Update v2.0.0

- Code improvements & fixes
- Added command line arguments
- Added option to watch app launch
- Added option to set delay
- Added test lib

Author: MJx0

AndKittyInjector/Android.mk

@@ -1,18 +1,20 @@
 LOCAL_PATH := $(call my-dir)
 
 KITTYMEMORY_PATH = $(LOCAL_PATH)/../KittyMemoryEx/KittyMemoryEx
-KITTYMEMORY_SRC = $(wildcard $(KITTYMEMORY_PATH)/*.cpp)
+KITTYMEMORY_SRC  = $(wildcard $(KITTYMEMORY_PATH)/*.cpp)
 
 ## Example exec
 include $(CLEAR_VARS)
 
 LOCAL_MODULE := AndKittyInjector
 
 # add -DkITTYMEMORY_DEBUG for debug outputs
-LOCAL_CPPFLAGS += -std=c++17 -DkNO_KEYSTONE
+# use logcat logging to get outputs in realtime
+LOCAL_CPPFLAGS += -std=c++17 -DkNO_KEYSTONE #-DkUSE_LOGCAT -DkITTYMEMORY_DEBUG
 
-LOCAL_SRC_FILES := src/main.cpp $(wildcard src/Injector/*.cpp) $(KITTYMEMORY_SRC)
+LOCAL_C_INCLUDES += $(KITTYMEMORY_PATH)
 
-LOCAL_C_INCLUDES += $(KITTYMEMORY_PATH)/../
+PROJ_SRC = $(wildcard $(LOCAL_PATH)/src/*.cpp) $(wildcard $(LOCAL_PATH)/src/Injector/*.cpp)
+LOCAL_SRC_FILES := $(PROJ_SRC) $(KITTYMEMORY_SRC)
 
 include $(BUILD_EXECUTABLE)

AndKittyInjector/injtest/arm64-v8a/libinjtest.so

@@ -0,0 +1,37 @@
+@ECHO OFF
+
+SET "INJECTOR_NAME=AndKittyInjector"
+SET "INJECTOR_PATH=/data/local/tmp/AndKittyInjector"
+
+SET "APP=com.kiloo.subwaysurf"
+
+:: test lib prints hello world to ( logcat -s "KittyMemoryEx" )
+SET "LIB_ARCH=arm64"
+SET "LIB_PATH=/data/local/tmp/injtest.so"
+
+ECHO INJECTOR_ARCH = %INJECTOR_ARCH%
+ECHO APP = %APP%
+ECHO LIB_ARCH = %LIB_ARCH%
+ECHO LIB_PATH = %LIB_PATH%
+
+IF "%LIB_ARCH%"=="arm" adb push injtest/armeabi-v7a/libinjtest.so %LIB_PATH%
+IF "%LIB_ARCH%"=="arm64" adb push injtest/arm64-v8a/libinjtest.so %LIB_PATH%
+IF "%LIB_ARCH%"=="x86" adb push injtest/x86/libinjtest.so %LIB_PATH%
+IF "%LIB_ARCH%"=="x86_64" adb push injtest/x86_64/libinjtest.so %LIB_PATH%
+
+ECHO =========== INJECTOR ===========
+
+adb shell "su -c 'kill $(pidof %INJECTOR_PATH%) > /dev/null 2>&1'"
+
+:: exec perm
+adb shell "su -c 'chmod 755 %INJECTOR_PATH%'"
+
+:: using -dl_memfd -watch and -delay 100000 microsecond, 100ms
+adb shell "su -c './%INJECTOR_NAME% -pkg %APP% -lib %LIB_PATH% -dl_memfd -watch -delay 100000'"
+
+ECHO ========= CHECKING MAPS =========
+
+adb shell "su -c 'cat /proc/$(pgrep -n %APP%)/maps | grep %LIB_PATH%'"
+adb shell "su -c 'cat /proc/$(pgrep -n %APP%)/maps | grep memfd'"
+
+PAUSE

AndKittyInjector/injtest/armeabi-v7a/libinjtest.so

@@ -2,15 +2,6 @@
 
 bool KittyInjector::init(pid_t pid, EKittyMemOP eMemOp)
 {
-    bool isLocal64bit = !KittyMemoryEx::getMapsContain(getpid(), "/lib64/").empty();
-    bool isRemote64bit = !KittyMemoryEx::getMapsContain(pid, "/lib64/").empty();
-    if (isLocal64bit != isRemote64bit)
-    {
-        KITTY_LOGE("KittyInjector: Injector is %sbit but target app is %sbit.",
-                   isLocal64bit ? "64" : "32", isRemote64bit ? "64" : "32");
-        return false;
-    }
-
     if (_kMgr.get())
         _kMgr.reset();
 
