v3.0.0 lib hide update

Author: MJx0

AndKittyInjector/runtest.bat

@@ -1,5 +1,6 @@
 @ECHO OFF
 
+SET "INJECTOR_ARCH=arm64"
 SET "INJECTOR_NAME=AndKittyInjector"
 SET "INJECTOR_PATH=/data/local/tmp/AndKittyInjector"
 
@@ -14,24 +15,31 @@ ECHO APP = %APP%
 ECHO LIB_ARCH = %LIB_ARCH%
 ECHO LIB_PATH = %LIB_PATH%
 
+ECHO =========== PUSH ===========
+
+IF "%INJECTOR_ARCH%"=="arm" adb push libs/armeabi-v7a/%INJECTOR_NAME% %INJECTOR_PATH%
+IF "%INJECTOR_ARCH%"=="arm64" adb push libs/arm64-v8a/%INJECTOR_NAME% %INJECTOR_PATH%
+IF "%INJECTOR_ARCH%"=="x86" adb push libs/x86/%INJECTOR_NAME% %INJECTOR_PATH%
+IF "%INJECTOR_ARCH%"=="x86_64" adb push libs/x86_64/%INJECTOR_NAME% %INJECTOR_PATH%
+
 IF "%LIB_ARCH%"=="arm" adb push injtest/armeabi-v7a/libinjtest.so %LIB_PATH%
 IF "%LIB_ARCH%"=="arm64" adb push injtest/arm64-v8a/libinjtest.so %LIB_PATH%
 IF "%LIB_ARCH%"=="x86" adb push injtest/x86/libinjtest.so %LIB_PATH%
 IF "%LIB_ARCH%"=="x86_64" adb push injtest/x86_64/libinjtest.so %LIB_PATH%
 
-ECHO =========== INJECTOR ===========
+ECHO =========== INJECT ===========
 
-adb shell "su -c 'kill $(pidof %INJECTOR_PATH%) > /dev/null 2>&1'"
+adb shell "su -c 'kill $(pidof %INJECTOR_NAME%) > /dev/null 2>&1'"
 
 :: exec perm
 adb shell "su -c 'chmod 755 %INJECTOR_PATH%'"
 
-:: using -dl_memfd -watch and -delay 100000 microsecond, 100ms
-adb shell "su -c './%INJECTOR_NAME% -pkg %APP% -lib %LIB_PATH% -dl_memfd -watch -delay 100000'"
+:: using -dl_memfd  -hide -watch and -delay 100000 microsecond, 100ms
+adb shell "su -c './%INJECTOR_PATH% -pkg %APP% -lib %LIB_PATH% -dl_memfd -hide -watch -delay 100000'"
 
 ECHO ========= CHECKING MAPS =========
 
-adb shell "su -c 'cat /proc/$(pgrep -n %APP%)/maps | grep %LIB_PATH%'"
-adb shell "su -c 'cat /proc/$(pgrep -n %APP%)/maps | grep memfd'"
+adb shell "su -c 'cat /proc/$(pidof %APP%)/maps | grep %LIB_PATH%'"
+adb shell "su -c 'cat /proc/$(pidof %APP%)/maps | grep memfd'"
 
 PAUSE

AndKittyInjector/src/Injector/KittyInjector.cpp

@@ -7,18 +7,19 @@ bool KittyInjector::init(pid_t pid, EKittyMemOP eMemOp)
 
     _kMgr = std::make_unique<KittyMemoryMgr>();
 
-    if (!_kMgr->initialize(pid, eMemOp, false))
+    if (!_kMgr->initialize(pid, eMemOp, true))
     {
         KITTY_LOGE("KittyInjector: Failed to initialize kittyMgr.");
         return false;
     }
 
+    _kMgr->trace.setAutoRestoreRegs(false);
+
     bool isLocal64bit = !KittyMemoryEx::getMapsContain(getpid(), "/lib64/").empty();
     bool isRemote64bit = !KittyMemoryEx::getMapsContain(pid, "/lib64/").empty();
     if (isLocal64bit != isRemote64bit)
     {
-        KITTY_LOGE("KittyInjector: Injector is %sbit but target app is %sbit.",
-                   isLocal64bit ? "64" : "32", isRemote64bit ? "64" : "32");
+        KITTY_LOGE("KittyInjector: Injector is %sbit but target app is %sbit.", isLocal64bit ? "64" : "32", isRemote64bit ? "64" : "32");
         return false;
     }
 
@@ -28,6 +29,8 @@ bool KittyInjector::init(pid_t pid, EKittyMemOP eMemOp)
         return false;
     }
 
+    _soinfo_patch.init(_kMgr.get());
+
     _remote_dlopen = _kMgr->findRemoteOf("dlopen", (uintptr_t)&dlopen);
     if (!_remote_dlopen)
     {
@@ -59,7 +62,7 @@ bool KittyInjector::init(pid_t pid, EKittyMemOP eMemOp)
     return true;
 }
 
