mjx0 / andkittyinjector Goto Github PK

View Code? Open in Web Editor NEW

130.0 5.0 57.0 672 KB

Inject a shared library into a process using ptrace

License: MIT License

Makefile 1.39% Batchfile 3.66% C++ 51.15% CMake 0.49% C 43.32%

android injector linux ptrace reverse-engineering

andkittyinjector's Introduction

AndKittyInjector

Android shared library injector based on ptrace with help of KittyMemoryEx.

Requires C++11 or above.
Inject from /data for Android

Support:

Tested on Android 5.0 ~ 14
ABI arm, arm64, x86, x86_64
Inject emulated arm64 & arm32 via libhoudini.so or libndk_translation.so
Bypass android linker namespace restrictions
memfd dlopen support
App launch monitor
Hide lib segments from /maps
Hide lib from linker solist ( dladdr & dl_iterate_phdr )

How to use:

Make sure to chmod +x or 755

Usage: ./path/to/AndKittyInjector [-h] [-pkg] [-pid] [-lib] [ options ]

Required arguments:
   -pkg                Target app package.
   
   -lib                Library path to inject.

Optional arguments:
   -h, --help          show available arguments.
   
   -pid                Target app pid.
   
   -dl_memfd           Use memfd_create & dlopen_ext to inject library, useful to bypass path restrictions.

   -hide_maps          Try to hide lib segments from /proc/[pid]/maps.

   -hide_solist        Try to remove lib from linker or NativeBridge solist.
   
   -watch              Monitor process launch then inject, useful if you want to inject as fast as possible.
   
   -delay              Set a delay in microseconds before injecting.

Notes:

Do not start a thread in library constructor, instead use JNI_OnLoad:

extern "C" jint JNIEXPORT JNI_OnLoad(JavaVM* vm, void *key)
{
    // key 1337 is passed by injector
    if (key != (void*)1337)
        return JNI_VERSION_1_6;

    KITTY_LOGI("JNI_OnLoad called by injector.");

    JNIEnv *env = nullptr;
    if (vm->GetEnv((void**)&env, JNI_VERSION_1_6) == JNI_OK)
    {
        KITTY_LOGI("JavaEnv: %p.", env);
        // ...
    }
    
    std::thread(thread_function).detach();
    
    return JNI_VERSION_1_6;
}

When using -watch to inject as soon as the target app launches, you may need to use -delay as well, especially when injecting emulated lib.
When using -dl_memfd and it fails then legacy dlopen will be called.

Compile:

Make sure to have NDK, cmake and make installed and added to OS environment path.
Set NDK_HOME to point to NDK folder
You can check both ndk-build.bat and cmake-build.bat

git clone --recursive https://github.com/MJx0/AndKittyInjector.git
cd AndKittyInjector/AndKittyInjector
ndk-build.bat

Credits:

andkittyinjector's People

Contributors

Stargazers

Watchers

Forkers

losenineai seeflowerx heckerstone lanbaicode jiemking imzpy ldzspace alex5402 revealedsouleven yfw123 greyfeathervoid crackercat netstu ugreek85 kingking888 fengjixuchui jyotidwi gavz xyxdaily npc2000 voidkenny andnixsh mikacybertron openchatgpts primody pythonzz bags432 fluttergo x4317350 asdlei99 king-maple z422616225 sayedmahmud wxwang0104 xiaotujinbnb nkr00711 mickelfeng toumobsiab shadowxiaomo iiiimmmyyy df13954 x20888450 sivasakthi-it-services bluegatar be4utifulb0y xiabei-cy 1sland99 hiramsgit mrhao12333 shuaibibobo gmh5225 icodein 0xcybershinigami

andkittyinjector's Issues

how can I contact you?

i want write u PM about autoskillz (copy of AS)
if u have telegram, check t.me/wergity_mods/6130

环境雷电模拟器
I: inject_lib: Stopped target process threads.
I: inject_lib: Attaching to target process...
I: inject_lib: Attached successfully.
I: injectLibrary: [native=x86 | lib=arm].
W: injectLibrary: Library EMachine is not native.
I: injectLibrary: Searching for NativeBridge implementation...
I: injectLibrary: Found NativeBridge "libhoudini.so" version 3.
I: emuInject: Using NativeBridge namespace (3).

Injection Failed

My device is Android-13 (one+)

An error occurred when I injected in Android

I: Library Path: /data/local/tmp/libS.so
I: Use memfd dlopen: 0
I: Hide lib from maps: 0
I: Hide lib from solist: 0
I: Use app watch: 0
I: Inject delay: 0
I: inject_lib: Stopped target process threads.
I: inject_lib: Attaching to target process...
I: inject_lib: Attached successfully.
I: injectLibrary: [native=arm64 | lib=arm64].
I: injectLibrary: lib handle = 0x0.
I: injectLibrary: lib Base = 0x0.
E: injectLibrary: failed )':
E: injectLibrary: calling dlerror...
E: injectLibrary: dlopen failed: couldn't map "/data/local/tmp/libS.so" segment 1: Permission denied
I: inject_lib: Killing target process...
E: Injection failed.

