Detecting library injection in memory

Detection using solist

In the Bionic linker, the soinfo structure has a field, next, which points to the next loaded library in a linked list of all loaded libraries.

Hence, an application that has been injected into can easily enumerate all loaded libraries by walking this list.

Detection criteria

The following cases are considered injections:

  1. some soinfo object has an empty pathname;
  2. the linked list of all soinfo objects has gaps between elements, and such a gap appears before specializeAppProcess.
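
The two criteria above applied to a simplified model of the list, as an added example that is not the detector's or Bionic's own code. The `node` struct, `scan_solist`, `build`, the flag names and the sample paths are hypothetical, and "gap" is taken here to mean a successor node that does not occupy the adjacent allocation slot, which is this example's assumption.

```c
#include <stdio.h>

/* Simplified stand-in for a soinfo node; NOT Bionic's real layout. */
typedef struct node {
    const char *realpath;   /* pathname the library was loaded from */
    struct node *next;      /* next loaded library */
} node;
enum { FLAG_EMPTY_PATH = 1, FLAG_GAP = 2 };

/* boundary: first node loaded after specializeAppProcess (hypothetical input). */
int scan_solist(const node *head, const node *boundary)
{
    int flags = 0, pre_specialize = 1;
    for (const node *si = head; si != NULL; si = si->next) {
        if (si == boundary) pre_specialize = 0;
        if (si->realpath == NULL || si->realpath[0] == '\0')
            flags |= FLAG_EMPTY_PATH;   /* criterion 1 */
        /* Assumption: nodes sit back to back; a non-adjacent successor is a gap. */
        if (pre_specialize && si->next != NULL && si->next != si + 1)
            flags |= FLAG_GAP;          /* criterion 2 */
    }
    return flags;
}

/* Constructed sample data: five adjacent slots with made-up paths. */
static node pool[5];
static const char *const SAMPLE[5] = {
    "/system/lib64/libc.so", "/system/lib64/libdl.so", "/system/lib64/liba.so",
    "/system/lib64/libb.so", "/data/app/com.example/lib/arm64/libapp.so" };

/* Link the pool in order, omitting slot skip, blanking slot blank (-1: none). */
static node *build(int skip, int blank)
{
    node *head = NULL, **tail = &head;
    for (int i = 0; i < 5; i++) {
        if (i == skip) continue;
        pool[i].realpath = (i == blank) ? "" : SAMPLE[i];
        pool[i].next = NULL;
        *tail = &pool[i]; tail = &pool[i].next;
    }
    return head;
}

int main(void)
{
    printf("clean=%d\n", scan_solist(build(-1, -1), &pool[4]));
    printf("slot 2 unloaded=%d\n", scan_solist(build(2, -1), &pool[4]));
    return 0;
}
```

A gap that follows the boundary node is ignored, since libraries the app itself loads and unloads after specialization would otherwise be flagged.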

Detection using virtual maps

See the blog post "Android 用户态注入隐藏已死" ("Android user-mode injection hiding is dead").

Detection using module counter

A call to dlclose increments the counter g_module_unload_counter.

This detection depends heavily on the Android OS version and vendor customization, and has been shown to produce false positives on Samsung and OnePlus devices.

State of bypassing current test