Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/MJx0/AndKittyInjector

Inject a shared library into a process using ptrace
https://github.com/MJx0/AndKittyInjector

android injector linux ptrace reverse-engineering

Last synced: about 2 months ago
JSON representation

Inject a shared library into a process using ptrace

Host: GitHub
URL: https://github.com/MJx0/AndKittyInjector
Owner: MJx0
License: mit
Created: 2023-09-28T02:56:30.000Z (12 months ago)
Default Branch: main
Last Pushed: 2023-11-24T05:22:38.000Z (10 months ago)
Last Synced: 2024-06-01T20:45:55.102Z (4 months ago)
Topics: android, injector, linux, ptrace, reverse-engineering
Language: C++
Homepage:
Size: 656 KB
Stars: 126
Watchers: 5
Forks: 55
Open Issues: 4
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        # AndKittyInjector

Android shared library injector based on ptrace with help of [KittyMemoryEx](https://github.com/MJx0/KittyMemoryEx).

Requires C++11 or above.

Inject from /data for Android

 Support: 


- [x] Tested on Android 5.0  ~ 14

- [x] ABI arm, arm64, x86, x86_64

- [x] Inject emulated arm64 & arm32 via libhoudini.so or libndk_translation.so

- [x] Bypass android linker namespace restrictions

- [x] memfd dlopen support

- [x] App launch monitor

- [x] Hide lib segments from /maps

- [x] Hide lib from linker solist ( dladdr & dl_iterate_phdr )

 How to use: 


Make sure to chmod +x or 755

```text

Usage: ./path/to/AndKittyInjector [-h] [-pkg] [-pid] [-lib] [ options ]

Required arguments:

   -pkg                Target app package.

   

   -lib                Library path to inject.

Optional arguments:

   -h, --help          show available arguments.

   

   -pid                Target app pid.

   

   -dl_memfd           Use memfd_create & dlopen_ext to inject library, useful to bypass path restrictions.

   -hide_maps          Try to hide lib segments from /proc/[pid]/maps.

   -hide_solist        Try to remove lib from linker or NativeBridge solist.

   

   -watch              Monitor process launch then inject, useful if you want to inject as fast as possible.

   

   -delay              Set a delay in microseconds before injecting.

   ```

Notes: 


- Do not start a thread in library constructor, instead use JNI_OnLoad:

```cpp

extern "C" jint JNIEXPORT JNI_OnLoad(JavaVM* vm, void *key)

{

    // key 1337 is passed by injector

    if (key != (void*)1337)

        return JNI_VERSION_1_6;

    KITTY_LOGI("JNI_OnLoad called by injector.");

    JNIEnv *env = nullptr;

    if (vm->GetEnv((void**)&env, JNI_VERSION_1_6) == JNI_OK)

    {

        KITTY_LOGI("JavaEnv: %p.", env);

        // ...

    }

    

    std::thread(thread_function).detach();

    

    return JNI_VERSION_1_6;

}

```

- When using -watch to inject as soon as the target app launches, you may need to use -delay as well, especially when injecting emulated lib.

- When using -dl_memfd and it fails then legacy dlopen will be called.

 Compile: 


- Make sure to have NDK, cmake and make installed and added to OS environment path.

- Set NDK_HOME to point to NDK folder

- You can check both [ndk-build.bat](AndKittyInjector/ndk-build.bat) and [cmake-build.bat](AndKittyInjector/cmake-build.bat)

```shell

git clone --recursive https://github.com/MJx0/AndKittyInjector.git

cd AndKittyInjector/AndKittyInjector

ndk-build.bat

```

Credits: 


[arminject](https://github.com/evilsocket/arminject)

[injectvm-binderjack](https://github.com/Chainfire/injectvm-binderjack)

[TinyInjector](https://github.com/shunix/TinyInjector)

[am_proc_start](https://gist.github.com/vvb2060/a3d40084cd9273b65a15f8a351b4eb0e#file-am_proc_start-cpp)