-injected_info_t KittyInjector::injectLibrary(std::string libPath, int flags, bool use_memfd_dl)
+injected_info_t KittyInjector::injectLibrary(std::string libPath, int flags, bool use_memfd_dl, bool hide)
 {
     if (!_kMgr.get() || !_kMgr->isMemValid())
     {
@@ -133,14 +136,46 @@ injected_info_t KittyInjector::injectLibrary(std::string libPath, int flags, boo
         }
     }
 
+    pt_regs bkup_regs;
+    memset(&bkup_regs, 0, sizeof(bkup_regs));
+
+    if (!_kMgr->trace.getRegs(&bkup_regs))
+    {
+        KITTY_LOGE("injectLibrary: failed to backup registers.");
+        return {};
+    }
+
     injected_info_t injected {};
 
     if (libHdr.e_machine == kNativeEM)
+    {
+        if (hide)
+            _soinfo_patch.before_dlopen_patch();
+
         injected = nativeInject(libFile, flags, canUseMemfd);
+
+        if (hide)
+            _soinfo_patch.after_dlopen_patch();
+    }
     else
+    {
         injected = emuInject(libFile, flags);
+    }
+
+    KITTY_LOGI("lib handle = %p", (void*)injected.dl_handle);
 
-    if (!injected.is_valid())
+    if (injected.is_valid())
+    {
+        if (libHdr.e_machine == kNativeEM && hide)
+        {
+            hideSegmentsFromMaps(injected);
+
+            uintptr_t hide_init = injected.elfMap.elfScan.findSymbol("hide_init");
+            KITTY_LOGI("Calling hide_init -> %p", (void*)hide_init);
+            _kMgr->trace.callFunction(hide_init, 0);
+        }
+    }
+    else
     {
         KITTY_LOGE("injectLibrary: failed )':");
         KITTY_LOGE("injectLibrary: calling dlerror...");
@@ -165,6 +200,9 @@ injected_info_t KittyInjector::injectLibrary(std::string libPath, int flags, boo
     // cleanup
     _remote_syscall.clearAllocatedMaps();
 
+    if (!_kMgr->trace.setRegs(&bkup_regs))
+        KITTY_LOGE("injectLibrary: failed to restore registers.");
+
     return injected;
 }
 
@@ -196,7 +234,7 @@ injected_info_t KittyInjector::nativeInject(KittyIOFile& lib, int flags, bool us
     {
         std::string memfd_rand = KittyUtils::random_string(KittyUtils::randInt(5, 12));
 
-        info.name = memfd_rand;
+        info.name = "/memfd:" + memfd_rand;
 
         uintptr_t rmemfd_name = _remote_syscall.rmmap_str(memfd_rand);
         if (!rmemfd_name)
@@ -237,7 +275,7 @@ injected_info_t KittyInjector::nativeInject(KittyIOFile& lib, int flags, bool us
         info.dl_handle = _kMgr->trace.callFunction(_remote_dlopen_ext, 3, rmemfd_name, flags, rdlextinfo);
         kINJ_WAIT;
 
-        info.elfMap = _kMgr->getElfBaseMap(memfd_rand);
+        info.elfMap = _kMgr->getElfBaseMap(info.name);
 
         return info.elfMap.isValid();
     };
@@ -290,7 +328,8 @@ injected_info_t KittyInjector::emuInject(KittyIOFile& lib, int flags)
         //    return (char *)&unk_64DF10 + 0xC670 * ns + qword_80C6C8;
         auto tryRemoteloadLibraryExt = [&](uint8_t ns_start, uint8_t ns_end) -> uintptr_t
         {
-            for (uint8_t i = ns_start; i <= ns_end; i++) {
+            for (uint8_t i = ns_start; i <= ns_end; i++)
+            {
                 uintptr_t h = _kMgr->trace.callFunction((uintptr_t)_nativeBridgeItf.loadLibraryExt, 3, remoteLibPath, flags, i);
                 kINJ_WAIT;
 
@@ -339,4 +378,49 @@ injected_info_t KittyInjector::emuInject(KittyIOFile& lib, int flags)
     info.elfMap = _kMgr->getElfBaseMap(lib.Path());
 
