shadowhook v2.0.0

[caikelun]

Announcements

1. Compatible with Android 16.

At this moment, it is compatible up to Android 16 QPR1 Beta3.

New Features

1. Added instruction-level intercept functionality.

Hook and Intercept Overview, Intercept and Unintercept

2. "Mode" is no longer a global setting; each hook proxy function can specify its own mode.

Default Hook Mode

3. Added multi mode.

On the same hook target function, multi mode proxy functions can coexist with shared mode proxy functions. Compared to shared mode, multi mode does not prevent recursive call loops between proxy functions, but it does offer better performance.

Default Hook Mode, Proxy functions in multi mode

4. Added an API and initialization parameters for globally disabling shadowhook.

Disabling shadowhook

Bug Fixes

1. Fixed a rare crash in the unhooked function during unhooking.

The crash occurred because the unhooked function might be executing a trampoline instruction in an ELF gap during unhooking. If the trampoline instruction was immediately cleared, a SIGILL would occur. The trampoline instruction in the ELF gap is now cleared lazily.

2. Fixed a crash that could occur when hooking a function whose address ends with FF4, FF8, or FFC.

This was caused by a memory bounds check bug in the trampo module.

Improvements

1. Overall stability improvements.

• Disabled the "Use 16-byte (aarch64) and 8-byte (aarch32) jumps at hooked locations" option in the release version; only 4-byte instruction jumps are currently used.
• Expanded the island type, adding the ability to use the address space of unused functions in the ELF as an island trampoline.

2. Optimized the execution speed of the shadowhook_hook_sym_addr() API.

For aarch64, we assume that the hooked function has at least one instruction. Therefore, when using 4-byte instruction jumps, it is no longer necessary to query symbol information to confirm the function length.

3. Optimized the performance of writing operation records.

• Avoided repeated requests for the caller lib_name within a short period of time.
• When specifying the hook location by address, the lib_name and sym_name are no longer actively queried.
• When operation records is enabled, the execution speed of all shadowhook_hook_*() APIs is also indirectly optimized.

公告

1. 兼容 Android 16。

此刻，兼容到 Android 16 QPR1 Beta3。

新特性

1. 新增了指令级 intercept 功能。

hook 和 intercept 概述，intercept 和 unintercept

2. “模式”不再是全局设置，每个 hook 代理函数可以指定自己的模式。

默认 hook 模式

3. 新增了 multi 模式。

在同一个 hook 目标函数上，“multi 模式的代理函数”可以与“shared 模式的代理函数”共存。相对于 shared 模式，multi 模式没有“避免代理函数之间形成递归环形调用”的能力，但是性能优于 shared 模式。

默认 hook 模式，multi 模式的代理函数

4. 新增了全局禁用 shadowhook 的 API 和初始化参数。

禁用 shadowhook

Bugs 修复

1. 修复了偶发的 unhook 时“被 unhook 函数”发生崩溃的 bug。

崩溃原因是：unhook 时，被 unhook 的函数可能正在执行 ELF gap 中的跳板指令，这时如果立刻将跳板指令清除，则会发生 SIGILL。现在将ELF gap 中的跳板指令改为延迟清除。

2. 修复了当被 hook 函数地址末尾是 FF4 或 FF8 或 FFC，hook 时有一定概率发生崩溃的 bug。

这是由于 trampo 模块的内存边界判断 bug 导致的。

改进

1. 优化了整体的稳定性。

• 在 release 版本中禁用了“在被 hook 位置使用 16 字节（aarch64）和 8 字节（aarch32）跳转”的选项，目前只使用 4 字节指令跳转。
• 扩展了 island 类型，新增了使用 ELF 中不使用的函数的地址空间作为 island 跳板的能力。

2. 优化了 shadowhook_hook_sym_addr() API 的执行速度。

对于 aarch64 来说，我们假设了被 hook 函数至少有一条指令。于是在使用 4 字节指令跳转时，不再需要先通过查询符号信息来确认函数的长度。

3. 优化了操作记录的写入性能。

• 避免了在短时间内多次重复获取 caller lib_name。
• 当通过地址指定 hook 位置时，不再主动查询 lib_name 和 sym_name。
• 当启用操作记录功能时，也间接优化了所有 shadowhook_hook_*() API 的执行速度。

---

This discussion was created from the release shadowhook v2.0.0.