ByteDance's Android PLT Hook Framework bhook Open Source

ByteDance has open‑sourced bhook, an Android PLT hook framework that supports Android 4.1‑12 (API level 16‑31) and the ABIs armeabi‑v7a, arm64‑v8a, x86 and x86_64 under the MIT license. The article first explains why native hooking is needed as Android apps extend into the native layer, comparing inline hook and PLT hook, and noting that PLT hook offers controllable stability for online use but is limited to functions accessed via the PLT table.

It then dives into the ELF file format, describing the execution view, the dynamic section (.dynamic), data sections (.bss, .data, .rodata, .data.rel.ro), code sections (.text, .init_array, .plt), symbol tables (.dynstr, .dynsym, .hash, .gnu.hash), and how the linker performs relocation using mmap, mprotect, and init_array.

The core of bhook is presented: a DL monitor that hooks dlopen, android_dlopen_ext, and dlclose to detect newly loaded or unloaded shared libraries; a trampoline‑based hook mechanism that replaces GOT entries with a management function, maintains a proxy list, and prevents recursive or circular calls by tracking an execution stack; and a native crash‑catching module that uses sigsetjmp/siglongjmp to protect memory reads/writes from SIGSEGV and SIGBUS, with considerations for thread‑safety, async‑signal safety, and avoiding locks or heap allocations.

Code snippets are included, such as the TRY macro for signal handling:

int *p = NULL; TRY(SIGSEGV, SIGBUS) { *p = 1; } CATCH() { LOG("There was a problem, but it's okay."); } EXIT

and the list of internal symbols hooked in dlopen/android_dlopen_ext for Android 7.x linker and Android 8.0+ libdl.so.

The article concludes with best‑practice guidelines for using the crash‑catching module and a brief note about ByteDance’s Client Infrastructure team and its hiring.