can not hook method

[galenzhao]

写了个测试demo， 发现log显示hook成功， 但是app运行的代码并没有被hook掉，

01-08 15:03:42.143 I/YAHFA_HOOK( 5058): update time: Mon Jan 08 15:03:42 GMT+08:00 2018 01-08 15:03:42.144 I/YAHFA ( 5058): Start hooking with item lab.galaxy.changephoneinfo.Hook_Function_Text 01-08 15:03:42.156 D/YAHFA ( 5058): target method param count is 1 01-08 15:03:42.156 I/YAHFA-Native( 5058): Start findAndBackupAndHook for static method parserText(Ljava/lang/String;)Ljava/lang/String; 01-08 15:03:42.156 W/YAHFA-Native( 5058): not enough capacity. Allocating... 01-08 15:03:42.156 I/YAHFA-Native( 5058): Allocating done 01-08 15:03:42.157 I/YAHFA-Native( 5058): target method is at 0xef8bd0c8, hook method is at 0xef8bd018, backup method is at 0xef8bcff0 01-08 15:03:42.157 I/YAHFA-Native( 5058): hook and backup done 01-08 15:03:42.157 I/YAHFA ( 5058): Start hooking with item lab.galaxy.changephoneinfo.Hook_Function_Hook 01-08 15:03:42.157 D/YAHFA ( 5058): target method param count is 1 01-08 15:03:42.157 I/YAHFA-Native( 5058): Start findAndBackupAndHook for non-static method functionToBeHook(Ljava/lang/String;)V 01-08 15:03:42.157 I/YAHFA-Native( 5058): target method is at 0xef8bd0f0, hook method is at 0xef8be610, backup method is at 0xef8be5e8 01-08 15:03:42.157 I/YAHFA-Native( 5058): hook and backup done

hook类静态方法，

public class Hook_Function_Text {
public static String className = "com.example.galenzhao.targethook.MainActivity";
public static String methodName = "parserText";
public static String methodSig = "(Ljava/lang/String;)Ljava/lang/String;";

//public static String hook(Object thiz, String text){
public static String hook(String text) {
    //Log.i("YAHFA_HOOK", "hooked object is: "+thiz);
    Log.i("YAHFA_HOOK", "hook before is: "+backup(text));

    return "hooked text!";
}

public static String backup(String text){
    Log.i("HOOK", "useless: "+text);

    return null;
}
}

hook类方法，

public class Hook_Function_Hook {
public static String className = "com.example.galenzhao.targethook.MainActivity";
public static String methodName = "functionToBeHook";
public static String methodSig = "(Ljava/lang/String;)V";

public static void hook(Object thiz, String string){
    Log.i("YAHFA_HOOK", "before hook: "+thiz);

    backup(thiz, string+"\nhooked!");

    Log.i("YAHFA_HOOK", "after hook");
}

public static void backup(Object thiz, String string){
    Log.i("YAHFA_Hook", "["+thiz+"]old string: "+string);
}
}

这个是demo的activity代码，

public static String parserText(String string) {
    //return stringFromJNI()+'\n'+string;
    return string;
}

public void functionToBeHook(String string) {
    //String text = this.parserText(string);
    String text = MainActivity.parserText(string);

    // Example of a call to a native method
    TextView tv = (TextView) findViewById(R.id.sample_text);
    tv.setText(text);
}

把插件和demo放到virtualhook里边后， 运行只有上边那些log， demo里方法被执行的时候， 并没有调用到新写的hook，

是我哪里写的不对么？

[rk700]

系统版本是什么

[galenzhao]

----Easy DeviceInfo : Generated device information------ Device Charging : Not Charging Ringermode : normal Time (ms) : 1515468653074 Formatted Time (24Hrs) : 11:30:53 AM Language : en IMEI : unknown User-Agent : Mozilla/5.0 (Linux; Android 6.0.1; Redmi 4A Build/MMB29M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/63.0.3239.111 Mobile Safari/537.36__Dalvik/2.1.0 (Linux; U; Android 6.0.1; Redmi 4A MIUI/V8.5.7.0.MCCMIED) IMSI : unknown SIM Serial Number : unknown Manufacturer : Xiaomi Model : Redmi_4A OS Codename : Marshmallow OS Version : 6.0.1 Country : cn Display Resolution : 1280x720 Display Version : MMB29M Phone Number : unknown Carrier : china_unicom Radio Version : NS_PACK-1.103461.1.110954.1_V046 Product : rolex Device : rolex Board : QC_Reference_Phone Hardware : qcom BootLoader : unknown Email ID : unknown

Latitude : 0.0 Longitude : 0.0 Fingerprint : Xiaomi/rolex/rolex:6.0.1/MMB29M/V8.5.7.0.MCCMIED:user/release-keys Screen Density : XHDPI Installer Store : com.android.vending Network Available : true Running on emulator : false Build Brand : Xiaomi Build Host : mi-server Build Tag : release-keys Build Time : 1506479103000 Build User : builder Build Version Release : 6.0.1 Screen Display ID : 0 Build Version Codename : REL Build Version Increment : V8.5.7.0.MCCMIED Build Version SDK : 23 Build ID : MMB29M Supported ABIS : arm64-v8a_armeabi-v7a_armeabi Supported 32 bit ABIS : armeabi-v7a_armeabi Supported 64 bit ABIS : arm64-v8a Device Rooted : false Battery Percentage : 67% is Wifi enabled : true

