86 with 7.1

The hook function is entered, but the return value seems to have no effect.
Calling the origin function from inside the hook function enters the body of the origin function itself.
Also, calling the hooked function several times has problems; it freezes.

Suggestion on how hooks are written

It would be nice to have before and after like Xposed, and to wrap the parameters and the method in a callback. Currently writing one class per hooked method is too cumbersome.

I have read all the issues and still cannot figure out what origin and hook do

1. One issue says origin and hook can achieve the before and after of Xposed, but how exactly?

  1. What exactly does origin do? Why do some examples have it and others not?

  2. Does it not matter what origin returns?

  3. origin and hook must both be declared static; what about their return types? Can they not be chosen freely?

  4. How can the functionality of param.getResult and param.setResult in Xposed be implemented?

Sorry for the trouble, and thanks.
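Several issues on this page ask how hook and origin relate and where Xposed-style "before" and "after" logic goes. The following is an added example, not YAHFA's own code, laid out the way the hook classes quoted on this page are: static className, methodName and methodSig fields, a static hook with the target's parameters preceded by thiz and the target's return type, and a static origin with the same parameter list. The target class zpp.wjy.testxvirtual.Test and its test1(String) method are taken from an issue above and stand for any app method; the log tag and messages are this example's own.

```java
import android.util.Log;

// Added example (not YAHFA's code): one hook class in the layout used by the issues on this page.
public class Hook_Example {
    // Target taken from an issue above: public String test1(String param1) on a hypothetical app class.
    public static String className = "zpp.wjy.testxvirtual.Test";
    public static String methodName = "test1";
    public static String methodSig = "(Ljava/lang/String;)Ljava/lang/String;";

    // Runs in place of Test.test1: same parameters as the target (plus thiz) and the same return type.
    public static String hook(Object thiz, String param1) {
        // "before": the arguments can be inspected or rewritten before the original runs
        Log.i("YAHFA", "test1 called with " + param1);
        String arg = (param1 == null) ? "" : param1;

        // Calling origin reaches the backed-up original method; its return value is what
        // Xposed exposes as param.getResult(). Leaving this call out replaces the method entirely.
        String result = origin(thiz, arg);

        // "after": the result can be inspected or replaced, the counterpart of param.setResult()
        if (result == null) {
            result = "";
        }
        Log.i("YAHFA", "test1 returned " + result);
        return result;
    }

    // Placeholder: once the hook is installed, calls to origin are redirected to the backup of
    // the original method, so this body is not the code that runs. The return value written here
    // therefore only matters for the compiler; a log line makes a broken redirect visible, which is
    // what the "should not be here" message quoted in another issue on this page is for.
    public static String origin(Object thiz, String param1) {
        Log.w("YAHFA", "origin body executed: hook not installed or backup broken");
        return null;
    }
}
```

For a void target both hook and origin are declared void and hook simply returns after calling origin, which is why the void examples referred to above contain a bare return. Whatever the return type, hook's return value is the one the caller of the hooked method receives, so any "setResult" behaviour belongs in hook, never in origin.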

Does YAHFA support Android O?

I tested on Android O and the hook does not succeed; hooking JNI crashes immediately. Test device: Nexus 6P. The same code hooks successfully on a Nexus 5 running 6.0.
