rootcloak
rootcloak copied to clipboard
devadvance
Native hooking using our library
LD_PRELOAD is command thing in *nix world. http://www.catonmat.net/blog/simple-ld-preload-tutorial-part-2/ We can use our "system" code and/or real system code then.
Since Android supports wrapping (ie. we can use LD_PRELOAD) we could create library to fake some system calls (fopen, etc). and then just run on rooted device "setprop wrap.com.package.name LD_PRELOAD=/path/to/lib/librootcloak.so" after every device boot.
Ideas?
I think this is worth at least a proof of concept.
Are we aware of any kind of potential performance hit? Could this potentially break in newer NDK?
If it does make it into RootCloak, I'd imagine it'd be a toggle.
#define _GNU_SOURCE
#include <stdio.h>
#include <dlfcn.h>
#include <android/log.h>
FILE *fopen(const char *path, const char *mode) {
printf("In our own fopen, opening %s\n", path);
__android_log_print(ANDROID_LOG_INFO, "ROOTCLOAK", "path %s, mode %s", path, mode);
FILE *(*original_fopen)(const char*, const char*);
original_fopen = dlsym(RTLD_NEXT, "fopen");
return (*original_fopen)(path, mode);
}
and I use
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
LOCAL_SRC_FILES := rootcloak.c
LOCAL_CFLAGS := -fPIC -shared
LOCAL_LDLIBS := -llog
LOCAL_MODULE := librootcloak
include $(BUILD_SHARED_LIBRARY)
It was built but nothing happened after aj setprop-ed it :D i.e: setprop wrap.com.devadvance.rootinspect LD_PRELOAD=./data/local/librootcloak.so Nothing in logs...
I think I need to start from scratch and test this with very simple example :D
Performance hit from this should be basically none. @pylerSM: Need to use the absolute path for it. I'm attempting to test it, but it causes root inspector to crash at launch with EOFException
07-06 18:58:20.193 353 353 W Zygote : Error reading pid from wrapped process, child may have died 07-06 18:58:20.193 353 353 W Zygote : java.io.EOFException 07-06 18:58:20.193 353 353 W Zygote : at libcore.io.Streams.readFully(Streams.java:83) 07-06 18:58:20.193 353 353 W Zygote : at java.io.DataInputStream.readInt(DataInputStream.java:103) 07-06 18:58:20.193 353 353 W Zygote : at com.android.internal.os.ZygoteConnection.handleParentProc(ZygoteConnection.java:805) 07-06 18:58:20.193 353 353 W Zygote : at com.android.internal.os.ZygoteConnection.runOnce(ZygoteConnection.java:255) 07-06 18:58:20.193 353 353 W Zygote : at com.android.internal.os.ZygoteInit.runSelectLoop(ZygoteInit.java:1194) 07-06 18:58:20.193 353 353 W Zygote : at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1116) 07-06 18:58:20.193 353 353 W Zygote : at de.robv.android.xposed.XposedBridge.main(XposedBridge.java:134)
Google finds me several other people with the same error and no solution.
@NHellFire maybe this will help.
It says:
LD_PRELOAD is not useful because zygote already forked JVM
And it offers another approach but only for your own process... :-(
@NHellFire Okey, i use now setprop wrap.com.devadvance.rootinspect LD_PRELOAD=/data/local/librootcloak.so
but I wasnt able to get even your exception you got.. Maybe you can show what you do?
@hahaopsmeow: We're not modifying the environment directly, we're telling Android to run the app in a wrapper. Which is documented in the debugging native code Android docs.
@pylerSM: What Android version are you testing on? Maybe it doesn't support wrappers. I'm using rooted stock marshmallow on my S5 I put mine in / to make sure it's readable by everyone and ran: setprop wrap.com.devadvance.rootinspect LD_PRELOAD=/librootcloak.so
I wonder if my problems are caused be SELinux.
