Hi Collin,
thanks for the great work!
I'm trying to hook a method of a very simple test app, but dalvik_hook can't resolve its class.
I checked many times that the name is correct (even in the smali code) but it just can't hook it.
I added in the code some log debug strings. I tried this code with different android versions: 2.3.3, 4.1.2, 4.2.2, 4.3.
Could you please help me?
All the code (including the log) is here: https://github.com/boh717/ddi-testing

hi,
for yunos, dlopen libdvm.so is ok, however,
when I dlsym dvmFindLoadedClass:
"_Z18dvmFindLoadedClassPKc",
"dvmFindLoadedClass"
it will always return NULL

Hi, I am very impressed the research VirtualSwindle based on ddi tool. :)
So, I want to use this tool to see method call. But, when I hook a method with ddi tool, some apps crash with segmentation fault.

I just hooked a method named toString() as the sample code strmon.c. My toy app works well; but some apps crash with segmentation fault. For example, I tried hooking toString() in the application Kakao talk, which is famous messenger app in Korea.

I asked this issue to Collin by mail. He answered it is likely that the function is called by multiple threads. It will lead to a crash. I confirmed that kakaotalk is implemented with threads.

So, my question is how can I make this tool work in multithread environment. Do you have any idea? Can you give me a hint where I should modify the tool?

According to @odexcide on Twitter, when hooking things in system_server, ddi always crashes even with a pass through hook.

The conversation started here but moved to Collin's private email. The following is the part that precedes the move to private email.

<@odexcide> @jduck @collinrm Have u been able to hook system_server successfully w/ DDI? Always crashes even with a pass through hook for me.
<@collinrm> @odexcide @jduck what Android version?
<@odexcide> @collinrm @jduck 4.2.2 Galaxy Nexus
<@odexcide> @collinrm @jduck The crash doesn't have my lib in the back trace and looks like it is coming from JIT. The same hook in apps works fine.
<@collinrm> @odexcide @jduck hooking code in system_server works, 4.2.2 should also not be an issue. Does it crash when executing the hook? or earlier?
<@odexcide> @collinrm @jduck It will hook successfully but will crash later during exec. short after other times after a while. Same result in emulator.
<@jduck> @odexcide @collinrm maybe stuff is getting moved and pointers hard coded? I'm not familiar with the internals of ddi
<@collinrm> @odexcide @jduck does it ever execute or crash on the first try?
<@odexcide> @collinrm @jduck Executes sometimes but always crashes...getting some log and more info for you

Great tool. I am experiencing crashing issues that don't appear to be directly related to my interception code. After running apps for some time, I eventually get a crash (in libdvm.so), look at the tombstone file, and then may or may not see my interception library. If my library is involved, it is often not the last call in the stack trace, but a few calls back (mapping to some JNI routine I call). I do not see anything obvious in the logs. Final crash is in libdvm.so or libc, any ideas on how to debug?

Also I do not seem able to hijack my own Apps. I am writing apps with ADT 23.0.2.1259578. The app seems to crash immediately when I attempt to inject it. Anyone else experiencing this?

first of all thank you develop a good android hooking framework :-)

i was success some method hooking but i was fail hooking "getPackageInfo".
getPackageInfo was patched
but, my native function "sb21_getPackageInfo" was not called

Did you know what the problem is?

1. "dalvik_dump_class(&dex, "Landroid/content/pm/PackageManager;");" result==================

01-08 13:49:13.354: I/dalvikvm(16192): 56: 0x6d617968 getPackageInfo (Ljava/lang/String;I)Landroid/content/pm/PackageInfo;

1. source code===================================================================

static void* sb21_getPackageInfo(JNIEnv *env, jobject obj, jobject str, jint i)
{
// patch code
}

dalvik_hook_setup(&sb21,
"Landroid/content/pm/PackageManager;",
"getPackageInfo",
"(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;",
3,
sb21_getPackageInfo);

