One, foreword

Before writing “install X guide Xposed installation and configuration”, someone feedback mobile phone root risk is larger, and the operation cost is high, what method is not root can achieve hook or don’t need Xposed can play plug-in? So there is this article, leave Xposed, with you free root hook!

Second, the VirtualApp

1. Introduction to VirtualApp

At present, VA is widely used in plug-in development, no perceptual thermal update, automation, multi-open and other technical fields, but it is not limited to this. Android itself is an extremely open platform, and the Feature of running APK without installation opens up infinite possibilities —– it all depends on your imagination.

Thanks to asLody, it is said that he wrote this project only in the second year of high school, I admire him

  • VirtualApp project address:
  1. Github.com/asLody/Virt…

2. The principle of VirtualApp

VirtualApp spooks a set of framework code to implement that all applications started in its process run in a virtual space.

  • VirtualApp source code learning and principle analysis
  1. Blog.csdn.net/leif_/artic…
  2. Blog.csdn.net/ganyao93954…

3. Problems with VirtualApp usage

Github code, the author has not continued to open source updates, you can see all the subsequent modifications, are operating on the author’s commercial version, so there may be some bugs in use.

In fact, you can see the “commercial version”, regardless of stability and compatibility, have done a lot of repair and change, the most important is to support Dalvik and Art Java Hook(API with Xposed), unfortunately in the author did not open source, we can not personally in order to learn to buy the “commercial version” ~

Special note: the author makes it clear that if the project needs to be put into commercial use, please purchase the “commercial edition”. Here we only do technology learning to use

4. VirtualHook is introduced

As mentioned above, we cannot Hook with the “commercial version” of VirtualApp. To be precise, the author did not disclose the Api of Hook.

Next I would like to introduce another project based on VirtualApp transformation — VirtualHook. The difference between VirtualApp and VirtualHook is not to be mixed up, thanks to rK700 open source VirtualHook and YAHFA

1) VirtualHook Project address:
  1. Github.com/rk700/Virtu…
2) VirtualHook Composition:

VirtualHook is a tool for hooking application without root permission. It is based on two projects:

  • VirtualApp. It’s a plugin framework which allows running applications in its virtual space.
  • YAHFA . It’s a hook framework for ART which allows hooking Java method of the application.
3) VirtualHook injection
  • The key point,VirtualHookModify theVirtualAppThe core code, provide Hook injection code window
  • The following is theVirtualAppinsideVClienImplKey code for class injection
    DexClassLoader dexClassLoader = new DexClassLoader(apkPath,
            VEnvironment.getDalvikCacheDirectory().getAbsolutePath(),
            libPath,
            appClassLoader);
    // YAHFA do hook 
    HookMain.doHookDefault(dexClassLoader, appClassLoader);
Copy the code
public void findAndBackupAndHook(Class targetClass, String methodName,
String methodSig, Method hook, Method backup);
Copy the code

Third, YAHFA

1. YAHFA is introduced

YAHFA(Yet Another Hook Framework for ART) is an Art-based Hook Framework that supports the Hook and replacement of Java methods in Android 5.0 to 9.0 versions. VirtualHook is a root-free Hook implemented by YAHFA.

  • From watch snow forum:
  1. Bbs.pediy.com/thread-2167…
  • YAHFA Project Address:
  1. github.com/rk700/YAHFA

2. YAHFA principle

I can’t quite understand the principle, but I still post the analysis process of others to you. If you want to understand it, please share it with me:

  • When you write, it looks like the author’s blog is down, but put it in anyway

Rk700. Making. IO / 2017/03/30 /…

  • CSDN a blogger shared the principle of analysis

Blog.csdn.net/zhu92903326…

3.YAHFA Hook

Explain the relevant variables and methods:

  • ClassName: Specifies the name of the class to hook
  • MethodName: Specifies the method to hook
  • MethodSig: Specifies the method signature to hook
  • Hook () : This method is the logic that your hook methods need to handle
  • Backup () : is a call to the original method, generally do not need to rewrite what
1) Common methods

Such as the log.e () method. The code is as follows:

public class Hook_Log_e { public static String className = "android.util.Log"; public static String methodName = "e"; public static String methodSig = "(Ljava/lang/String; Ljava/lang/String;) I"; public static int hook(String tag, String msg) { Log.w("YAHFA", "in Log.e(): "+tag+", "+msg); return backup(tag, msg); } public static int backup(String tag, String msg) { Log.w("YAHFA", "Log.e() should not be here"); return 1; }}Copy the code
2) Static methods

