Closed kotori2 closed 3 years ago
What do you suggest?
Parse /proc/self/maps for detection. What can't be detected?
@tianyah That's why we need random ELF names
Please parse /proc/self/maps. According to what features can Riru be detected?
@tianyah
OnePlus7Pro:/proc/7181 # cat maps |grep riru
f0501000-f0531000 r-xp 00000000 fc:02 9444869 /system/lib/libriru_storage_redirect.so
f0531000-f0534000 r--p 0002f000 fc:02 9444869 /system/lib/libriru_storage_redirect.so
f0534000-f0535000 rw-p 00032000 fc:02 9444869 /system/lib/libriru_storage_redirect.so
f0700000-f077c000 r-xp 00000000 fc:02 9445053 /system/lib/libriru_edxp.so
f077c000-f0781000 r--p 0007b000 fc:02 9445053 /system/lib/libriru_edxp.so
f0781000-f0782000 rw-p 00080000 fc:02 9445053 /system/lib/libriru_edxp.so
f07d7000-f07f1000 r-xp 00000000 fc:02 9175162 /system/lib/libriru_location_report_enabler.so
f07f2000-f07f4000 r--p 0001a000 fc:02 9175162 /system/lib/libriru_location_report_enabler.so
f07f4000-f07f5000 rw-p 0001c000 fc:02 9175162 /system/lib/libriru_location_report_enabler.so
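As an added example (not code from this thread or from the Riru project), a small Python parser for the /proc/<pid>/maps layout shown above, which groups mappings by device and inode so an app's self-check sees which files are actually mapped rather than grepping line by line; the sample text is constructed from the output above plus a libc and an anonymous mapping. As the later replies point out, a basename match like this is defeated once the library files are given random names.

```python
import re
from collections import OrderedDict

# Constructed sample: riru entries from the thread plus an ordinary system
# library and an anonymous mapping, in the exact /proc/<pid>/maps layout.
SAMPLE_MAPS = """\
f0400000-f0450000 r-xp 00000000 fc:02 9400001 /system/lib/libc.so
f0450000-f0452000 rw-p 00050000 fc:02 9400001 /system/lib/libc.so
f0501000-f0531000 r-xp 00000000 fc:02 9444869 /system/lib/libriru_storage_redirect.so
f0531000-f0534000 r--p 0002f000 fc:02 9444869 /system/lib/libriru_storage_redirect.so
f0534000-f0535000 rw-p 00032000 fc:02 9444869 /system/lib/libriru_storage_redirect.so
f0700000-f077c000 r-xp 00000000 fc:02 9445053 /system/lib/libriru_edxp.so
f0900000-f0901000 rw-p 00000000 00:00 0 [anon:libc_malloc]
"""

# One maps line: start-end perms offset dev inode [pathname]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"(?:\s+(?P<path>.*))?$"
)

def parse_maps(text):
    """Parse maps text into dicts with integer addresses; skip malformed lines."""
    entries = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "start": int(d["start"], 16), "end": int(d["end"], 16),
            "perms": d["perms"], "offset": int(d["offset"], 16),
            "dev": d["dev"], "inode": int(d["inode"]), "path": d["path"] or "",
        })
    return entries

def loaded_files(entries):
    """Group file-backed mappings by (dev, inode): path, bytes mapped, perms seen."""
    files = OrderedDict()
    for e in entries:
        if e["inode"] == 0:
            continue  # anonymous mapping, no file behind it
        f = files.setdefault((e["dev"], e["inode"]),
                             {"path": e["path"], "bytes": 0, "perms": set()})
        f["bytes"] += e["end"] - e["start"]
        f["perms"].add(e["perms"])
    return files

def find_by_name(entries, pattern):
    """Sorted paths of loaded files whose basename matches the regex pattern."""
    rx = re.compile(pattern)
    return sorted({f["path"] for f in loaded_files(entries).values()
                   if rx.search(f["path"].rsplit("/", 1)[-1])})
```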
Yes, obviously
@tianyah Obviously I didn't get what you mean.
I mean the features are obvious
I have an app that is apparently able to detect Riru (Riru Core is the only installed Magisk module). As soon as I remove the Riru Core module, the app runs fine.
Is there a way to find out if the changes proposed by @kotori2 would help in this case?
First, it's possible to detect if a file is added/replaced by Magisk modules, so any randomization is meaningless (not many people know for now). Also in the future, SafetyNet may enforce a locked bootloader (apps can achieve this without SafetyNet if they want). We can do something to "hide" for now (if they haven't used those methods), but in the long run, playing this cat-and-mouse game is not fun and we have already lost.
> First, it's possible to detect if a file is added/replaced by Magisk modules, so any randomization is meaningless (not many people know for now).

But I don't know what these random names mean, and some people did not use Magisk to install Riru.
At present, if there is no other test like symbols in the .text segment, random names are valid and feasible.
> Also in the future, SafetyNet may enforce a locked bootloader (apps can achieve this without SafetyNet if they want).

Most software does not use SafetyNet to verify.
My plan is to remove the riru_ prefix for the Riru module, randomly name the original libmemtrack.so for the Riru core, and then replace the .so binary of Riru with a random name.
Edit:
There is some software that can detect Storage Redirect and take corresponding countermeasures (money flew away).
We all know that Riru can be easily detected by parsing /proc/self/maps. Is there any possibility that we hide Riru with the following modifications:
libmemtrack.so
to riru, to prevent producing libmemtrack_old.so
/data/adb
and load riru modules with random name and random export table
.text
segment, I don't have an idea for now, maybe use some protection and encrypt plaintext strings, to prevent memory searching