1. dalvik_hook debug info==========================================================
   gDvm = 0x41642e18
   dalvik_hook: class Landroid/content/pm/PackageManager;
   class = 0x416eb060
   getPackageInfo((Ljava/lang/String;I)Landroid/content/pm/PackageInfo;) = 0x6d645968
   nativeFunc 415e5e59
   insSize = 0x3 registersSize = 0x3 outsSize = 0x0
   shorty LLI
   name getPackageInfo
   arginfo 0
   noref access 501
   access 501
   patched getPackageInfo to: 0x7479d828

Hi thanks for the great tool! However I found I cannot hook functions like android.telephony.SmsManager.sendTextMessage. By turning the debug option in dalvik_hook.c (h->debug_me = 1), I found the reason is class android.telephony.SmsManager resolved to NULL

The log is:

E/hook-dexstuff(  238): dvmInitClass = 0x4075bd49
E/hook-dexstuff(  238):   _Z36dvmFindVirtualMethodHierByDescriptorPK11ClassObjectPKcS3_ = 0x4075c72d
E/hook-dexstuff(  238): _Z31dvmFindDirectMethodByDescriptorPK11ClassObjectPKcS3_ = 0x4075c7c1
E/hook-dexstuff(  238): _Z17dvmIsStaticMethodPK6Method = 0x40739fed
E/hook-dexstuff(  238): dvmAllocObject = 0x40746715
E/hook-dexstuff(  238): _Z14dvmCallMethodVP6ThreadPK6MethodP6ObjectbP6JValueSt9__va_list = 0x40751481
E/hook-dexstuff(  238): _Z14dvmCallMethodAP6ThreadPK6MethodP6ObjectbP6JValuePK6jvalue = 0x40751339
E/hook-dexstuff(  238): _Z22dvmAddToReferenceTableP14ReferenceTableP6Object = 0x40742995
E/hook-dexstuff(  238): _Z16dvmSetNativeFuncP6MethodPFvPKjP6JValuePKS_P6ThreadEPKt = 0x4075a637
E/hook-dexstuff(  238): _Z15dvmUseJNIBridgeP6MethodPv = 0x4073ef75
E/hook-dexstuff(  238): _Z20dvmDecodeIndirectRefP6ThreadP8_jobject = 0x4073bc99
E/hook-dexstuff(  238): _Z21dvmLinearSetReadWriteP6ObjectPv = 0x4074004b
E/hook-dexstuff(  238): _Z22dvmGetCurrentJNIMethodv = 0x4073f169
E/hook-dexstuff(  238): _Z20dvmFindInstanceFieldPK11ClassObjectPKcS3_ = 0x4075c59d
E/hook-dexstuff(  238): _Z16dvmCallJNIMethodPKjP6JValuePK6MethodP6Thread = 0x4073ece1
E/hook-dexstuff(  238): _Z17dvmDumpAllClassesi = 0x4075a685
E/hook-dexstuff(  238): _Z12dvmDumpClassPK11ClassObjecti = 0x4075a681
E/hook-dexstuff(  238): _Z18dvmFindLoadedClassPKc = 0x4075a645
E/hook-dexstuff(  238): _Z16dvmHashTableLockP9HashTable = 0x4073a1a7
E/hook-dexstuff(  238): _Z18dvmHashTableUnlockP9HashTable = 0x4073a1ad
E/hook-dexstuff(  238): _Z14dvmHashForeachP9HashTablePFiPvS1_ES1_ = 0x407374a1
E/hook-dexstuff(  238): _Z13dvmInstanceofPK11ClassObjectS1_ = 0x40736025
E/hook-dexstuff(  238): gDvm = 0x4079c1a8
E/hook-dexstuff(  238): dalvik_hook: class Landroid/telephony/SmsManager;
E/hook-dexstuff(  238): class = 0x0
E/hook-dexstuff(  238): target_cls == 0
E/hook-dexstuff(  238): dalvik_hook: class Ljava/lang/String;
E/hook-dexstuff(  238): class = 0x40a060b8
E/hook-dexstuff(  238): equalsIgnoreCase((Ljava/lang/String;)Z) = 0x435fb6a8
E/hook-dexstuff(  238): nativeFunc 0
E/hook-dexstuff(  238): insSize = 0x2  registersSize = 0xe  outsSize = 0x2
E/hook-dexstuff(  238): shorty ZL
E/hook-dexstuff(  238): name equalsIgnoreCase
E/hook-dexstuff(  238): arginfo 0
E/hook-dexstuff(  238): noref 
E/hook-dexstuff(  238): access 1
E/hook-dexstuff(  238): access 101
E/hook-dexstuff(  238): patched equalsIgnoreCase to: 0x4a19e344

Why the class cannot be resolved? java.lang.String works fine.

