[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-2228":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":8,"htmlUrl":8,"language":9,"languages":8,"totalLinesOfCode":8,"stars":10,"forks":11,"watchers":12,"openIssues":12,"contributorsCount":13,"subscribersCount":13,"size":13,"stars1d":12,"stars7d":14,"stars30d":15,"stars90d":13,"forks30d":13,"starsTrendScore":16,"compositeScore":17,"rankGlobal":8,"rankLanguage":8,"license":18,"archived":19,"fork":19,"defaultBranch":20,"hasWiki":21,"hasPages":19,"topics":22,"createdAt":8,"pushedAt":8,"updatedAt":23,"readmeContent":24,"aiSummary":25,"trendingCount":13,"starSnapshotCount":13,"syncStatus":26,"lastSyncTime":27,"discoverSource":28},2228,"ptehooker","xiaokanghub\u002Fptehooker","xiaokanghub",null,"Python",143,60,1,0,5,22,3,5.36,"GNU General Public License v2.0",false,"main",true,[],"2026-06-12 02:00:39","# ptehooker\n\n**ARM64 Android traceless hook framework** — built on KernelPatch KPM + PTE UXN traps + VMA-less ghost memory,\nit implements cross-process hooks with zero byte modification, zero `.so` injection and zero `TracerPid`.\n\n- Inspired by the \"Plan C\" skeleton in section 7.2 of Kanxue forum [thread-290718](https:\u002F\u002Fbbs.kanxue.com\u002Fthread-290718.htm), engineered into a working implementation\n- Passes common user-mode anti-cheat checks (CRC scanning, `\u002Fproc\u002Fmaps` scanning, TracerPid checks, ArtMethod field scanning, etc.)\n- Targets ARM64 Android, API 30-35, kernel 4.9 \u002F 5.4 \u002F 5.10\n\n## Quick start\n\n```python\nimport ptehook\n\nsess = ptehook.attach(\"com.target.app\")\n\nsess.java_hook(\n    \"Lcom\u002Ftarget\u002FLicense;\", \"isVIP\", \"()Z\",\n    replace=1,              # make isVIP() always return true\n    unsafe_bridge=True,     # safe now that the DBI is fixed\n    wait_jit=True,          # entry_point migrates to a JIT private page, best stealth\n    jit_watch=True,         # usable now that the UAF is fixed, handles ART tier promotion automatically\n)\nsess.run()\nsess.close()\n```\n\n## Full documentation\n\n**→ [`docs\u002FARCHITECTURE_AND_USAGE.md`](docs\u002FARCHITECTURE_AND_USAGE.md)** — technical architecture \u002F threat model \u002F build and deployment \u002F API reference \u002F troubleshooting \u002F comparison with Frida\n\n## Repository layout\n\n```\nptehooker\u002F\n├── test_kmod\u002F                KPM kernel module\n│   ├── ptehook_planc_v2.c      main file: ctl commands + fault handler\n│   ├── dbi_kern.{c,h}          ARM64 DBI recompilation engine\n│   ├── ghost_mm.{c,h}          VMA-less physical page allocation\n│   └── Makefile.planc\n│\n├── pte_hookctl\u002F              Python host + device-side C tools\n│   ├── ptehook\u002F                Frida-like high-level API (Session, Action)\n│   ├── kpm_client.py           ctl command wrapper\n│   ├── shellcode.py            ARM64 shellcode generation\n│   ├── dex_parser.py           APK → method_idx\n│   ├── art_offsets.py          per-Android-API ArtMethod offset table\n│   ├── device_scanner.c        device-side C program (compiled into pte_scan)\n│   ├── examples\u002F               usage examples\n│   └── tests\u002F                  29 unit tests\n│\n└── docs\u002F                     architecture and usage documentation\n```\n\n## Build and dependencies\n\n### Dependencies\n\n- Android device + root + [APatch](https:\u002F\u002Fgithub.com\u002Fbmax121\u002FAPatch) v0.12.2+\n- Android NDK r21+ (providing `aarch64-linux-android29-clang`)\n- Python 3.8+\n- This repository is a downstream KPM of [KernelPatch](https:\u002F\u002Fgithub.com\u002Fbmax121\u002FKernelPatch); the KernelPatch source must be available locally\n\n### Build the KPM\n\n```bash\nexport KP_DIR=\u002Fpath\u002Fto\u002FKernelPatch                # required\nexport NDK_DIR=\u002Fpath\u002Fto\u002Fandroid-ndk-r21\u002Ftoolchains\u002Fllvm\u002Fprebuilt\u002Flinux-x86_64   # required\ncd test_kmod\nmake -f Makefile.planc\n# output: ptehook_planc_v2.kpm\n```\n\n### Build the device-side tool\n\n```bash\n$NDK_DIR\u002Fbin\u002Faarch64-linux-android29-clang -O2 -static \\\n    -o pte_scan pte_hookctl\u002Fdevice_scanner.c\n```\n\n### Deploy to the device\n\n```bash\nexport ADB_SERIAL=\u003Cyour-device-serial>\n\n# one-time superkey setup\nadb -s $ADB_SERIAL shell \"su -c 'mkdir -p \u002Fdata\u002Fadb\u002Fptehook && \\\n    echo YOUR_APATCH_SUPERKEY > \u002Fdata\u002Fadb\u002Fptehook\u002Fsuperkey && \\\n    chmod 600 \u002Fdata\u002Fadb\u002Fptehook\u002Fsuperkey'\"\n\n# push\nadb -s $ADB_SERIAL push test_kmod\u002Fptehook_planc_v2.kpm pte_scan \u002Fdata\u002Flocal\u002Ftmp\u002F\nadb -s $ADB_SERIAL shell \"su -c 'chmod 755 \u002Fdata\u002Flocal\u002Ftmp\u002Fpte_scan'\"\n\n# load the KPM\nSK=$(adb -s $ADB_SERIAL shell \"su -c 'cat \u002Fdata\u002Fadb\u002Fptehook\u002Fsuperkey'\")\nadb -s $ADB_SERIAL shell \"su -c '\u002Fdata\u002Fadb\u002Fkpatch $SK kpm load \u002Fdata\u002Flocal\u002Ftmp\u002Fptehook_planc_v2.kpm'\"\n```\n\n### Run the hook script\n\n```bash\ncd pte_hookctl\nADB_SERIAL=\u003Cyour-device-serial> python3 examples\u002Fhook_testapk.py\n```\n\n### Run the unit tests\n\n```bash\npython3 pte_hookctl\u002Ftests\u002Ftest_shellcode.py\n# Ran 29 tests in 0.006s \u002F OK\n```\n\n## Differences from Frida \u002F LSPlant \u002F wxshadow\n\n| Dimension | Frida | LSPlant | wxshadow | **ptehooker** |\n|---|---|---|---|---|\n| Injects a .so into the target process | ✅ | ✅ Zygisk | ✅ | **❌** |\n| ptraces the target | ✅ | ❌ | ✅ spawn | **❌** |\n| Modifies code segment bytes | ✅ | ✅ | ✅ hidden | **❌** |\n| Modifies ArtMethod bytes | — | ✅ | — | **❌ (default)** |\n| Leaves traces in `\u002Fproc\u002Fmaps` | ✅ | ✅ | ✅ | **❌ VMA-less** |\n| JS hot reload | ✅ | ❌ | ✅ | ❌ |\n| Java onEnter+onLeave | ✅ | ✅ | ✅ | ⚠️ Native only |\n| `\u002Fproc\u002Fpagemap` PFN consistent | ❌ | ❌ | ❌ | **✅** |\n\nIt does not do everything Frida can do; **it does the stealth Frida cannot**. If you need JS hot reload \u002F spawn injection \u002F full Java onLeave —— use Frida.\n\n## Known limitations\n\n- **ART 13 Nterp-only methods cannot be hooked** — the Nterp fast path does not read entry_point. Use `wait_jit=True` to wait for ART to JIT the method naturally.\n- **`hide-vma` is not implemented under the kernel 6.1+ maple tree** — the core hook paths (UXN\u002FDBI\u002Fghost) are unaffected.\n- **Java `onEnter+onLeave`** — not supported in the 7.2 trap mode (it would need an LSPlant-style ArtMethod clone, a large engineering effort).\n\nSee [`docs\u002FARCHITECTURE_AND_USAGE.md`](docs\u002FARCHITECTURE_AND_USAGE.md#十已知限制--诊断指南) for details.\n\n## License\n\nGPL-2.0 (the KernelPatch framework itself is GPL-2.0, so downstream KPMs must be compatible). See [`LICENSE`](LICENSE).\n\n## Acknowledgements\n\n- Kanxue member [@kilozl](https:\u002F\u002Fbbs.kanxue.com\u002Fthread-290718.htm) for the directional inspiration of \"Plan C\"\n- [@bmax121](https:\u002F\u002Fgithub.com\u002Fbmax121) for the APatch \u002F KernelPatch framework\n- All researchers who have left public material on ART \u002F ARM64 \u002F Linux kernel mm\n","ptehooker is a traceless hook framework for ARM64 Android devices that uses KernelPatch KPM, PTE UXN traps and VMA-less ghost memory to achieve cross-process hooking with zero byte modification and zero `.so` injection. It can bypass common user-mode anti-cheat detection mechanisms such as CRC scanning, `\u002Fproc\u002Fmaps` scanning and TracerPid checks. The project is intended for scenarios where a specific application must be modified or debugged without being noticed, particularly in security research and reverse engineering. It supports Android API 30-35 and kernel versions 4.9 \u002F 5.4 \u002F 5.10.",2,"2026-06-11 02:48:58","CREATED_QUERY"]