
Comments (19)

srvasn avatar srvasn commented on August 18, 2024

Never mind, I figured it out. To anybody who might be reading this, arminject does not work anymore due to subsequent linker namespace hardening in Bionic.

from tinyinjector.

liuyou avatar liuyou commented on August 18, 2024

> Never mind, I figured it out. To anybody who might be reading this, arminject does not work anymore due to subsequent linker namespace hardening in Bionic.

In Android 7.0 or later versions, dlopen has been restricted by Google so that a .so file cannot be opened if it is not under the app namespace and not in the whitelist. Reference: https://developer.android.com/about/versions/nougat/android-7.0-changes?hl=zh-cn
So, if the .so file is to be used, please put it under the libs directory of the app.

from tinyinjector.

D-R-99 avatar D-R-99 commented on August 18, 2024

> > Never mind, I figured it out. To anybody who might be reading this, arminject does not work anymore due to subsequent linker namespace hardening in Bionic.
>
> In Android 7.0 or later versions, dlopen has been restricted by Google so that a .so file cannot be opened if it is not under the app namespace and not in the whitelist. Reference: https://developer.android.com/about/versions/nougat/android-7.0-changes?hl=zh-cn
> So, if the .so file is to be used, please put it under the libs directory of the app.

Function Address showing 0

from tinyinjector.

liuyou avatar liuyou commented on August 18, 2024

> > > Never mind, I figured it out. To anybody who might be reading this, arminject does not work anymore due to subsequent linker namespace hardening in Bionic.
> >
> > In Android 7.0 or later versions, dlopen has been restricted by Google so that a .so file cannot be opened if it is not under the app namespace and not in the whitelist. Reference: https://developer.android.com/about/versions/nougat/android-7.0-changes?hl=zh-cn
> > So, if the .so file is to be used, please put it under the libs directory of the app.
>
> Function Address showing 0

Which function? mmap? Or dlopen? Or dlsym? If any of them shows 0, maybe the path of libc.so is incorrect. Modify it in injector.h

from tinyinjector.

liuyou avatar liuyou commented on August 18, 2024

> > > Never mind, I figured it out. To anybody who might be reading this, arminject does not work anymore due to subsequent linker namespace hardening in Bionic.
> >
> > In Android 7.0 or later versions, dlopen has been restricted by Google so that a .so file cannot be opened if it is not under the app namespace and not in the whitelist. Reference: https://developer.android.com/about/versions/nougat/android-7.0-changes?hl=zh-cn
> > So, if the .so file is to be used, please put it under the libs directory of the app.
>
> Function Address showing 0

Maybe your function was not exported. If so, please use
__attribute__((visibility("default")))
to declare your function.

Maybe, if your code was compiled with g++, please decorate your function with
extern "C"

Otherwise, your .so may depend on some other .so libs which the target injected process has not loaded.

If you have done all of this, there should be no other problems. This tool works fine on my devices, from Android 7.0 to Android 11.
PS: it only supports arm and arm64; i686 and x86_64 are not supported.

from tinyinjector.

RevealedSoulEven avatar RevealedSoulEven commented on August 18, 2024

I want to know how can I do that in android 11?
Can you please give a small detail for things to be done for it?

from tinyinjector.

hammad2224 avatar hammad2224 commented on August 18, 2024

long result=ptrace(PTRACE_GETREGS, pid, NULL, regs);
result is less than 0 so it is basically unable to get the regs value
Any solution to it???

from tinyinjector.

liuyou avatar liuyou commented on August 18, 2024

> long result=ptrace(PTRACE_GETREGS, pid, NULL, regs);
> result is less than 0 so it is basically unable to get the regs value
> Any solution to it???

Attach may fail too... check your permissions

from tinyinjector.

hammad2224 avatar hammad2224 commented on August 18, 2024

I am running as root
Injector has 777 permissions
If I run a custom test app written in C or C++ which is also running as root, it works fine. But for an Android-installed APK it fails to get registers for all processes whose parent is the zygote process.

Process is running as android app as some random user a0-46

```
aosp:/ # ./data/local/tmp/injector 18978
process name: nextapp.fx, library path: /data/data/nextapp.fx/lib/libtest.so, pid: 18978
Injection started...
Attached to process 18978
mmap called, function address c3bb48b0 process 18978 size 1024
Write 8 bytes to 0xc76bc7d4 process 18978
Unable to get the registers
```

from tinyinjector.

liuyou avatar liuyou commented on August 18, 2024

> I am running as root
> Injector has 777 permissions
> If I run a custom test app written in C or C++ which is also running as root, it works fine. But for an Android-installed APK it fails to get registers for all processes whose parent is the zygote process.
>
> Process is running as android app as some random user a0-46
>
> aosp:/ # ./data/local/tmp/injector 18978
> process name: nextapp.fx, library path: /data/data/nextapp.fx/lib/libtest.so, pid: 18978
> Injection started...
> Attached to process 18978
> mmap called, function address c3bb48b0 process 18978 size 1024
> Write 8 bytes to 0xc76bc7d4 process 18978
> Unable to get the registers

Use another app to test whether the injector is working or not.
If you can be sure that "attach" is successful, it may be that the injected app does some security protection

from tinyinjector.

hammad2224 avatar hammad2224 commented on August 18, 2024

I wrote an APK that just has one button and displays a message box.
I installed that APK and tried to inject into it using the injector.
Same behaviour
Unable to read registers

Note I am trying this on the Android Emulator
Will trying on a phone make any difference?
Well, the injector works on the emulator as well with a test process written in C and run as root. So it should work

from tinyinjector.

hammad2224 avatar hammad2224 commented on August 18, 2024

This is a working example
Working

and this is not working example for any app even for a hello world app
Not Working

from tinyinjector.

liuyou avatar liuyou commented on August 18, 2024

> This is a working example
> Working
>
> and this is not working example for any app even for a hello world app
> Not Working

If your emulator is arm, then it's the same as your phone.
And then, did you delete some code, such as the function "DisableSelinux()"?

from tinyinjector.

hammad2224 avatar hammad2224 commented on August 18, 2024

Yes, the emulator is arm based.
Nope, nothing is deleted; it's absolutely the same as in the GitHub source.

seems like no android app regardless of security level does not give register info.
is it something to do with userspace for each program?
Device Or Resource Busy

from tinyinjector.

hammad2224 avatar hammad2224 commented on August 18, 2024

The injector and the libagent.so are both in the application namespace with 777 permissions.
Call remote function e8ae7009 with 2 arguments, return value is 0
Can someone please guide me on what I am doing wrong??

Here is the libagent code

```c
#include <stdio.h>
#include <stdbool.h>
#include <unistd.h>

/* Exported constructor: runs automatically when the library is loaded. */
__attribute__((visibility("default")))
__attribute__((constructor))
void entrypoint()
{
    //printf("entrypoint() called\n");
    FILE* fp;

    fp = fopen("/data/local/tmp/logs.txt", "w+");
    if (fp == NULL) {
        /* fopen can fail (e.g. no write permission); avoid a NULL dereference */
        return;
    }

    fprintf(fp, "[+] lib loaded ...%d\n", getpid());

    fclose(fp);
}
```

```
a10s:/ # ./data/data/com.example.helloworld/injector 18283
process name: com.example.helloworld, library path: /data/data/com.example.helloworld/libagent.so, pid: 18283
Injection started...
Attached to process 18283
mmap called, function address eae8fe95 process 18283 size 1024
Write 8 bytes to 0xffa31ec0 process 18283
Call remote function eae8fe95 with 6 arguments, return value is ffffffffec4ba000
Write 46 bytes to 0xec4ba000 process 18283
dlopen called, function address e8ae7009 process 18283 library path /data/data/com.example.helloworld/libagent.so
Call remote function e8ae7009 with 2 arguments, return value is 0
munmap called, function address eaebc064 process 18283 address ec4ba000 size 1024
Call remote function eaebc064 with 2 arguments, return value is 0
Injection failed...
Detached from process 18283
```

from tinyinjector.
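Seen from the defender's side, a library loaded from an app data directory, as attempted in the log above, would appear as an executable file-backed mapping in /proc/<pid>/maps. The following is an added example (not part of the thread and not tinyinjector code) that flags such mappings; the allowlist of directories, the sample maps lines and the function names are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allowlist: directories expected to hold executable code. */
static const char *ALLOWED[] = { "/system/", "/apex/", "/vendor/", "/data/app/" };

/* Constructed sample of /proc/<pid>/maps content (not captured from a device). */
static const char SAMPLE_MAPS[] =
    "7a10000000-7a10020000 r-xp 00000000 fd:00 1201 /apex/com.android.runtime/lib64/bionic/libc.so\n"
    "7a20000000-7a20004000 r-xp 00000000 fd:05 3310 /data/app/com.example.helloworld-1/lib/arm64/libnative.so\n"
    "7a30000000-7a30001000 rw-p 00000000 00:00 0 [anon:libc_malloc]\n"
    "7a40000000-7a40002000 r-xp 00000000 fd:05 4471 /data/data/com.example.helloworld/libagent.so\n"
    "7a50000000-7a50001000 r--p 00000000 fd:05 4471 /data/data/com.example.helloworld/libagent.so\n"
    "7a60000000-7a60001000 rw-p 00000000 00:00 0 \n";

static char first_hit[512];   /* path of the first flagged mapping */

/* Return 1 if a maps line is an executable, file-backed mapping outside ALLOWED. */
static int suspicious_line(const char *line, char *out, size_t outlen) {
    char perms[8] = "", path[512] = "";
    /* line format: start-end perms offset dev inode [path] */
    int n = sscanf(line, "%*s %7s %*s %*s %*s %511[^\n]", perms, path);
    if (n < 2 || perms[2] != 'x' || path[0] != '/')
        return 0;                       /* not executable, or anonymous */
    for (size_t i = 0; i < sizeof ALLOWED / sizeof *ALLOWED; i++)
        if (strncmp(path, ALLOWED[i], strlen(ALLOWED[i])) == 0)
            return 0;                   /* expected code location */
    snprintf(out, outlen, "%s", path);
    return 1;
}

/* Count flagged mappings in a maps buffer; remember the first path in first_hit. */
int scan_maps(const char *maps) {
    int hits = 0;
    char line[768], path[512];
    first_hit[0] = '\0';
    while (*maps) {
        size_t n = strcspn(maps, "\n");
        snprintf(line, sizeof line, "%.*s", (int)n, maps);
        if (suspicious_line(line, path, sizeof path) && hits++ == 0)
            snprintf(first_hit, sizeof first_hit, "%s", path);
        maps += n + (maps[n] == '\n');
    }
    return hits;
}

int main(void) {
    printf("%d flagged mapping(s), first: %s\n", scan_maps(SAMPLE_MAPS), first_hit);
    return 0;
}
```

On a device the same function can be fed the contents of /proc/self/maps read by the app itself; the allowlist has to be adjusted to the directories the app legitimately loads code from.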

MafiaBoys avatar MafiaBoys commented on August 18, 2024

Bad injection script for android

from tinyinjector.

Ezriral avatar Ezriral commented on August 18, 2024

@MafiaBoys any better injection method you know of ?

from tinyinjector.