I'm looking at a smali file and I want to hook this one method that is marked native:

.method public static native doLog(Ljava/lang/String;Ljava/lang/String);

DDI Hooked it fine, my callback method gets called, but as soon as I try to call the original method I get a segfault. Is this something that is even possible with DDI? Is there a way to get a handle to the native function that was orginally targeted by doLog() before the hook was installed and then just invoke that directly?

Both /ddi/examples/strmon/jni/mon.c and /ddi/examples/smsdispatch/jni/smsdispatch.c cause compilation errors (on latest NDK toolchains):

ddi/examples/strmon/jni/mon.c: In function 'my_log':
ddi/examples/strmon/jni/mon.c:47:2: error: format not a string literal and no format arguments [-Werror=format-security]
ddi/examples/strmon/jni/mon.c: In function 'my_log2':
ddi/examples/strmon/jni/mon.c:52:3: error: format not a string literal and no format arguments [-Werror=format-security]

ddi/examples/smsdispatch/jni/smsdispatch.c: In function 'my_log':
ddi/examples/smsdispatch/jni/smsdispatch.c:49:2: error: format not a string literal and no format arguments [-Werror=format-security]
ddi/examples/smsdispatch/jni/smsdispatch.c: In function 'my_log2':
ddi/examples/smsdispatch/jni/smsdispatch.c:54:3: error: format not a string literal and no format arguments [-Werror=format-security]

We can work around these errors by adding LOCAL_DISABLE_FORMAT_STRING_CHECKS := true to the modules' Android.mk.
Though, I'm quite sure @jduck will soon properly fix mon.c and smsdispatch.c.

I'm trying to hook a static method that wraps Android.Log in this application I'm playing with. I couldn't find any examples that show how to hook a static method. I took a guess at the callback function signature so I think that is where my issue might be, but I'm not sure. Little help?

I do the hook setup and the method signature is:

Logger;->i(Ljava/lang/String;Ljava/langString;)V

So I specify 2 as the number of parameters (since there is no this object for static invocations).

I've also tried setting infoHook.sm = 1 after the dalvik_hook_setup call but that didn't help either.

I then make my callback function look like this:

static void* Logger_i(JNIEnv *env, jclass clazz, jobject tag, jobject message) {
  jvalue args[2];
  args[0].l = tag;
  args[1].l = message;

  dalvik_prepare(&d, &infoHook, env);
  (*env)->CallStaticVoidMethodA(env, clazz, infoHook.mid, args);
  dalvik_postcall(&d, &infoHook);

  // ... snip printers that just log the tag/message to my .log file
}

Its pretty inconvenient to use dexstuff_defineclass, because it could be many classes in dex, including local, anonymous classes. I have found the next method in dalvik:

/*
 * private static String[] getClassNameList(int cookie)
 *
 * Returns a String array that holds the names of all classes in the
 * specified DEX file.
 */
static void Dalvik_dalvik_system_DexFile_getClassNameList(const u4* args,
    JValue* pResult)
{
    int cookie = args[0];
    DexOrJar* pDexOrJar = (DexOrJar*) cookie;
    Thread* self = dvmThreadSelf();

    if (!validateCookie(cookie))
        RETURN_VOID();

