TinyInjector
dlopen returns 0 for all processes.
Injection started...
Attached to process 1652
mmap called, function address f2db1095 process 1652 size 1024
Write 8 bytes to 0xffced8b8 process 1652
Call remote function f2db1095 with 6 arguments, return value is fffffffff1975000
Write 11 bytes to 0xf1975000 process 1652
dlopen called, function address f1b0dd15 process 1652 library path libhook.so
Call remote function f1b0dd15 with 2 arguments, return value is 0
munmap called, function address f2ddda0c process 1652 address f1975000 size 1024
Call remote function f2ddda0c with 2 arguments, return value is 0
Injection failed...
Detached from process 1652
This is what I get regardless of the process I am trying to attach to.
Any idea what might be going wrong? dlopen returns 0 every time.
Never mind, I figured it out. To anybody who might be reading this, arminject does not work anymore due to subsequent linker namespace hardening in Bionic.
In Android 7.0 and later versions, Google has restricted dlopen so that a .so file cannot be opened if it is not under the app namespace and not in the whitelist. Reference: https://developer.android.com/about/versions/nougat/android-7.0-changes?hl=zh-cn
So, if the .so file is to be used, please put it under the libs directory of the app.
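Seen from the defending side, a library loaded the way this thread describes appears in the target's `/proc/<pid>/maps`. The following is an added example, not code from the thread or from TinyInjector: it flags executable, file-backed mappings outside an allowlist of directory prefixes. The allowlist, the function names and the sample maps lines are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allowlist of directories from which native code is expected. */
static const char *const ALLOWED[] = { "/system/", "/apex/", "/vendor/", "/data/app/" };

/* Returns 1 if a maps line is an executable, file-backed mapping whose
 * path is outside ALLOWED (path copied to out); returns 0 otherwise. */
int suspicious_mapping(const char *line, char *out, size_t outlen) {
    char perms[5] = {0}, path[256] = {0};
    /* maps format: start-end perms offset dev inode [path] */
    int n = sscanf(line, "%*[0-9a-f]-%*[0-9a-f] %4s %*[0-9a-f] %*s %*s %255[^\n]",
                   perms, path);
    if (n < 2 || perms[2] != 'x' || path[0] != '/')
        return 0;   /* not executable, anonymous, or a [pseudo] region */
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strncmp(path, ALLOWED[i], strlen(ALLOWED[i])) == 0)
            return 0;
    snprintf(out, outlen, "%s", path);
    return 1;
}

/* Counts suspicious mappings in a newline-separated maps snapshot. */
int scan_maps(const char *maps, int verbose) {
    int hits = 0;
    char line[512], path[256];
    while (*maps) {
        size_t len = strcspn(maps, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, maps);
        if (suspicious_mapping(line, path, sizeof path)) {
            hits++;
            if (verbose) printf("unexpected executable mapping: %s\n", path);
        }
        maps += len + (maps[len] == '\n');
    }
    return hits;
}

/* Constructed sample resembling /proc/<pid>/maps of an app process. */
static const char SAMPLE[] =
    "e8a00000-e8b00000 r-xp 00000000 fd:00 1234 /apex/com.android.runtime/lib/bionic/libc.so\n"
    "eb000000-eb010000 r-xp 00000000 fd:05 4321 /data/app/com.example.helloworld-1/lib/arm/libnative.so\n"
    "ec400000-ec401000 r-xp 00000000 fd:05 5678 /data/data/com.example.helloworld/libagent.so\n"
    "f1000000-f1001000 r-xp 00000000 fd:05 9012 /data/local/tmp/libhook.so\n"
    "ffa10000-ffa32000 rw-p 00000000 00:00 0 [stack]\n";

int main(void) { return scan_maps(SAMPLE, 1) == 2 ? 0 : 1; }
```

On a device the snapshot would be read from `/proc/<pid>/maps` rather than from the embedded sample, and the allowlist would need tuning to the app's real install paths.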
Function Address showing 0
Which function? mmap, dlopen, or dlsym? If any of them shows 0, maybe the path of libc.so is incorrect. Modify it in injector.h.
Maybe your function was not exported. If so, please use
__attribute__((visibility("default")))
to declare your function.
Also, if your code was compiled with g++, please decorate your function with
extern "C"
Otherwise, your .so may depend on some other .so libs which the target injected process has not loaded.
This tool works fine on my devices, from Android 7.0 to Android 11. PS: it only supports arm and arm64; i686 and x86_64 are not supported.
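Maybe your function is not exported; if so, please use
__attribute__((visibility("default")))
to decorate your function.
It may also be that your code was compiled with g++; if so, please use
extern "C"
to decorate your function.
Otherwise, your .so may reference a .so that the injection target process has not loaded.
If you have done all of this, there should be no other problems. This tool works on my Android devices from 7.0 to 11. PS: it only supports arm and arm64, not i686 or x86_64.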
I want to know how I can do that in Android 11. Can you please give a few details on what needs to be done for it?
`long result=ptrace(PTRACE_GETREGS, pid, NULL, regs);` The result is less than 0, so it is basically unable to get the regs value. Any solution to it?
Attach may fail too... check your permissions.
I am running as root. The injector has 777 permissions. If I run a custom test app written in C or C++ which is also running as root, it works fine, but for an Android-installed APK it fails to get registers for all processes that have the zygote process as parent.
The process is running as an Android app as some random user a0-46.
aosp:/ # ./data/local/tmp/injector 18978
process name: nextapp.fx, library path: /data/data/nextapp.fx/lib/libtest.so, pid: 18978
Injection started...
Attached to process 18978
mmap called, function address c3bb48b0 process 18978 size 1024
Write 8 bytes to 0xc76bc7d4 process 18978
Unable to get the registers
Use another app to test whether the injector is working or not. If you can be sure that "attach" is successful, it may be that the injected app does some security protection.
I wrote an APK that just has one button and displays a message box. I installed that APK and tried to inject into it using the injector. Same behaviour: unable to read registers.
Note: I am trying this on the Android Emulator. Will trying on a phone make any difference? Well, the injector works on the emulator as well with a test process written in C and run as root, so it should work.
This is a working example
and this is a non-working example for any app, even for a hello world app
If your emulator is arm, then it's the same as your phone. And then, did you delete some code, such as the function "DisableSelinux()"?
Yes, the emulator is arm based. Nope, nothing is deleted; it's absolutely the same as in the GitHub source.
Seems like no Android app, regardless of security level, gives register info.
Is it something to do with the userspace for each program?
The injector and the libagent.so are both in the application namespace with 777 permissions. `Call remote function e8ae7009 with 2 arguments, return value is 0` Can someone please guide me on what I am doing wrong?
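Here is the libagent code:
```c
#include <stdio.h>
#include <stdbool.h>
#include <unistd.h>

/* Exported constructor: runs automatically when the library is loaded. */
__attribute__((visibility("default"))) __attribute__((constructor))
void entrypoint(void) {
    //printf("entrypoint() called\n");
    FILE* fp;

    fp = fopen("/data/local/tmp/logs.txt", "w+");
    if (fp == NULL) {
        return; /* log file could not be opened, nothing to write */
    }
    fprintf(fp, "[+] lib loaded ...%d\n", getpid());
    fclose(fp);
}
```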
a10s:/ # ./data/data/com.example.helloworld/injector 18283
process name: com.example.helloworld, library path: /data/data/com.example.helloworld/libagent.so, pid: 18283
Injection started...
Attached to process 18283
mmap called, function address eae8fe95 process 18283 size 1024
Write 8 bytes to 0xffa31ec0 process 18283
Call remote function eae8fe95 with 6 arguments, return value is ffffffffec4ba000
Write 46 bytes to 0xec4ba000 process 18283
dlopen called, function address e8ae7009 process 18283 library path /data/data/com.example.helloworld/libagent.so
Call remote function e8ae7009 with 2 arguments, return value is 0
munmap called, function address eaebc064 process 18283 address ec4ba000 size 1024
Call remote function eaebc064 with 2 arguments, return value is 0
Injection failed...
Detached from process 18283
Bad injection script for android
@MafiaBoys any better injection method you know of ?