Works as root: root@klte:/ # LD_PRELOAD=/librootcloak.so date In our own fopen, opening /proc/stat Thu Jul 7 22:01:07 BST 2016
Shell user: shell@klte:/ $ LD_PRELOAD=/librootcloak.so date CANNOT LINK EXECUTABLE: couldn't map "/librootcloak.so" segment 2: Permission denied page record for 0xb6eac04c was not found (block_size=32)
I'll need to check with a custom kernel.
SELinux definitely interferes. I encountered this when doing RootCloak Plus (cydia-based). You have to turn off enforcement.
On Thu, Jul 7, 2016, 17:08 Nathan Rennie-Waldock [email protected] wrote:
@hahaopsmeow https://github.com/hahaopsmeow: We're not modifying the environment directly, we're telling Android to run the app in a wrapper. Which is documented in the debugging native code Android docs.
@pylerSM https://github.com/pylerSM: What Android version are you testing on? Maybe it doesn't support wrappers. I'm using rooted stock marshmallow on my S5 I put mine in / to make sure it's readable by everyone and ran: setprop wrap.com.devadvance.rootinspect LD_PRELOAD=/librootcloak.so
I wonder if my problems are caused be SELinux.
Works as root: root@klte:/ # LD_PRELOAD=/librootcloak.so date In our own fopen, opening /proc/stat Thu Jul 7 22:01:07 BST 2016
Shell user: shell@klte:/ $ LD_PRELOAD=/librootcloak.so date CANNOT LINK EXECUTABLE: couldn't map "/librootcloak.so" segment 2: Permission denied page record for 0xb6eac04c was not found (block_size=32)
I'll need to check with a custom kernel.
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/devadvance/rootcloak/issues/62#issuecomment-231207910, or mute the thread https://github.com/notifications/unsubscribe/ADHc2VegXjssAINWC6QnhTBvyXj6AkM0ks5qTWrOgaJpZM4JGDfq .
NHellFire , I tested it on Genymotion 6.0 device. But I will look on it...
Edit: Yes, your method works. LD_PRELOAD=./data/app/com.devadvance.rootcloak2.debug-1/lib/x86/librootcloak.so date seems to work fine
but not sure if we can use our .so not for true binary like "date" but for another ".so" file.
But we need to somehow wrap it using setprop wrap bla bla :D
if I tried to run setprop wrap.com.devadvance.rootinsp LD_PRELOAD=/data/app/com.devadvance.rootcloak2.debug-1/lib/x86/librootcloak.so and they I launched RootInspector. I get no messgae in log, even no " Error reading pid from wrapped process, child may have died"
Another way could be create modified version of libraries (check for su files, superuser.apk in so), disable for loadLibrary ("myawesomerootdetecklibrary") and run System.load("/data/local/myawesomerootdetecklibrary_patched.so")
I tried with root inspector on my S6 with permissive kernel, I get the same exception @nhellfire does
I'll do some testing in the emulator when I've got time. Android is supposed to still allow it as it's needed for debugging memory leaks in native apps. If I can get my old phone working again, I'll try in CM too.. maybe Samsung patched it to not allow it.
Good :) I think I will also hack it on my old Samsung phone, emulator can have undefined behaviour in this case.
findAndHookMethod("java.lang.Runtime", lpparam.classLoader, "loadLibrary", String.class, ClassLoader.class, new XC_MethodReplacement() { @Override protected Object replaceHookedMethod(MethodHookParam param) throws Throwable { String libname = (String) param.args[0];
String soLibrary = "/data/lib" + libname + ".so";
File patchedLibrary = new File(soLibrary);
//
if (patchedLibrary.exists()) {
System.load("/data/libHelloWorld.so");
XposedBridge.log("called");
} else {
XposedBridge.invokeOriginalMethod(param.method, param.thisObject, param.args);
}
return null;
}
}
);
does anybody know why it fails? /data/libHelloWorld.so is just original *.so file from /data/app/packagename/lib bla bla...
java.lang.UnsatisfiedLinkError:No implementation found for java.lang.String com.pyler.myapplication.MainActivity.messageFromNativeCode()
When in my app replace System.loadLibrary("HelloWorld") with System.load("/data/libHelloWorld.so"), it works fine ...
ok, Root Inspector with that library works as expected on my Nexus 7 with CM13 but on my S6 and @NHellFire's S5 it crashes, I wonder if Samsung intentionally broke it so this may not be a solution for all devices
I compiled an arm64 library, LD_PRELOAD=/data/tmp/librootcloak.so date works as expected, wrapping always gives me an exception
For the emulator, I had to use this, otherwise I got the same error as my S5.