[xiangjun-zeng]

遇到相同问题，最新的是5.1上可以hook成功 6.0不行。貌似是这个原因

[galenzhao]

jni的hook是正常的， 我直接跑这个自带的demo，changephoneinfo的可以修改serialid， 其他mac addr啥的java hook的 也都没效果，

[rk700]

原始的demoHookPlugin有试过么？

[galenzhao]

神奇了， 我直接用没改过的demohookplugin，hook我自己写的demo， 没有效果， 我自己的demo代码：

            java.io.File file = new java.io.File("/etc/hosts");
            file.canRead();

            Map<String, String> postData = new HashMap<>();
            postData.put("param1", "");
            postData.put("anotherParam", "");
            HttpPostAsyncTask task = new HttpPostAsyncTask(postData);
            task.execute("http://httpbin.org/");

HttpPostAsyncTask：

        // This is getting the url from the string we passed in
        URL url = new URL(params[0]);

        // Create the urlConnection
        HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();

没有任何效果，但是我导入了一个其他的app，有个log出现了，

01-09 16:52:21.766 I/YAHFA-Native(22553): init to SDK 23 01-09 16:52:21.769 E/YAHFA (22553): hello world from jni 01-09 16:52:21.769 I/YAHFA (22553): Start hooking with item lab.galaxy.demeHookPlugin.Hook_AssetManager_open 01-09 16:52:21.770 D/YAHFA (22553): target method param count is 1 01-09 16:52:21.771 I/YAHFA-Native(22553): Start findAndBackupAndHook for non-static method open(Ljava/lang/String;)Ljava/io/InputStream; 01-09 16:52:21.771 W/YAHFA-Native(22553): not enough capacity. Allocating... 01-09 16:52:21.778 I/YAHFA-Native(22553): Allocating done 01-09 16:52:21.778 I/YAHFA-Native(22553): target method is at 0x7060f2f8, hook method is at 0xef84fdd8, backup method is at 0xef84fdb0 01-09 16:52:21.779 I/YAHFA-Native(22553): hook and backup done 01-09 16:52:21.779 I/YAHFA (22553): Start hooking with item lab.galaxy.demeHookPlugin.Hook_URL_openConnection 01-09 16:52:21.781 D/YAHFA (22553): target method param count is 0 01-09 16:52:21.781 I/YAHFA-Native(22553): Start findAndBackupAndHook for non-static method openConnection()Ljava/net/URLConnection; 01-09 16:52:21.781 I/YAHFA-Native(22553): target method is at 0x7045f5e8, hook method is at 0xef84fea8, backup method is at 0xef84fe80 01-09 16:52:21.781 I/YAHFA-Native(22553): hook and backup done 01-09 16:52:21.781 I/YAHFA (22553): Start hooking with item lab.galaxy.demeHookPlugin.Hook_File_init 01-09 16:52:21.782 D/YAHFA (22553): target method param count is 1 01-09 16:52:21.782 I/YAHFA-Native(22553): Start findAndBackupAndHook for non-static method (Ljava/lang/String;)V 01-09 16:52:21.782 I/YAHFA-Native(22553): target method is at 0x705f30d0, hook method is at 0xef84ff78, backup method is at 0xef84ff50 01-09 16:52:21.782 I/YAHFA-Native(22553): hook and backup done 01-09 16:52:21.782 I/YAHFA (22553): Start hooking with item lab.galaxy.demeHookPlugin.Hook_TelephonyManager_getDeviceId 01-09 16:52:21.783 D/YAHFA (22553): target method param count is 0 01-09 16:52:21.783 I/YAHFA-Native(22553): Start findAndBackupAndHook for non-static method getDeviceId()Ljava/lang/String; 01-09 16:52:21.783 I/YAHFA-Native(22553): target method is at 0x70618c68, hook method is at 0xef850020, backup method is at 0x0 01-09 16:52:21.783 W/YAHFA-Native(22553): Origin method is null. Cannot call origin 01-09 16:52:21.783 I/YAHFA-Native(22553): hook and backup done 01-09 16:52:21.883 W/YAHFA (22553): open file /system/framework/QPerformance.jar

但是 我没有这个app的代码，不知道他是怎么写的，

我把我的demo整个prj上传一下， https://github.com/galenzhao/testhook 如果方便的话能不能看看是什么问题，

谢谢，

刚刚接触这些方面的内容， 可能是我哪里写的有问题，

[xiangjun-zeng]

说下我的测试现象，使用的是修改手机参数案例。从两个地方添加Demo结果不一样 ,1.克隆app处安装 hook成功，2.外置存储 安装，hook失败 怀疑virtualapp加载dex 问题，导致hook的位置 不全

[xujiaoyong]

确实是的，我也是MIUI 6.0版本，用demo可以hook住File方法，但是openURLConnection和TelephonyManager.getDeviceId都不能被hook，提示hook done，但是真正调用的时候并没有起到作用。同样的apk和同样的demoHookPlugin在另外一个MIUI6.0上居然正常运行。。。。

[rk700]

应该与dex编译为oat有关，比如方法入口被硬编码或者内联优化了

如果可以的话，对比下oat文件中方法的机器指令，可以用oatdump

[AllenMeex]

@xiangjun-zeng 我的情况跟你一样，部分手机(目前测到vivo x7/x9) 部分方法在外置存储安装app的情况下Hook失败，无法调用到hook方法，log里没看到异常。直接克隆已安装app可以正常Hook