     return info;
+}
+
+bool KittyInjector::hideSegmentsFromMaps(injected_info_t &inj_info)
+{
+    if (!inj_info.is_valid())
+    {
+        KITTY_LOGE("hideSegmentsFromMaps: Invalid info.");
+        return false;
+    }
+
+    if (inj_info.is_hidden || inj_info.elfMap.map.pathname.empty())
+        return true;
+
+    // idea from https://github.com/RikkaApps/Riru/blob/master/riru/src/main/cpp/hide/hide.cpp
+
+    auto maps = KittyMemoryEx::getMapsContain(_kMgr->processID(), inj_info.elfMap.map.pathname);
+    for (auto& it : maps)
+    {
+        KITTY_LOGI("hideSegmentsFromMaps: Hiding segment %p - %p", (void*)it.startAddress, (void*)it.endAddress);
+
+        // backup segment code
+        auto bkup = _kMgr->memBackup.createBackup(it.startAddress, it.length);
+
+        _remote_syscall.rmunmap(it.startAddress, it.length);
+        uintptr_t segment_new_map = _remote_syscall.rmmap_anon(it.startAddress, it.length, it.protection, false);
+
+        if (!IsValidRetPtr(segment_new_map))
+        {
+            KITTY_LOGE("hideSegmentsFromMaps: Failed to re-map segment %p, error = %s", (void*)it.startAddress, _remote_syscall.getRemoteError().c_str());
+            return false;
+        }
+        
+        // restore segment code
+        bkup.Restore();
+    }
+
+    inj_info.name.clear();
+    inj_info.name.shrink_to_fit();
+
+    inj_info.elfMap.map.pathname.clear();
+    inj_info.elfMap.map.pathname.shrink_to_fit();
+
+    inj_info.is_hidden = true;
+
+    return true;
 }

AndKittyInjector/src/Injector/KittyInjector.hpp

@@ -8,6 +8,7 @@
 #include "../NativeBridge/NativeBridge.hpp"
 
 #include "RemoteSyscall.hpp"
+#include "SoInfoPatch.hpp"
 
 #ifdef __aarch64__
 static constexpr ElfW_(Half) kNativeEM = EM_AARCH64;
@@ -47,6 +48,8 @@ class KittyInjector
     ElfBaseMap _houdiniElf;
     NativeBridgeCallbacks _nativeBridgeItf;
 
+    SoInfoPatch _soinfo_patch;
+
 public:
     KittyInjector() : _remote_dlopen(0), _remote_dlopen_ext(0), _remote_dlclose(0), _remote_dlerror(0)
     {
@@ -68,9 +71,11 @@ class KittyInjector
     inline bool attach() { return _kMgr.get() && _kMgr->isMemValid() && _kMgr->trace.Attach(); };
     inline bool detach() { return _kMgr.get() && _kMgr->isMemValid() && _kMgr->trace.Detach(); }
 
-    injected_info_t injectLibrary(std::string libPath, int flags, bool use_dl_memfd);
+    injected_info_t injectLibrary(std::string libPath, int flags, bool use_dl_memfd, bool hide);
 
 private:
     injected_info_t nativeInject(KittyIOFile& lib, int flags, bool use_dl_memfd);
     injected_info_t emuInject(KittyIOFile& lib, int flags);
+
+    bool hideSegmentsFromMaps(injected_info_t &inj_info);
 };

AndKittyInjector/src/Injector/RemoteSyscall.hpp

@@ -9,9 +9,8 @@
 #define syscall_munmap_n 215
 #define syscall_memfd_create_n 279
 #elif __arm__
-#define syscall_mprotect_n 125
 #define syscall_fcntl_n 221 // fcntl64
-//#define syscall_fcntl_n 55
+#define syscall_mprotect_n 125
 #define syscall_mmap_n 192 // mmap2
 #define syscall_munmap_n 91
 #define syscall_memfd_create_n 385
@@ -78,8 +77,11 @@ class RemoteSyscall
         if (!_kMgr || !_kMgr->isMemValid())
             return 0;
 
-        intptr_t remoteMem = _kMgr->trace.callFunction(_remote_syscall, 7, syscall_mmap_n,
-                                                       addr, size, prot, MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
+        int flags = MAP_PRIVATE | MAP_ANONYMOUS;
+        if (addr)
+            flags |= MAP_FIXED;
+
+        intptr_t remoteMem = _kMgr->trace.callFunction(_remote_syscall, 7, syscall_mmap_n, addr, size, prot, flags, 0, 0);
         if (!IsValidRetPtr(remoteMem))
             return 0;
 
@@ -89,17 +91,22 @@ class RemoteSyscall
         return remoteMem;
     }
 
-    uintptr_t rmmap_shared(uintptr_t addr, size_t size, int prot, int fd)
+    uintptr_t rmmap_shared(uintptr_t addr, size_t size, int prot, int fd, bool deleteOnClear=true)
     {
         if (!_kMgr || !_kMgr->isMemValid())
             return 0;
 
-        intptr_t remoteMem = _kMgr->trace.callFunction(_remote_syscall, 7, syscall_mmap_n,
-                                                       addr, size, prot, MAP_SHARED, fd, 0);
+        int flags = MAP_SHARED;
+        if (addr)
+            flags |= MAP_FIXED;
+
+        intptr_t remoteMem = _kMgr->trace.callFunction(_remote_syscall, 7, syscall_mmap_n, addr, size, prot, flags, fd, 0);
         if (!IsValidRetPtr(remoteMem))
             return 0;
 
-        vAllocatedMaps[remoteMem] = size;
+        if (deleteOnClear)
+            vAllocatedMaps[remoteMem] = size;
+
         return remoteMem;
     }