/data/local/rootcloak-wrapper.sh (make sure to chmod 755):
#!/system/bin/sh
export LD_PRELOAD=/data/local/librootcloak.so
exec $*
And setprop: setprop wrap.com.blah "logwrapper /data/local/rootcloak-wrapper.sh"
But when you do this and setprop wrap. (rootinspector package) "logwrapper /data/local/rootcloak-wrapper.sh", have you got any logs in logcat with lines "path %s mode %s"?
I tested it on Genymotion Nexus 6P 6.0 and still no luck, no logs in logcat.
@NHellFire
I tested a game to see how it detects xposed and got a lots of logged fopen calls, yes. Other functions that'd need to be wrapped are stat() as some apps may just use that to check for existence On 12 Jul 2016 10:03, "pyler" [email protected] wrote:
but when you do this and setprop wrap. (rootinspector package) "logwrapper /data/local/rootcloak-wrapper.sh"
have you any logs in logcat with "path %s mode %s"?
I tested it on Genymotion Nexus 6P 6.0 and still no luck, no logs in logcat.
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/devadvance/rootcloak/issues/62#issuecomment-231980540, or mute the thread https://github.com/notifications/unsubscribe/ABGAax8rWTCWT8BxqcFBpTameFzVq01-ks5qU1hcgaJpZM4JGDfq .
I think RootCloakPlus lib can be easily ported https://github.com/devadvance/rootcloakplus/blob/master/jni/rootcloakplus.cy.cpp now.
rootcloak-wrapper.sh and librootcloak.so to /data/local... chmod them to 755. setproped.
Then I launched root inspector and I was not able to see any logs.
Nexus 7 2012 and Android 5.1...
Most of the code from RootCloak Plus is fairly portable, though there might be some work that needs to be done for how I filter reading magic files. That was an interesting bit of interception.
Working for me in the emulator:
130|root@generic_x86_64:/ # logcat -c; logcat | grep ROOTCLOAK
07-14 19:49:30.991 3350 3375 I ROOTCLOAK: path /system/xbin/su, mode r
07-14 19:49:31.005 3377 3377 I ROOTCLOAK: path /proc/stat, mode re
07-14 19:49:31.024 3378 3378 I ROOTCLOAK: path /proc/stat, mode re
07-14 19:49:31.073 3379 3379 I ROOTCLOAK: path /proc/stat, mode re
07-14 19:49:31.108 3380 3380 I ROOTCLOAK: path /proc/stat, mode re
07-14 19:49:31.127 3382 3382 I ROOTCLOAK: path /proc/stat, mode re
07-14 19:49:31.137 3383 3383 I ROOTCLOAK: path /proc/stat, mode re
07-14 19:49:31.148 3384 3384 I ROOTCLOAK: path /proc/stat, mode re
07-14 19:49:31.790 3384 3384 I ROOTCLOAK: path /proc/stat, mode re
07-14 19:49:31.807 3384 3384 I ROOTCLOAK: path /proc/self/task/3384/maps, mode re
07-14 19:49:31.944 3393 3393 I ROOTCLOAK: path /proc/stat, mode re
07-14 19:49:32.647 3393 3393 I ROOTCLOAK: path /proc/stat, mode re
07-14 19:49:32.692 3393 3393 I ROOTCLOAK: path /proc/self/task/3393/maps, mode re
07-14 19:49:33.006 3403 3403 I ROOTCLOAK: path /proc/stat, mode re
07-14 19:49:33.175 3403 3403 I ROOTCLOAK: path /proc/stat, mode re
07-14 19:49:33.186 3403 3403 I ROOTCLOAK: path /proc/self/task/3403/maps, mode re
07-14 19:49:33.250 3412 3412 I ROOTCLOAK: path /proc/stat, mode re
07-14 19:49:33.417 3412 3412 I ROOTCLOAK: path /proc/stat, mode re
07-14 19:49:33.424 3412 3412 I ROOTCLOAK: path /proc/self/task/3412/maps, mode re
07-14 19:49:33.483 3350 3375 I ROOTCLOAK: path /system/xbin/su, mode r
I just put lib and shell script in /data/local/ and chmod 755 both:
130|root@generic_x86_64:/ # getprop | grep wrap
[wrap.com.devadvance.rootinspect]: [logwrapper /data/local/rootcloak-wrapper.sh]
