android-inject-custom's Introduction

android-inject-custom

Example showing how to use Frida for standalone injection of a custom payload. The payload is a .so that uses Gum, Frida's low-level instrumentation library, to hook open() and print the arguments on stderr every time it's called. The payload could be any shared library as long as it exports a function with the name that you specify when calling inject_library_file_sync().

In our example we named it example_agent_main. This function will also be passed a string of data, which you can use for application-specific purposes.

Note that only the build system is Android-specific, so this example is easily portable to all other OSes supported by Frida.

Prerequisites

  • Android NDK r21
  • Rooted Android device

Preparing the build environment

Point $ANDROID_NDK_ROOT to your NDK path.

Running

$ make

This will build the injector, the payload, and an example program you can inject the payload into to easily observe the results.

Next, copy the bin/ directory somewhere on your Android device. In one terminal, adb shell into the device and launch the victim binary:

$ ./victim
Victim running with PID 1303

Then, in another terminal, change directory to where the inject binary is and run it:

$ ./inject 1303
$

You should now see a message printed by the victim process every time open() is called.
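
A library loaded this way is also visible from outside the target as an executable mapping in /proc/<pid>/maps, which gives a quick way to confirm that the payload loaded or to spot an unexpected one during triage. The following is an added example, not part of this project's code; the trusted path prefixes, the function names and the sample maps text are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Trusted library locations: an assumption for this example, tune per device. */
static const char *TRUSTED[] = { "/system/", "/apex/", "/vendor/", NULL };
enum verdict { CLEAN, UNTRUSTED_LIB, ANON_EXEC };

/* Classify one maps line: "start-end perms offset dev inode [path]". */
enum verdict classify_maps_line(const char *line, const char *exe)
{
    char perms[5] = "", path[256] = "";
    int n = sscanf(line, "%*[0-9a-f]-%*[0-9a-f] %4s %*s %*s %*s %255[^\n]", perms, path);
    if (n < 1 || perms[2] != 'x')
        return CLEAN;              /* unparsable, or not executable */
    if (n < 2)
        return ANON_EXEC;          /* executable memory with no backing file */
    if (path[0] != '/' || strcmp(path, exe) == 0)
        return CLEAN;              /* [vdso]-style region, or the program itself */
    for (int i = 0; TRUSTED[i]; i++)
        if (strncmp(path, TRUSTED[i], strlen(TRUSTED[i])) == 0)
            return CLEAN;          /* library from a trusted location */
    return UNTRUSTED_LIB;          /* executable file mapped from elsewhere */
}

/* Walk a whole maps dump, print each suspicious mapping, return the count. */
int scan_maps(const char *text, const char *exe)
{
    int hits = 0;
    while (*text) {
        char line[512];
        size_t len = strcspn(text, "\n");
        snprintf(line, sizeof line, "%.*s", (int) len, text);
        enum verdict v = classify_maps_line(line, exe);
        if (v != CLEAN) {
            hits++;
            printf("%s: %s\n", v == ANON_EXEC ? "anon-exec" : "untrusted-lib", line);
        }
        text += len + (text[len] == '\n');
    }
    return hits;
}

/* Constructed sample maps text (not captured from a real device). */
static const char SAMPLE[] =
    "5594760000-5594761000 r-xp 00000000 fd:31 527666 /data/local/tmp/bin/victim\n"
    "7f86200000-7f86400000 r-xp 00000000 fd:31 527700 /data/local/tmp/libhello.so\n"
    "7f89e41000-7f89e42000 r-xp 00000000 00:00 0 \n"
    "7f8a000000-7f8a0c0000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so\n";

int main(void)
{
    return scan_maps(SAMPLE, "/data/local/tmp/bin/victim") == 2 ? 0 : 1;
}
```

On a device, pass the contents of /proc/<pid>/maps and the target of /proc/<pid>/exe. App processes also map code from /data/app and JIT regions, so extend the allow-list before relying on the result.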

android-inject-custom's People

Contributors

meme, oleavr

android-inject-custom's Issues

Process crash on inject

Hello,

I've compiled your example for armeabi-v7a and arm64, neither works. Whenever I inject the shared object the target process crashes. I've also tried building an example on my own with the same result. Here's the code I used for my own example: https://pastebin.com/623kFV9D
Below are screenshots of my shell (as URLs because they would be huge).
https://user-images.githubusercontent.com/17969238/63078048-8ca2d200-bf3a-11e9-9a8b-33915ae23869.png
https://user-images.githubusercontent.com/17969238/63078049-8d3b6880-bf3a-11e9-9c78-95646c9c4d90.png

Inject to process and crash

inject to zygote

I use the sample code and core-devkit to inject into zygote. The inject code runs without error, but zygote crashes. Below is the crash log:

2020-06-22 13:29:38.275 803-7261/? A/libc: failed to wait for crash_dump helper: No child processes
2020-06-22 13:29:38.283 7279-7279/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2020-06-22 13:29:38.283 7279-7279/? A/DEBUG: Build fingerprint: 'google/blueline/blueline:9/PQ3A.190605.003/5524043:user/release-keys'
2020-06-22 13:29:38.283 7279-7279/? A/DEBUG: Revision: 'MP1.0'
2020-06-22 13:29:38.283 7279-7279/? A/DEBUG: ABI: 'arm'
2020-06-22 13:29:38.283 7279-7279/? A/DEBUG: pid: 803, tid: 7261, name: main  >>> zygote <<<
2020-06-22 13:29:38.283 7279-7279/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
2020-06-22 13:29:38.283 7279-7279/? A/DEBUG: Cause: null pointer dereference
2020-06-22 13:29:38.283 7279-7279/? A/DEBUG:     r0  ef6b0360  r1  d82f3928  r2  d82f392c  r3  d82f3df4
2020-06-22 13:29:38.283 7279-7279/? A/DEBUG:     r4  00000000  r5  2b063843  r6  ef6b0000  r7  00000003
2020-06-22 13:29:38.283 7279-7279/? A/DEBUG:     r8  00000323  r9  00000323  r10 f2b524ec  r11 00001000
2020-06-22 13:29:38.283 7279-7279/? A/DEBUG:     ip  f2b4f340  sp  d82f3928  lr  ef6af0d1  pc  00000000
2020-06-22 13:29:38.284 7279-7279/? A/DEBUG: backtrace:
2020-06-22 13:29:38.284 7279-7279/? A/DEBUG:     #00 pc 00000000  <unknown>

inject to common process

When I try to inject the .so into a common app process, the target process also crashes, as in the log below:

 A/libc: Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0 in tid 26144 

Env

env: pixel3/android9/arm/frida-core-devkit-12.9.4

my code

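#include <string.h>       /* strlen () */
#include <sys/xattr.h>    /* setxattr () */
#include <android/log.h>
#include <frida-core.h>

/* LOGI/LOGE were not shown in the post; assumed here to be the usual logcat wrappers. */
#define LOGI(...) __android_log_print (ANDROID_LOG_INFO, "frida_inject", __VA_ARGS__)
#define LOGE(...) __android_log_print (ANDROID_LOG_ERROR, "frida_inject", __VA_ARGS__)

int frida_inject (int pid, const char* pname, const char *load_file)
{
    int result = 0;
    const char * path = load_file;
    const char * context = "u:object_r:frida_file:s0";
    FridaInjector * injector;

    GError * error;
    guint id;

    /* Validate the PID before frida_init () so the early return does not skip frida_deinit (). */
    if (pid <= 0){
        LOGI("[frida_inject] pid <= 0");
        return pid;
    }

    frida_init ();

    frida_selinux_patch_policy ();

    /* Label the payload file with the frida_file SELinux context. */
    if (setxattr (path, XATTR_NAME_SELINUX, context, strlen (context) + 1, 0) != 0)
        goto setxattr_failed;

    injector = frida_injector_new ();

    /* "example_agent_main" is the entrypoint exported by the payload; "example data" is passed to it. */
    error = NULL;
    id = frida_injector_inject_library_file_sync (injector, pid, path, "example_agent_main", "example data", NULL, &error);
    if (error != NULL)
    {
        LOGE ("[frida_inject] inject error:%s\n", error->message);
        g_clear_error (&error);

        result = 1;
    }

    frida_injector_close_sync (injector, NULL, NULL);
    g_object_unref (injector);

    frida_deinit ();

    return result;

    setxattr_failed:
    {
        LOGE ("[frida_inject] Failed to set SELinux permissions\n");
        frida_deinit ();
        return 1;
    }
}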

I can't build this. Why?

I can't build this. Why? I'm on Win10 with ndk20. I downloaded your source and built it like you say,
but make fails with error=-1.
Can you make an ndk-build script?
Thank you.

Segmentation fault when inject into victim

I made some modifications to prepare to inject into an app, and got this segmentation fault 👍

10-11 18:11:45.546  1221  1599 D WifiStateMachine: updateCapabilities for config:LTTfalse,false
10-11 18:11:46.472  1892  1983 W QCNEJ   : |CORE| CNE received unexpected action: android.intent.action.BATTERY_CHANGED
10-11 18:11:46.935 17598 17598 I magiskd : type=1400 audit(0.0:427): avc: denied { associate } for name="UNIX" dev="sockfs" ino=164041 scontext=u:object_r:magisk_file:s0 tcontext=u:object_r:sockfs:s0 tclass=filesystem permissive=1
10-11 18:11:47.805   328   328 I auditd  : type=1403 audit(0.0:428): policy loaded auid=4294967295 ses=4294967295
10-11 18:11:48.554  1838  1838 D wpa_supplicant: wlan0: Control interface command 'SIGNAL_POLL'
10-11 18:11:48.557  1838  1838 D wpa_supplicant: CTRL-DEBUG: global_ctrl_sock-sendto: sock=9 sndbuf=229376 outq=768 send_len=48
10-11 18:11:48.890 17591 17591 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x7f89e54108 in tid 17591 (victim)
10-11 18:11:48.891   330   330 W         : debuggerd: handling request: pid=17591 uid=10071 gid=10071 tid=17591
10-11 18:11:48.885   330   330 I debuggerd64: type=1400 audit(0.0:429): avc: denied { read } for name="victim" dev="mmcblk0p49" ino=527666 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
10-11 18:11:48.885   330   330 I debuggerd64: type=1400 audit(0.0:430): avc: denied { open } for path="/data/data/com.termux/files/home/test/victim" dev="mmcblk0p49" ino=527666 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
10-11 18:11:48.885 17614 17614 I debuggerd64: type=1400 audit(0.0:431): avc: denied { getattr } for path="/data/data/com.termux/files/home/test/victim" dev="mmcblk0p49" ino=527666 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
10-11 18:11:48.906 17614 17614 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
10-11 18:11:48.906 17614 17614 F DEBUG   : LineageOS Version: '14.1-20180307-UNOFFICIAL-rolex'
10-11 18:11:48.906 17614 17614 F DEBUG   : Build fingerprint: 'Xiaomi/rolex/rolex:6.0.1/MMB29M/V8.5.1.0.MCCMIED:user/release-keys'
10-11 18:11:48.907 17614 17614 F DEBUG   : Revision: '0'
10-11 18:11:48.907 17614 17614 F DEBUG   : ABI: 'arm64'
10-11 18:11:48.907 17614 17614 F DEBUG   : pid: 17591, tid: 17591, name: victim  >>> ./victim <<<
10-11 18:11:48.907 17614 17614 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7f89e54108
10-11 18:11:48.907 17614 17614 F DEBUG   :     x0   0000007f89e540e0  x1   0000007fc4cc6648  x2   0000007fc4cc6748  x3   0000007fc4cc67d0
10-11 18:11:48.907 17614 17614 F DEBUG   :     x4   000000559476d6ef  x5   0000007f8648d01e  x6   000000000000000a  x7   000000000000000a
10-11 18:11:48.907 17614 17614 F DEBUG   :     x8   0000000000000000  x9   000000559476d6fb  x10  0000000000004001  x11  0000000000000000
10-11 18:11:48.907 17614 17614 F DEBUG   :     x12  000000000ccccccc  x13  000000008000002f  x14  0000007f869a3fd8  x15  0000007f869a3c7c
10-11 18:11:48.907 17614 17614 F DEBUG   :     x16  0000007f89e41000  x17  0000007f89e540e0  x18  0000007f87965e92  x19  0000007fc4cc6648
10-11 18:11:48.908 17614 17614 F DEBUG   :     x20  0000007f89e540e0  x21  0000007fc4cc67d0  x22  0000007fc4cc6878  x23  0000000000000000
10-11 18:11:48.908 17614 17614 F DEBUG   :     x24  0000000000000000  x25  0000000000000000  x26  0000000000000000  x27  0000000000000000
10-11 18:11:48.908 17614 17614 F DEBUG   :     x28  0000007f89e54108  x29  0000007fc4cc6630  x30  0000007f89e41070
10-11 18:11:48.908 17614 17614 F DEBUG   :     sp   0000007fc4cc65a0  pc   0000007f8627f0f8  pstate 0000000000000000
10-11 18:11:48.910 17614 17614 F DEBUG   : 
10-11 18:11:48.910 17614 17614 F DEBUG   : backtrace:
10-11 18:11:48.910 17614 17614 F DEBUG   :     #00 pc 00000000001d20f8  /data/local/tmp/libhello.so (offset 0x188000)
10-11 18:11:48.910 17614 17614 F DEBUG   :     #01 pc 000000000000006c  <anonymous:0000007f89e41000>

Is there a way to debug the victim process? What causes this segmentation fault?

Java Implementation Code

Hi,
Can you explain how I can put my Java code here?
I use Java implementation code, and it works successfully on Ubuntu (my Android device is connected via USB).
But how can I use it here?
The "agent.c" file is written in C,
and so is the "inject.c" file.
How can I insert my Java code?
Regards