    DvmDex* pDvmDex;
    if (pDexOrJar->isDex)
        pDvmDex = dvmGetRawDexFileDex(pDexOrJar->pRawDexFile);
    else
        pDvmDex = dvmGetJarFileDex(pDexOrJar->pJarFile);
    assert(pDvmDex != NULL);
    DexFile* pDexFile = pDvmDex->pDexFile;

    int count = pDexFile->pHeader->classDefsSize;
    ClassObject* arrayClass =
        dvmFindArrayClassForElement(gDvm.classJavaLangString);
    ArrayObject* stringArray =
        dvmAllocArrayByClass(arrayClass, count, ALLOC_DEFAULT);
    if (stringArray == NULL) {
        /* probably OOM */
        ALOGD("Failed allocating array of %d strings", count);
        assert(dvmCheckException(self));
        RETURN_VOID();
    }

    int i;
    for (i = 0; i < count; i++) {
        const DexClassDef* pClassDef = dexGetClassDef(pDexFile, i);
        const char* descriptor =
            dexStringByTypeIdx(pDexFile, pClassDef->classIdx);

        char* className = dvmDescriptorToDot(descriptor);
        StringObject* str = dvmCreateStringFromCstr(className);
        dvmSetObjectArrayElement(stringArray, i, (Object *)str);
        dvmReleaseTrackedAlloc((Object *)str, self);
        free(className);
    }

    dvmReleaseTrackedAlloc((Object*)stringArray, self);
    RETURN_PTR(stringArray);
}

Seems exactly what i need!

Tried to use this code this way:

void getClassNameList(struct dexstuff_t *d, JNIEnv *env, int cookie)
{
    jvalue pResult = { 0 };
    u4 args[2] = { (u4) cookie, (u4) NULL };
    d->dvm_dalvik_system_DexFile[4].fnPtr( args , &pResult );

    jobjectArray arr = pResult.l;

    int i, size = (*env)->GetArrayLength(env, arr);

    for (i = 0; i < size; i++) {
        jstring string = (jstring) (*env)->GetObjectArrayElement(env, arr, i);
        const char *rawString = (*env)->GetStringUTFChars(env, string, 0);
        log("class in dex: %s\n", rawString);
        // Don't forget to call `ReleaseStringUTFChars` when you're done.
    }
}

but get segfault on GetArrayLength with error:

W/dalvikvm( 7457): Invalid indirect reference 0x4114d2c0 in decodeIndirectRef
E/dalvikvm( 7457): VM aborting
F/libc ( 7457): Fatal signal 11 (SIGSEGV) at 0xdeadd00d (code=1), thread 7457 (ndroid.contacts)

can you help me, what am i doing wrong? thanks.

Hi, I am trying to create a logging functionality for a app I am writing. To test ddi, I ran strmon example with my app but it does not seem to work?? My app has some compareTo string operations. Can someone tell me what I am doing wrong? basically I am able to call hijack on my app but strmon.log is always empty. My app does not get killed and is working fine? could u please let me know how to use ddi strmon on my own app?

Even if I run a simple piece of code in my app; strmon.log does not seem to record it. Example code

String str = "Hello World";
String anotherString = "hello world";
Object objStr = str;
System.out.println( str.compareTo(anotherString) );

Also for com.android.contacts it just prints libstrmon: started and does not print anything else? I am really confused and would like some help to get started.

== Build libdalvikhook ==

cd dalvikhook
cd jni
ndk-build

The following is error message when I follow the instructions, Could you help me?