root@generic_x86_64:/ # ls -ll /data/local/*rootcloak*
-rwxr-xr-x root root 5936 2016-07-10 15:40 librootcloak.so
-rwxr-xr-x root root 71 2016-07-10 23:16 rootcloak-wrapper.sh
Here's my current source I'm testing:
#define _GNU_SOURCE
// stat
#include <libgen.h>
#include <sys/stat.h>
#include <string.h>
// fopen
#include <stdio.h>
// readdir
#include <dirent.h>
// Required by all
#include <dlfcn.h>
#include <android/log.h>
#include <errno.h>
FILE *fopen(const char *path, const char *mode) {
printf("In our own fopen, opening %s\n", path);
__android_log_print(ANDROID_LOG_INFO, "ROOTCLOAK", "fopen(): path %s, mode %s", path, mode);
char *fname = basename(path);
if (strcasecmp("su", fname) == 0 || strcasecmp("daemonsu", fname) == 0 || strcasecmp("superuser.apk", fname) == 0) {
__android_log_print(ANDROID_LOG_INFO, "ROOTCLOAK", "fopen(): Hiding su file %s", path);
errno = ENOENT;
return NULL;
}
static FILE *(*original_fopen)(const char*, const char*) = NULL;
if (!original_fopen) {
original_fopen = dlsym(RTLD_NEXT, "fopen");
}
return original_fopen(path, mode);
}
int stat(const char *path, struct stat *buf) {
printf("In our own stat, stat()'ing %s\n", path);
__android_log_print(ANDROID_LOG_INFO, "ROOTCLOAK", "stat(): path %s", path);
char *fname = basename(path);
if (strcasecmp("su", fname) == 0 || strcasecmp("daemonsu", fname) == 0 || strcasecmp("superuser.apk", fname) == 0) {
__android_log_print(ANDROID_LOG_INFO, "ROOTCLOAK", "stat(): Hiding su file %s", path);
errno = ENOENT;
return -1;
}
static int (*original_stat)(const char*, struct stat*) = NULL;
if (!original_stat) {
original_stat = dlsym(RTLD_NEXT, "stat");
}
return (int) original_stat(path, buf);
}
int lstat(const char *path, struct stat *buf) {
printf("In our own lstat, lstat()'ing %s\n", path);
__android_log_print(ANDROID_LOG_INFO, "ROOTCLOAK", "stat(): path %s", path);
char *fname = basename(path);
if (strcasecmp("su", fname) == 0 || strcasecmp("daemonsu", fname) == 0 || strcasecmp("superuser.apk", fname) == 0) {
__android_log_print(ANDROID_LOG_INFO, "ROOTCLOAK", "stat(): Hiding su file %s", path);
errno = ENOENT;
return -1;
}
static int (*original_lstat)(const char*, struct stat*) = NULL;
if (!original_lstat) {
original_lstat = dlsym(RTLD_NEXT, "lstat");
}
return (int) original_lstat(path, buf);
}
struct dirent *readdir(DIR *dirp) {
printf("In our own readdir\n");
__android_log_print(ANDROID_LOG_INFO, "ROOTCLOAK", "readdir()");
static struct dirent *(*original_readdir)(DIR*);
if (!original_readdir) {
original_readdir = dlsym(RTLD_NEXT, "readdir");
}
struct dirent* ret = original_readdir(dirp);
if (ret == NULL) {
return ret;
}
printf("readdir(): d_name = %s\n", ret->d_name);
__android_log_print(ANDROID_LOG_INFO, "ROOTCLOAK", "readdir(): d_name = %s", ret->d_name);
unsigned int found = 0;
do {
if (strcasecmp("su", ret->d_name) == 0 || strcasecmp("daemonsu", ret->d_name) == 0 || strcasecmp("superuser.apk", ret->d_name) == 0) {
printf("Found su file, reading next...");
ret = original_readdir(dirp);
printf(" done!\n");
} else {
found = 0;
}
} while (found == 1 && ret != NULL);
return ret;
}
I've patched various functions that are used for checking file existence, including readdir() for ls. With this version, root inspector's native checks only report found for pm list. I've also tidied the code a little, including making original_blah static so that dlsym() only needs to be called once, rather than for each call.
