{"id":23094222,"url":"https://github.com/vfsfitvnm/intruducer","last_synced_at":"2025-08-23T01:06:22.860Z","repository":{"id":50934981,"uuid":"439105845","full_name":"vfsfitvnm/intruducer","owner":"vfsfitvnm","description":"A Rust crate to load a shared library into a Linux process without using ptrace.","archived":false,"fork":false,"pushed_at":"2023-06-02T18:16:58.000Z","size":77,"stargazers_count":132,"open_issues_count":1,"forks_count":15,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-04-04T10:43:24.646Z","etag":null,"topics":["android","dlopen","elf","injection","linux","ptrace"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vfsfitvnm.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-12-16T19:33:16.000Z","updated_at":"2025-03-21T07:15:11.000Z","dependencies_parsed_at":"2022-08-25T13:00:59.888Z","dependency_job_id":null,"html_url":"https://github.com/vfsfitvnm/intruducer","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/vfsfitvnm/intruducer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vfsfitvnm%2Fintruducer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vfsfitvnm%2Fintruducer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vfsfitvnm%2Fintruducer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vfsfitvnm%2Fintruducer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vfsfitvnm","download_url":"https://codeload.gith
ub.com/vfsfitvnm/intruducer/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vfsfitvnm%2Fintruducer/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271727512,"owners_count":24810561,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-22T02:00:08.480Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","dlopen","elf","injection","linux","ptrace"],"created_at":"2024-12-16T21:58:14.734Z","updated_at":"2025-08-23T01:06:22.834Z","avatar_url":"https://github.com/vfsfitvnm.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Intruducer\n\u003e The intruder introducer!\n\nA [Rust](https://www.rust-lang.org/) crate to load a shared library into a Linux process without using `ptrace`. 
This is a portable rewrite of [dlinject](https://github.com/DavidBuchanan314/dlinject).\n\n![example](https://user-images.githubusercontent.com/46219656/146436105-b4f29bd0-e98b-498b-b75c-5ce3680974da.gif)\n\n## Compatibility\nIt should work for `x86`, `x86-64`, `arm` and `aarch64`, for both Linux and Android.\n\n## Example\n```sh\n# Build binary\ncargo build --example intruducer\n# Build victim\ncargo build --example victim\n# Build library\nrustc ./examples/evil.rs --crate-type cdylib --out-dir ./target/debug/examples\n\n# Execute the victim\ncd ./target/debug/examples\n./victim\n\n# Within a new shell\ncd ./target/debug/examples\n./intruducer -l ./libevil.so `pidof victim`\n```\n\n## How it works\n1) Retrieve the instruction pointer (`ip`) of the target process by reading `/proc/\u003cpid\u003e/syscall`;\n2) Open `/proc/\u003cpid\u003e/mem` and back up the content at `ip`;\n3) Generate the two payloads, and save the last one to a file.\n4) Write the first payload to the target process memory at `ip` - the execution flow is now altered.\n5) The first payload loads and executes the second payload.\n6) The second payload restores the original code, calls `dlopen` and branches to `ip` - the original execution flow is resumed.\n\n## Caveats\n- It makes large applications crash when a lot of computing is going on - this happens when a thread is executing the first payload and another one is executing the second payload, which restores the original code. A possible solution consists in freezing every thread but one using `/sys/fs/cgroup/freezer`, letting this one perform the whole task and then thawing all the others. 
However, this only seemed to reduce the chance of crashes.\n- A register (`x28`) will be clobbered on `aarch64` - I found no way to branch to an absolute virtual address without using a register.\n- When targeting an Android application, both library and second payload binary blob will be copied to its native library directory - changing the security context to `u:object_r:apk_data_file:s0` is not enough for the library file.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvfsfitvnm%2Fintruducer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvfsfitvnm%2Fintruducer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvfsfitvnm%2Fintruducer/lists"}