Add detection using module counter

Two counters for module loading and unloading are introduced in the commit https://cs.android.com/android/_/android/platform/bionic/+/a2e83ab34845759f0999d0ec88f4cdf558c0a9f5.

Moreover, we remove detection using proc/self/smaps
For projects using LSPlt as PLT hooks, the problem of dirty_page is avoided by restoring memory blocks.

Author: JingMatrix

README.md

@@ -16,8 +16,12 @@ The following cases are considered as injections:
 
 See blog [Android 用户态注入隐藏已死](https://nullptr.icu/index.php/archives/182/).
 
+## Detection using `module counter`
+
+A call to `dlclose` will increase the counter [g_module_unload_counter](https://cs.android.com/android/platform/superproject/main/+/main:bionic/linker/linker.cpp;l=1956).
+
 ## State of bypassing current test
 
-- [x] [Zygisk of Magisk](https://github.com/topjohnwu/Magisk)
-- [x] [ZygiskNext](https://github.com/Dr-TSNG/ZygiskNext) (since [v1.1.0](https://github.com/Dr-TSNG/ZygiskNext/releases/tag/v1.1.0))
+- [ ] [Zygisk of Magisk](https://github.com/topjohnwu/Magisk)
+- [ ] [ZygiskNext](https://github.com/Dr-TSNG/ZygiskNext)
 - [x] [ReZygisk](https://github.com/PerformanC/ReZygisk) (fixed by JingMatrix in https://github.com/PerformanC/ReZygisk/pull/101)

app/src/main/cpp/include/solist.hpp

@@ -7,7 +7,7 @@ namespace SoList {
 class SoInfo {
 public:
 #ifdef __LP64__
-  inline static size_t solist_next_offset = 0x30;
+  inline static size_t solist_next_offset = 0x28;
   constexpr static size_t solist_realpath_offset = 0x1a8;
 #else
   inline static size_t solist_next_offset = 0xa4;
@@ -89,6 +89,7 @@ class ProtectedDataGuard {
 static SoInfo *solist = NULL;
 static SoInfo *somain = NULL;
 static SoInfo **sonext = NULL;
+static uint64_t *g_module_unload_counter = NULL;
 
 static bool Initialize();
 
@@ -100,6 +101,7 @@ inline T *getStaticPointer(const SandHook::ElfImg &linker, const char *name) {
 }
 
 SoInfo *DetectInjection();
+size_t DetectModules();
 
 bool Initialize();
 

app/src/main/cpp/native-lib.cpp

@@ -12,11 +12,10 @@ Java_org_matrix_demo_MainActivity_stringFromJNI(JNIEnv *env,
 
   std::string solist_detection = "No injection found using solist";
   std::string vmap_detection = "No injection found using vitrual map";
-  std::string smap_detection = "No injection found using stats map";
+  std::string counter_detection = "No injection found using module counter";
   SoList::SoInfo *abnormal_soinfo = SoList::DetectInjection();
   VirtualMap::MapInfo *abnormal_vmap = VirtualMap::DetectInjection();
-  /* StatsMap::SmapsEntry abnormal_smap = */
-  /*     StatsMap::DetectInjection(std::string("libharfbuzz_ng.so")); */
+  size_t module_injected = SoList::DetectModules();
 
   if (abnormal_soinfo != nullptr) {
     solist_detection =
@@ -32,13 +31,12 @@ Java_org_matrix_demo_MainActivity_stringFromJNI(JNIEnv *env,
          abnormal_vmap->start, abnormal_vmap->end);
   }
 
-  /* if (abnormal_smap.private_dirty_kb != -1) { */
-  /*   smap_detection = */
-  /*       std::format("Stats map: injection at {}", abnormal_smap.pathname); */
-  /*   LOGE("Abnormal smap %s", abnormal_smap.pathname.data()); */
-  /* } */
+  if (module_injected > 0) {
+    counter_detection =
+        std::format("Module counter: {} shared libraries injected", module_injected);
+  }
 
   return env->NewStringUTF(
-      (solist_detection + "\n" + vmap_detection + "\n" + smap_detection)
+      (solist_detection + "\n" + vmap_detection + "\n" + counter_detection)
           .c_str());
 }

app/src/main/cpp/solist.cpp

@@ -6,6 +6,15 @@ namespace SoList {
 ProtectedDataGuard::FuncType ProtectedDataGuard::ctor = NULL;
 ProtectedDataGuard::FuncType ProtectedDataGuard::dtor = NULL;
 
+size_t DetectModules() {
+  if (g_module_unload_counter == NULL) {
+    LOGI("g_module_unload_counter not found");
+    return 0;
+  } else {
+    return *g_module_unload_counter;
+  }
+}
+
 SoInfo *DetectInjection() {
   if (solist == NULL && !Initialize()) {
     LOGE("Failed to initialize solist");
@@ -117,8 +126,8 @@ bool Initialize() {
   snprintf(sonext_sym_name, sizeof(somain_sym_name), "__dl__ZL6sonext%s",
            llvm_sufix);
 
-  char vsdo_sym_name[sizeof("__dl__ZL4vdso") + sizeof(llvm_sufix)];
-  snprintf(vsdo_sym_name, sizeof(vsdo_sym_name), "__dl__ZL4vdso%s", llvm_sufix);
+  char vdso_sym_name[sizeof("__dl__ZL4vdso") + sizeof(llvm_sufix)];
+  snprintf(vdso_sym_name, sizeof(vdso_sym_name), "__dl__ZL4vdso%s", llvm_sufix);
 
   somain = getStaticPointer<SoInfo>(linker, somain_sym_name);
   if (somain == NULL)
@@ -128,21 +137,23 @@ bool Initialize() {
   if (sonext == NULL)
     return false;
 
-  SoInfo *vsdo = getStaticPointer<SoInfo>(linker, vsdo_sym_name);
-  if (vsdo == NULL)
-    return false;
+  SoInfo *vdso = getStaticPointer<SoInfo>(linker, vdso_sym_name);
 
   SoInfo::get_realpath_sym =
       reinterpret_cast<decltype(SoInfo::get_realpath_sym)>(
           linker.getSymbAddress("__dl__ZNK6soinfo12get_realpathEv"));
   SoInfo::get_soname_sym = reinterpret_cast<decltype(SoInfo::get_soname_sym)>(
       linker.getSymbAddress("__dl__ZNK6soinfo10get_sonameEv"));
 
+  g_module_unload_counter = reinterpret_cast<decltype(g_module_unload_counter)>(
+      linker.getSymbAddress("__dl__ZL23g_module_unload_counter"));
+  if (g_module_unload_counter != NULL)
+    LOGD("found symbol g_module_unload_counter");
+
   for (size_t i = 0; i < 1024 / sizeof(void *); i++) {
     auto *possible_next = *(void **)((uintptr_t)solist + i * sizeof(void *));
-    if (possible_next == somain || (vsdo != NULL && possible_next == vsdo)) {
+    if (possible_next == somain || (vdso != NULL && possible_next == vdso)) {
       SoInfo::solist_next_offset = i * sizeof(void *);
-
       break;
     }
   }