root@generic_x86_64:/ # ls -ll /system/xbin/su
-rwsr-xr-x root shell 10280 2016-05-16 20:04 su
root@generic_x86_64:/ # LD_PRELOAD=/data/local/librootcloak.so ls -ll /system/xbin/su <
In our own fopen, opening /proc/stat
In our own lstat, lstat()'ing /system/xbin/su
/system/xbin/su: No such file or directory
execlp("ls", "ls", path, (char *)0); // check for path execlp("pm", "pm", "list", "packages", (char *)0); // check for packages, replace with "users" maybe?
so I believe execlp should be "hooked"
or maybe hooked strstr for second paramter
Oh, but now I get Error reading pid error on Genymotion: *1: http://pastebin.com/NusmhKJv
"executing /data/local/rootcloak-wrapper.sh failed: No such file or directory"
but I have it 130|root@vbox86p:/ # ls -ll /data/local -rwxr-xr-x root root 9508 2016-07-15 05:32 librootcloak.so -rwxr-xr-x root root 72 2016-07-12 04:56 rootcloak-wrapper.sh
same code, just compiled for ARM gave me:
root@tilapia:/data/app/com.devadvance.rootcloak2.debug-2/lib/arm # LD_PRELOAD=./librootcloak.so date WARNING: linker: librootcloak.so: unused DT entry: type 0x6ffffffe arg 0xcf4 WARNING: linker: librootcloak.so: unused DT entry: type 0x6fffffff arg 0x2
after I ignored it, setproped it I got same error: Error reading pid error (list like *1)
@pylerSM, try creating a world readable directory in /data
also, pm is Java, does rootcloak hide packages from pm list packages?
replacing packages with something else may not work because the app is expecting packages, it may crash or just refuse to work
https://android.googlesource.com/platform/frameworks/base/+/android-6.0.0_r3/cmds/pm/src/com/android/commands/pm/Pm.java#330
So, if RootCloaks hooks Android API to get Installed Apps, it should work without needing to touch execlp. Just check Binder.getCaller API to see if SHELL/ROOT UID and then fake app list. Hook getInstalledPackages even for "android" package. WIP Patch: https://github.com/devadvance/rootcloak/pull/69
my /data drw-rw-rw- root root 2000-01-03 04:43 local
Yeah, I think hooking getInstalledPackages() from java would be better than patching exec
https://github.com/NHellFire/librootcloak there's the full source I'm working with.
https://github.com/devadvance/rootcloak/pull/69
Well, but I am still unable to make it working.. i used /data/local, /cache/, /tmp .. I chmoded everything to 777 for sure, lol. still nothinh. "executing /(location)/rootcloak-wrapper.sh failed: No such file or directory"
@pylerSM, is your path correct?
is the path to sh in the script correct?
does it work if you run it manually?
/data/rootcloak-wrapper.sh ls for example
if it couldn't access it you should be getting permission denied or
similar, not no such file or directory
On 15 Jul 2016 16:03, "pyler" [email protected] wrote:
#69 https://github.com/devadvance/rootcloak/pull/69
Well, but I am still unable to make it working.. i used /data/local, /cache/, /tmp .. I chmoded everything to 777 for sure, lol. still nothinh. "executing /(location)/rootcloak-wrapper.sh failed: No such file or directory"
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/devadvance/rootcloak/issues/62#issuecomment-232976569, or mute the thread https://github.com/notifications/unsubscribe-auth/ADEjADe42P3-1Ep69HG12cLNrHff3VB7ks5qV6FUgaJpZM4JGDfq .
