PerformanC / ReZygisk

Transparent implementation of Zygisk.
GNU General Public License v3.0

[BUG]: set module prop permission to adb data file to prevent detection #67

Closed Dialgatrainer02 closed 3 weeks ago

Dialgatrainer02 commented 3 weeks ago

Version

(242-ce8fa08-release)

Modules

modules.json from APatch bug report

[
  {
    "updateJson": "https://5ec1cff.github.io/TrickyStore/update.json",
    "enabled": "true",
    "name": "Tricky Store",
    "remove": "false",
    "web": "false",
    "versionCode": "149",
    "action": "false",
    "description": "A trick of keystore",
    "version": "v1.2.0-RC2 (149-323b944-release)",
    "id": "tricky_store",
    "author": "5ec1cff",
    "update": "false"
  },
  {
    "id": "zygisk-assistant",
    "name": "Zygisk Assistant",
    "remove": "false",
    "description": "A Zygisk module to hide root.",
    "enabled": "true",
    "update": "false",
    "web": "false",
    "versionCode": "213",
    "action": "false",
    "updateJson": "https://raw.githubusercontent.com/snake-4/Zygisk-Assistant/main/update_metadata/update.json",
    "version": "v2.1.3 (7b35d36-release)",
    "author": "snake-4"
  },
  {
    "update": "false",
    "remove": "false",
    "versionCode": "010104",
    "id": "systemless-hosts-KernelSU-module",
    "web": "true",
    "name": "systemless hosts KernelSU module",
    "updateJson": "https://raw.githubusercontent.com/symbuzzer/systemless-hosts-KernelSU-module/main/update.json",
    "action": "false",
    "enabled": "true",
    "description": "Required module to use applications such as AdAway on KernelSU and APatch",
    "author": "symbuzzer (avalibeyaz.com/github)",
    "version": "v1.1.4"
  },
  {
    "id": "zygisk_lsposed",
    "version": "v1.10.1 (7115)",
    "update": "false",
    "description": "Another enhanced implementation of Xposed Framework. Supports Android 8.1 ~ 15. Requires Magisk 26.0+ and Zygisk enabled.",
    "versionCode": "7115",
    "remove": "false",
    "action": "false",
    "author": "Jing Matrix & LSPosed Developers",
    "enabled": "false",
    "web": "true",
    "updateJson": "https://raw.githubusercontent.com/JingMatrix/LSPosed/master/magisk-loader/update/zygisk.json",
    "name": "Zygisk - LSPosed"
  },
  {
    "name": "Charging limit to 80% for Pixel 6 Pro",
    "id": "LimitCharging80",
    "versionCode": "1",
    "version": "1",
    "enabled": "true",
    "action": "false",
    "author": "foobar66_and_kk",
    "remove": "false",
    "web": "false",
    "update": "false",
    "description": "Charging limit to 80% for Pixel 6 Pro"
  },
  {
    "web": "false",
    "remove": "false",
    "author": "osm0sis & chiteroman @ xda-developers",
    "action": "true",
    "description": "[Scripts-only mode] Fix ctsProfile (SafetyNet) and DEVICE (Play Integrity) verdicts",
    "enabled": "true",
    "id": "playintegrityfix",
    "name": "Play Integrity Fork",
    "updateJson": "https://raw.githubusercontent.com/osm0sis/PlayIntegrityFork/main/update.json",
    "versionCode": "110000",
    "update": "false",
    "version": "v11"
  },
  {
    "name": "ReZygisk",
    "enabled": "true",
    "version": "v1.0.0 (242-ce8fa08-release)",
    "versionCode": "242",
    "web": "false",
    "description": "[monitor: 😋 tracing, zygote64:😋 injected,  daemon64:😋running(Root: APatch,module(1): zygisk-assistant) zygote32:😋 injected,  daemon32:😋running(Root: APatch,module(1): zygisk-assistant)] Standalone implementation of Zygisk.",
    "action": "false",
    "author": "The PerformanC Organization",
    "update": "false",
    "remove": "false",
    "id": "zygisksu"
  },
  {
    "version": "v19.34.42",
    "author": "j-hc",
    "enabled": "true",
    "name": "YouTube ReVanced",
    "id": "youtube-jhc",
    "description": "YouTube ReVanced Magisk module",
    "update": "false",
    "updateJson": "https://raw.githubusercontent.com/j-hc/revanced-magisk-module/update/youtube-update.json",
    "remove": "false",
    "web": "false",
    "action": "false",
    "versionCode": "20220967"
  },
  {
    "name": "Google Photos Unlimited backup",
    "web": "false",
    "action": "false",
    "remove": "false",
    "version": "1.1-stable",
    "author": "cuynu",
    "id": "PixelifyPhotos",
    "update": "false",
    "enabled": "false",
    "versionCode": "002",
    "description": "Adds Photos features and unlimited Google Photos original backup quality by spoof device info to Pixel XL only on Photos app."
  },
  {
    "id": "tsupport-advance",
    "description": "When the moonlight shines on the silver lake, a path appears for those determined to move ahead.",
    "name": "TSupport Advance",
    "author": "Citra-Standalone",
    "updateJson": "https://raw.githubusercontent.com/citra-standalone/TSupport-Advance/main/release.json",
    "version": "R241026",
    "enabled": "true",
    "versionCode": "241026",
    "update": "true",
    "remove": "false",
    "web": "false",
    "action": "true"
  }
]

Description

Memory detector is finding the module.prop file of this module due to the incorrect file context

Steps to reproduce

1. Install ReZygisk using root implementation
2. Install memory detector
3. See ReZygisk be detected

Logs

X Found 1 item(s) modified or added by Magisk/ KernelSU:

  1. /data/adb/modules/zygisksu/module.prop

ThePedroo commented 3 weeks ago

I am unsure which branch you're on, but I know that you are outdated. Update ReZygisk.

Unb0rn commented 3 weeks ago

Strange - got the same result with Native detector and Holmes (Found injection) with the same /data/adb/modules/zygisksu/module.prop. Using the latest ReZygisk from c99 branch that was built 3 days ago - 270-37c40f4-release

ThePedroo commented 3 weeks ago

I suppose that's with those apps on Deny list? If not, it is expected

Unb0rn commented 3 weeks ago

My bad - used the wrong terminal. With unmount nothing suspicious is in /proc/self/mounts, but "found injection" and "futile hide" are still there, but this is another issue...

kevin01523 commented 3 weeks ago

The one giving futile hide is Zygisk Assistant and the found injection(number here) is LSPosed.

R917C commented 3 weeks ago

Currently, ReZygisk cannot hide itself well, so there is a "found injection". Since it is forked from ZygiskNext, and the old version of ZygiskNext will leak some traces, this is the reason. Now we just have to wait and see when he (ThePedroo) fixes it.