dlfunc icon indicating copy to clipboard operation
dlfunc copied to clipboard
verified publisher icon rk700

InMemoryDexClassLoader path does not work on pie or earlier

Open nift4 opened this issue 10 months ago • 5 comments

Hi,

thanks for this library :) I've been using this in my music player app to access some hidden APIs in libmedia.so / libaudioclient.so - however, while testing on emulators, I noticed that version 0.1.1 only works on Android Q or later, on P for example it only prints following message to logcat: cannot find class lab/galaxy/dlfunc/JNIHelper I found that 0.1.0 works fine on older Android versions, however the change to InMemoryDexClassLoader codepath obviously was done to fix a bug. So I was thinking, is it fine to just use older codepath from version 0.1.0 before Q based on checking sdk level at runtime or will I run into problems? Or maybe you have any tips related to why 0.1.1 doesn't work on Nougat to Pie versions?

Thanks, Nick

nift4 avatar Feb 25 '25 15:02 nift4

I implemented that idea in my fork for now: https://github.com/nift4/dlfunc/blob/ede150fda4915366226e361bd4c916e22383dc80/dlfunc/src/main/jni/dlfunc.c#L102

nift4 avatar Feb 25 '25 19:02 nift4

不知道为什么,原版dlfunc测试5.1系统,7系统,15系统全部正常,但有台11系统dlfunc_dlopen和dlfunc_dlsym获取到的全都为null

shuajinanhai avatar Mar 15 '25 06:03 shuajinanhai

@shuajinanhai it works for me on Android 11 emulator

nift4 avatar Mar 15 '25 09:03 nift4

在11系统上 dlfunc_init(env); void* handle6 = dlfunc_dlopen(env, "/apex/com.android.runtime/lib64/bionic/libc.so", RTLD_LAZY); LOGE("dlfunc handle=%p", handle6); void* addr6 = dlfunc_dlsym(env, handle6, "open"); LOGE("dlfunc sym=%p", addr6); 这个没问题 dlfunc handle=0x9a66bdbb06dd0339 dlfunc sym=0x740ca3375b40

dlfunc_init(env);
void* dlfunc_handle = dlfunc_dlopen(env, "libart.so", RTLD_LAZY);
LOGE("dlfunc handle=%p", dlfunc_handle);
void* dlfunc_sym = dlfunc_dlsym(env, dlfunc_handle, "_ZN3art11ClassLinker40MakeInitializedClassesVisiblyInitializedEPNS_6ThreadEb");
LOGE("dlfunc sym=%p", dlfunc_sym);

dlfunc handle=0x0 dlfunc sym=0x0

对比其他几个,比如shadowhook ,fake_dlopen都是没问题

shuajinanhai avatar Mar 15 '25 09:03 shuajinanhai

@shuajinanhai maybe the library you are trying to load is outside art namespace, on new android version (since Android 8) I use dlfunc to get access to ld-android.so and then use that to create unrestricted namespace, it's based on a method by Billy Laws but works on non-arm64: https://github.com/AkaneTan/Gramophone/blob/214ee60fe0690ed634cd9ac6a5b763194cdf8782/app/src/main/cpp/android_linker_ns.cpp

nift4 avatar Mar 15 '25 09:03 nift4