Awesome
Detecting library injection in memory
Detection using solist
In the Bionic linker, the `soinfo` structure has a field `next` that points to the next loaded library, forming a linked list of all loaded libraries.
Hence, an injected application can easily enumerate all loaded libraries.
Detection criteria
The following cases are considered as injections:
- some `soinfo` object has an empty pathname;
- the linked list of all `soinfo` objects has gaps between elements, and such a gap appears before `specializeAppProcess`.
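The two criteria above, walked over a simplified model of the solist. This is an added example, not code from the page or from any detection project: the `soinfo_model` struct, the `first_app_lib` parameter (standing in for the first library loaded after `specializeAppProcess`), the contiguous `arena` and the library names are all constructed assumptions; the real Bionic `soinfo` has a version-dependent layout and many more fields.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumption: a stand-in for the Bionic linker's soinfo with only the fields the
 * check needs. The real struct is larger and its layout varies across Android versions. */
typedef struct soinfo_model {
    char pathname[64];            /* realpath of the library, "" if it was cleared */
    struct soinfo_model *next;    /* solist link */
} soinfo_model;

typedef struct {
    int empty_pathnames;  /* entries whose pathname is empty */
    int gaps;             /* address jumps between consecutive entries */
    int gaps_before_app;  /* gaps seen before the first post-specialization library */
} solist_report;

/* Walk the solist from head. first_app_lib is the entry of the first library the app
 * itself loaded after specializeAppProcess; locating it is outside this model. */
solist_report scan_solist(const soinfo_model *head, const soinfo_model *first_app_lib)
{
    solist_report r = {0, 0, 0};
    bool before_app = true;
    for (const soinfo_model *si = head; si != NULL; si = si->next) {
        if (si == first_app_lib) before_app = false;
        if (si->pathname[0] == '\0') r.empty_pathnames++;
        if (si->next != NULL) {
            /* Linear allocation means the next entry normally sits exactly one struct
             * further on; a larger stride means an entry was unlinked and the list closed
             * over it (assumption: the allocator behaves this way within one block). */
            uintptr_t stride = (uintptr_t)si->next - (uintptr_t)si;
            if (stride != sizeof(soinfo_model)) {
                r.gaps++;
                if (before_app) r.gaps_before_app++;
            }
        }
    }
    return r;
}

/* Constructed scenario: five entries in one contiguous arena; index 3 is the
 * first library loaded by the app after specialization. */
static soinfo_model arena[5];

static void build_list(void)
{
    const char *names[5] = { "/system/lib64/libc.so", "/system/lib64/libm.so",
                             "/data/local/tmp/injected.so",
                             "/data/app/base.apk!/lib/arm64-v8a/libapp.so",
                             "/system/lib64/libz.so" };
    for (int i = 0; i < 5; i++) {
        strncpy(arena[i].pathname, names[i], sizeof(arena[i].pathname) - 1);
        arena[i].pathname[sizeof(arena[i].pathname) - 1] = '\0';
        arena[i].next = (i + 1 < 5) ? &arena[i + 1] : NULL;
    }
}

/* Clean process: every entry has a pathname and the list is contiguous. */
solist_report clean_case(void)
{
    build_list();
    return scan_solist(&arena[0], &arena[3]);
}

/* Entry 2 has been unlinked from the list: a gap appears before the first app library. */
solist_report hidden_case(void)
{
    build_list();
    arena[1].next = &arena[3];
    return scan_solist(&arena[0], &arena[3]);
}

/* Entry 2 is still linked but its pathname has been blanked. */
solist_report blanked_case(void)
{
    build_list();
    arena[2].pathname[0] = '\0';
    return scan_solist(&arena[0], &arena[3]);
}

/* Either criterion from the text flags the process. */
bool looks_injected(solist_report r)
{
    return r.empty_pathnames > 0 || r.gaps_before_app > 0;
}
```

A gap after `first_app_lib` is reported but not counted as injection, since an app may legitimately `dlclose` its own libraries; only gaps before that point match the second criterion.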
Detection using virtual maps
See the blog post Android 用户态注入隐藏已死 (Android user-space injection hiding is dead).
Detection using module counter
A call to `dlclose` increments the counter `g_module_unload_counter`.
This detection depends heavily on the Android OS version and vendor customization; it has been shown to produce false positives on Samsung and OnePlus devices.
State of bypassing the current tests
- Zygisk of Magisk
- ZygiskNext
- ReZygisk (fixed by JingMatrix in https://github.com/PerformanC/ReZygisk/pull/101)