#include "atexit.hpp"
#include "logging.h"
#include "smap.h"
#include "solist.hpp"
#include "statfs.hpp"
#include "vmap.hpp"
#include <format>
#include <jni.h>
#include <string>
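/// @brief JNI entry point: runs the injection/tamper checks and returns a
///        four-line, human-readable report.
///
/// Checks performed, in order: SoList::DetectInjection(),
/// VirtualMap::DetectInjection(), SoList::DetectModules(), and the filesystem
/// type reported for "/proc/self/exe". VirtualMap::DumpStackStrings() and
/// Atexit::findAtexitArray() are also invoked, but their results do not appear
/// in the returned report (the atexit state is only written to the debug log).
///
/// @param env JNI environment used to allocate the returned Java string.
/// @return A jstring holding the four status lines joined with '\n'; each line
///         is either the "nothing found" default or a description of the
///         finding.
extern "C" JNIEXPORT jstring JNICALL
Java_org_matrix_demo_MainActivity_stringFromJNI(JNIEnv *env,
                                                jobject /* this */) {
  // Defaults describe the clean case; each one is overwritten below only when
  // the matching check reports a finding.
  std::string solist_detection = "No injection found using solist";
  // Fixed the misspelling "vitrual" in this user-visible line.
  std::string vmap_detection = "No injection found using virtual map";
  std::string counter_detection = "No injection found using module counter";
  std::string system_mount_detection =
      "No traces found for /system re-mounting";

  // Run every check up front so one finding never suppresses another.
  SoList::SoInfo *abnormal_soinfo = SoList::DetectInjection();
  VirtualMap::MapInfo *abnormal_vmap = VirtualMap::DetectInjection();
  size_t module_injected = SoList::DetectModules();

  // Return value (if any) is ignored; this call contributes nothing to the
  // report built in this function.
  VirtualMap::DumpStackStrings();

  // Diagnostic only: the atexit array state goes to the debug log and does not
  // influence the verdict returned to Java.
  auto g_array = Atexit::findAtexitArray();
  if (g_array != nullptr) {
    LOGD("g_array status: %s", g_array->format_state_string().c_str());
  }

  auto mount_type = get_filesystem_type("/proc/self/exe");

  if (abnormal_soinfo != nullptr) {
    // Named cast instead of a C-style cast; std::format prints the address.
    solist_detection = std::format("Solist: injection at {}",
                                   static_cast<void *>(abnormal_soinfo));
    // NOTE(review): %s requires non-null C strings; confirm get_name() and
    // get_path() cannot return nullptr for an abnormal entry.
    LOGE("Abnormal soinfo %p: %s loaded at %s", abnormal_soinfo,
         abnormal_soinfo->get_name(), abnormal_soinfo->get_path());
  }

  if (abnormal_vmap != nullptr) {
    vmap_detection =
        std::format("Virtual map: injection at {}", abnormal_vmap->path);
    // NOTE(review): %s needs a NUL-terminated buffer; if `path` is a
    // std::string_view rather than a std::string, data() does not guarantee
    // one. %lx likewise assumes start/end are unsigned-long sized. Confirm
    // both against vmap.hpp.
    LOGE("Abnormal vmap %s: [0x%lx-0x%lx]", abnormal_vmap->path.data(),
         abnormal_vmap->start, abnormal_vmap->end);
  }

  if (module_injected > 0) {
    counter_detection = std::format(
        "Module counter: {} shared libraries unloaded", module_injected);
  }

  // NOTE(review): any type other than "EXT4" is reported as a trace. Devices
  // whose system image legitimately uses another filesystem (for example
  // EROFS) would be flagged too; confirm this is the intended baseline.
  if (mount_type != "EXT4") {
    system_mount_detection =
        std::format("/system/bin was mounted with type {}", mount_type);
  }

  const std::string report = solist_detection + "\n" + vmap_detection + "\n" +
                             counter_detection + "\n" + system_mount_detection;

  // NOTE(review): NewStringUTF expects Modified UTF-8. The mapping path is
  // copied into the report unchanged, so if it can carry arbitrary bytes it
  // should be validated or sanitised before this call; otherwise the object
  // being detected can influence whether the detector itself fails. Confirm
  // what VirtualMap guarantees about `path`.
  return env->NewStringUTF(report.c_str());
}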