Modify Android linker to provide loading module and hook function


Project description

Modifies the Android linker to provide module loading and PLT hook features. For the detailed principle, see the article "modify linker to implement plt hook".

Supported Android

Android version: Android 5.0 ~ Android 11+. Supported instruction sets: x86, x86_64, arm, arm64.

Build

  1. Source build

Add fake-linker as an Android Library module to the Android project and add it as a dependency of the main module. Change the buildApi variable in build.gradle to compile for the desired API level.

  2. Use the prebuilt library

Download the latest binary release, decompress it, add the aar file to the project dependencies as a library, and copy the header files under the include directory into the Hook module.

  3. Build configuration

Refer to the FakeXposed configuration scripts build.py and build.gradle.

Hook module development

  1. Copy the exported header file (its source is in the export directory under the cpp directory) into the Hook module.
  2. Implement the fake_load_library_init export function declared in linker_export.h.
  3. Call the provided functionality through the RemoteInvokeInterface; see its definition in linker_export.h.
  4. Implement the hook functions in the normal way, for example open, dlopen and dlsym; each hook function must be exported.
  5. The Hook module must distinguish between Android below 7.0 (no namespaces, no soinfo handles) and Android 7.0 and above (namespaces and soinfo handles).

Java initialization

  1. Install the libraries in the right location: the fake-linker and Hook modules must be installed to a path the target application can access, such as /data/local/tmp, so that they can be loaded directly with the system loading methods. The module ships an installer executable; the Java layer calls the methods of the FileInstaller class to install it, and the different platform architectures are handled internally.
  2. Set up the fake-linker module through FileInstaller; the Hook module needs different SELinux contexts and uid/gid file attributes.
  3. Load and initialize the fake-linker module by calling FakeLinker.initFakeLinker, which internally loads the Hook module and calls back fake_load_library_init to complete module initialization.

Other description

  1. This project differs from setting the LD_PRELOAD environment variable directly. A plain LD_PRELOAD hook usually cannot intercept dlsym: once intercepted, you have to implement symbol lookup yourself, and newer Android versions restrict dlsym by caller address. fake-linker instead provides the Hook module with a dlsym call of its own (through the RemoteInvokeInterface), so the Hook module can intercept dlsym and use further linker-related functionality.
  2. Each Android version has a correspondingly modified linker, so the module depends on the API level of the device, and the matching module must be loaded for each level. When loading manually, note that API 25 uses the API 24 library directly.

Note

  1. When hooking a system process, keep a backup and make sure the module can be removed, so that an error that kills the system process does not leave the device unable to boot.
  2. Relink (relocate) already-loaded modules according to when the Hook module is loaded: modules loaded before it keep their original imports until they are relinked.

Usage example

  1. Set the Hook module as a global library: remote->CallCommonFunction(kCFAddSoinfoToGlobal, kSPAddress, nullptr, kSPNull, nullptr, &error_code);
  2. Relink some already-loaded modules: remote->CallCommonFunction(kCFCallManualRelinks, kSPAddress, nullptr, kSPNames, libs, &error_code);
    #include <cstddef>
    #include <string>
    #include <jni.h>
    #include "linker_export.h"
    
    // Interface provided by fake-linker, saved in fake_load_library_init
    static const RemoteInvokeInterface *remote;
    // Hook the JNI function RegisterNatives
    static jint HookJniRegisterNatives(JNIEnv *env, jclass c, const JNINativeMethod *methods, jint nMethods) {
        LOG("start register native function %p", __builtin_return_address(0));
        // original_functions is the saved, unhooked JNINativeInterface table
        jint ret = original_functions->RegisterNatives(env, c, methods, nMethods);
        if (ret != JNI_ERR && !original_functions->ExceptionCheck(env)) {
            std::string cls = JNIHelper::GetClassName(env, c);
            for (int i = 0; i < nMethods; ++i) {
                LOG("native register class: %s, method name: %s, function signature: %s, register address: %p", cls.c_str(), methods[i].name, methods[i].signature, methods[i].fnPtr);
            }
        }
        return ret;
    }
    
    static void InitHook() {
        int error_code;
        // Add this hook module to the global modules, which affects all modules loaded afterwards
        remote->CallCommonFunction(kCFAddSoinfoToGlobal, kSPAddress, nullptr, kSPNull, nullptr, &error_code);
        if (error_code != kErrorNo) {
            LOGE("init global soinfo error, error code: %x", error_code);
            return;
        }
        VarLengthObject<const char *> *libs;
        // Re-parse the import tables of the following modules: they were loaded before us, so relinking
        // them redirects their imports to our hook functions.
        // The Java system code mainly uses these libraries, so relinking them hooks the core imports used by Java.
        libs = VaArgsToVarLengthObject<const char *>(5, "libjavacore.so", "libnativehelper.so", "libnativeloader.so", "libart.so", "libopenjdk.so");
        remote->CallCommonFunction(kCFCallManualRelinks, kSPAddress, nullptr, kSPNames, libs, &error_code);
        if (error_code != kErrorNo) {
            LOGE("manual relink error, error code: %x", error_code);
        }
        // Hook the JNI interface table entry for RegisterNatives
        remote->HookJniNative(offsetof(JNINativeInterface, RegisterNatives), (void *)HookJniRegisterNatives, nullptr);
    }
    
    C_API void fake_load_library_init(JNIEnv *env, void *fake_soinfo, const RemoteInvokeInterface *interface,
                                      const char *cache_path, const char *config_path, const char *_process_name) {
        remote = interface;
        InitHook();
    }
  3. For more uses, see FakeXposed: Xposed/root shield detection, file redirection, etc.
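The relink step above (kCFCallManualRelinks, and the note about relocating modules that were loaded before the Hook module) comes down to rewriting GOT slots of an already-loaded ELF object. The following is an added example, not fake-linker's own code: it performs that rewrite from user space with the public dl_iterate_phdr API on a Linux/glibc host, selecting the target object either by the caller's own address (loosely like kSPAddress) or by a substring of its path (loosely like kSPNames), and handling the RELRO case where the slot is read-only after startup. It assumes 64-bit ELF with RELA relocations (x86_64 or arm64); the names RelinkRequest, relink_import and fake_getpid and the value 4242 are this example's own choices. fake-linker does the equivalent from inside the modified linker with access to the soinfo list, which the public API does not expose.

```cpp
// Added example, not fake-linker's code: rewrite the GOT slot(s) of one import in an
// already-loaded ELF object. Assumes Linux/glibc, 64-bit ELF, RELA relocations (x86_64/arm64).
#include <link.h>
#include <sys/mman.h>
#include <unistd.h>
#include <cstdint>
#include <cstring>
#if defined(__x86_64__)
constexpr unsigned kJumpSlot = R_X86_64_JUMP_SLOT, kGlobDat = R_X86_64_GLOB_DAT;
#elif defined(__aarch64__)
constexpr unsigned kJumpSlot = R_AARCH64_JUMP_SLOT, kGlobDat = R_AARCH64_GLOB_DAT;
#else
#error "example written for x86_64 and arm64"
#endif

struct RelinkRequest {
    const char *object;  // substring of the object's path, or nullptr for the object holding this code
    const char *symbol;  // imported function to redirect
    void *replacement;   // new target for its GOT slot(s)
    int patched;         // slots rewritten
};

// glibc rewrites DT_SYMTAB/DT_STRTAB/DT_RELA/DT_JMPREL in place with the load bias on x86_64/arm64,
// bionic and musl leave them file-relative; accept either (a value below the bias cannot be absolute).
static uintptr_t dyn_ptr(ElfW(Addr) bias, ElfW(Addr) v) { return v >= bias ? v : v + bias; }

// Write one GOT slot. Slots inside PT_GNU_RELRO are read-only after startup, so open that page and
// close it again; slots outside RELRO must stay writable because lazy binding still writes them.
static bool write_slot(ElfW(Addr) *slot, void *value, uintptr_t relro_lo, uintptr_t relro_hi) {
    uintptr_t addr = reinterpret_cast<uintptr_t>(slot);
    bool in_relro = addr >= relro_lo && addr < relro_hi;
    uintptr_t page = static_cast<uintptr_t>(sysconf(_SC_PAGESIZE));
    void *pg = reinterpret_cast<void *>(addr & ~(page - 1));
    if (in_relro && mprotect(pg, page, PROT_READ | PROT_WRITE) != 0) return false;
    *slot = reinterpret_cast<ElfW(Addr)>(value);
    if (in_relro) mprotect(pg, page, PROT_READ);
    return true;
}

static int relink_callback(dl_phdr_info *info, size_t, void *data) {
    auto *req = static_cast<RelinkRequest *>(data);
    ElfW(Addr) bias = info->dlpi_addr;
    const ElfW(Dyn) *dyn = nullptr;
    uintptr_t relro_lo = 0, relro_hi = 0, self = reinterpret_cast<uintptr_t>(&relink_callback);
    bool holds_self = false;
    for (int i = 0; i < info->dlpi_phnum; ++i) {
        const ElfW(Phdr) &ph = info->dlpi_phdr[i];
        uintptr_t lo = bias + ph.p_vaddr, hi = lo + ph.p_memsz;
        if (ph.p_type == PT_LOAD && self >= lo && self < hi) holds_self = true;  // "by address" lookup
        if (ph.p_type == PT_DYNAMIC) dyn = reinterpret_cast<const ElfW(Dyn) *>(lo);
        if (ph.p_type == PT_GNU_RELRO) { relro_lo = lo; relro_hi = hi; }
    }
    const char *name = info->dlpi_name ? info->dlpi_name : "";
    bool want = req->object ? strstr(name, req->object) != nullptr : holds_self;  // "by name" lookup
    if (!want || !dyn) return want;              // 0 = keep iterating, 1 = matched, stop
    const ElfW(Sym) *symtab = nullptr; const char *strtab = nullptr;
    const ElfW(Rela) *tables[2] = {nullptr, nullptr};  // [0] DT_JMPREL (PLT), [1] DT_RELA (-fno-plt)
    size_t sizes[2] = {0, 0};
    ElfW(Xword) pltrel = DT_RELA;
    for (; dyn->d_tag != DT_NULL; ++dyn) {
        switch (dyn->d_tag) {
        case DT_SYMTAB:   symtab = reinterpret_cast<const ElfW(Sym) *>(dyn_ptr(bias, dyn->d_un.d_ptr)); break;
        case DT_STRTAB:   strtab = reinterpret_cast<const char *>(dyn_ptr(bias, dyn->d_un.d_ptr)); break;
        case DT_JMPREL:   tables[0] = reinterpret_cast<const ElfW(Rela) *>(dyn_ptr(bias, dyn->d_un.d_ptr)); break;
        case DT_PLTRELSZ: sizes[0] = dyn->d_un.d_val; break;
        case DT_PLTREL:   pltrel = dyn->d_un.d_val; break;
        case DT_RELA:     tables[1] = reinterpret_cast<const ElfW(Rela) *>(dyn_ptr(bias, dyn->d_un.d_ptr)); break;
        case DT_RELASZ:   sizes[1] = dyn->d_un.d_val; break;
        }
    }
    if (!symtab || !strtab || pltrel != DT_RELA) return 1;  // REL-style (32-bit) tables not handled
    for (int t = 0; t < 2; ++t) {
        for (size_t i = 0; tables[t] && i < sizes[t] / sizeof(ElfW(Rela)); ++i) {
            const ElfW(Rela) &r = tables[t][i];
            unsigned type = ELF64_R_TYPE(r.r_info);
            if (type != kJumpSlot && type != kGlobDat) continue;  // only function imports
            if (strcmp(strtab + symtab[ELF64_R_SYM(r.r_info)].st_name, req->symbol) != 0) continue;
            auto *slot = reinterpret_cast<ElfW(Addr) *>(bias + r.r_offset);
            if (write_slot(slot, req->replacement, relro_lo, relro_hi)) ++req->patched;
        }
    }
    return 1;
}

// Redirect `symbol` in the object whose path contains `object` (nullptr: the module holding this code).
// Returns the number of GOT slots rewritten; 0 means no object matched or it does not import the symbol.
int relink_import(const char *object, const char *symbol, void *replacement) {
    RelinkRequest req{object, symbol, replacement, 0};
    dl_iterate_phdr(relink_callback, &req);
    return req.patched;
}

// Hypothetical replacement used by the demo: calls through the patched slot return 4242.
pid_t fake_getpid() { return 4242; }

int main() {
    int n = relink_import(nullptr, "getpid", reinterpret_cast<void *>(&fake_getpid));
    return (n > 0 && getpid() == 4242) ? 0 : 1;  // exit status 0 when the hook took effect
}
```

Two caveats a practitioner should keep in mind: a GOT rewrite only affects calls that go through that object's import table, so callers that already hold a resolved function pointer, or a library's internal calls to its own symbols, are untouched; and an object loaded after the rewrite has its own GOT and needs the same treatment, which is why the example above first adds the Hook module to the global group so that later loads resolve against it.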
Issues
  • How to use fake-linker to redirect an app's network traffic

    Requirement: the app's traffic must be forcibly redirected to a socks5 proxy.

    Current state: I have implemented a dynamic library containing a socket connect function, and plan to use fake-linker to load this so and then use the so library to redirect the network traffic.

    Problem: after referring to the documentation I did not understand how to use the so file that has already been implemented, or perhaps I have misunderstood the project. Please give me some pointers, thank you.

    opened by fuqiangleon 14
  • android 7.1.1 crash

    Running fake xposed on 7.1.1, API 25

    ProxyLinker::Init();

    #if ANDROID_API >= ANDROID_API_N

    g_default_namespace_ptr = (android_namespace_t *) symbols.data->elements[5];
    g_soinfo_handles_map_ptr = (std::unordered_map<uintptr_t, soinfo *> *)
            symbols.data->elements[6];

    CHECK(g_default_namespace_ptr);
    CHECK(g_soinfo_handles_map_ptr);
    LOGV("find linker soinfo: %p, g_ld_debug_verbosity:%p, g_default_namespace: %p, g_soinfo_handles_map: %p, link_image: %p",
         solist_ptr, g_ld_debug_verbosity_ptr, g_default_namespace_ptr, g_soinfo_handles_map_ptr, link_image_ptr);

    linker_globals.cpp:884: Init CHECK 'g_soinfo_handles_map_ptr' failed

    opened by marvinguo 1
Owner

sanfengAndroid (focused on Android reverse engineering and security)