
JavaTweakHook: A Lightweight Android Java Method Hook Framework without Xposed

The article introduces JavaTweakHook, a lightweight Android hook framework that avoids Xposed by directly manipulating ART structures, compares it with existing solutions, details the hook process—including method creation, ArtMethod copying, assembly trampolines, and native‑Java integration—and provides compilation, usage, and limitation notes.

Tongcheng Travel Technology Center

Design Background

The mainstream Java‑level hook framework on Android is Xposed, which requires recompiling the ART VM, is bulky, and can be detected by apps. To avoid Xposed dependence, a lightweight hook framework (JavaTweak) was created, tested on Android 5.0‑8.1, and built on ideas from Legend, SandHook, and YAHFA.

Common Framework Comparison

Xposed: Most popular, supports Android 5‑8, requires native ART recompilation, and provides XposedBridgeAPI‑xx.jar for Java plugins.

SandHook: Inline hook with annotation style, supports Android 9, works without root for internal app hooks only.

Legend: Pure Java implementation of ART hook, works up to Android 6, uses annotation‑style hooks.

YAHFA: Designed for reverse engineering, uses static hook classes, supports up to Android 10, but more cumbersome.

Hook Process

Creating an Empty Method – In Java, a Method object maps to an ArtMethod in native code; from Android 7.0 onward, empty methods can no longer be created dynamically, so stub methods are pre‑allocated.

Copying Original Method Data – Fields of ArtMethod are copied to the stub using memcpy to avoid version‑specific field mismatches.

Constructing Assembly Trampoline – The quick_compiled_code_ entry of ArtMethod is replaced with a trampoline that sets R0 to the hook method's ArtMethod address and jumps to its entry point.

Adjusting Backup Method Attributes – The backup method is made accessible, JIT is disabled, and access flags are set appropriately for different Android versions.
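
The trampoline step above leaves a recognizable shape at a method's entry point, which is one way an app or analyst can notice that a method was hooked. The following is an added example, not code from the JavaTweakHook project: it matches a two-instruction A32 sequence (`ldr r0, [pc, #imm]` then `ldr pc, [r0, #off]`) and recovers the literal loaded into R0. The instruction encoding, the function and type names, the 0x20 offset and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Result of matching the trampoline shape described above (hypothetical type). */
typedef struct {
    uint32_t art_method;   /* literal loaded into R0 */
    uint32_t entry_offset; /* offset of the field read through R0 */
} tramp_info;

/* Read a little-endian 32-bit word without alignment assumptions. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 1 if code starts with
 *   ldr r0, [pc, #imm]   ; A32: 0xE59F0000 | imm12
 *   ldr pc, [r0, #off]   ; A32: 0xE590F000 | off12
 * and the literal lies inside the captured bytes; otherwise 0. */
int match_r0_trampoline(const uint8_t *code, size_t len, tramp_info *out) {
    if (len < 8) return 0;
    uint32_t i0 = rd32(code), i1 = rd32(code + 4);
    if ((i0 & 0xFFFFF000u) != 0xE59F0000u) return 0;
    if ((i1 & 0xFFFFF000u) != 0xE590F000u) return 0;
    /* In A32 state, PC reads as the instruction address + 8. */
    size_t lit = 8 + (size_t)(i0 & 0xFFFu);
    if (lit + 4 > len) return 0;   /* literal outside the buffer */
    out->art_method = rd32(code + lit);
    out->entry_offset = i1 & 0xFFFu;
    return 1;
}

/* Constructed sample bytes, not taken from the project. */
static const uint8_t SAMPLE_HOOKED[12] = {
    0x00, 0x00, 0x9f, 0xe5,   /* ldr r0, [pc, #0] */
    0x20, 0xf0, 0x90, 0xe5,   /* ldr pc, [r0, #0x20] */
    0x78, 0x56, 0x34, 0x12};  /* placeholder address 0x12345678 */
static const uint8_t SAMPLE_NORMAL[12] = {
    0xf0, 0x4f, 0x2d, 0xe9,   /* push {r4-r11, lr}: ordinary prologue */
    0x00, 0x00, 0x9f, 0xe5, 0x78, 0x56, 0x34, 0x12};

int main(void) {
    tramp_info t = {0, 0};
    int hooked = match_r0_trampoline(SAMPLE_HOOKED, sizeof SAMPLE_HOOKED, &t);
    int normal = match_r0_trampoline(SAMPLE_NORMAL, sizeof SAMPLE_NORMAL, &t);
    return !(hooked == 1 && normal == 0 && t.art_method == 0x12345678u);
}
```

A match is a signal worth investigating rather than proof of this particular framework, since other hook frameworks can produce a similar sequence.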

Native Layer Functions

The native side registers JNI methods, loads javatweak.dex into the default class loader, monitors class loading via DexFile_defineClassNative, and hooks ClassLinker::DefineClass to intercept newly loaded classes.

Java Layer Functions

All Java code resides in com.android.guobao.liao.apptweak. Key classes include:

JavaTweakStub.java – Provides 100 private stub methods for Android 7.0+.

JavaTweakCallback.java – Callback invoked by native code on class load.

JavaTweakBridge.java – Wraps native nativeHookMethod and offers hookJavaMethod and callOriginalMethod APIs.

JavaTweak.java – Contains the public JavaTweak class and inner classes named JavaTweak_* that implement specific app hooks.

Example: JavaTweak_12306 hooks static logging methods and an instance initialization method in the target app, demonstrating the need for matching signatures (static vs. instance).

Framework Usage

Compile Native Library – Use Android NDK ndk-build to produce libjavahook.so.

Create Android Test Project – Add the compiled libjavahook.so to libs/armeabi, place two buttons for static and instance hook tests, and request the READ_PHONE_STATE permission.

Add Hook Code – Implement hook logic in the inner JavaTweak_demo class.

Run and Observe – Push javatweak.dex to /data/local/tmp, install the demo APK, and view hook logs and UI changes in Logcat.

Limitations

Tested only on real devices with Android 5.0‑8.1; Android 9+ may fail due to symbol lookup issues.

Does not support constructor hooks or cross‑process injection; injection must be handled by an external system.

Hooking may cause app crashes; delayed hooking can mitigate some problems.

Modular Design

JavaTweak is intended to be embedded as a module within the larger AndroidTweak system, which provides process injection and additional reverse‑engineering utilities, similar to a lightweight Android Cydia.

Note: All code snippets shown are for reference; the actual source is available on GitHub at https://github.com/liaoguobao/javahook.
