[Q] Is Java native function unhookable? - Xposed General

I have used NDK development techs to create a simple Android App that connects remote server using socket.
The JNI method name is "public native static void doConnect(String ip,int port,String imei);"
While my attempt to hook it results in "java.lang.NoSuchMethodError"
Is Xposed not able to hook JNI functions?
PS: If there is a function hooked, how can I get the parameters it received?

XDAchushu10 said:
I have used NDK development techs to create a simple Android App that connects remote server using socket.
The JNI method name is "public native static void doConnect(String ip,int port,String imei);"
While my attempt to hook it results in "java.lang.NoSuchMethodError"
Is Xposed not able to hook JNI functions?
PS: If there is a function hooked, how can I get the parameters it received?
Click to expand...
Click to collapse
I've read this post: http://forum.xda-developers.com/xposed/creating-nfc-module-nosuchmethoderror-t2811440
The problem is that I didn't list the paramters in "findAndHookMethod".
And that's it! It's been solved.

Related

[Q] Can Xposed hook native methods?

Letts assume there is a method
public static native boolean doSomething(params...);
which gets called by regular Java code.
Can Xposed hook it?
EDIT: I'm wrong, see rovo's answer.
Yes, native methods can be hooked. However, in case this is for an app's code, it has to be done after System.loadLibrary(), otherwise the latter overwrites the hook. Ideally, the framework should take care of this itself, but it's not straight-forward and the has been vey little need for this.
rovo89 said:
Yes, native methods can be hooked. However, in case this is for an app's code, it has to be done after System.loadLibrary(), otherwise the latter overwrites the hook. Ideally, the framework should take care of this itself, but it's not straight-forward and the has been vey little need for this.
Click to expand...
Click to collapse
I've always assumed this wasn't the case. Just to clarify, Xposed is able to hook native functions, but not (native) C/C++ code/libraries? I've read more than once it can't so I'm a bit confused. Thanks for the correction.
GermainZ said:
Just to clarify, Xposed is able to hook native functions, but not (native) C/C++ code/libraries?
Click to expand...
Click to collapse
Correct. Only JNI functions can be hooked, i.e. those which are declared in and called by Java code.
How to do it "after System.loadLibrary()"?
How you go about hooking such methods? I am trying to hook some API methods, mainly the ones declared in the "Connectivity" class one such example is "isTetheringSupported" however I am struggling to do so as when I hook the method directly, the hook is never executed as I believe it is being called via the java.lang.reflect.Method invoke method, and when I try and hook that method I get the following error "java.lang.NoSuchMethodError: java.lang.reflect.Method#invoke()#exact"
hwhh_1 said:
How you go about hooking such methods? I am trying to hook some API methods, mainly the ones declared in the "Connectivity" class one such example is "isTetheringSupported" however I am struggling to do so as when I hook the method directly, the hook is never executed as I believe it is being called via the java.lang.reflect.Method invoke method, and when I try and hook that method I get the following error "java.lang.NoSuchMethodError: java.lang.reflect.Method#invoke()#exact"
Click to expand...
Click to collapse
Are you talking about EdXposed? If so it should be noted that hook not working for a particular method can also be a result of art compiler optimizations. E.g. if the method is simple and not called from many places, compiler will include body of such method directly into methods that call that method. It's called inlining. So while you can see method at source code level, during runtime it's empty and never called as original body became part of another method. To overcome this you have to find a different strategy, e.g. hook such methods that are less likely to become inlined.
C3C076 said:
Are you talking about EdXposed? If so it should be noted that hook not working for a particular method can also be a result of art compiler optimizations. E.g. if the method is simple and not called from many places, compiler will include body of such method directly into methods that call that method. It's called inlining. So while you can see method at source code level, during runtime it's empty and never called as original body became part of another method. To overcome this you have to find a different strategy, e.g. hook such methods that are less likely to become inlined.
Click to expand...
Click to collapse
In order to see if it inlined, there is a setting in EDXPOSED to deoptimize boot image.

[Q] Hook and run outside

Hello,
Im looking to hook a method(gaining some info) and then execute command externally from the hook. Is there a way to run code from the xposed module app after the hook is applied?
Yes,
If method from class then XposedHelpers.callMethod(params);
If from helper (nothing with UI, activity, etc) then simply Helper.doSomething()
If something other, try to use intents (broadcast intent after executing method, receive it via receiver and perform your code.

[DEV]Invoking methods from other apps

Is there a way to invoke other app's method from my app using Xposed?
I know I can hook and modify calls made by destination app, but how about invoking functions myself?
matejdro said:
Is there a way to invoke other app's method from my app using Xposed?
I know I can hook and modify calls made by destination app, but how about invoking functions myself?
Click to expand...
Click to collapse
Not directly as your app runs in different process than app you want to call.
However, you can use some kind of IPC technique.
One example is to hook foreign app and register broadcast receiver within its context which will listen for broadcasts
sent from your own app. You can then execute code (e.g. call methods) within foreign app when broadcast is received.
Ah good idea, did not think of registering broadcast receiver. Thanks!

[Q] Is static members shared between processes in XPosed hook class?