运行后提示找不到process

I: Couldn't find process id of 20273

injection failed(arena breakout)

Process Name: com.proximabeta.mf.uamo
I: Library Path: /data/local/tmp/libneoware.so
I: Use memfd dlopen: 0
I: Hide lib from maps: 0
I: Hide lib from solist: 0
I: Use app watch: 1
I: Inject delay: 0
I: Monitoring com.proximabeta.mf.uamo...
I: inject_lib: Stopped target process threads.
I: inject_lib: Attaching to target process...
I: inject_lib: Attached successfully.
I: injectLibrary: [native=arm64 | lib=arm64].
E: callFunction: Target process terminated (11).
E: getAllMaps err couldn't find any map
I: injectLibrary: lib handle = 0x0.
I: injectLibrary: lib Base = 0x0.
E: injectLibrary: failed )':
E: injectLibrary: calling dlerror...
E: callFunction failed, Not attached to 12602.
E: callFunction failed, Not attached to 12602.
E: PTRACE_SETREGS failed, Not attached to 12602.
E: injectLibrary: failed to restore registers.
I: inject_lib: Killing target process...
E: Injection failed.

When using LD emulator x86_64Error injecting arm64 into

When I execute x86_64 in LD emulator An error occurred during x86_64 Inject Arm64. The following is the error content

SoInfoPatch: soinfo->base offset = 0x10.
I: SoInfoPatch: soinfo->next offset = 0x28.
W: injectLibrary: Library EMachine is not native.
I: injectLibrary: [native=0x3e | lib=0xb7].
I: injectLibrary: Searching for native bridge...
I: injectLibrary: Found native bridge "libhoudini.so" version 3.
I: injectLibrary: lib handle = 0x0
E: injectLibrary: failed )':
E: injectLibrary: calling dlerror...
E: injectLibrary: [��SkIn.so" needed or dlopened by "(unknown)" is not accessible for the namespace "(anonymous)"
E: Injection failed.

好奇

应该可以直接将要注入的so内容写入游戏中，然后通过调用memfd_create 再DlopenMem 类似
https://github.com/Dr-TSNG/ZygiskOnKernelSU/blob/42503e7cfe13bc0c089652f4a57cd07094a1e3ca/loader/src/common/dl.cpp#L47
这样就能绕过 namespace限制了吧

imGui

Can imgui library injected using this?

An error occurred while using injection within the speed of light virtual machine

When I use the Speed of Light virtual machine in Android 13

An error occurred while using injection within the speed of light virtual machine

The following is the error message content

Library Path: /data/local/tmp/libSk.so
I: Use memfd dlopen: 1
I: Hide lib from maps: 0
I: Hide lib from solist: 0
I: Use app watch: 0
I: Inject delay: 1500000
I: inject_lib: Stopped target process threads.
I: inject_lib: Attaching to target process...
I: inject_lib: Attached successfully.
I: injectLibrary: [native=arm64 | lib=arm64].
I: nativeInject: memfd_rand(11) = vEbrkV1r7Xu.
E: nativeInject: Failed to open remote memfd file, errno = Read-only file system.
W: nativeInject: android_dlopen_ext failed.
I: nativeInject: falling back to legacy dlopen.
I: getJavaVM: JNI_GetCreatedJavaVMs = 0x7052d9b9d0.
I: injectLibrary: lib handle = 0x3922324f2b59889.
I: injectLibrary: lib Base = 0x6e72563000.
I: inject_lib: Continuing target process...
I: callEntryPoint: JavaVM(0x70d8f9c1c0) | SecretKey(1337) | JNI_OnLoad(0x6e725e8a58).
E: callFunction: Target process exited (0).
I: callEntryPoint: Calling JNI_OnLoad(0x70d8f9c1c0, 1337) returned 0.
W: callEntryPoint: Unexpected returned value 0.
E: callFunction failed, Not attached to 1599.
E: callFunction failed, Not attached to 1599.
E: callFunction failed, Not attached to 1599.
E: PTRACE_SETREGS failed, Not attached to 1599.
E: injectLibrary: failed to restore registers.
I: Injection took 198.252709 MS.
I: Injection succeeded.

mjx0 / andkittyinjector Goto Github PK

andkittyinjector's Introduction

AndKittyInjector

Support:

How to use:

Notes:

Compile:

Credits:

andkittyinjector's People

Contributors

Stargazers

Watchers

Forkers

andkittyinjector's Issues

Recommend Projects

Recommend Topics

Recommend Org