Static methods and static methods are similar, the difference is that the static method in hook and Origin parameters, one Object parameter. Such as the uri.create () method. The code is as follows:

public class Hook_url { public static String className = "java.net.URI"; public static String methodName = "create"; public static String methodSig = "(Ljava/lang/String;) Ljava/net/URI;" ; Public static Object hook(String url) {// Change the url value url = "http://www.baidu.com"; return origin(url); } public static Object origin(String url) { Log.w("YAHFA", "String.startsWith() should not be here"); return url; }}Copy the code
3) Anonymous inner classes

An inner class is just a compile-time concept. Once compiled, two different classes will appear. For example, if the class outClass has an intClass in it, then the compiled class will have a class named outClass.class and an outClass$intClass.class. So specify a.b.c.utClass $intClass in className

4. Obtain the signature descriptor of the method

1) The method signature descriptor consists of the signature of the parameter in parentheses and the signature of the return value outside parentheses:
Public static int e(String tag, String MSG) corresponds to (Ljava/lang/String; Ljava/lang/String;) ICopy the code
2) Reference table for each type
  • Except for Boolean and long, which are Z and J, respectively, the other descriptors correspond to the uppercase first letter of the Java type name. In addition, the descriptor of void is V
File Desciptor Java Language Type
Z boolean
B byte
C char
S short
I int
J long
F float
D double
V void
[ array
L + type stroke +; Reference types
  • Description:
  1. Arrays are represented by [and two-dimensional arrays [[. For example:[Ljava/lang/String;The correspondingString[].

Lcom/ Tencent/WCDB /Cursor; Lcom/ Tencent/WCDB /Cursor; Lcom/ Tencent/WCDB /Cursor Adb: Ljava/lang/String; Ljava/lang/String; adb: Ljava/lang/String;

1. View Java classes javap -s java.awt.Label 2. Javap-s-bootclasspath "D:\Program Files\Android\android-sdk\platforms\ Android-25 \android.jar" javap-s-bootclasspath "D:\Program Files\Android\android-sdk\platforms\ Android-25 \android.jar" -classpath bin/classes android.app.Activity 3. View the class way of third-party Jar javap - s - the classpath "D: \ AMap_Location Jar" com. Amap. API. Location. AMapLocationCopy the code

VirtualHook with YAHFA tutorial

We use VirtualHook to do this. The general steps are as follows:

  1. git clone VirtualHookProject or download the source code
  2. newmoduleAnd configure it as a plug-in
  3. willmodulePack it into an APK and put it inside your phone
  4. inVirtualHookInside, clone the target App and load the plug-in APK

The project directory structure is as follows:

  • applibVirtualAppThe relevant code
  • YAHFAHookThe framework code
  • demoHookPluginIs a plug-inmodule

1. Configure the plug-in Module

Set meta-data in androidmanifest.xml for plugin module to true

<application
    android:label="@string/app_name">
    <meta-data
        android:name="yahfa.hook.plugin"
        android:value="true"
    />
</application>
Copy the code

2. Configure the Hook class

If we need to deal with the Hook e () method, a new Hook_Log_e class, and in the lab. The galaxy. Yahfa. HookInfo configuration (not configuration, Hook effect), the code is as follows:

public class HookInfo {
    public static String[] hookItemNames = {
           "lab.galaxy.yahfa.demoPlugin.Hook_Log_e",
    };
}
Copy the code

Note: The package name of the HookInfo class should be changed at the same time as the package name in the hookmain.dohookdefault () method, if needed.

public static void doHookDefault(ClassLoader patchClassLoader, ClassLoader originClassLoader) {
    try {
        Class<?> hookInfoClass = Class.forName("lab.galaxy.yahfa.HookInfo", true, patchClassLoader);
        String[] hookItemNames = (String[])hookInfoClass.getField("hookItemNames").get(null);
        for(String hookItemName : hookItemNames) {
            doHookItemDefault(patchClassLoader, hookItemName, originClassLoader);
        }
        hookInfoClasses.add(hookInfoClass);
    }
    catch (Exception e) {
        e.printStackTrace();
    }
}
Copy the code

3. Verify the results

  • Here I wrote a hook wechat launch page onCreate() method.
public class Hook_Wx_Launcher {
    public static String className = "com.tencent.mm.ui.LauncherUI";
    public static String methodName = "onCreate";
    public static String methodSig = "(Landroid/os/Bundle;)V";

    public static Activity LauncherUi;

    public static void hook(Object thiz, Bundle b) {
        Log.w("czc", "LauncherUI oncreate");
        return "";
    }

    public static void backup(Object thiz, Bundle b) {
        Log.w("YAHFA", "LauncherUI backup");
        return;
    }
}
Copy the code
  • Install the packaged plug-in APK, plug-in has a small icon on the left, to make a difference, while cloning wechat toVirtualHookinside

  • Hook successfully prints the log