Here's what I think XPosed does:
1. Before zygote_init, hook all apis and insert xposed_before_xxx and xposed_after_xxx method (where xxx is the name of the api).
2. Load modules. Load hook class, realize it and keep it in memory of zygote. For each injecting method, add it to the private list of xposed_before/after_xxx.
3. When an new app loads (forks from zygote), it also forked the hook class and the hooked method.
4. When an app calls xxx, it actually runs xposed_before_xxx first, and the latter calls every inject method in its private list. Then the original api is called. Then xposed_after_xxx is called, and deals with itself's list.
So for each app, hook class is individual after forking from zygote. So, static members are not shared. Cause each hook class has only one instance in an app, static members act the same as non-static members. Am I right?
And by the way, how does a xposed module to communicate between processes? I've seen a post realizing its own rpc by getting context and creating a service. Any simpler ways for just single direction transferring? Currently I'm using XSharedPreference and SharedPreference, but then then the hook method can't write back anything (such as logging). Any ideas to solve this?
Thanks for reading my long & poor English...

Hooking native code from xposed module?

Hello!
I am sorry if this may be confusing as I am quite sure I don't use the right terms. What I want to do is hook native library calls/syscalls made from native code within an app. I want to use xposed to launch the code that hooks the library/system call - but I do not know how to do and how the android system will complicate things for me.
Also, it seems to me that this has not been done. So my main thought with this thread is to get some input that can help me avoid some obvious pitfalls before I start trial and error.
What would my options be if I want to modify/interact with native code from a xposed module?
If it was a normal program I could simply use ptrace or LD_PRELOAD to get the kind of access I need. But as I want to do this from an xposed module I get worried by the android system.
If I for example hook the startup of the app, and then from the xposed hook use jni to ptrace myself - would that be possible, would I need to give the original app sudo permissions, and would my ptrace survive hiding/opening the app again?
Another thought was to, as previously at the startup of the app launch jni code. But in this case find the local symbol table and modify it to jump to my hook - but I am not sure if different jni code run in the same memory space and have access to mess with each other. [And also, how often would I need to redo this modification, would android reload/restart of the app destroy my changes]
Hopefully I didn't come off as too confusing. Thanks for the help!
I think you asked me this in my thread but Ill answer it here.
Also, it seems to me that this has not been done. So my main thought with this thread is to get some input that can help me avoid some obvious pitfalls before I start trial and error.
I have hooked native code with xposed and LD_PRELOAD, you can manipulate the data via your LD_PRELOAD lib. I do not know if its been linked to public code yet. LD_PRELOAD does not require Xposed to work(just makes it easier to manage imo). Also note that i have not tested this using the newer Android OS'es(>4.4). Not (yet)necessary for my use case. I would recommend getting LD_PRELOAD to work without Xposed first. Then add the Xposed integration
What would my options be if I want to modify/interact with native code from a xposed module?
If it was a normal program I could simply use ptrace or LD_PRELOAD to get the kind of access I need. But as I want to do this from an xposed module I get worried by the android system.
I have not tried via ptrace, also note that some apps will ptrace itself for protection against reversing. LD_PRELOAD works fine for me. Personally I use LD_PRELOAD to modify the arguments and the return values but most of the time just for logging information.
If I for example hook the startup of the app, and then from the xposed hook use jni to ptrace myself - would that be possible, would I need to give the original app sudo permissions, and would my ptrace survive hiding/opening the app again?
Ptrace to me sounds more complex but it does sound cool to attempt. No sudo is needed for the app that you are hooking using LD_PRELOAD.
t436h05t said:
I think you asked me this in my thread but Ill answer it here.
Also, it seems to me that this has not been done. So my main thought with this thread is to get some input that can help me avoid some obvious pitfalls before I start trial and error.
I have hooked native code with xposed and LD_PRELOAD, you can manipulate the data via your LD_PRELOAD lib. I do not know if its been linked to public code yet. LD_PRELOAD does not require Xposed to work(just makes it easier to manage imo). Also note that i have not tested this using the newer Android OS'es(>4.4). Not (yet)necessary for my use case. I would recommend getting LD_PRELOAD to work without Xposed first. Then add the Xposed integration
What would my options be if I want to modify/interact with native code from a xposed module?
If it was a normal program I could simply use ptrace or LD_PRELOAD to get the kind of access I need. But as I want to do this from an xposed module I get worried by the android system.
I have not tried via ptrace, also note that some apps will ptrace itself for protection against reversing. LD_PRELOAD works fine for me. Personally I use LD_PRELOAD to modify the arguments and the return values but most of the time just for logging information.
If I for example hook the startup of the app, and then from the xposed hook use jni to ptrace myself - would that be possible, would I need to give the original app sudo permissions, and would my ptrace survive hiding/opening the app again?
Ptrace to me sounds more complex but it does sound cool to attempt. No sudo is needed for the app that you are hooking using LD_PRELOAD.
Click to expand...
Click to collapse
Thanks! Is there a nice way to set LD_PRELOAD on app startup using Xposed or do you simply run the shell command when configuring which apps to hook?
Wropzter said:
Thanks! Is there a nice way to set LD_PRELOAD on app startup using Xposed or do you simply run the shell command when configuring which apps to hook?
Click to expand...
Click to collapse
Hooking the app and setting your native hooks is easy in Xposed, after you hook your package just load your lib with your hooks.
System.load("/data/data/org.xxx.app/lib/xxx.so");
The application will default use the preloaded lib you injected(same as LD_PRELOAD without the mess of bash).
It took more time to write code that would enable and disable the hooks inside the hook lib.
Now I have got it working with LD_PRELOAD manually, but using Xposed I do not seem to be able to load the library before libc - that is my replacement function is never called as the symbol was already loaded. Are you using the deprecated IXposedHookCmdInit to be able to load the package earlier? [If I remember correctly you were also hooking libc]
This is my code for the Xposed App.
if (lpparam.packageName.equals("app.to.hook")) {
System.load("/data/data/app.to.hook/lib/hook.so");
XposedBridge.log("Loaded native hook");
}

Categories

Resources