1|root@vbox86p:/data/local # ls
librootcloak.so
rootcloak-wrapper.sh
tmp
root@vbox86p:/data/local # /data/local/rootcloak-wrapper.sh ls (your command)
/system/bin/sh: /data/local/rootcloak-wrapper.sh: No such file or directory
ehmmmmm :D
@pylerSM, check your script :P alternatively, look at @NHellFire's repo
@devadvance, pm list packages use the normal Android API, so no need to modify exec
so if it's run by a library in an app, it will have the same UID as the app so will be easy enough to do in the rootcloak module
pm list packages use the normal Android API, so no need to modify exec so if it's run by a library in an app, it will have the same UID as the app so will be easy enough to do in the rootcloak module
ahh, yes!
check your script :P
downloaded file from @NHellFire repo. Now works. WTF :D
And https://github.com/NHellFire/librootcloak/pull/1 we patched all native calls.
Now I will do on UI :D
@pylerSM is there a pragmatic way of checking this on a physical device?
Compile test build with my patch, install devadvance's root inspector. Then run RootCloak-Native App Hooking, install lib on first run, and enable RootInspector in provided setting. Then run RootInspector and Native checks page. Everything should be green except pm list packages (this is Java side)
Merged #70 and #72 into the 3.0beta branch. @pylerSM it looks good!
There are additional functions that Root Inspector isn't checking. I can work on migrating those functions from RootCloak Plus (e.g. access, fstat, etc.) and possibly switching out execl for execve (all exec* functions are actually "front-ends" for execve, see http://linux.die.net/man/3/execl).
Does this cover everything from apps like RootBeer as well? https://github.com/scottyab/rootbeer
For reference: https://github.com/devadvance/rootcloakplus/blob/master/jni/rootcloakplus.cy.cpp
Rootbear native just check for su paths using fopen - fine, we did it.
Port rootcloak plus library would be best, I think.
fstat is not needed, I believe. convert fd to filename, meh :dancer: https://github.com/devadvance/rootcloak/pull/73
Yeah, fstat isn't needed. File would first have to be opened by open/fopen (or similar).. and we're just patching them to return "does not exist".
Hey, recently i was discovering this issue. Google during signing up or using Android Pay uses DroidGuard which checks many strange things like mac address from /sys/class/net/ patch. What's more it also downloads small apk, which is stored on memory in less than one second so nobody can see it. It's called com.google.ccc.abuse.droidguard.droidguasso. I'm attaching droidguard cache which Android stores in /data/data/com.google.android.gms/app_dg_cache/. However, i wasn't able to catch com.google.ccc.abuse.droidguard.droidguasso, however i know it exists for a short time. Maybe you could analyse it with your hooking tools. http://artas182x.tk/DroidGuard.zip
@devadvance v3.0-beta_20160724_1 is broken. Regex thing broke it, sadly I dont fetch that commit so I wasnt able to see it until now.
root@vbox86p:/ # cd /data/local LD_PRELOAD=./librootcloak.so date Segmentation fault
temporary workaround is just comment it for now, see patch https://github.com/devadvance/rootcloak/pull/88 and re-release beta.
@NHellFire can you check it for possible future fix?
@devadvance also I added auto library updater to update binary in /data/local everytime RootCloak app is updated. Handy I think.
https://github.com/devadvance/rootcloak/pull/87
Hmm, it worked fine for me. I'll do some testing, see if I can reproduce it
On 25 Jul 2016 13:51, "pyler" [email protected] wrote:
temporary workaround is just comment it for now, see patch #88 https://github.com/devadvance/rootcloak/pull/88 and re-release beta.
@NHellFire https://github.com/NHellFire can you check it for possible future fix?
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/devadvance/rootcloak/issues/62#issuecomment-234944171, or mute the thread https://github.com/notifications/unsubscribe-auth/ABGAaxq7RYMLZsurwciNyK0zKSRvxeWsks5qZLFagaJpZM4JGDfq .
