{"id":18960958,"url":"https://github.com/androguard/goauld","last_synced_at":"2025-07-26T12:07:57.096Z","repository":{"id":255743484,"uuid":"647452408","full_name":"androguard/goauld","owner":"androguard","description":"Dynamic injection tool for Linux/Android","archived":false,"fork":false,"pushed_at":"2024-12-27T08:55:42.000Z","size":10867,"stargazers_count":105,"open_issues_count":0,"forks_count":7,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-31T05:02:23.315Z","etag":null,"topics":["injection","instrumentation","linux","reverse-engineering","rust"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/androguard.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-05-30T20:17:46.000Z","updated_at":"2025-03-31T00:08:07.000Z","dependencies_parsed_at":null,"dependency_job_id":"dfb0d7da-1b27-491a-a5a9-797adc3077c6","html_url":"https://github.com/androguard/goauld","commit_stats":null,"previous_names":["androguard/goauld"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/androguard%2Fgoauld","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/androguard%2Fgoauld/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/androguard%2Fgoauld/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/androguard%2Fgoauld/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/androguard","
download_url":"https://codeload.github.com/androguard/goauld/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247601447,"owners_count":20964864,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["injection","instrumentation","linux","reverse-engineering","rust"],"created_at":"2024-11-08T14:10:20.375Z","updated_at":"2025-04-07T06:04:27.540Z","avatar_url":"https://github.com/androguard.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"![banner](https://github.com/androguard/goauld/blob/main/assets/web/goauld.png)\n\n# Goauld\n\n\u003e Dynamic injection tool for Linux/Android processes via /proc/pid/mem, for the [Androguard Project](https://github.com/androguard/androguard).\n\nGoauld is a simple tool that lets you inject a piece of code (a shared library) into a process without using the ptrace syscall, directly via /proc/pid/mem.\n\nIt is a mix of several nice projects, like [intruducer](https://github.com/vfsfitvnm/intruducer/tree/master), [linjector-rs](https://github.com/erfur/linjector-rs), and many others,\nwhere I tried to take the best parts and add new features. This project has been created for educational purposes, and as a first debugging tool for Androguard.\n\n
Instead of directly hijacking the current flow of a binary, Goauld creates two payloads, hijacks a libc function (default: malloc), and waits for the binary to call this function before starting\nthe injection.\n\nBasically, the design of Goauld is the following:\n * Find three addresses: A1, a libc function; A2, a variable in the libc; A3, the dlopen function from the libc\n * Create two payloads in memory, P1 and P2\n * Open /proc/pid/mem in order to inject P1 at A1\n * Wait for a call to the libc function to execute P1, which allocates some space at N1\n * While P1 executes, use A2 as a mechanism for thread synchronization and as a way to communicate with the command line tool\n * Inject the P2 payload at N1 and jump to it\n * Load the shared library via P2\n * Jump back to the A1 libc function to return to the original flow\n\n\n P1 payload (@A1):\n * sync the other threads with the A2 variable\n * call the mmap syscall to allocate space for the P2 payload\n * write the newly allocated address N1 into the A2 variable\n * write a loop jump at the N1 address, so any thread reaching N1 spins until P2 is in place\n * write P2 at N1\n * jump to the N1 address\n\n P2 payload (@N1):\n * call A3, the dlopen function from the libc, to load the shared library\n * Restore the original context\n * Jump back to the A1 address\n\n## Features\n\n* Shared library injection\n* `Linux`/`Android`\n* `x86`, `x86_64`, `aarch64`\n\n\n## Build\n\nYou can build it and run it via cargo directly.\n\n```sh\ncargo build --release --bin goauld-cli\n```\n\n\nOr you can compile a shared library to inject, for example the one in `examples/evil.rs`:\n```sh\nrustc ./examples/evil.rs --crate-type cdylib --out-dir ./target/debug/examples\n```\n\n### Android\n\nBuild (via cargo-ndk) and copy the CLI binary onto the Android phone:\n```sh\ncargo ndk -t arm64-v8a build --release --bin goauld-cli\nadb push target/aarch64-linux-android/release/goauld-cli /data/local/tmp\nadb shell chmod 755 /data/local/tmp/goauld-cli\n```\n\n\n
## Examples\n\nBe sure you have the right to write into /proc/PID/mem. Opening that file is subject to the same access check as a ptrace attach, so under Yama's restricted mode (ptrace_scope=1) you must either run goauld as root (or with CAP_SYS_PTRACE), or relax the following variable (0 restores the classic rule: a process may attach to any other process of the same user):\n```sh\nsudo sysctl kernel.yama.ptrace_scope=0\n```\n\nIn one terminal, run the example victim binary (it is a small program that performs an allocation so that malloc is called and the injection is triggered):\n```sh\ncargo build --example victim_alloc\n./target/debug/examples/victim_alloc\n```\n\n\nIn another terminal, inject a shared library into this process (you need to find out its PID first):\n```sh\ncargo run --release --bin goauld-cli -- --pid PID --file target/debug/examples/libevil.so --debug\n```\n\n\n### Linux\n\n#### With Frida\n\nYou can inject the [Frida Gadget](https://frida.re/docs/gadget/) shared library directly into a remote process to perform advanced hooks with JavaScript.\n\n```sh\ncargo run --release --bin goauld-cli -- --pid PID --file ~/frida/binaries/frida-gadget-16.3.3-linux-x86_64.so --debug\nfrida -H localhost Gadget -l examples/frida_gadget/test.js\n```\n\n### Android\n\nFind the PID of the application to infect, then use the CLI binary to inject, for example, the Frida Gadget shared library:\n```sh\nps -A |grep package_name\n```\n\nYou can copy the shared library and change its SELinux context yourself (but the tool will do it for you):\n```sh\nadb push frida-gadget-16.3.3-android-arm64.so /data/local/tmp/frida-gadget-android-arm64.so\nchcon -v u:object_r:apk_data_file:s0 /data/local/tmp/frida-gadget-android-arm64.so\n```\n\n
If you have injected the Frida Gadget library, you can, in another terminal, connect with the frida command line to the infected process on the Android phone, for example to display a tiny message, but you can also start to hijack any function:\n```sh\nfrida -U -f re.frida.Gadget -l toast.js\n```\n\n```sh\nx:/data/local/tmp # cat frida-gadget-android-arm64.config\n{\n        \"interaction\" : {\n                \"type\": \"script\",\n                \"path\": \"/data/local/tmp/test.js\"\n        }\n}\n```\n\n```sh\nx:/data/local/tmp # cat test.js\nJava.perform(function () {\n    var context = Java.use('android.app.ActivityThread').currentApplication().getApplicationContext();\n\n    Java.scheduleOnMainThread(function() {\n            var toast = Java.use(\"android.widget.Toast\");\n            toast.makeText(Java.use(\"android.app.ActivityThread\").currentApplication().getApplicationContext(), Java.use(\"java.lang.String\").$new(\"Hello from your Goauld !\"), 1).show();\n    });\n});\n```\n\n```sh\nx:/data/local/tmp # ./goauld-cli --pid PID --file frida-gadget-android-arm64.so\n```\n\n## Caveats\n\nThe tool has been tested on all supported architectures, but if you encounter any bugs, please open a new [issue](https://github.com/androguard/goauld/issues) so it can be fixed.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandroguard%2Fgoauld","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fandroguard%2Fgoauld","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandroguard%2Fgoauld/lists"}
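Worked example, added by the editor and not part of goauld or the README above: a Rust program that carries out the first step of the design section (finding A1, A2 and A3 in the target's address space) from a /proc/PID/maps listing, checks that each address lands in a mapping with the permissions the payload needs, and shows the /proc/PID/mem write behind "inject P1 at A1". The maps listing and the three libc symbol offsets are constructed sample values, not taken from a real system or from goauld's sources; goauld's own address resolution may differ.

```rust
// Added example (not goauld's own code). Resolves the three libc addresses the
// README calls A1 (hooked function), A2 (sync variable) and A3 (dlopen) from a
// /proc/PID/maps listing, checks their mapping permissions, and shows the
// /proc/PID/mem write the injector performs. Symbol offsets are assumed sample
// values; a real tool reads them from libc's ELF symbol table.
use std::fs::OpenOptions;
use std::os::unix::fs::FileExt;

/// One line of /proc/PID/maps.
#[derive(Debug, Clone, PartialEq)]
pub struct Mapping {
    pub start: u64,
    pub end: u64,
    pub perms: String,
    pub offset: u64,
    pub path: String,
}

/// Parse /proc/PID/maps text: "start-end perms offset dev inode [path]".
pub fn parse_maps(text: &str) -> Vec<Mapping> {
    text.lines()
        .filter_map(|line| {
            let mut f = line.split_whitespace();
            let (s, e) = f.next()?.split_once('-')?;
            let perms = f.next()?.to_string();
            let offset = u64::from_str_radix(f.next()?, 16).ok()?;
            let _inode = f.nth(1)?; // skip dev, consume inode
            let path = f.collect::<Vec<_>>().join(" "); // empty for anonymous maps
            Some(Mapping {
                start: u64::from_str_radix(s, 16).ok()?,
                end: u64::from_str_radix(e, 16).ok()?,
                perms,
                offset,
                path,
            })
        })
        .collect()
}

/// Load base of a library: its first mapping, the one at file offset 0. libc's
/// first PT_LOAD has p_vaddr 0, so runtime address = base + symbol offset.
pub fn library_base(maps: &[Mapping], name_fragment: &str) -> Option<u64> {
    maps.iter()
        .find(|m| m.offset == 0 && m.path.contains(name_fragment))
        .map(|m| m.start)
}

/// The mapping that contains addr, if any.
pub fn mapping_for(maps: &[Mapping], addr: u64) -> Option<&Mapping> {
    maps.iter().find(|m| addr >= m.start && addr < m.end)
}

#[derive(Debug, PartialEq)]
pub struct Targets { pub a1: u64, pub a2: u64, pub a3: u64 }

/// Resolve A1/A2/A3 and refuse anything unmapped or with the wrong permissions:
/// A1 and A3 must be code (x); A2 must be writable data (w) because the payload
/// itself writes it from inside the target. A1 need NOT be writable: the
/// injector writes it from outside via /proc/PID/mem, which the kernel serves
/// with FOLL_FORCE, so r-x pages are patched anyway (hence the ptrace-attach check).
pub fn resolve_targets(maps: &[Mapping], libc: &str, off_a1: u64, off_a2: u64, off_a3: u64)
    -> Result<Targets, String>
{
    let base = library_base(maps, libc).ok_or(format!("{libc} is not mapped"))?;
    let t = Targets { a1: base + off_a1, a2: base + off_a2, a3: base + off_a3 };
    for (name, addr, need) in [("A1", t.a1, 'x'), ("A2", t.a2, 'w'), ("A3", t.a3, 'x')] {
        let m = mapping_for(maps, addr).ok_or(format!("{name} {addr:#x} is not mapped"))?;
        if !m.perms.contains(need) {
            return Err(format!("{name} {addr:#x} is in a {} mapping, needs '{need}'", m.perms));
        }
    }
    Ok(t)
}

/// Write bytes into the live process at addr, i.e. the step "inject P1 at A1".
/// Needs PTRACE_MODE_ATTACH rights: root, CAP_SYS_PTRACE, or yama.ptrace_scope=0.
pub fn write_mem(pid: u32, addr: u64, bytes: &[u8]) -> std::io::Result<()> {
    let mem = OpenOptions::new().read(true).write(true).open(format!("/proc/{pid}/mem"))?;
    mem.write_all_at(bytes, addr)
}

// Constructed sample maps of a victim_alloc-like process (not captured from a real
// system) and assumed libc offsets for malloc, a .data variable and dlopen.
pub const SAMPLE_MAPS: &str = "5596c3a00000-5596c3a01000 r--p 00000000 fd:01 131 /home/u/victim_alloc
5596c3a01000-5596c3a02000 r-xp 00001000 fd:01 131 /home/u/victim_alloc
7f3c1e200000-7f3c1e228000 r--p 00000000 fd:01 655 /usr/lib/libc.so.6
7f3c1e228000-7f3c1e3bd000 r-xp 00028000 fd:01 655 /usr/lib/libc.so.6
7f3c1e3bd000-7f3c1e415000 r--p 001bd000 fd:01 655 /usr/lib/libc.so.6
7f3c1e415000-7f3c1e419000 r--p 00214000 fd:01 655 /usr/lib/libc.so.6
7f3c1e419000-7f3c1e41b000 rw-p 00218000 fd:01 655 /usr/lib/libc.so.6
7f3c1e41b000-7f3c1e428000 rw-p 00000000 00:00 0
7ffd1c3f0000-7ffd1c411000 rw-p 00000000 00:00 0 [stack]
";
pub const OFF_A1: u64 = 0x9d540;  // malloc (assumed)
pub const OFF_A2: u64 = 0x219c80; // a variable in .data (assumed)
pub const OFF_A3: u64 = 0x8c4e0;  // dlopen (assumed)

fn main() {
    let maps = parse_maps(SAMPLE_MAPS);
    match resolve_targets(&maps, "libc.so", OFF_A1, OFF_A2, OFF_A3) {
        Ok(t) => println!("A1={:#x} A2={:#x} A3={:#x}", t.a1, t.a2, t.a3),
        Err(e) => eprintln!("refusing to inject: {e}"),
    }
}
```

It needs no external crates; `write_mem` is only exercised if you call it with a real PID, and then it requires the same ptrace-attach rights the README's sysctl line is about. The asymmetry in the permission check is the practical point: A2 must sit in a writable libc page because the running payload writes to it from inside the target, while A1 only has to be executable, since the injector patches it from outside through /proc/PID/mem, which bypasses page protections.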