chickenhook

Introduction: A linux / android hooking framework
More: Author   ReportBugs   
Tags:
Build & Test
macOS macOS Build & Test
Linux Linux Build & Test

ChickenHook logo

General

ChickenHook is a multi architecture hooking framework.

Supported architectures: x86, arm64, x86_64 (experimental) Supported platforms: Android, Linux

Example usage

Linux

Hack some applications using ChickenHook + StaticInjector (Linux Wrapper)

See more at: StaticInjector

Here are some examples hacks using StaticInjector

Firefox

Check this video (Please enable subtitles):

Skype

Check this video (Please enable subtitles):

http://img.youtube.com/vi/kbrenIx8OrI/0.jpg

Read more in our wiki: How to create a linux attack (skype example) "How to create a linux attack (step by step guide)")

Android

Hook AndroidRuntime (ART)

See more at: ChickenTime

Requirements

  • ant

Linux and MacOS

  • cmake
  • make

Android

  • Android SDK
  • Android NDK
  • Android Studio (Optional)

Usage

  1. Create the hook function (the function that should be called instead of the original function)

example here shows a hook function for libc's open

ssize_t my_read(int __fd, void *__buf, size_t __count) {
    __android_log_print(ANDROID_LOG_DEBUG, "my_read", "read called [-] %d", __fd);

    // <== add your code before real call here

    // yeah we're inside! But sometimes you want to call the original function also.
    // For this purpose we try to retrieve the corresponding trampoline.
    // So let's retrieve our trampoline in order to call the original function "read"
    int res = -1;
    ChickenHook::Trampoline trampoline;
    if (ChickenHook::Hooking::getInstance().getTrampolineByAddr((void *) &read, trampoline)) {
        __android_log_print(ANDROID_LOG_DEBUG, "my_read",
                            "hooked function call original function");
        printLines(hexdump(static_cast<const uint8_t *>(__buf), __count, "read"));

        // retrieve the real read call address
        ssize_t (*_read)(int, void *, size_t) =(ssize_t (*)(int, void *,
                                                            size_t)) trampoline.getRealCallAddr();
        // if read != nullptr we have a valid address and call it
        // if read ==nullptr we have to copy the original code of read.
        if (_read == nullptr) {
            // !! WARNING !! This is a very risky workaround.
            // * Race condition can lead to crashes
            // * Multithreading and semaphores in target function or it's callee's can lead to deadlocks
            trampoline.copyOriginal();
            res = read(__fd, __buf, __count);
            trampoline.reinstall();
        } else {
            // Very save method. Available for most of all functions
            res = _read(__fd, __buf, __count);
        }
    } else {
        __android_log_print(ANDROID_LOG_DEBUG, "my_read",
                            "hooked function cannot call original function");
    }

    // <== manipulate results here

    return res;
}
  1. Inject the trampoline (enable the hook)
    ChickenHook::Hooking::getInstance().hook((void *) &read, (void *) &my_read);

Build

Currently ChickenHook can be build for Linux and Android and MacOs.

Linux

ant configure-linux compile-linux test-linux

artifacts will be in build/libs/

Android

Use as an Android Studio project or:

ant configure-android compile-android test-android

MacOS

ant configure-mac compile-mac test-mac install-mac

artifacts will be in ./artifactsOut

Include in your Project

  1. Fetch artifacts via ANT
    <target name="artifacts">
        <mkdir dir="artifacts"/>
        <get src="https://dev.azure.com/ChickenHook/ChickenHook/_apis/build/builds/101/artifacts?artifactName=ChickenHook&amp;api-version=5.1&amp;%24format=zip" dest="artifacts/ChickenHook.zip"/>
        <unzip src="artifacts/ChickenHook.zip" dest="artifacts/"/>

        <get src="https://dev.azure.com/ChickenHook/ChickenHook/_apis/build/builds/99/artifacts?artifactName=BeaEngine&amp;api-version=5.1&amp;%24format=zip" dest="artifacts/BeaEngine.zip"/>
        <unzip src="artifacts/BeaEngine.zip" dest="artifacts/"/>
    </target>
  1. Include into your CMake project Includes
target_include_directories(${PROJECT_NAME} PUBLIC
        ${CMAKE_SOURCE_DIR}/artifacts/ChickenHook/${CMAKE_SYSTEM_NAME}-${CMAKE_SYSTEM_PROCESSOR}/include/
        ${CMAKE_SOURCE_DIR}/artifacts/BeaEngine/${CMAKE_SYSTEM_NAME}-${CMAKE_SYSTEM_PROCESSOR}/include/
        )

Static libraries

target_link_libraries(${PROJECT_NAME}
        # add chickenhook here
        ${CMAKE_SOURCE_DIR}/artifacts/ChickenHook/${CMAKE_SYSTEM_NAME}-${CMAKE_SYSTEM_PROCESSOR}/lib/libChickenHook.a
        ${CMAKE_SOURCE_DIR}/artifacts/BeaEngine/${CMAKE_SYSTEM_NAME}-${CMAKE_SYSTEM_PROCESSOR}/lib/libBeaEngine_s_d_l.a
        log
        dl
        )

Other Projects

Project Description
ChickenHook A linux / android / MacOS hooking framework
BinderHook Library intended to hook Binder interface and manipulate events
RestrictionBypass Android API restriction bypass for all Android Versions
AndroidManifestBypass Android API restriction bypass for all Android Versions
..
Apps
About Me
GitHub: Trinea
Facebook: Dev Tools