@@ -22,6 +13,15 @@ bool KittyInjector::init(pid_t pid, EKittyMemOP eMemOp)
         return false;
     }
 
+    bool isLocal64bit = !KittyMemoryEx::getMapsContain(getpid(), "/lib64/").empty();
+    bool isRemote64bit = !KittyMemoryEx::getMapsContain(pid, "/lib64/").empty();
+    if (isLocal64bit != isRemote64bit)
+    {
+        KITTY_LOGE("KittyInjector: Injector is %sbit but target app is %sbit.",
+                   isLocal64bit ? "64" : "32", isRemote64bit ? "64" : "32");
+        return false;
+    }
+
     if (!_remote_syscall.init(_kMgr.get()))
     {
         KITTY_LOGE("KittyInjector: Failed to initialize remote syscall.");
@@ -57,18 +57,24 @@ bool KittyInjector::init(pid_t pid, EKittyMemOP eMemOp)
     return true;
 }
 
-uintptr_t KittyInjector::injectLibrary(std::string libPath, int flags)
+uintptr_t KittyInjector::injectLibrary(std::string libPath, int flags, bool use_memfd_dl)
 {
     if (!_kMgr.get() || !_kMgr->isMemValid())
     {
         KITTY_LOGE("injectLibrary: Not initialized.");
         return 0;
     }
 
+    if (!_kMgr->trace.isAttached())
+    {
+        KITTY_LOGE("injectLibrary: Not attached.");
+        return 0;
+    }
+
     errno = 0;
-    bool useMemfd = _remote_dlopen_ext && !(syscall(syscall_memfd_create_n) < 0 && errno == ENOSYS);
+    bool canUseMemfd = use_memfd_dl && _remote_dlopen_ext && !(syscall(syscall_memfd_create_n) < 0 && errno == ENOSYS);
 
-    if (!_remote_dlopen && !useMemfd)
+    if (!_remote_dlopen && !canUseMemfd)
     {
         KITTY_LOGE("injectLibrary: remote dlopen not found.");
         return 0;
@@ -126,17 +132,11 @@ uintptr_t KittyInjector::injectLibrary(std::string libPath, int flags)
         }
     }
 
-    if (!_kMgr->trace.Attach())
-    {
-        KITTY_LOGE("injectLibrary: Failed to attach.");
-        return 0;
-    }
-
     uintptr_t remoteLibPath = _remote_syscall.rmmap_str(libPath);
     if (!remoteLibPath)
     {
         KITTY_LOGE("injectLibrary: mmaping lib name failed, errno = %s.",
-                   _remote_syscall.getRemoteError().c_str());
+            _remote_syscall.getRemoteError().c_str());
         return 0;
     }
 
@@ -145,7 +145,7 @@ uintptr_t KittyInjector::injectLibrary(std::string libPath, int flags)
     // native dlopen
     if (libHdr.e_machine == kNativeEM)
     {
-        if (useMemfd)
+        if (canUseMemfd)
         {
             do
             {
@@ -159,7 +159,7 @@ uintptr_t KittyInjector::injectLibrary(std::string libPath, int flags)
 
                 auto libBuf = libFile.toBuffer();
 
-                int rmemfd = _remote_syscall.rmemfd_create(rmemfd_name, MFD_CLOEXEC | MFD_ALLOW_SEALING, libBuf.size());
+                int rmemfd = _remote_syscall.rmemfd_create(rmemfd_name, MFD_CLOEXEC | MFD_ALLOW_SEALING);
                 if (rmemfd <= 0)
                 {
                     KITTY_LOGE("injectLibrary: memfd_create failed, errno = %s.",
@@ -176,16 +176,7 @@ uintptr_t KittyInjector::injectLibrary(std::string libPath, int flags)
                     break;
                 }
 
-                // mmap remote memfd in our process
-                void *rshmem = mmap(nullptr, libBuf.size(), PROT_READ | PROT_WRITE, MAP_SHARED, rmemfdFile.FD(), 0);
-                if (!rshmem)
-                {
-                    KITTY_LOGE("injectLibrary: Failed to map shared memfd file, errno = %s.", strerror(errno));
-                    break;
-                }
-                // copy lib to remote memfd
-                memcpy(rshmem, libBuf.data(), libBuf.size());
-                munmap(rshmem, libBuf.size());
+                libFile.writeToFd(rmemfdFile.FD());
 
