
No surefire way to bypass linker namespaces on Android 7.0 Nougat

Open Chainfire opened this issue 7 years ago • 4 comments

Linker namespaces were introduced in Android 7.0 Nougat. The linker prevents libraries from outside the namespace-permitted paths from being loaded into a binary.

There are a couple of ways to bypass linker namespaces; one is setting LD_LIBRARY_PATH before executing the binary that is being injected. That is not always a workable solution, though.

From Android 8.0 onwards, linker namespaces are relaxed for libraries loaded from tmpfs, so on 8.0+ we can simply move the library to be injected to /dev, but this still does not always leave us with an option for 7.0.

Chainfire, Dec 18 '18 16:12

From other projects, it seems like moving to /dev and using /system/lib/libandroid_runtime.so's context (it varies between Android versions) may work.

Chainfire, May 17 '19 14:05
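Added example, not code from the inject-hook-cflumen project or from Chainfire: a small probe that reports the linker's verdict on a candidate library path before an injection is attempted, which is the check a practitioner wants when trying the LD_LIBRARY_PATH relaunch from the issue body or the /dev staging described in the comment above. It dlopen()s each path given on the command line and prints dlerror() on failure; `namespace_rejected()` looks for the "is not accessible for the namespace" wording that bionic's linker uses when a namespace rule, rather than a missing or unreadable file, blocked the load (the marker string is an assumption about bionic's message shape and is only used for classification). The function and variable names are this example's own.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

/* Wording bionic's linker uses in dlerror() when a linker namespace, not a
 * missing file, blocks the load (assumption about the message shape). */
#define NS_REJECT_MARKER "is not accessible for the namespace"

/* Try to load `path` the way an injected library would be loaded.
 * Returns 1 on success (handle is closed again), 0 on failure; on failure
 * the linker's message is copied into `err`. */
int probe_dlopen(const char *path, char *err, size_t errlen)
{
    void *h;
    const char *msg;

    dlerror();                              /* clear any stale message */
    h = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (h != NULL) {
        dlclose(h);
        if (errlen > 0)
            err[0] = '\0';
        return 1;
    }
    msg = dlerror();
    if (msg == NULL)
        msg = "dlopen failed without a message";
    snprintf(err, errlen, "%s", msg);
    return 0;
}

/* 1 if the dlerror() text says a linker namespace rejected the path,
 * 0 for any other failure (ENOENT, bad ELF, missing dependency, ...). */
int namespace_rejected(const char *err)
{
    return strstr(err, NS_REJECT_MARKER) != NULL;
}

/* Usage: probe /data/local/tmp/libfoo.so /dev/libfoo.so ...
 * Prints OK, NAMESPACE or FAIL per path; exit status 1 if any path failed.
 * Link with -ldl on older glibc; the NDK links libdl by default. */
int main(int argc, char **argv)
{
    char err[512];
    int i, failures = 0;

    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/lib.so [...]\n", argv[0]);
        return 2;
    }
    for (i = 1; i < argc; i++) {
        if (probe_dlopen(argv[i], err, sizeof err)) {
            printf("OK        %s\n", argv[i]);
        } else {
            failures++;
            printf("%-9s %s: %s\n",
                   namespace_rejected(err) ? "NAMESPACE" : "FAIL",
                   argv[i], err);
        }
    }
    return failures ? 1 : 0;
}
```

Run it once with and once without `LD_LIBRARY_PATH=/data/local/tmp` in front of it to see the first workaround take effect, and against a copy of the library placed under /dev to see whether the 8.0+ tmpfs relaxation applies. Note that a standalone binary runs in the linker's default namespace; to get the verdict the injected process would get, the probe has to be executed in that process's own context (same binary, same LD_LIBRARY_PATH), which is exactly the constraint the issue is about.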

Nice

allcs21, Sep 26 '19 15:09