dlopen returns 0 for all processes. #4

Open
srvasn opened this issue Sep 12, 2019 · 17 comments

Comments


srvasn commented Sep 12, 2019

```
Injection started...
Attached to process 1652
mmap called, function address f2db1095 process 1652 size 1024
Write 8 bytes to 0xffced8b8 process 1652
Call remote function f2db1095 with 6 arguments, return value is fffffffff1975000
Write 11 bytes to 0xf1975000 process 1652
dlopen called, function address f1b0dd15 process 1652 library path libhook.so
Call remote function f1b0dd15 with 2 arguments, return value is 0
munmap called, function address f2ddda0c process 1652 address f1975000 size 1024
Call remote function f2ddda0c with 2 arguments, return value is 0
Injection failed...
Detached from process 1652
```

This is what I get regardless of the process I am trying to attach to.

Any idea what might be going wrong? dlopen returns 0 every time.


srvasn commented Oct 5, 2019

Never mind, I figured it out. To anybody who might be reading this: arminject does not work anymore due to subsequent linker namespace hardening in Bionic.


liuyou commented Dec 25, 2020


In Android 7.0 or later versions, dlopen has been restricted by Google: a .so file cannot be opened if it is not under the app's namespace and not in the whitelist. Reference: https://developer.android.com/about/versions/nougat/android-7.0-changes?hl=zh-cn
So, if the .so file is to be used, please put it under the libs directory of the app.


D-R-99 commented Dec 26, 2020


Function Address showing 0


liuyou commented Dec 28, 2020


Which function? mmap, dlopen, or dlsym? If any of them shows 0, maybe the path of libc.so is incorrect; modify it in injector.h.


liuyou commented Nov 17, 2021


Maybe your function was not exported; if so, please use
`__attribute__((visibility("default")))`
to declare your function.

Maybe your code was compiled with g++; if so, please decorate your function with
`extern "C"`

Otherwise, your .so may depend on some other .so libs which the target injected process has not loaded.

This tool works fine on my devices, from Android 7.0 to Android 11.
PS: it only supports arm and arm64; i686 and x86_64 are not supported.


[Chinese version, translated]
Maybe your function was not exported; if so, please use
`__attribute__((visibility("default")))`
to decorate your function.

It may also be that your code was compiled with g++; if so, please use
`extern "C"`
to decorate your function.

Otherwise, it may be that your .so references a .so that the injection target process has not loaded.

If you have done all of the above, there should be no other problems; this tool works on my Android 7.0 to 11 devices.
PS: it only supports arm and arm64, not i686 and x86_64.
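The two replies above (the Dec 25, 2020 note about the Android 7+ linker namespace restriction, and the Nov 17, 2021 list of export, `extern "C"` and dependency checks) all describe reasons `dlopen` hands the injector back a 0 without telling it why. The following is an added example, not arminject's code and not posted by any commenter, of the preflight a practitioner can run before injecting: load the agent the way the target process would and ask the linker for the reason when it refuses. The library path and the symbol name `entrypoint` are placeholders; to reproduce the namespace denial it must run on the device as the app's own uid (for example via `run-as`), while on a development host it only checks exports and dependencies. Older glibc needs `-ldl` at link time.

```c
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the preflight: which step rejected the library. */
enum preflight_stage { PF_OK = 0, PF_DLOPEN = 1, PF_DLSYM = 2 };

/* Copy the pending dlerror() text (or a fallback) into err. */
static void capture_dlerror(char *err, size_t cap, const char *fallback)
{
    const char *e = dlerror();
    snprintf(err, cap, "%s", e ? e : fallback);
}

/* Load `path` as the target process would, then look up `symbol`.
 * RTLD_NOW forces every DT_NEEDED dependency and relocation to resolve
 * immediately, so an agent that depends on a .so the target has not loaded
 * fails here instead of later. On Android 7+ a path outside the caller's
 * linker namespace fails at dlopen() with an error text naming the namespace.
 * A ptrace-based injector only sees dlopen()'s return value; `err` receives
 * the dlerror() text that explains a NULL. */
enum preflight_stage preflight_agent(const char *path, const char *symbol,
                                     char *err, size_t errcap)
{
    err[0] = '\0';
    dlerror();                                   /* clear any stale error */
    void *handle = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (handle == NULL) {
        capture_dlerror(err, errcap, "dlopen returned NULL without dlerror text");
        return PF_DLOPEN;
    }
    dlerror();
    void *fn = dlsym(handle, symbol);
    const char *e = dlerror();                   /* a NULL symbol value is legal, so consult dlerror() too */
    if (fn == NULL || e != NULL) {
        snprintf(err, errcap, "%s", e ? e : "symbol not found");
        dlclose(handle);
        return PF_DLSYM;
    }
    dlclose(handle);
    return PF_OK;
}

/* An Itanium-ABI C++ compiler mangles `void entrypoint()` to `_Z10entrypointv`.
 * If `nm -D` shows a name like this, the extern "C" wrapper is missing and
 * dlsym("entrypoint") will never find it. */
int is_cxx_mangled(const char *name)
{
    return name != NULL && name[0] == '_' && name[1] == 'Z';
}

int main(int argc, char **argv)
{
    /* Placeholder defaults (assumed, taken from the thread's log); pass your own. */
    const char *path = argc > 1 ? argv[1] : "/data/data/com.example.helloworld/libagent.so";
    const char *symbol = argc > 2 ? argv[2] : "entrypoint";
    char err[512];
    enum preflight_stage st = preflight_agent(path, symbol, err, sizeof err);
    if (st == PF_OK)
        printf("%s: ok, %s is exported and all dependencies resolve\n", path, symbol);
    else
        printf("%s: %s failed: %s\n", path, st == PF_DLOPEN ? "dlopen" : "dlsym", err);
    return st;
}
```

Run it as `preflight /data/data/<pkg>/lib/libagent.so entrypoint` from inside the app's context; a `dlsym` failure means the export or linkage is wrong, a `dlopen` failure with a dependency or namespace message points at the other two causes.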

@RevealedSoulEven

I want to know how I can do that on Android 11.
Can you please give a little detail on the things to be done for it?

@hammad2224

`long result=ptrace(PTRACE_GETREGS, pid, NULL, regs);`
The result is less than 0, so it is basically unable to get the regs value.
Any solution to it???


liuyou commented Feb 7, 2022


Attach may fail too... check your permissions.

@hammad2224

I am running as root.
The injector has 777 permissions.
If I run a custom test app written in C or C++ that is also running as root, it works fine, but for an installed Android APK it fails to get registers for all processes whose parent is the zygote process.

The process is running as an Android app, as some random user a0-46.

```
aosp:/ # ./data/local/tmp/injector 18978
process name: nextapp.fx, library path: /data/data/nextapp.fx/lib/libtest.so, pid: 18978
Injection started...
Attached to process 18978
mmap called, function address c3bb48b0 process 18978 size 1024
Write 8 bytes to 0xc76bc7d4 process 18978
Unable to get the registers
```


liuyou commented Feb 7, 2022


Use another app to test whether the injector is working or not.
If you can be sure that "attach" is successful, it may be that the injected app does some security protection.


hammad2224 commented Feb 7, 2022

I wrote an APK that just has one button and displays a message box.
I installed that APK and tried to inject into it using the injector.
Same behaviour:
Unable to read registers.

Note that I am trying this on the Android Emulator.
Will trying on a phone make any difference?
Well, the injector works on the emulator as well with a test process written in C and run as root, so it should work.

@hammad2224

This is a working example:
[screenshot: Working]

and this is a not-working example, for any app, even for a hello world app:
[screenshot: Not Working]


liuyou commented Feb 7, 2022


If your emulator is arm, then it's the same as your phone.
And then, did you delete some code such as the function "DisableSelinux()"?


hammad2224 commented Feb 7, 2022

Yes, the emulator is arm based.
Nope, nothing is deleted; it's absolutely the same as the GitHub source.

It seems like no Android app, regardless of security level, gives register info.
Is it something to do with the user space for each program?
"Device or resource busy"
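The register-read failures discussed in the last few comments are reported only as "result is less than 0", which discards the one thing that distinguishes the causes: errno. The following is an added example, not arminject's code and not posted by any commenter, of the register read done in the order a ptrace injector needs (attach or stop first, wait for the stop to be reported, only then read) with the errno kept. It uses `PTRACE_GETREGSET` with `NT_PRSTATUS` rather than `PTRACE_GETREGS` because arm64 kernels implement only the former, and it reads into a raw byte buffer so no per-architecture register struct is needed. The forked child that stops itself is a constructed stand-in for a real target; on a sandboxed host ptrace itself may be denied, which shows up as EPERM.

```c
#define _GNU_SOURCE
#include <elf.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read the general-purpose register set of a tracee that is in ptrace-stop.
 * The kernel writes its arch-specific register struct into `buf` and shrinks
 * iov_len to the real size. Returns 0 on success, otherwise the errno ptrace
 * set: ESRCH (pid is not a stopped tracee of ours), EPERM (ptrace denied by
 * Yama, SELinux or seccomp), EIO (request not supported). */
int read_gp_regs(pid_t pid, void *buf, size_t cap, size_t *len)
{
    struct iovec iov = { .iov_base = buf, .iov_len = cap };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)NT_PRSTATUS, &iov) == -1)
        return errno;
    *len = iov.iov_len;
    return 0;
}

/* Correct order: the child requests tracing and stops itself, the parent
 * waits until waitpid() reports the stop, and only then reads registers.
 * Returns 0 on success, or the errno of the step that failed. */
int demo_read_child_regs(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(errno & 0xff);             /* e.g. EPERM when ptrace is denied */
        raise(SIGSTOP);                      /* enter ptrace-stop under the parent */
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) == -1)
        return errno;
    if (!WIFSTOPPED(status))                 /* never stopped: PTRACE_TRACEME failed */
        return (WIFEXITED(status) && WEXITSTATUS(status)) ? WEXITSTATUS(status) : ECHILD;

    unsigned char regs[1024];                /* large enough for any arch's NT_PRSTATUS */
    size_t len = 0;
    int rc = read_gp_regs(pid, regs, sizeof regs, &len);
    if (rc == 0 && len == 0)
        rc = EIO;

    ptrace(PTRACE_DETACH, pid, NULL, NULL);  /* lets the stopped child run again */
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return rc;
}

/* Wrong order: asking for the registers of a process that is not a stopped
 * tracee of ours (here, ourselves). Linux answers ESRCH; a check that only
 * tests `result < 0` cannot tell this apart from EPERM or EBUSY. */
int demo_regs_without_stop(void)
{
    unsigned char regs[1024];
    size_t len = 0;
    return read_gp_regs(getpid(), regs, sizeof regs, &len);
}

int main(void)
{
    int rc = demo_read_child_regs();
    printf("stopped child: %s\n", rc ? strerror(rc) : "registers read");
    rc = demo_regs_without_stop();
    printf("non-stopped pid: %s\n", rc ? strerror(rc) : "registers read (unexpected)");
    return 0;
}
```

When adapting this to an injector, log `strerror(errno)` at every ptrace call: EPERM after a successful attach points at a policy (Yama `ptrace_scope`, SELinux) or at the target having protected itself, while ESRCH means the tracee was never in ptrace-stop when the read was issued.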


hammad2224 commented Feb 13, 2022

The injector and the libagent.so are both in the application namespace with 777 permissions.
`Call remote function e8ae7009 with 2 arguments, return value is 0`
Can someone please guide me on what I am doing wrong??

here is the libagent code

```c
#include <stdio.h>
#include <stdbool.h>
#include <unistd.h>

/* Exported and run by the dynamic linker as soon as the library is loaded. */
__attribute__((visibility("default")))
__attribute__((constructor))
void entrypoint(void)
{
    //printf("entrypoint() called\n");
    FILE *fp = fopen("/data/local/tmp/logs.txt", "w+");
    if (fp == NULL)           /* fopen can fail; never pass NULL to fprintf */
        return;

    fprintf(fp, "[+] lib loaded ...%d\n", getpid());

    fclose(fp);
}
```

```
a10s:/ # ./data/data/com.example.helloworld/injector 18283
process name: com.example.helloworld, library path: /data/data/com.example.helloworld/libagent.so, pid: 18283
Injection started...
Attached to process 18283
mmap called, function address eae8fe95 process 18283 size 1024
Write 8 bytes to 0xffa31ec0 process 18283
Call remote function eae8fe95 with 6 arguments, return value is ffffffffec4ba000
Write 46 bytes to 0xec4ba000 process 18283
dlopen called, function address e8ae7009 process 18283 library path /data/data/com.example.helloworld/libagent.so
Call remote function e8ae7009 with 2 arguments, return value is 0
munmap called, function address eaebc064 process 18283 address ec4ba000 size 1024
Call remote function eaebc064 with 2 arguments, return value is 0
Injection failed...
Detached from process 18283
```

@MafiaBoys

Bad injection script for Android.


Ezriral commented Jun 18, 2022

@MafiaBoys any better injection method you know of ?

