A hooking framework for commercial Android emulators (雷电模拟器, NOX, BlueStacks).
As you may know, these commercial emulators use an x86 (kernel) and ARM (user land) mixed-mode method to accelerate emulation, which makes it difficult to hook the native ARM libraries. This emulator hooking framework is intended to solve that problem.
- Modify the jni/realinject.c file. You can hook functions either by address or by the function's symbol name:

  ```c
  static struct hook_t eph1;
  static struct hook_t eph_sendto;
  ...
  ...
  /* On BlueStacks */
  //hook_by_addr(&eph1, "arm/libc.so", target_addr, hook_func1);
  /* Other emulators */
  hook_by_name(&eph_sendto, "nb/libc.so", "sendto", hook_sendto);
  ```

  Notice: if you are hooking system libraries such as "libc.so", make sure you give the path of the ARM version of the binary.
- Run `ndk-build`.
- Push the following 3 binaries to the Android /data/local/tmp directory:

  ```
  libs/x86/stalker
  libs/x86/libinject.so
  libs/armeabi/librealinject.so
  ```

  Or just run push.cmd.
- On Android, type `./stalker [pid]`.
- For NOX emulator, you should use the Android 5.1.1 instead of the default 4.4.2.
- Also see this repo: XEHook.
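The hook_by_name call above needs a replacement function to point at. The following is an added example, not code from this project, of a logging sendto hook of the kind an analyst installs to observe an app's outbound traffic inside the emulator. It assumes the framework hands back the original function through a pointer named orig_sendto (an assumption; the real mechanism is framework-specific), and describe_sendto and hook_last_log are hypothetical helpers.

```c
/* Added example: logging replacement for libc's sendto(). Not part of the
 * original project; orig_sendto is an assumed hand-off from the framework. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Assumed to be overwritten by the framework with the trampoline to the real
 * sendto; it defaults to libc's own so this file also runs stand-alone. */
static ssize_t (*orig_sendto)(int, const void *, size_t, int,
                              const struct sockaddr *, socklen_t) = sendto;

/* Last log line the hook produced, kept so callers (and tests) can read it. */
static char last_log[256];

/* Render destination and payload length as "sendto <proto> <host>:<port> len=N".
 * Handles IPv4, IPv6 and the NULL destination of a connected socket. */
int describe_sendto(const struct sockaddr *dst, socklen_t dlen, size_t len,
                    char *out, size_t outsz) {
    char host[INET6_ADDRSTRLEN] = "?";
    unsigned port = 0;
    const char *proto = "unknown";
    if (dst && dst->sa_family == AF_INET && dlen >= sizeof(struct sockaddr_in)) {
        const struct sockaddr_in *a = (const struct sockaddr_in *)dst;
        inet_ntop(AF_INET, &a->sin_addr, host, sizeof host);
        port = ntohs(a->sin_port);
        proto = "ipv4";
    } else if (dst && dst->sa_family == AF_INET6 &&
               dlen >= sizeof(struct sockaddr_in6)) {
        const struct sockaddr_in6 *a = (const struct sockaddr_in6 *)dst;
        inet_ntop(AF_INET6, &a->sin6_addr, host, sizeof host);
        port = ntohs(a->sin6_port);
        proto = "ipv6";
    } else if (!dst) {
        proto = "connected";
    }
    return snprintf(out, outsz, "sendto %s %s:%u len=%zu", proto, host, port, len);
}

/* Replacement installed in place of sendto: log the call, then pass through. */
ssize_t hook_sendto(int fd, const void *buf, size_t len, int flags,
                    const struct sockaddr *dst, socklen_t dlen) {
    describe_sendto(dst, dlen, len, last_log, sizeof last_log);
    fprintf(stderr, "%s\n", last_log);   /* visible from the adb shell */
    return orig_sendto(fd, buf, len, flags, dst, dlen);
}

const char *hook_last_log(void) { return last_log; }
```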
Thanks to these gurus' work; it made my life much easier. https://github.com/zhengmin1989/TheSevenWeapons/tree/master/LiBieGou