C:\Android\ddi\dalvikhook\jni>ndk-build
Android NDK: WARNING:C:/Android/ddi/dalvikhook/jni/Android.mk:dalvikhook: LOCAL_
LDLIBS is always ignored for static libraries
Android NDK: WARNING:C:/Android/ddi/dalvikhook/jni/Android.mk:dalvikhook: non-sy
stem libraries in linker flags: -ldvm ../../../adbi/instruments/base/obj/local/a
rmeabi/libbase.a
Android NDK: This is likely to result in incorrect builds. Try using LOCAL_S
TATIC_LIBRARIES
Android NDK: or LOCAL_SHARED_LIBRARIES instead to list the library dependenc
ies of the
Android NDK: current module
[armeabi] Compile arm : dalvikhook <= dexstuff.c
C:/Android/ddi/dalvikhook/jni/dexstuff.c: In function 'mydlsym':
C:/Android/ddi/dalvikhook/jni/dexstuff.c:23:2: warning: format '%x' expects argu
ment of type 'unsigned int', but argument 5 has type 'void ' [-Wformat=]
log("%s = 0x%x\n", name, ret)
^
C:/Android/ddi/dalvikhook/jni/dexstuff.c: In function 'dexstuff_resolv_dvm':
C:/Android/ddi/dalvikhook/jni/dexstuff.c:30:2: warning: format '%x' expects argu
ment of type 'unsigned int', but argument 4 has type 'void *' [-Wformat=]
log("dvm_hand = 0x%x\n", d->dvm_hand)
^
C:/Android/ddi/dalvikhook/jni/dexstuff.c: In function 'dexstuff_loaddex':
C:/Android/ddi/dalvikhook/jni/dexstuff.c:97:2: warning: format '%x' expects argu
ment of type 'unsigned int', but argument 4 has type 'char *' [-Wformat=]
log("dexstuff_loaddex, path = 0x%x\n", path)
^
C:/Android/ddi/dalvikhook/jni/dexstuff.c:103:2: warning: format '%x' expects arg
ument of type 'unsigned int', but argument 4 has type 'jobject' [-Wformat=]
log("cookie = 0x%x\n", pResult.l)
^
C:/Android/ddi/dalvikhook/jni/dexstuff.c: In function 'dexstuff_defineclass':
C:/Android/ddi/dalvikhook/jni/dexstuff.c:117:2: warning: format '%x' expects arg
ument of type 'unsigned int', but argument 4 has type 'void *' [-Wformat=]
log("sys classloader = 0x%x\n", cl)
^
C:/Android/ddi/dalvikhook/jni/dexstuff.c:118:2: warning: format '%x' expects arg
ument of type 'unsigned int', but argument 4 has type 'struct Object *' [-Wforma
t=]
log("cur m classloader = 0x%x\n", m->clazz->classLoader)
^
C:/Android/ddi/dalvikhook/jni/dexstuff.c:127:2: warning: format '%x' expects arg
ument of type 'unsigned int', but argument 4 has type 'void *' [-Wformat=]
log("class = 0x%x\n", ret)
^
[armeabi] Compile thumb : dalvikhook <= dalvik_hook.c
C:/Android/ddi/dalvikhook/jni/dalvik_hook.c: In function 'dalvik_hook':
C:/Android/ddi/dalvikhook/jni/dalvik_hook.c:52:3: warning: format '%x' expects a
rgument of type 'unsigned int', but argument 4 has type 'void *' [-Wformat=]
log("class = 0x%x\n", target_cls)
^
C:/Android/ddi/dalvikhook/jni/dalvik_hook.c:76:3: warning: format '%x' expects a
rgument of type 'unsigned int', but argument 6 has type 'struct Method *' [-Wfor
mat=]
log("%s(%s) = 0x%x\n", h->method_name, h->method_sig, h->method)
^
C:/Android/ddi/dalvikhook/jni/dalvik_hook.c:82:4: warning: format '%x' expects a
rgument of type 'unsigned int', but argument 4 has type 'DalvikBridgeFunc' [-Wfo
rmat=]
log("nativeFunc %x\n", h->method->nativeFunc)
^
C:/Android/ddi/dalvikhook/jni/dalvik_hook.c:113:4: warning: format '%x' expects
argument of type 'unsigned int', but argument 5 has type 'void *' [-Wformat=]
log("patched %s to: 0x%x\n", h->method_name, h->native_func)
^
C:/Android/ddi/dalvikhook/jni/dalvik_hook.c: In function 'dalvik_prepare':
C:/Android/ddi/dalvikhook/jni/dalvik_hook.c:133:4: warning: format '%x' expects
argument of type 'unsigned int', but argument 4 has type 'jclass' [-Wformat=]
log("cls = 0x%x\n", h->cls)
^
C:/Android/ddi/dalvikhook/jni/dalvik_hook.c:141:4: warning: format '%x' expects
argument of type 'unsigned int', but argument 4 has type 'jmethodID' [-Wformat=]

log("mid = 0x%x\n", h-> mid)
^

C:/Android/ddi/dalvikhook/jni/dalvik_hook.c: In function 'dalvik_postcall':
C:/Android/ddi/dalvikhook/jni/dalvik_hook.c:173:3: warning: format '%x' expects
argument of type 'unsigned int', but argument 5 has type 'void *' [-Wformat=]
log("patched BACK %s to: 0x%x\n", h->method_name, h->native_func)
^
[armeabi] StaticLibrary : libdalvikhook.a

DDI can hook the javax pacakage?