Hi guys... Some not good news are here: http://forum.xda-developers.com/xposed/unofficial-systemless-xposed-t3388268/page133
In short now SNED detects systemless root and if it is there it fails...
@pylerSM that is true. With systemless root boot.img is modified. It could be that it checks for it?
They can check everything.. it is very easy to see where new implementation goes and then check for new files.
Sadly, not many people work on this.
True. When I was looking on how to detect Xposed installed I instantly got 6 working methods in Java. I didn't start with have armor... There will be more...
On Tue, Jul 26, 2016 at 2:55 PM, pyler [email protected] wrote:
They can check everything.. it is very easy to see where new implementation goes and then check for new files.
Sadly, not many people work on this.
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/devadvance/rootcloak/issues/62#issuecomment-235258417, or mute the thread https://github.com/notifications/unsubscribe-auth/ATKUZsixazCicuUNlq0OdRmdBoPfRd4Gks5qZgO2gaJpZM4JGDfq .
I even know a few lines of code which disables any Xposed modification on the app with that code.
https://code.google.com/p/android/issues/detail?id=93752
Shit, looks like Lollipop has wraping screwed up.. Now I know why I could make it working on JB, Kitkat, MM (emulator, but has it disabled selinux?) but but not on LP.
It works only with SELinux enabled only on userdebug or eng builds.
Maybe we could hook (not sure if possible even)
WrapperInit main()
beforeHookedMethod
- disable selinux
afterHookedMethod
- enable selinux
or hook onCreate and then re-enable selinux.
Currently I will simple to fix it with just selinux disabling. https://github.com/devadvance/rootcloak/pull/92
Instead of disabling SELinux, we could use supolicy to use specific supolicy to enable wrapping and keep SELinux enforced. https://su.chainfire.eu/#selinux-policies
Edit: ok, nice fixed.
https://github.com/devadvance/rootcloak/pull/93
@devadvance please merge and re-release beta :) thanks
@pylerSM So far I'm unable to get it to crash with that code. It worked in the emulator and on my Desire HD.
Latest NDK and build tools 23... Please build APK for me to check even this.
Download and Install RootInspector: https://github.com/devadvance/rootinspector/releases/download/v1.0/com.devadvance.rootinspector-v1.0.apk
Steps: Download rootcloak app, open, go Native Root Detection -> Install library -> Remove native root detection -> Select RootInspector. Close app and open Root Inspector and Inspect via Native Code. Items should be green.
Two versions to test, regex off version works for me, regex on not. Test please :) apk.zip
@pylerSM I just flashed stock ROMs on both mobiles.. What should I install first to test? I will do it right now...
@pylerSM I just tried with regex on.
I did everything as you said and native detection goes all green.
note: when I tried native detection before running rootcloak it hunged up somehow. should I tty regex off
okey, seems like it (regex filtering) crashes only on emulator.. so disable it https://github.com/devadvance/rootcloak/pull/95
Well, fine, so issue is Genymotion emulator :dancer:
So I sent PR to enable it back on ARM devices https://github.com/devadvance/rootcloak/pull/95
I don't think it's worth disabling those checks for x86 devices just because it crashes in one emulator. I've tested AMIDuOS x86, Google's x86_64 and a Galaxy Tab 3 10.1 (x86) and it doesn't crash. Build tools 23.0.3 and NDK 11c.
Please test the specific one - Genymontion Nexus 6P 6.0. Emulator is good for development, so if it is broken on emulator. it makes everything slower.
It isn't broken on other emulators, or actual x86 devices.
On 2 Aug 2016 07:10, "pyler" [email protected] wrote:
Please test the specific one - Genymontion Nexus 6P 6.0. Emulator is good for development, so if it is broken on emulator. it makes everything slower.
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/devadvance/rootcloak/issues/62#issuecomment-236809437, or mute the thread https://github.com/notifications/unsubscribe-auth/ABGAayrzucBeKYoLcR8ZnhdNK1Lqe5P2ks5qbt9fgaJpZM4JGDfq .