                 // restrict further modifications to remote memfd
                 _remote_syscall.rmemfd_seal(rmemfd, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL);
@@ -205,11 +196,11 @@ uintptr_t KittyInjector::injectLibrary(std::string libPath, int flags)
 
         if (!remoteContainsMap(memfd_rand))
         {
-            if (useMemfd)
+            if (canUseMemfd)
                 KITTY_LOGW("android_dlopen_ext failed, using legacy dlopen...");
 
-            _kMgr->trace.callFunction(_remote_dlopen, 2, remoteLibPath, flags);
-            kINJ_WAIT;
+           _kMgr->trace.callFunction(_remote_dlopen, 2, remoteLibPath, flags);
+           kINJ_WAIT;
         }
     }
     // bridge dlopen
@@ -305,7 +296,5 @@ uintptr_t KittyInjector::injectLibrary(std::string libPath, int flags)
     // cleanup
     _remote_syscall.clearAllocatedMaps();
 
-    _kMgr->trace.Detach();
-
     return libBase;
 }

AndKittyInjector/injtest/x86/libinjtest.so

@@ -1,6 +1,6 @@
 #pragma once
 
-#include <KittyMemoryEx/KittyMemoryMgr.hpp>
+#include <KittyMemoryMgr.hpp>
 
 #include <dlfcn.h>
 #include <android/dlext.h>
@@ -55,5 +55,8 @@ class KittyInjector
      */
     bool init(pid_t pid, EKittyMemOP eMemOp);
 
-    uintptr_t injectLibrary(std::string libPath, int flags);
+    inline bool attach() { return _kMgr.get() && _kMgr->isMemValid() && _kMgr->trace.Attach(); };
+    inline bool detach() { return _kMgr.get() && _kMgr->isMemValid() && _kMgr->trace.Detach(); }
+
+    uintptr_t injectLibrary(std::string libPath, int flags, bool use_dl_memfd);
 };

AndKittyInjector/injtest/x86_64/libinjtest.so

@@ -4,35 +4,30 @@
 
 #ifdef __aarch64__
 #define syscall_fcntl_n 25
-#define syscall_ftruncate_n 46
 #define syscall_mmap_n 222
 #define syscall_munmap_n 215
 #define syscall_memfd_create_n 279
 #elif __arm__
 #define syscall_fcntl_n 221 // fcntl64
-#define syscall_ftruncate_n 194 // ftruncate64
 //#define syscall_fcntl_n 55
-//#define syscall_ftruncate_n 93
 #define syscall_mmap_n 192 // mmap2
 #define syscall_munmap_n 91
 #define syscall_memfd_create_n 385
 #elif __i386__
 #define syscall_fcntl_n 55
-#define syscall_ftruncate_n 93
 #define syscall_mmap_n 192 // mmap2
 #define syscall_munmap_n 91
 #define syscall_memfd_create_n 356
 #elif __x86_64__
 #define syscall_fcntl_n 72
-#define syscall_ftruncate_n 77
 #define syscall_mmap_n 9
 #define syscall_munmap_n 11
 #define syscall_memfd_create_n 319
 #else
 #error "Unsupported ABI"
 #endif
 
-#include <KittyMemoryEx/KittyMemoryMgr.hpp>
+#include <KittyMemoryMgr.hpp>
 
 #define IsValidRetPtr(x) (uintptr_t(x) > 0 && uintptr_t(x) != uintptr_t(-1) && uintptr_t(x) != uintptr_t(-4) && uintptr_t(x) != uintptr_t(-8))
 
@@ -135,16 +130,12 @@ class RemoteSyscall
         return remoteMem;
     }
 
-    int rmemfd_create(uintptr_t rname, unsigned int flags, size_t size)
+    int rmemfd_create(uintptr_t rname, unsigned int flags)
     {
         if (!_kMgr || !_kMgr->isMemValid())
             return 0;
 
-        int rmemfd = _kMgr->trace.callFunction(_remote_syscall, 3, syscall_memfd_create_n, rname, flags);
-        if (rmemfd > 0)
-            _kMgr->trace.callFunction(_remote_syscall, 3, syscall_ftruncate_n, rmemfd, size);
-
-        return rmemfd;
+        return _kMgr->trace.callFunction(_remote_syscall, 3, syscall_memfd_create_n, rname, flags);
     }
 
     int rmemfd_seal(int rmemfd, unsigned long seals)