Android App Penetration Testing & Frida Hooks

Advanced Frida Scripting: Dynamic Hooking of JNI_OnLoad and Unexported Native Symbols

By Antigravity Research Published May 30, 2026 ⏱️ 7 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to Advanced Frida Hooking

Frida has revolutionized mobile application penetration testing, offering unparalleled capabilities for dynamic instrumentation. While basic hooking of exported functions is straightforward, real-world Android applications often employ sophisticated obfuscation and anti-tampering techniques. This necessitates advanced methods to interact with critical native components, specifically targeting JNI_OnLoad and unexported native symbols. This guide will delve into these advanced Frida scripting techniques, providing practical examples and a deep understanding of their underlying mechanisms.

Why Advanced Hooking is Essential

Many security-sensitive operations in Android applications are performed in native libraries (C/C++), accessed via the Java Native Interface (JNI). Understanding and manipulating these native functions is crucial for bypasses, data exfiltration, and vulnerability discovery. However, directly hooking functions like JNI_OnLoad or symbols not listed in the library’s export table presents unique challenges that standard Frida approaches cannot solve.

Hooking JNI_OnLoad: Catching Native Initialization

The JNI_OnLoad function is a critical entry point for native libraries. It’s called by the Android runtime (ART) when a native library is loaded via System.loadLibrary() or System.load(). Its primary purpose is to perform initialization tasks, such as registering native methods with the Java Virtual Machine (JVM) using RegisterNatives and returning the JNI version. The challenge with JNI_OnLoad is that it often executes very early, sometimes before your Frida script has fully attached and instrumented the process.

The Challenge and the Solution: Intercepting Library Loading

If you simply try to attach to JNI_OnLoad using Module.findExportByName('libnative-lib.so', 'JNI_OnLoad') in a standard onEnter function of your Frida script, you might miss its execution if the library is loaded very early. A more robust approach involves intercepting the library loading mechanism itself.

On Android, native libraries are loaded using functions like dlopen or android_dlopen_ext. By hooking these functions, we can gain control precisely at the moment a new library is loaded. Inside our dlopen hook, we can then scan the newly loaded module for JNI_OnLoad and attach to it.

Frida Script for JNI_OnLoad Hooking

Java.perform(function () {    console.log('[*] Script loaded successfully');    // Hook dlopen or android_dlopen_ext to catch library loading    const dlopen = Module.findExportByName(null, 'dlopen');    if (dlopen) {        Interceptor.attach(dlopen, {            onEnter: function (args) {                this.library_path = args[0].readUtf8String();            },            onLeave: function (retval) {                if (this.library_path && this.library_path.includes('libnative-lib.so')) {                    console.log('[*] libnative-lib.so loaded! Path: ' + this.library_path);                    const JNI_OnLoad_ptr = Module.findExportByName('libnative-lib.so', 'JNI_OnLoad');                    if (JNI_OnLoad_ptr) {                        console.log('[*] Found JNI_OnLoad at: ' + JNI_OnLoad_ptr);                        Interceptor.attach(JNI_OnLoad_ptr, {                            onEnter: function (args) {                                console.log('[*] JNI_OnLoad called!');                                console.log('    -> VM: ' + args[0]);                                console.log('    -> reserved: ' + args[1]);                                // You can inspect the JNIEnv* (args[0]) here if needed                                // For example, to enumerate registered native methods after JNI_OnLoad returns                            },                            onLeave: function (retval) {                                console.log('[*] JNI_OnLoad returned: ' + retval);                            }                        });                    } else {                        console.log('[-] JNI_OnLoad not found in libnative-lib.so');                    }                }            }        });        console.log('[*] Hooked dlopen');    } else {        console.log('[-] dlopen not found, trying android_dlopen_ext');        const android_dlopen_ext = Module.findExportByName(null, 'android_dlopen_ext');        if (android_dlopen_ext) {            Interceptor.attach(android_dlopen_ext, {                onEnter: function (args) {                    this.library_path = args[0].readUtf8String();                },                onLeave: function (retval) {                    if (this.library_path && this.library_path.includes('libnative-lib.so')) {                        console.log('[*] libnative-lib.so loaded! Path: ' + this.library_path);                        const JNI_OnLoad_ptr = Module.findExportByName('libnative-lib.so', 'JNI_OnLoad');                        if (JNI_OnLoad_ptr) {                            console.log('[*] Found JNI_OnLoad at: ' + JNI_OnLoad_ptr);                            Interceptor.attach(JNI_OnLoad_ptr, {                                onEnter: function (args) {                                    console.log('[*] JNI_OnLoad called!');                                    console.log('    -> VM: ' + args[0]);                                    console.log('    -> reserved: ' + args[1]);                                },                                onLeave: function (retval) {                                    console.log('[*] JNI_OnLoad returned: ' + retval);                                }                            });                        } else {                            console.log('[-] JNI_OnLoad not found in libnative-lib.so');                        }                    }                }            });            console.log('[*] Hooked android_dlopen_ext');        } else {            console.log('[-] Neither dlopen nor android_dlopen_ext found.');        }    }});

Hooking Unexported Native Symbols: Beyond the Export Table

Many critical native functions are not explicitly exported by a library. This means they won’t appear in the dynamic symbol table (readily accessible via Module.findExportByName or tools like nm). These ‘unexported’ or ‘private’ symbols are often internal helper functions, static functions, or part of obfuscation strategies. To hook them, we need more advanced techniques.

