Improve SoList hiding #95

Merged
merged 3 commits into from
Dec 5, 2024
Conversation

JingMatrix
Contributor

Changes

  1. Export CMake compile commands for the clangd language server so that the current project is friendlier to non-IDE users.
  2. Fix linker symbol lookup on Android 15 for some devices ([BUG]: Symbol resolution for /linker in Android 15 #63).
  3. Drop the module SoInfo from SoList to avoid detection.

Why

In Bionic linker, the SoInfo structure has a field next, which points to the next loaded library in a linked list consisting of all loaded libraries.
Hence, a hooked app can easily find all loaded libraries.
Previously in ReZygisk, module library items are hidden by setting the pathname to be empty. This was futile for two reasons:

  1. The name field still keeps the library name.
  2. An item with an empty name or pathname is artificial and can be used to detect Zygisk.

By contrast, dropping the item from SoList is a widely used method in many projects, such as the well-known Riru.
You can search keyword solist_remove_soinfo on GitHub to find them.

Checkmarks

  • The modified functions have been tested.
  • Used the same indentation as the rest of the project.
  • Updated documentation (changelog).

Additional information

If you have any additional information, write it here

To make `clangd` work properly, one needs to make symbolic links
```
ln -sf $PWD/loader/build/tools/debug/arm64-v8a/compile_commands.json loader/build
```
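The PR description above says that a process can find every loaded library by walking the linker's `soinfo` list, and that an entry whose `name` or `pathname` has been blanked is itself a tell. The check below is an added example (not ReZygisk's or the PR author's code) of how an app could audit its own loaded-object list from the defender's side. It uses `dl_iterate_phdr`, which on Bionic walks the same linker-maintained list the PR discusses (an assumption about Bionic internals; on glibc it walks the equivalent `link_map` list), and flags the two symptoms named on the page: an empty object name, and a backing path that is memfd-based or marked `(deleted)`, as in the PR's own log line `/memfd:jit-cache-zygisk (deleted)`. The classification rules and the first-entry exemption are constructed for this example.

```c
#define _GNU_SOURCE
#include <link.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bit flags for why a loaded-object name looks anomalous. The rules are
 * constructed for this example from the symptoms the PR discussion names:
 * an empty name, a memfd-backed path, or a "(deleted)" backing file. */
enum so_flag {
    SO_OK         = 0,
    SO_EMPTY_NAME = 1 << 0,
    SO_MEMFD      = 1 << 1,
    SO_DELETED    = 1 << 2
};

/* Classify one object name exactly as dl_iterate_phdr reports it. */
int classify_so_name(const char *name)
{
    int flags = SO_OK;
    if (name == NULL || name[0] == '\0')
        return SO_EMPTY_NAME;
    if (strstr(name, "/memfd:") != NULL)
        flags |= SO_MEMFD;
    if (strstr(name, "(deleted)") != NULL)
        flags |= SO_DELETED;
    return flags;
}

struct scan_state {
    int total;       /* objects the linker reported */
    int suspicious;  /* objects with a non-zero classification */
};

/* dl_iterate_phdr callback. glibc reports the main executable as the first
 * entry with an empty name (Bionic reports its real path), so the first
 * entry is exempt from the empty-name rule. Assumption: entry 0 is always
 * the executable itself. */
static int on_object(struct dl_phdr_info *info, size_t size, void *data)
{
    (void)size;
    struct scan_state *st = data;
    int flags = classify_so_name(info->dlpi_name);
    if (st->total == 0 && flags == SO_EMPTY_NAME)
        flags = SO_OK;
    st->total++;
    if (flags != SO_OK) {
        st->suspicious++;
        printf("suspicious object #%d: \"%s\" flags=0x%x\n",
               st->total, info->dlpi_name, flags);
    }
    return 0;  /* 0 keeps iterating */
}

/* Walk the linker's list of loaded objects; fill *out (if given) with the
 * counts and return how many entries look suspicious. */
int scan_loaded_objects(struct scan_state *out)
{
    struct scan_state st = {0, 0};
    dl_iterate_phdr(on_object, &st);
    if (out != NULL)
        *out = st;
    return st.suspicious;
}

int main(void)
{
    struct scan_state st;
    int n = scan_loaded_objects(&st);
    printf("%d loaded objects, %d suspicious\n", st.total, n);
    /* Constructed sample: the path from the PR's own log line. */
    printf("classify(\"/memfd:jit-cache-zygisk (deleted)\") = 0x%x\n",
           classify_so_name("/memfd:jit-cache-zygisk (deleted)"));
    return n != 0;
}
```

Build with `cc -o soaudit soaudit.c` and run it inside the process you want to audit. Note the limit that the PR itself relies on: an entry that has been unlinked from the list entirely never reaches the callback, so this check only catches the renamed or blanked entries described in the "Why" section. A more complete audit would cross-check the objects `dl_iterate_phdr` reports against the executable mappings in `/proc/self/maps` and treat any mapped library the linker does not know about as suspicious.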
@JingMatrix
Contributor Author

To get a clear idea, this pull-request will log new items like this:

[ 2024-11-29T13:47:30.494    10242: 16356: 16356 I/zygisk-core64   ] Dropped SoList entry for liblspd.so loaded at /memfd:jit-cache-zygisk (deleted)

@JingMatrix JingMatrix force-pushed the main branch 2 times, most recently from e3cb1fb to e9498aa on November 29, 2024 21:29
@JingMatrix
Contributor Author

Very interestingly, we cannot drop the soinfo of libzygisk.so loaded from /data/adb/rezygisk/lib64/libzygisk.so.
Otherwise, zygisk modules will fail to work; a testing commit is JingMatrix@c5ac305.

@JingMatrix
Contributor Author

I made an app to detect ReZygisk: JingMatrix/Demo.
Here are the results:

  1. No version of ReZygisk has ever passed the second test of solist;
  2. The current PR will help to pass the first test of solist.

@ThePedroo ThePedroo mentioned this pull request Dec 2, 2024
@ThePedroo ThePedroo linked an issue Dec 2, 2024 that may be closed by this pull request
@JingMatrix
Contributor Author

The current pull request can be merged.

To bypass the test of Demo, here is the idea of injecting libzygisk.so, to be implemented later:

  1. In daemon, remote call dlopen to load libzygisk.so
  2. In libzygisk.so, move/copy its memory block to a new place, and return the new address back to daemon
  3. In daemon, remote call dlclose to clean all traces introduced by the dynamic linker, including the one of solist
  4. In daemon, remote call entry function using the new address returned in step 2

Basically, we now move the memory block of libzygisk.so instead of simply renaming it.

JingMatrix and others added 2 commits December 5, 2024 19:42

On Android 15+ on some devices, the symbol names of some static variables, such as `solist`, have an `llvm` suffix in their exported names.
The current commit handles this case and closes PerformanC#63 as fixed.

Co-authored-by: ThePedroo <[email protected]>

In the Bionic linker, the `soinfo` structure has a field `next`, which points to the next loaded library in a linked list consisting of all loaded libraries.
Hence, an injected process can easily find all loaded libraries.
Previously in ReZygisk, module library records were hidden by setting the `pathname` field to be empty, which is futile but easier to detect.
The current idea of dropping the record can be found in the following commit:
RikkaApps/Riru@5d635e8
@ThePedroo ThePedroo merged commit 0c0e9fa into PerformanC:main Dec 5, 2024
1 check passed
@ThePedroo ThePedroo added the labels "confirmed" (This issue or pull request is confirmed to be done.) and "enhancement" (New feature or request) Dec 5, 2024
ThePedroo added a commit that referenced this pull request Dec 5, 2024
This commit merges the pull request by JingMatrix that includes improvements for clangd users, fixes for devices which have llvm suffix in SoList related symbols, and improved hiding related to the SoList.