I was fail call "dalvik_dump_class(javax/class)".

Hello!
I modified the code in SMSDispatch.java and want to compile it and get a modified ddiclasses.dex.
Can somebody tell me how I can do that? My understanding is that I need to use Eclipse / Android Studio create a apk and extract the classes.dex from the apk. But which configuration exactly do I need and what should I include? ddiclasses.dex (which I converted to a jar to take a look at the classes) includes /android/support/v4 - is it necessary?

Thanks for any help.

Hi Colin

i was trying to hook String.intern() but it made the application crash with a SEGV_MAPERR while doing (*env)->CallObjectMethod(...).

#define SEGV_MAPERR (__SI_FAULT|1) /* address not mapped to object */

The strmon example works properly so I do not understand what's going on.

Below is a screenshot of the crash log from logcat. I highlighted in green my lib that has been injected.

The offset 0x000017bc refers to the line 92.

Do you have an idea of what could cause this?

Hi,
I try to hook the static method. But, when the original method is invoked, some exceptions are thrown. The example is as follow.

Java static method: Lexample;->test()V

My hook method:
void sb_test(JNIEnv _env) {
dalvik_prepare(&d, &sb, env);
(_env)->CallStaticVoidMethod(env, sb.cls, sb.mid); // Exception is here!!
dalvik_postcall(&d, &sb);
}

Is there any problem? Thank for very much!

Hi
I'm trying to hook method makeText of class android/widget/Toast
But it crash.
Please let me know code is wrong or current your library still not support?

////////Code Start

void do_patch()
{
dalvik_hook_setup(&sb1, "Landroid/widget/Toast;", "makeText", "(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;", 4, makeText);
dalvik_hook(&d, &sb1);

}

// patches
static void* makeText(JNIEnv *env, jobject context ,jobject txt, jint time)
{
log("Prepare Hook Toast\n")
dalvik_prepare(&d, &sb1, env);
jclass Toast = NULL;
jobject toast = NULL;
jmethodID makeText = NULL;

log("FindClass Toast\n")
Toast = (*env)->FindClass(env, "android/widget/Toast");
if(NULL == Toast)
{
    log("FindClass failed")
    return;
}
log("Method name = %s\n",sb1.method_name)

log("Get parameters\n")

jmethodID mid = (*env)->GetMethodID(env, (*env)->GetObjectClass(env, txt), "toString", "()Ljava/lang/String;");
jstring string = (jstring)((*env)->CallObjectMethod(env, txt, mid));
const char* utf = (*env)->GetStringUTFChars(env, string, 0);
if (utf) {
    log("txt : %s , time = %d\n", utf,time)
    (*env)->ReleaseStringUTFChars(env, string, utf);
}

log("Prepare CallStaticObjectMethod\n")
toast = (*env)->CallStaticObjectMethod(env, Toast, sb1.mid, context,txt,time);  //Crash at this line of code
if ( NULL == toast) 
{
    log("CALLSTATICOBJECT FAILED")
    return;
}

log("dalvik_postcall\n")
dalvik_postcall(&d, &sb1);

//Just test
return NULL;

}

/////Code End
Thanks you very much

I see it do "su" before run hijack. Is that mean the device must be rooted? I want use this technique in my app. And do the steps (copy *.so, get pid, run hijack) in a subclass of Application in my APP. But my customer's device may not be rooted. Is this possible to do that?

How can I use the arthook method ?

When i try to execute "./hijack -d -p 1283 -l /data/local/tmp/libexample.so" i am facing "./hijack: 1: Syntax error: word unexpected (expecting ")") this issue..

Can any one help me for this issue