Techniques for Unexported Symbols

  1. Offset-Based Hooking (Requires Static Analysis): This is the most common and reliable method. It involves using a disassembler (like IDA Pro or Ghidra) to locate the function’s address relative to the base address of its containing module.
  2. Signature Scanning: More dynamic but complex, this involves searching for specific byte patterns (signatures) in memory that uniquely identify the function.
  3. Trampoline/Proxy Hooking: If an exported function calls the unexported target, you can hook the exported function and manipulate its control flow to reach your target.

Detailed Walkthrough: Offset-Based Hooking

Let’s focus on offset-based hooking, as it provides a robust and precise way to target unexported functions.

Step 1: Identify the Target Function via Static Analysis

First, you need to open the native library (e.g., libnative-lib.so) in a disassembler (IDA Pro or Ghidra). Locate the unexported function you wish to hook. Let’s assume you’ve found a function named my_secret_function that is not exported.

Step 2: Calculate the Offset

In your disassembler, note the absolute address of my_secret_function. Also, identify the base address of the module (libnative-lib.so). The offset is simply Absolute_Address - Base_Address.

For example, if libnative-lib.so loads at base address 0x7000000000 and my_secret_function is at 0x7000001234, then the offset is 0x1234.

Step 3: Craft Your Frida Script

Once you have the offset, you can calculate the function’s runtime address by adding the offset to the actual base address of the module as loaded in memory by the target process. Frida’s Module.getBaseAddress() provides this.

Frida Script for Offset-Based Hooking

Java.perform(function () {    console.log('[*] Script loaded for unexported symbol hooking');    const moduleName = 'libnative-lib.so';    const targetModule = Process.findModuleByName(moduleName);    if (targetModule) {        console.log('[*] Found module: ' + moduleName + ' at base: ' + targetModule.base);        // Assume 0x1234 is the offset found via static analysis        const unexportedFunctionOffset = new NativePointer(0x1234);         // Calculate the runtime address of the unexported function        const unexportedFunctionAddress = targetModule.base.add(unexportedFunctionOffset);        console.log('[*] Attempting to hook unexported function at: ' + unexportedFunctionAddress);        // Example: Hooking a function that takes two ints and returns an int        Interceptor.attach(unexportedFunctionAddress, {            onEnter: function (args) {                console.log('[*] unexportedFunction called!');                console.log('    -> Arg 1: ' + args[0].toInt32());                console.log('    -> Arg 2: ' + args[1].toInt32());                // Modify arguments if needed                // args[0] = new NativePointer(100);            },            onLeave: function (retval) {                console.log('[*] unexportedFunction returned: ' + retval.toInt32());                // Modify return value if needed                // retval.replace(200);            }        });        console.log('[*] Successfully attached to unexported function.');    } else {        console.log('[-] Module ' + moduleName + ' not found.');    }});

In this example, new NativePointer(0x1234) represents the offset you discovered. The targetModule.base.add(unexportedFunctionOffset) operation dynamically calculates the correct memory address at runtime.

Considerations for Offset Hooking

  • Architecture Specificity: Offsets are architecture-dependent (ARM, ARM64, x86). Ensure your static analysis matches the target device’s architecture.
  • Relocation: While offsets are generally stable for a given library version and architecture, some highly dynamic libraries might have variations. Always verify.
  • Function Signature: You need to know the calling convention and argument types of the unexported function to correctly interpret onEnter arguments and onLeave return values. This also comes from static analysis.

Conclusion

Mastering the techniques for hooking JNI_OnLoad and unexported native symbols significantly elevates your capabilities in Android app penetration testing. By understanding how to intercept library loading and leverage static analysis for offset-based hooking, you gain access to critical code paths that are often protected from simpler instrumentation. These advanced methods are indispensable for reversing complex anti-tampering measures, analyzing proprietary algorithms, and uncovering deep-seated vulnerabilities within native Android applications.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Security #Frida #JNI #Native Hooking #Penetration Testing

Related Technical Guides

Building Custom Frida Stalker Scripts: A Guide to Advanced Android Hooking & Tracing

May 30, 2026

Troubleshooting Frida Hooks for Android IPC: Common Pitfalls and Solutions

May 29, 2026

Beyond Basic Deobfuscation: Leveraging Dex2Jar & JADX for Complex Android Apps

May 29, 2026